summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* imagemagick: upgrade 7.1.2-13 -> 7.1.2-15Wang Mingyu2026-03-091-1/+1
| | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 853aecb2f9d8ff277c8e47499bbc24f9595e603e) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* ceres-solver: Don't fail if .git/hooks/commit-msg can't be touchedPeter Kjellerstedt2026-03-061-1/+1
| | | | | | | | | | | The .git/hooks/commit-msg Git hook may already exist and not be writable. E.g., in our environment it is a symbolic link to a script in /usr/share. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a22fe21c597b1f7439d863342591d7947ec2ccca) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-flask: Upgrade 3.1.2 -> 3.1.3Leon Anavi2026-03-061-2/+2
| | | | | | | | | | | | | Upgrade to release 3.1.3: - The session is marked as accessed for operations that only access the keys but not the values, such as in and len. Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 0badc6de53e06045d943143ef70773d6959f1a08) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-werkzeug: upgrade 3.1.5 -> 3.1.6Gyorgy Sarvari2026-03-061-1/+1
| | | | | | | | | | | | Contains fix for CVE-2026-27199 Changelog: safe_join on Windows does not allow special devices names in multi-segment paths Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 9cbc4befe55716bfcf60616cd695318a5477b32d) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-sqlparse: upgrade 0.5.4 -> 0.5.5Wang Mingyu2026-03-061-1/+1
| | | | | | | | | | | | | | Changelog: ========== * Fix DoS protection to raise SQLParseError instead of silently returning None when grouping limits are exceeded * Fix splitting of BEGIN TRANSACTION statements Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 48617f70328d1a2abc2787594df028a3031e5268) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-greenlet: upgrade 3.2.4 -> 3.2.5Ankur Tyagi2026-03-061-1/+1
| | | | | | | | | Fix a crash on Python 3.9 if there are active greenlets during interpreter shutdown https://greenlet.readthedocs.io/en/latest/changes.html#id4 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-filelock: Upgrade 3.20.2 -> 3.20.3Leon Anavi2026-03-061-1/+1
| | | | | | | | | | | Upgrade to release 3.20.3: - Fix TOCTOU symlink vulnerability in SoftFileLock Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-filelock: Upgrade 3.20.1 -> 3.20.2Leon Anavi2026-03-061-1/+1
| | | | | | | | | | | | | Upgrade to release 3.20.2: - Support Unix systems without O_NOFOLLOW - [pre-commit.ci] pre-commit autoupdate Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8b5e1f5dbf6bfe9dd6725d5dd04cd4c6aff73c86) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-filelock: upgrade 3.20.0 -> 3.20.1Wang Mingyu2026-03-061-1/+1
| | | | | | | | | | | Changelog: CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit c2710a2df9bbafa9fabe87610f29864c56476b9d) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* valkey: upgrade 8.1.4 -> 8.1.6Ankur Tyagi2026-03-061-2/+2
| | | | | | | | | | | | Includes fix for CVE-2026-21863, CVE-2025-67733 and various bug fixes. Also include tag in the SRC_URI. https://github.com/valkey-io/valkey/releases/tag/8.1.5 https://github.com/valkey-io/valkey/releases/tag/8.1.6 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nbench-byte: Fix sysinfo generation in parallel buildDaniel Klauer2026-03-063-1/+99
| | | | | | | | | | | | | | | | | | The project Makefile uses a script (sysinfo.sh) to non-atomically generate two .c files (sysinfo.c, sysinfoc.c) which are then included in the build. Since the script always overwrites both .c files, the Makefile should only invoke it once, not twice in parallel. Otherwise the .c files may be corrupted and cause random build failures in parallel builds. Requires at least GNU make 4.3, for Grouped Targets support [1]. [1] https://lists.gnu.org/archive/html/info-gnu/2020-01/msg00004.html Reviewed-by: Silvio Fricke <silvio.fricke@gin.de> Signed-off-by: Daniel Klauer <daniel.klauer@gin.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit add2d94ab7d4170cece4e20af829a7221c572d5f) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* xrdp: patch CVE-2025-68670Ankur Tyagi2026-03-062-0/+79
| | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68670 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* minidlna: ignore CVE-2024-51442Gyorgy Sarvari2026-03-061-0/+1
| | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-51442 The description of the vulnerability says "attacker [...] execute arbitrary OS commands via a specially crafted minidlna.conf configuration file". There is no official fix for this CVE, and upstream seems to be inactive for the past 3 years. The reason for ignoring this CVE is that the referenced minidlna.conf file is in the /etc folder, and the file is not world-writable. Which means that this vulnerability can be exploited only when someone is root - but if the attacker is already root, they don't need to resort to minidlna config-file modifications to execute any command they want. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gimp: ignore already fixed CVEsGyorgy Sarvari2026-03-061-1/+4
| | | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0797 https://nvd.nist.gov/vuln/detail/CVE-2026-2044 https://nvd.nist.gov/vuln/detail/CVE-2026-2045 https://nvd.nist.gov/vuln/detail/CVE-2026-2047 https://nvd.nist.gov/vuln/detail/CVE-2026-2048 All these CVEs are already fixed in the recipe version, however NVD tracks them currently without CPE info. Ignore them. Relevant upstream commits: CVE-2026-0797: https://gitlab.gnome.org/GNOME/gimp/-/commit/ca449c745d58daa3f4b1ed4c2030d35d401a009d Note that the commit referenced by NVD is incorrect. This commit was identified from the relevant upstream Gitlab issue: https://gitlab.gnome.org/GNOME/gimp/-/issues/15555 CVE-2026-2044: https://gitlab.gnome.org/GNOME/gimp/-/commit/3b5f9ec2b4c03cf4a51a5414f2793844c26747e5 CVE-2026-2045: https://gitlab.gnome.org/GNOME/gimp/-/commit/bb896f67942557658b3fbfc67a1c073775c002c7 CVE-2026-2047: https://gitlab.gnome.org/GNOME/gimp/-/commit/5873e16f80cf4152d25a4c86b08553008a331e90 CVE-2026-2048: https://gitlab.gnome.org/GNOME/gimp/-/commit/fa69ac5ec5692f675de5c50a6df758f7d3e45117 Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gnome-shell: ignore CVE-2021-3982Gyorgy Sarvari2026-03-061-0/+1
| | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3982 The vulnerability is about a privilege escalation, in case the host distribution sets CAP_SYS_NICE capability on the gnome-shell binary. OE distros don't do that, and due to this this recipe is not affected by this issue. The CVE is ignored. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libjxl: upgrade 0.11.1 -> 0.11.2Ankur Tyagi2026-03-061-2/+2
| | | | | | | | | | | | | - fix tile dimension in low memory rendering pipeline (CVE-2025-12474) - fix number of channels for gray-to-gray color transform (CVE-2026-1837) - djxl: reject decoding JXL files if "packed" representation size overflows size_t https://github.com/libjxl/libjxl/releases/tag/v0.11.2 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* protobuf: ignore CVE-2026-0994Gyorgy Sarvari2026-03-061-0/+2
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994 The vulnerability impacts only the python bindings of protobuf, which is in a separate recipe (python3-protobuf, where it is patched). Ignore this CVE in this recipe due to this. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* postgresql: upgrade 17.7 -> 17.8Ankur Tyagi2026-03-067-21/+15
| | | | | | | | | | | | | | | License-Update: Update license year to 2026 Refreshed patches for version 17.8 Includes fix for CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006 Release Notes: https://www.postgresql.org/docs/release/17.8/ Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* openjpeg: patch CVE-2023-39327Gyorgy Sarvari2026-03-062-0/+51
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39327 Take the patch that is used by OpenSUSE to mitigate this vulnerability. Upstream seems to be unresponsive to this issue. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nginx: patch CVE-2026-1642Gyorgy Sarvari2026-03-062-0/+47
| | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-1642 Note: this is only for v1.29.1. v1.28.x recipe contains this fix already. Pick the commit that was identified by the reporter on the oss-sec mailing list[1] [1]: https://www.openwall.com/lists/oss-security/2026/02/05/1 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* wolfssl: patch CVE-2025-7394Ankur Tyagi2026-03-067-0/+632
| | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7394 Backport patches from the PR[1][2][3] mentioned in the changelog[4]. [1] https://github.com/wolfSSL/wolfssl/pull/8849 [2] https://github.com/wolfSSL/wolfssl/pull/8867 [3] https://github.com/wolfSSL/wolfssl/pull/8898 [4] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025 Dropped changes to github workflow and tests during backport. Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* wolfssl: patch CVE-2025-7395Ankur Tyagi2026-03-065-0/+170
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395 Backport patches from the PR[1] mentioned in the changelog[2] [1] github.com/wolfSSL/wolfssl/pull/8833 [2] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* wolfssl: patch CVE-2025-13912Ankur Tyagi2026-03-062-0/+440
| | | | | | | | | | Backport changes from PR[1] mentioned in nvd[2] [1] https://github.com/wolfSSL/wolfssl/pull/9148 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-13912 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* systemd-netlogd: upgrade 1.4.4 -> 1.4.5Anuj Mittal2026-03-061-2/+2
| | | | | | | | | | | | Fixes build with 32 bit machines. - Fix build on 32-bit with 64-bit time_t by @cgzones in #136 - Misc by @cgzones in #137 - Add terminating newline also for TLS connections by @Googulator in #139 - Add RFC5425 length field by @derobert in #140 - Correct examples for ExcludeSyslogFacility and ExcludeSyslogLevel by @ngraziano in #141 Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-pybind11-json: fix Targets.cmake trying to reference hostTafil Avdyli2026-03-062-1/+36
| | | | | | | | | | | | | | | | | | The resulting pybind11_jsonTargets.cmake in the dev-package adds an absolute path to python include directories in the target properties: set_target_properties(pybind11_json PROPERTIES INTERFACE_INCLUDE_DIRECTORIES "/usr/include/python3.13;${_IMPORT_PREFIX}/include" ) The patch removes ${PYTHON_INCLUDE_DIRS} which is set by pybind11 from set_target_properties to remove the poisonous host path. Signed-off-by: Tafil Avdyli <tafil@tafhub.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 0332dae9bb2ff79e4a4faa45c42d96e0dccee4db) Signed-off-by: Tafil Avdyli <tafil@tafhub.de> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* tomoyo-tools: update SRC_URIAnkur Tyagi2026-02-241-1/+2
| | | | | | | The previous one became inaccessible. Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nginx: upgrade 1.28.1 -> 1.28.2Gyorgy Sarvari2026-02-191-1/+1
| | | | | | | | | | | | Changelog: - Security: an attacker might inject plain text data in the response from an SSL backend (CVE-2026-1642). - Bugfix: use-after-free might occur after switching to the next gRPC or HTTP/2 backend. - Bugfix: fixed warning when compiling with MSVC 2022 x86. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* php: upgrade 8.4.17 -> 8.4.18Jason Schonberg2026-02-191-1/+1
| | | | | | | | | This is a bug fix release. Changelog: https://www.php.net/ChangeLog-8.php#8.4.18 Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libtracefs: upgrade 1.8.2 -> 1.8.3Wang Mingyu2026-02-191-1/+1
| | | | | | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 0fbbddd53762d6cb273e898dbea6838a8af468d5) Changes: https://git.kernel.org/pub/scm/libs/libtrace/libtracefs.git/tag/?h=libtracefs-1.8.3 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* usbids: upgrade 2025.09.15 -> 2025.12.13Jason Schonberg2026-02-191-2/+2
| | | | | | | | Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5aca0a216d07a1876ed6e9d22f34456f0595ed64) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* minizip-ng: 4.0.8 -> 4.0.10Liu Yiding2026-02-192-37/+1
| | | | | | | | | | | | | 1.Changelog: https://github.com/zlib-ng/minizip-ng/releases/tag/4.0.10 2.Remove 0001-crypt.h-Remove-register-keyword.patch as it was merged upstream. Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5f6dbb284a16d3e0e85bb9ece7566703c213ba63) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* paho-mqtt-c: upgrade 1.3.14 -> 1.3.15Gyorgy Sarvari2026-02-192-40/+2
| | | | | | | | | | | | | | | | Drop patch to fix gcc15 compatibility - the problem has been solved by upstream. Changelog: - Update getaddrinfo options to support IPv6 hostname resolution - Removed unnecessary _WIN64 conditional checks - Fixed condition variable timed wait - Support tls:// prefix Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit cb9d043f4639e88ea0267882f46a41b2c5e49c16) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libx86-1: upgrade 1.1 -> 1.1.1Gyorgy Sarvari2026-02-196-247/+4
