summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* imagemagick: patch CVE-2025-55212Gyorgy Sarvari2026-01-122-0/+30
| | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55212 Backport the patch that is mentioned in the NVD advisory. Notes about the backport: The original patch deletes two extra lines compared to the backport: those lines were a previous attempt[1] to solve the same vulnerability, and the final patch reverted them. Since that patch wasn't part of the recipe, those deletions were dropped from the backported patch. The PerceptibleReciprocal function was renamed[2] to MagickSafeReciprocal after the recipe's revision, but there were no functional changes in the function's behavior. [1]: https://github.com/ImageMagick/ImageMagick/commit/43d92bf855155e8e716ecbb50ed94c2ed41ff9f6 [2]: https://github.com/ImageMagick/ImageMagick/commit/7e5d87fe6e9 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: patch CVE-2025-55160Gyorgy Sarvari2026-01-122-0/+160
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55160 Pick the patch that mentions the related github advisory[1] in its commit message. [1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: patch CVE-2025-55154Gyorgy Sarvari2026-01-122-0/+80
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55154 Pick the patch that mentions the related github advisory[1] in its commit message. [1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: patch CVE-2025-55005Gyorgy Sarvari2026-01-122-0/+35
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55005 Pick the patch that mentions the related github advisory[1] in its commit message. [1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v393-38qx-v8fp Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: patch CVE-2025-55004Gyorgy Sarvari2026-01-122-0/+66
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55004 Pick the patch that mentions the related github advisory[1] explicitly in its commit message. [1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cjc8-g9w8-chfw Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: patch CVE-2025-53101Gyorgy Sarvari2026-01-122-0/+55
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53101 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: patch CVE-2025-53019Gyorgy Sarvari2026-01-122-0/+27
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53019 Pick the commit that is marked as a fix at the bottom of the relevant github advisory[1]. [1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: patch CVE-2025-53015Gyorgy Sarvari2026-01-122-0/+52
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53015 Backport the patches marked as a solution at the bottom of the relevant github advisory[1]. [1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: patch CVE-2025-53014Gyorgy Sarvari2026-01-122-1/+28
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53014 Pick the commit that is mentioned as a solution at the bottom of the relevant Github advisory[1]. [1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: mark CVE-2023-5341 as patchedGyorgy Sarvari2026-01-121-0/+1
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-5341 The fix[1] mentioned in the NVD report has been part of the recipe since 7.1.1-19. [1]: https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: upgrade 7.1.1-26 -> 7.1.1-47Gyorgy Sarvari2026-01-121-2/+2
| | | | | | | Contains fixes for CVE-2024-41817, CVE-2025-43965 and CVE-2025-46393 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* net-snmp: patch CVE-2025-68615Peter Marko2026-01-122-0/+34
| | | | | | | | | Pick patch per [1]. [1] https://security-tracker.debian.org/tracker/CVE-2025-68615 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nginx: Fix CVE-2025-23419 for 1.25.5Colin McAllister2026-01-124-2/+121
| | | | | | | | | | Updates nginx.inc to apply CVE-2025-23419.patch to both 1.24.0 and 1.25.5. However, a unique patch is provided for 1.25.5 since the upstream patch for CVE-2025-23419 can be cleanly applied to 1.25.5. Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com> Change-Id: Ia7b8e16067781776cf0a39fac757f8d25ac118fa Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nginx: upgrade 1.25.4 -> 1.25.5Colin McAllister2026-01-121-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Changelog: ========== https://nginx.org/en/CHANGES *) Feature: virtual servers in the stream module. *) Feature: the ngx_stream_pass_module. *) Feature: the "deferred", "accept_filter", and "setfib" parameters of the "listen" directive in the stream module. *) Feature: cache line size detection for some architectures. *) Feature: support for Homebrew on Apple Silicon. *) Bugfix: Windows cross-compilation bugfixes and improvements. *) Bugfix: unexpected connection closure while using 0-RTT in QUIC. Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* recipes-core/toybox: Switch SRC_URI to HTTPS for reliable fetchSanjay Chitroda2026-01-121-1/+1
