Mirror of git.openembedded.org/meta-openembedded https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=whinlatter 2026-03-26T04:59:24+00:00 2026-03-26T04:59:24+00:00 Bartosz Golaszewski bartosz.golaszewski@oss.qualcomm.com 2026-03-22T10:51:25+00:00 urn:sha1:40642ec81044538a107e59f3b69b745086171e89 Bug-fix release addressing a memory leak and a couple minor issues. We now ship the license file with the dist tarball so update the recipe to take this into account. While at it: trim the LICENSE value to only include LGPL-v2.1-or-later as the other two licenses cover tests and text files. Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f75f4164fd7184ed47e119c782cea583b96fbb45) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-26T04:59:24+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-03-18T19:35:57+00:00 urn:sha1:6e9eff155e92efdc7b809b7a1afb71f9b5dc4c8e Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68480 The vulnerability has been fixed in version 4.1.2[1], however NVD tracks this CVE without version info. Mark it as patched explicitly. [1]: https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-26T04:59:24+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-03-16T20:18:27+00:00 urn:sha1:eb76962875191b7cf8368e3394a3575951574dfd Security fixes including CVE-2026-31958 https://www.tornadoweb.org/en/stable/releases/v6.5.5.html Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-26T04:59:24+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-03-16T20:18:26+00:00 urn:sha1:dbde84f17b9e38d288d9918c0f41ab1e9df64e8b Details https://nvd.nist.gov/vuln/detail/CVE-2026-32597 Backport commit[1] which fixes this vulnerability as mentioned in changelog[2] Dropped changes to the changelog, version bump and tests during backport. [1] https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92 [2] https://github.com/jpadilla/pyjwt/blob/2.12.0/CHANGELOG.rst Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-26T04:59:23+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-03-10T20:21:38+00:00 urn:sha1:d7546078a9e76c4ea21ef803e7b5fa31a69ca2ae Contains fixes for CVE-2026-25673 and CVE-2026-25674. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-26T04:59:23+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-03-10T12:17:25+00:00 urn:sha1:c08b3e9d8fa315ea82a1b9f3198990b6192d2269 Ptests passed successfully. Changelog: https://docs.djangoproject.com/en/6.0/releases/5.2.12/ - Fixed CVE-2026-25673 and CVE-2026-25674 - Fixed NameError when inspecting functions making use of deferred annotations in Python 3.14. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-09T02:19:32+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-03-08T15:36:50+00:00 urn:sha1:6bb74fff880a39fe2e82277e1657cc3c340fded8 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994 It is fixed already in the currently used version, however NVD tracks it without any version info, so it still shows up in CVE reports. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-09T02:19:31+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-03-06T18:33:45+00:00 urn:sha1:9fcdfa8b226e6c7f6ca6cdf1d7e1d196be971a9b Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990 Backport the patch referenced by the NVD advisory. Note that the patch contain some new binary test data, which requires "git" PATCHTOOL - other tools fail to apply binary patches. All ptests passed successfully: Testsuite summary TOTAL: 5011 PASS: 4577 SKIP: 431 XFAIL: 3 FAIL: 0 XPASS: 0 ERROR: 0 DURATION: 59 END: /usr/lib/python3-pillow/ptest 2026-03-06T17:58 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-09T02:19:30+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-03-06T18:33:44+00:00 urn:sha1:a892f6cfc9a5b354966790660118e1277f6f07f2 Contains fix for CVE-2026-14009. Changelog: * Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader * Block path traversal/arbitrary reads in nltk.data for protocol-less refs * Block path traversal/abs paths in corpus readers and FS pointers * Validate external StanfordSegmenter JARs using SHA256 * Add optional sandbox enforcement for filestring() * Maintenance: downloader/zipped models, CI/tooling updates Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 14d464c15094d1758dc14706646a8aa645a3bf34) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-06T04:39:14+00:00 Leon Anavi leon.anavi@konsulko.com 2026-03-03T09:19:41+00:00 urn:sha1:d925b85aee552890925bfb09c352221e0124cb7e Upgrade to release 3.1.3: - The session is marked as accessed for operations that only access the keys but not the values, such as in and len. Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 0badc6de53e06045d943143ef70773d6959f1a08) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>