summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* fcgi: add follow-up patch for CVE-2025-23016Peter Marko2026-02-263-1/+85
| | | | | | | | | New release [1] added additional fir for this CVE. [1] https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.7 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* nginx: patch CVE-2026-1642Peter Marko2026-02-262-0/+47
| | | | | | | | | Pick patch accorting to [1]. [1] https://security-tracker.debian.org/tracker/CVE-2026-1642 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* dovecot: ignore CVE-2025-30189Ankur Tyagi2026-02-261-0/+3
| | | | | | | | | | | | | Vulnerable versions are 2.4.0, 2.4.1 according to the full disclosure[1] Details: https://nvd.nist.gov/vuln/detail/CVE-2025-30189 [1] https://seclists.org/fulldisclosure/2025/Oct/29 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Adapted to Kirkstone. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* rocksdb: Add an option to set static libraryZahir Hussain2026-02-262-1/+75
| | | | | | | | | | | | | | | | | | Modify the CMakeLists.txt to add an Option for STATIC target import, as available for shared library. Link: https://github.com/facebook/rocksdb/pull/12890 Configure static library as option, default to ON. Provides option to make it off thru PACKCONFIG, if needed. Signed-off-by: Bhabu Bindu <bindu.bhabu@kpit.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 233079a41caded6b68972317f01dc09435ba1ae0) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 72018ca1b1a471226917e8246e8bbf9a374ccf97) Signed-off-by: Zahir Hussain <zahir.basha@kpit.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* postgresql: upgrade 14.20 -> 14.21Hitendra Prajapati2026-02-262-4/+4
| | | | | | | | | | | | | | It contains Security fixes for CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006 and CVE-2026-2007. It also contains other bug fixes and for more details refer Release note. 0001-configure.ac-bypass-autoconf-2.69-version-check.patch refreshed for 14.21 Release notes: https://www.postgresql.org/docs/release/14.21/ Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* wireshark: Fix multiple CVEsHitendra Prajapati2026-02-194-0/+473
| | | | | | | | | | | Backport fixes for : * CVE-2024-8645 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/8e5f8de8836d3a81276ae5b9bf78cbac58bb6108 * CVE-2026-0960 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/f31123dcdbac37272046b58b2f7941bc7fb42934 * CVE-2025-13945 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/9139917bd8e2c80a5db7079993d5528db74e3519 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* poppler: mark CVE-2022-38171 patchedGyorgy Sarvari2026-02-151-1/+1
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2022-38171 This is the same as CVE-2021-30860, but that one was primarily filed against Apple software (and some other related projects). The patch that fixes this vulenrability is already added to the recipe, just extend its CVE tag Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: upgrade 4.2.27 -> 4.2.28Gyorgy Sarvari2026-02-152-1/+1
| | | | | | | Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* mercurial: ignore CVE-2022-43410Gyorgy Sarvari2026-02-151-0/+2
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2022-43410 The vulnerability affects only the Mercurial Jenkins plugin, which is a different project. This CVE can be ignored in this recipe. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libebml: patch CVE-2015-8791Gyorgy Sarvari2026-02-152-5/+34
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2015-8791 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* ez-ipupdate: patch CVE-2003-0887Gyorgy Sarvari2026-02-132-0/+165
| | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887 The vulnerability is about the default (example) configurations, which place cache files into the /tmp folder, that is world-writeable. The recommendation would be to place them to a more secure folder. The recipe however does not install these example configurations, and as such it is not vulnerable either. Just to make sure, patch these folders to a non-tmp folder (and also install that folder, empty). Some more discussion about the vulnerability: https://bugzilla.suse.com/show_bug.cgi?id=48161 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit dd81ffdb685bd9c2ce1b27d0e5ff3f8e5551e3ad) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* Use https when accessing archive.xfce.orgJason Schonberg2026-02-1210-10/+10
| | | | | | | | | | | | | | | | | | | | | While using devtool to check available versions, I noticed a 301 http error. Specifically : $ devtool latest-version libxfce4ui Resolving archive.xfce.org (archive.xfce.org)... 217.70.191.87 Connecting to archive.xfce.org (archive.xfce.org)|217.70.191.87|:80... connected . HTTP request sent, awaiting response... 301 Moved Permanently Location: https://archive.xfce.org/src/xfce/libxfce4ui/4.20/ [following] With this patch, we change to make the SRC_URI an https request. A similar patch is already in master - commit 808916819692d4ee2a592ef25af55081d80a8021 Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* strongswan: Security fix for CVE-2025-62291Rohini Sangam2026-02-112-0/+50