| | | | | | | | | | | | | | | Bugfix release, mostly with patches applied from other distros. Also fixes the SRC_URI which became inaccessible over time. Drop patches that are included in this release. Shortlog: https://gitlab.archlinux.org/grawlinson/libx86/-/compare/v1.1...v1.1.1 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 19fdc49db3a41b1380c387bf9b5dbbf631048a64) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libsdl2-compat: update 2.32.58 -> 2.32.62Markus Volk2026-02-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | | Changelog: 2.32.62: This is a stable bugfix release, with the following changes: Improved support for GNU/Hurd Fixed crash if hidapi strings are not available 2.32.60: This is a stable bugfix release, with the following changes: Fixed crash at startup in Dwarf Fortress Fixed crash at startup in Stellaris Fixed mouse stuttering in Amiberry Fixed the viewport not being reset when the window is resized Signed-off-by: Markus Volk <f_l_k@t-online.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> Adapted for Whinlatter to keep x11 in REQUIRED_DISTRO_FEATURES Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* cryptsetup: upgrade 2.8.3 -> 2.8.4Wang Mingyu2026-02-191-1/+1
| | | | | | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Stable bug-fix release https://gitlab.com/cryptsetup/cryptsetup/-/blob/v2.8.4/docs/v2.8.4-ReleaseNotes?ref_type=tags (cherry picked from commit 9111684d670f1091fc38778cfb140d39871d9c0b) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 4.2.27 -> 4.2.28Gyorgy Sarvari2026-02-191-1/+1
| | | | | | | | Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 5.2.9 -> 5.2.11Gyorgy Sarvari2026-02-191-1/+1
| | | | | | | | | | | | | | | | | Changelog: 5.2.11: Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312 5.2.10: * Fixed a bug in Django 5.2 where data exceeding max_length was silently truncated by QuerySet.bulk_create on PostgreSQL. * Fixed a bug where management command colorized help (introduced in Python 3.14) ignored the --no-color option and the DJANGO_COLORS setting. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-watchdog: Remove obsolete dependenciesTero Kinnunen2026-02-191-7/+2
| | | | | | | | | | | | | | | | Python watchdog has removed all dependencies except optional `pyyaml` dependency for `watchmedo` utility, like follows [1]: * pathtools dependency was removed in 1.0.0 * python-argh dependency removed in 2.1.6 * requests was never a dependency * pyyaml only needed for extras (`watchmedo`) and may not be strictly necessary [1] https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst Signed-off-by: Tero Kinnunen <tero.kinnunen@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gnome-desktop: upgrade 44.1 -> 44.4Gyorgy Sarvari2026-02-191-1/+1
| | | | | | | | | | | | | | | | | | | | Changes: Version 44.4 - Support TryExec for thumbnailers - Translation updates Version 44.3 - Fix CI regression for release upload Version 44.2 - Stop using ratio character for time in the wall-clock - Fix variable initialization - General CI cleanups - Only parse XML files as slideshows - Translation updates Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* wireshark: patch CVE-2026-0962Gyorgy Sarvari2026-02-192-0/+132
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0962 Backport the commit that is referenced in the related gitlab issue[1]. [1]: https://gitlab.com/wireshark/wireshark/-/issues/20945 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-python-multipart: patch CVE-2026-24486Gyorgy Sarvari2026-02-192-0/+62
| | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24486 Pick the patch that is referenced by the NVD advisory. Ptests passed successfully: Testsuite summary TOTAL: 121 PASS: 121 SKIP: 0 XFAIL: 0 FAIL: 0 XPASS: 0 ERROR: 0 DURATION: 2 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* redis: ignore CVE-2025-46686Gyorgy Sarvari2026-02-192-0/+2
| | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-46686 Upstream disputes that it is a security violation, and says that implementing a mitigation for this would negatively affect the rest of the application, so they elected to ignore it. See Github advisory about the same vulnerability: https://github.com/redis/redis/security/advisories/GHSA-2r7g-8hpc-rpq9 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 868b4b2959c1f6be13693e31eae5b27a1fa697e6) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* raptor2: patch CVE-2024-57822 and CVE-2024-57823Gyorgy Sarvari2026-02-193-0/+77
| | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-57822 https://nvd.nist.gov/vuln/detail/CVE-2024-57823 Pick the patches mentioned in the github issue[1] mentioned in the NVD advisories (both of them are covered by the same issue) [1]: https://github.com/dajobe/raptor/issues/70 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit dc2c6a514e7744da4165effefa61ad59c27cf507) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-werkzeug: upgrade 3.1.4 -> 3.1.5Gyorgy Sarvari2026-02-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | | Contains fix for CVE-2026-21860 Changelog: - safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. - The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. - Fix AttributeError when initializing DebuggedApplication with pin_security=False. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit ecf359d2562795ca8de18f12f117cd654c30965e) From the release notes: This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-werkzeug: upgrade 3.1.3 -> 3.1.4Wang Mingyu2026-02-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: ============== - safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. - The debugger pin fails after 10 attempts instead of 11. - The multipart form parser handles a \r\n sequence at a chunk boundary. - Improve CPU usage during Watchdog reloader. - Request.json annotation is more accurate. - Traceback rendering handles when the line number is beyond the available source lines. - HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 74aa2bdac6d658791af34881f291d91aa4dc57ba) Contains fix for CVE-2025-66221. From the release notes: This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-virtualenv: patch CVE-2026-22702Gyorgy Sarvari2026-02-192-0/+61
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22702 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-uvicorn: mark CVE-2020-7694 patchedGyorgy Sarvari2026-02-191-0/+1
| | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2020-7694 The vulnerability was reported to the project[1], and the commit[2] that resolved the issue has been part of the project since version 0.11.7. Mark the CVE as patched due to this. [1]: https://github.com/Kludex/uvicorn/issues/723 [2]: https://github.com/Kludex/uvicorn/commit/895807f94ea9a8e588605c12076b7d7517cda503 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a5ee234b8cf06b6385a9bf1eb5b60d6171a993c9) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-twitter: mark CVE-2012-5825 patchedGyorgy Sarvari2026-02-191-0/+2
| | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825 The Debian bugtracker[1] indicated that the issue is tracked by upstream in github[2] (with a difference CVE ID, but same issue), where the vulnerability was confirmed. Later in the same github issue the solution is confirmed: the project switched to use the requests library, which doesn't suffer from this vulnerability. Due to this mark the CVE as patched. [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444 [2]: https://github.com/tweepy/tweepy/issues/279 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 3ee544e7591b36a49550a263a0ec4d64b5e490e8) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-tornado: upgrade 6.5.3 -> 6.5.4Wang Mingyu2026-02-191-1/+1
| | | | | | | | | | | | | | | Bug fixes ~~~~~~~~~ - The "in" operator for "HTTPHeaders" was incorrectly case-sensitive, causing lookups to fail for headers with different casing than the original header name. This was a regression in version 6.5.3 and has been fixed to restore the intended case-insensitive behavior from version 6.5.2 and earlier. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit ebca0ae79d15c5d5f1489a8b5de18c810891e7e4) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-tornado: upgrade 6.5.2 -> 6.5.3Wang Mingyu2026-02-191-1/+1
| | | | | | | | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8ba97b66461e6dc9c8b073e43286932394d53ed0) Changelog: https://github.com/tornadoweb/tornado/blob/master/docs/releases/v6.5.3.rst - Fix CVE-2025-67724, CVE-2025-67725 and CVE-2025-67726 - Fix open redirect vulnerabilities in demos - Fix path traversal vulnerabilites in demos Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-04-22 06:38:47 +0000