| | | | | | | | | The upstream site (landley.net) serves inconsistent content when using HTTP, causing checksum mismatches during do_fetch. Using HTTPS ensures stable downloads and resolves checksum failures. Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-cbor2: Fix CVE-2025-64076Vijay Anusuri2026-01-122-0/+92
| | | | | | | Upstream-Status: Backport from https://github.com/agronholm/cbor2/commit/2349197bea8ebd1bf57a68f4a6549d8fd7585e66 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* atop: patch CVE-2025-31160Gyorgy Sarvari2025-12-302-0/+608
| | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31160 Backport the patch that's subject references the CVE id explicitly. I was able to verify the patch with a reproducer[1] (which is mentioned in a reference[2] in the nvd report). Without the patch atop crashed, with the patch it worked fine (both with and without -k/-K flags). [1]: https://blog.bismuth.sh/blog/bismuth-found-the-atop-bug [2]: https://gist.github.com/kallsyms/3acdf857ccc5c9fbaae7ed823be0365e Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* Add missing HOMEPAGEs to xfce recipesJason Schonberg2025-12-3010-0/+10
| | | | | | | | Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 4d964d4d79388c8c2db8d8a3fec029a656f9f937) Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* zabbix: patch CVE-2025-49643Gyorgy Sarvari2025-12-302-0/+39
| | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49643 The actual patch was identified by checking the file that was modified in the tag 6.0.42, and also by looking at the Jira item referenced by it: the patch references DEV-4466, the same ID that is referenced in the Jira ticket[1] referenced by the NVD report (look in the "All Activity" tab). [1]: https://support.zabbix.com/browse/ZBX-27284 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* wolfssl: patch CVE-2025-7395Gyorgy Sarvari2025-12-304-4/+142
| | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395 Backport the patches from the PR[1] that is referenced by the project's changelog[2] to fix this issue. [1]: https://github.com/wolfSSL/wolfssl/pull/8833 [2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libcoap: patch CVE-2025-59391Ankur Tyagi2025-12-302-0/+89
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2025-59391 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libcoap: ignore CVE-2023-51847Ankur Tyagi2025-12-301-0/+1
| | | | | | | | | | | | | | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2023-51847 The vulnerability exists in coap_threadsafe.c but thread safe support was added in version v4.5.3 [1] [1] https://github.com/obgm/libcoap/commit/c69c5d5af0a30859e90756f535e2ca21cdeda0b2 $ git tag --contains c69c5d5 v4.3.5 v4.3.5-rc1 v4.3.5-rc2 v4.3.5-rc3 v4.3.5a Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libcoap: ignore CVE-2025-50518Gyorgy Sarvari2025-12-301-0/+2
| | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-50518 The vulnerability is disputed by upstream, because the vulnerability requires a user error, incorrect library usage. See also an upstream discussion in a related (rejected) PR: https://github.com/obgm/libcoap/pull/1726 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 598176e1cb6c928e322e26d358e8d01ba9d5af0a) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libmemcached: ignore CVE-2023-27478Peter Marko2025-12-301-0/+2
| | | | | | | | | | | | | | | | | | | | Per [1] this is fixed by [2]. The commit message says that it is reverting feature added in: $ git tag --no-contains d7a0084 | grep 1.0.18 1.0.18 This recipe is for the original memcached which is unmaintained now. Hence the ignore instead of upgrade. [1] https://nvd.nist.gov/vuln/detail/CVE-2023-27478 [2] https://github.com/awesomized/libmemcached/commit/48dcc61a Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 607a44649189a29e6f547ce89b41ba332a45946a) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libiec61850: patch CVE-2024-45969Ankur Tyagi2025-12-302-0/+33