| | | | | | | | | CVE fixed: - CVE-2025-62291 strongswan: Arbitrary Code Execution and Denial of Service via crafted EAP-MSCHAPv2 message Upstream-Status: Backport from https://download.strongswan.org/security/CVE-2025-62291/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch Signed-off-by: Rohini Sangam <rsangam@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* mariadb: Fix CVE-2025-30693Vijay Anusuri2026-02-112-0/+157
| | | | | | | Upstream-Status: Backport from https://github.com/MariaDB/server/commit/1c9f64e54ffb109bb6cf6a189e863bfa54e46510 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* tigervnc: mark CVE-2024-0408 and CVE-2024-0409 patchedGyorgy Sarvari2026-02-101-1/+1
| | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-0408 https://nvd.nist.gov/vuln/detail/CVE-2024-0409 Both of these vulnerabilities were fixed[1][2] in xserver 21.1.11, just mark them patched. [1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/8d825f72da71d6c38cbb02cf2ee2dd9e0e0f50f2 [2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/a4f0e9466f3bc7073a8f0c28a581211c2d7adf0e Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* tigervnc: ignore CVE-2025-26594...26601Gyorgy Sarvari2026-02-101-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ignore the following CVEs: CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26594 https://nvd.nist.gov/vuln/detail/CVE-2025-26595 https://nvd.nist.gov/vuln/detail/CVE-2025-26596 https://nvd.nist.gov/vuln/detail/CVE-2025-26597 https://nvd.nist.gov/vuln/detail/CVE-2025-26598 https://nvd.nist.gov/vuln/detail/CVE-2025-26599 https://nvd.nist.gov/vuln/detail/CVE-2025-26600 https://nvd.nist.gov/vuln/detail/CVE-2025-26601 TigerVNC compiles its own xserver, this is why these CVEs are associated with it - despite the vulnerabilities being in xserver. All of these vulnerabilities were fixed by the same PR[1], which has been part of xserver since version 21.1.16 (the currently used xserver version in TigerVNC is 21.1.18). Due to this, ignore these vulnerabilities, and just mark them as patched. [1]: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 4924e89bb77fe5486063229c50039a458d60f8ea) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* tigervnc: ignore CVE-2023-6478Gyorgy Sarvari2026-02-101-1/+1
| | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6478 TigerVNC compiles its own xserver, this is why this CVE is associated with it - despite the vulnerability being in xserver. The vulnerability was fixed by [1] (from the nvd report), which has been backported[2] to the xserver version used by the recipe - so ignore the CVE, since it's patched already. [1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632 [2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 62a78f8ba7c8bd229cc82cf81bcc6a6d8116ebca) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* tigervnc: ignore CVE-2023-6377Gyorgy Sarvari2026-02-101-0/+3
| | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6377 TigerVNC compiles its own xserver, this is why this CVE is associated with it - despite the vulnerability being in xserver. The vulnerability was fixed by [1] (from the nvd report), which has been backported[2] to the xserver version used by the recipe - so ignore the CVE, since it's patched already. [1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd [2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/a7bda3080d2b44eae668cdcec7a93095385b9652 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f691f2178b15eec22f09a1c17b9945fad4e330e6) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* tigervnc: sync xserver component with oe-coreGyorgy Sarvari2026-02-104-23/+180
| | | | | | | | | | | oe-core has a newer version of xserver than this recipe used to compile TigerVNC with. This recipe updates xserver to the same version, 21.1.18. TigerVNC only started to support this xserver version 2 versions later, with 1.13. Due to this 3 commits were backported that add the missing changes. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: patch CVE-2019-8354Gyorgy Sarvari2026-02-102-0/+30
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2019-8354 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2019-8354 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: patch CVE-2019-13590Gyorgy Sarvari2026-02-102-0/+35
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2019-13590 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2019-13590 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: mark CVE-2019-1010004 as patchedGyorgy Sarvari2026-02-101-1/+1
| | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004 The description mentions that this vulnerability overlaps with CVE-2017-18189, and Debian's investigation[1] confirms that it is solved by the same commit. Add the ID to the CVE tag of CVE-2017-18189.patch. [1]: https://security-tracker.debian.org/tracker/CVE-2019-1010004 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: patch CVE-2017-18189Gyorgy Sarvari2026-02-102-0/+35
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2017-18189 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2017-18189 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: patch CVE-2017-15642Gyorgy Sarvari2026-02-102-0/+36
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15642 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2017-15642 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: patch CVE-2017-15372Gyorgy Sarvari2026-02-102-0/+101
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15372 Pick the patch that was indeitified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2017-15372 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: patch CVE-2017-15371Gyorgy Sarvari2026-02-102-0/+41
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15371 Pick the patch that was identified by Debian[1] to fix the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2017-15371 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: patch CVE-2017-15370Gyorgy Sarvari2026-02-102-0/+30
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15370 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2017-15370 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: patch CVE-2017-11359Gyorgy Sarvari2026-02-102-0/+31
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11359 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2017-11359 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: patch CVE-2017-11358Gyorgy Sarvari2026-02-102-0/+30
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11358 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2017-11358 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sox: patch CVE-2017-11332Gyorgy Sarvari2026-02-102-0/+29
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11332 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2017-11332 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-protobuf: patch CVE-2026-0994Peter Marko2026-02-032-0/+48
| | | | | | | | | | Pick patch from PR in NVD report. It is the only code change in 33.5 release. Skip the test file change as it's not shipped in python module sources. Resolve formatting-only conflict. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* faad2: patch CVE-2021-32276Gyorgy Sarvari2026-02-013-0/+121
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32276 Pick the patches from the PR[1] that resolved the issue[2] referenced by the NVD advisory. [1]: https://github.com/knik0/faad2/pull/66 [2]: https://github.com/knik0/faad2/issues/58 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-pymongo: upgrade 4.1.0 -> 4.1.1zhengruoqin2026-01-301-1/+1
| | | | | | | | | Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-1-released/157895 Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5bfe98cb4074baa6b9a81e9a205eacf0d898db41) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-pymongo: patch CVE-2024-5629Gyorgy Sarvari2026-01-302-0/+50
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-5629 Backport the patch that is indicated to solve the issue based on the upstream project's Jira ticket[1] (which comes from the NVD report). [1]: https://jira.mongodb.org/browse/PYTHON-4305 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libiec61850: patch CVE-2024-45970Gyorgy Sarvari2026-01-302-0/+72
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-45970 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libiec61850: patch CVE-2024-45969Gyorgy Sarvari2026-01-302-1/+33
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-45969 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-ecdsa: ignore CVE-2024-23342Gyorgy Sarvari2026-01-301-0/+3
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-23342 The issue won't be fixed, because it is not in the scope of the project. See also the discussion in the relevant Github issue[1]. [1]: https://github.com/tlsfuzzer/python-ecdsa/issues/330 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libass: patch CVE-2020-24994Gyorgy Sarvari2026-01-302-1/+51
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2020-24994 Backport the commit that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* frr: ignore CVE-2023-3748, CVE-2023-41359..61Gyorgy Sarvari2026-01-301-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-3748 https://nvd.nist.gov/vuln/detail/CVE-2023-41359 https://nvd.nist.gov/vuln/detail/CVE-2023-41360 https://nvd.nist.gov/vuln/detail/CVE-2023-41361 Regarding CVE-2023-3748: Based on Debian's investigation, the vulnerability was solved by [1]. However that vulnerable code that was fixed was introduced after the recipe version, only in version 8.4.0[2]. Since the recipe version isn't affected by this CVE, ignore it. Regarding CVE-2023-41359: The pull request[3] referenced by the NVD report references another pull request[4] which was opened to backport the fix. The conversion on this PR confirms that the vulnerable feature was introduced in 8.5. Due to this, ignore this CVE. Regarding CVE-2023-41360: The vulnerable code was introduced[5] in version 8.4.0, and the recipe version is not vulnerable. Due to this ignore this CVE. Regarding CVE-2023-41361: The vulnerable code was introduced[6] in version 9.0 and the recipe version is not vulnerable. Due to this ignore this CVE. [1]: https://github.com/FRRouting/frr/commit/0a95d121ca8e1f43d41d952d6c82d111ca850085 [2]: https://github.com/FRRouting/frr/commit/54a3e60b3ebd3621c4dd90b0b49e8e36e4e100d8 [3]: https://github.com/FRRouting/frr/pull/14232 [4]: https://github.com/FRRouting/frr/pull/15927 [5]: https://github.com/FRRouting/frr/commit/f1aa49293a4a8302b70989aaa9ceb715385c3a7e [6]: https://github.com/FRRouting/frr/commit/234f6fd4f4804bb17bd8cbb1dd91994a914f38d2 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* gnome-settings-daemon: ignore CVE-2024-38394Gyorgy Sarvari2026-01-301-0/+3
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-38394 The CVE has the disputed flag. The project maintainers claim that the issue is not in gnome-setttings-daemon. If the vulnerability needs to be handled in gnome-settings-daemon, than it is a new feature rather than a vulnerability fix. Due to this, ignore this CVE. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* gpsd: patch CVE-2025-67268Gyorgy Sarvari2026-01-302-0/+98
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67268 Pick the patch that is referenced by the NVD advisory. The original commit also contains a lot of commenting style changes (// vs /* */) and whitespace changes which were removed from the backport. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-twitter: mark CVE-2012-5825 patchedGyorgy Sarvari2026-01-301-0/+3
| | | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825 The Debian bugtracker[1] indicated that the issue is tracked by upstream in github[2] (with a difference CVE ID, but same issue), where the vulnerability was confirmed. Later in the same github issue the solution is confirmed: the project switched to use the requests library, which doesn't suffer from this vulnerability. Due to this mark the CVE as patched. [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444 [2]: https://github.com/tweepy/tweepy/issues/279 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 3ee544e7591b36a49550a263a0ec4d64b5e490e8) Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* proftpd: ignore CVE-2021-47865Gyorgy Sarvari2026-01-301-0/+3
| | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865 This CVE was opened based on a 5 years old Github issue[1], and has been made public recently. The CVE wasn't officially disputed (yet?), but based on the description and the given PoC the application is working as expected. The vulnerability description and the PoC basically configures proftpd to accept maximum x connections, and then when the user tries to open x + 1 concurrent connections, it refuses new connections over the configured limit. See also discussion in the Github issue. I just put it on the ignore list. [1]: https://github.com/proftpd/proftpd/issues/1298 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libvncserver: patch CVE-2020-29260Gyorgy Sarvari2026-01-302-1/+31
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2020-29260 Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* catfish: upgrade 4.16.3 -> 4.16.4Gyorgy Sarvari2026-01-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | Changelog: - Add "Open with" right click item and dialog - Add a command-line option for setting default sort method - Add Ctrl+A accelerator for the treeview - Add option to show file size in binary or decimal - Cosmetic changes for search entry and delete dialog - Fix Ctrl+H not always toggling hidden files - Fix DE detection when launched from Electron apps - Fix exo file manager lookup for non-existent keys - Fix file manager lookup outside of Xfce - Fix GNOME DE detection in Ubuntu - Improve application menu appearance - Improve default width for the sidebar - Prepend the project root directory to sys.path - Support running without Xfconf (no preference saving) - Switch to using the super() method - Use correct executable for elementary Files - Translation Updates Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* nautilus: upgrade 42.1.1 -> 42.6Gyorgy Sarvari2026-01-301-1/+1
| | | | | | | | | | | | | | | | | | | | | Bugfix releases. Note that there were no 42.3 and 42.4 releases. 42.6: * Fix crash when pasting invalid clipboard data. CVE-2022-37290 42.5: * Really fix the cropped compress format popover on X11 * Fix behavior inconsistencies with new tabs * Fix memory leaks and missing signal disconnections * Translation updates 42.2: * Close broken link message dialog on response * Fix crash when opening new window from pathbar * Fix remote filesystem check * Translation updates Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libadwaita: upgrade 1.1.1 -> 1.1.7Gyorgy Sarvari2026-01-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bugfix releases. Changelog: Version 1.1.7: - AdwCarousel - Fix allocation - AdwFlap - Add a missing setter annotation for :fold-policy - Correctly measure separator - Avoid notify emissions in dispose() - AdwLeaflet - Fix can-unfold=false - AdwSpringAnimation - Fix critical damping velocity - AdwSwipeable - Fix get_swipe_area() fallback - AdwTabBar - Fix clipped labels - AdwToastOverlay - Don't focus buttons on click - Demo - Open primary menu with F10 - Fix the switch on the avatar page - Stylesheet - Fix GtkLevelBar fill colors - Fix dependency names in docs - Memory leak fixes Version 1.1.6: - AdwAvatar - Correctly redraw on custom image changes - AdwFlap - Fix natural width with fold-policy=never - AdwSplitButton - Don't make dropdown insensitive when the button is - AdwTabBar - Fix focus handling - Fix autoscroll for non-local drags - AdwToastOverlay - Clarify documentation - Stylesheet - Fix GtkSpinButton inside toolbars Version 1.1.5: - AdwCarousel - Fix a crash when removing a child while it's animating - AdwSqueezer - Sizing fixes - AdwTabBar - Fix long press handling - Fix a crash when clicking empty space while a tab is animating - AdwTabView - Fix set_menu_model() input check Version 1.1.4: - AdwAvatar - Fix draw_to_texture() with rectangular avatars - AdwTabBar - Fix squished or clipped text with gtk-hint-font-metrics=0 - AdwShadowHelper - Fix warnings when drawing vertical shadow - AdwSwipeTracker - Fix swipe speed on GTK 4.7.x - Fix criticals with GTK 4.7.x Version 1.1.3: - AdwLeaflet - Fix a broken link in docs - AdwPreferencesGroup - Fix accessibility labels - AdwToast - Fix the example in docs - Stylesheet - Add missing borders in high contrast version Version 1.1.2: - AdwLeaflet - Fix child sizing with fold-threshold-policy=natural - AdwStyleManager - Correctly handle removing a GdkDisplay - AdwSwipeTracker - Fix a memory leak - Fix high contrast setting name when using a portal - AdwTabBar - Fix middle click when inside GtkWindowHandle - Stylesheet - Fix action row title and subtitle inside GtkHeaderBar - Fix progressbar.osd overriding text color - Ensure active states consistently work with touchscreens - Fix GtkDropDown visual glitch when pressed on touchscreen - Translation updates: Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* gvfs: upgrade 1.50.4 -> 1.50.7Gyorgy Sarvari2026-01-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: 1.50.7: * client: Prevent returning invalid mount cache entries * dav: Fix authentication issues when DNS-SD URIs are used * nfs: Fix IPv6 URI handling * sftp/ftp: Ensure that is-symlink is always set to avoid warnings * Translation updates 1.50.6: * udisks2: Disconnect signal handlers to fix crashes when unmounting * fuse: Include missing locale.h header * Translation updates 1.50.5: * smbbrowse: Fix empty device listing after unrelated mount failure * udisks: Fix missing unmount notifications * trash: Fix nfs4 and cifs monitoring * smb: Allow renaming a file to the same name with a different case * mtp: Emit delete event on device disconnection * trash: Fix wrongly reported item-count * Some other fixes and improvements * Translation updates Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* gtk4: fix qa error with gstreamer PACKAGECONFIGGyorgy Sarvari2026-01-301-0/+1
| | | | | | | | | | | When gstreamer PACKAGECONFIG is enabled, packaging fails with the following error: ERROR: gtk4-4.6.9-r0 do_package: QA Issue: gtk4: Files/directories were installed but not shipped in any package: /usr/lib/gtk-4.0/4.0.0/media/libmedia-gstreamer.so Fix it by packaging this file also. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* gtksourceview5: upgrade 5.4.1 -> 5.4.2Gyorgy Sarvari2026-01-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: * Updated languages: c.lang, perl.lang * Updated style-schemes: Adwaita-dark, solarized-light, solarized-dark * Updated translations: Friulian * Gutter renderers are now provided a prelight quark for lines when the pointer is over the gutter. * Hover assistants now avoid synthesized motion which is used much more often in GTK 4 when dealing with crossing-events. * Hover assistants will now dismiss themselves when the cursor moves. * GtkSourceMap has reduced how often it needs to do allocation by ignoring spurious notify::upper and value-changed signals from GtkTextView's vertical GtkAdjustment. * The testsuite has gained some correctness improvements thanks to issues pointed out by Sébastien Wilmet. * The Vim emulation's register implementation is now shared between buffers as it would be expected in Vim. * Snippets have gained some robustness improvements including the ability to simplify results from the snippet parser, more defensive behavior, and being lazier when possible. * Tabbing through focus-positions in snippets will now immediately jump to the new position if scrolling is required instead of animating as it results in better placement of tooltip assistants. * Assistants including completion, hover, and interactive tooltips now reduce how often they request presentation and position calculation from GDK and ultimately display servers such as Wayland. * Completion windows now take the size of the gutter into account when calculating their position relative to the parent GtkWindow so that the typed-text column remains aligned with typed text in the source view. * Completion has gained robustness improvements to do less work when possible and avoid spinning the frame-clock which could happen in certain scenarios. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>