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2024-45969 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* dovecot: upgrade 2.3.21 -> 2.3.21.1Ankur Tyagi2025-12-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | Release Notes: - CVE-2024-23184: A large number of address headers in email resulted in excessive CPU usage. - CVE-2024-23185: Abnormally large email headers are now truncated or discarded, with a limit of 10MB on a single header and 50MB for all the headers of all the parts of an email. - oauth2: Dovecot would send client_id and client_secret as POST parameters to introspection server. These need to be optionally in Basic auth instead as required by OIDC specification. - oauth2: JWT key type check was too strict. - oauth2: JWT token audience was not validated against client_id as required by OIDC specification. - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol specific error message on all errors. This broke OIDC discovery. - oauth2: JWT aud validation was not performed if aud was missing from token, but was configured on Dovecot. Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* freerdp3: patch CVE-2025-68118Ankur Tyagi2025-12-302-0/+58
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2025-68118 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* cups-filters: patch CVE-2025-64524Ankur Tyagi2025-12-302-0/+82
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2025-64524 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* krb5: fix for CVE-2024-3596Hitendra Prajapati2025-12-302-0/+629
| | | | | | | Upstream-Status: Backport from https://github.com/krb5/krb5/commit/871125fea8ce0370a972bf65f7d1de63f619b06c Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* sngrep: upgrade 1.8.1 -> 1.8.2Gyorgy Sarvari2025-12-301-1/+1
| | | | | | | | | | This update contains fix for CVE-2024-35434, and a small build system change that adds a fallback in case ncurses library isn't available during build. Shortlog: https://github.com/irontec/sngrep/compare/v1.8.1...v1.8.2 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* postgresql: upgrade 16.10 -> 16.11Gyorgy Sarvari2025-12-302-3/+3
| | | | | | | | | | This is a bugfix release. Contains fixes for CVE-2025-12817 and CVE-2025-12818. Changelog: https://www.postgresql.org/docs/16/release-16-11.html Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* fio: ignore CVE-2025-10824Gyorgy Sarvari2025-12-301-0/+2
| | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824 The upstream maintainer wasn't able to reproduce the issue[1], and the related bug is closed without further action. [1]: https://github.com/axboe/fio/issues/1981 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a275078cbeaa0fafcfa4eb60ca69f05a8fe3df99) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* minio: ignore irrelevant CVEsGyorgy Sarvari2025-12-301-0/+6
| | | | | | | | | | | | | | | | The minio umbrella covers multiple projects. The recipe itself builds "minio client", which is a set of basic tools to query data from "minio server" - like ls, mv, find... The CVEs were files against minio server. Looking at the go mod list, this recipe doesn't use minio server even as a build dependency - so ignore the CVEs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit df462075be855c60117af661dbce1836c652fc16) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* accountservice: ignore CVE-2023-3297Gyorgy Sarvari2025-12-301-0/+2
| | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-3297 The vulnerability is triggered by a patch added by Ubuntu, and the vulnerable patch is not present in the recipe. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 071a45c9d76c9a222c8fbaa50089a8af44f44e74) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* p7zip 16.02: Fix CVE-2022-47069Vrushti Dabhi2025-12-302-0/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | | Upstream Repository: https://sourceforge.net/projects/p7zip/ Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069 Type: Security Fix CVE: CVE-2022-47069 Score: 7.8 Note: - Commit [1] updates complete p7zip archive source for v17 and includes changes that fixes CVE-2022-47609, adapted fix related changes in current p7zip v16.02. - Similar changes via [2] have been integrated into the upstream 7zip package, which replaced p7zip 16.02 in OE-Core master. For the testing: - Verified fix using steps mentioned at [3], trace not observed. - Validated against known malicious ZIP samples [3] References: [1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2 [2] https://github.com/ip7z/7zip/commit/f19f813537c7 [3] https://sourceforge.net/p/p7zip/bugs/241/ [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069 Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* redis: Refine CVE-2022-0543 status descriptionDeepak Rathore2025-12-222-2/+12
| | | | | | | | | | | | | | | | | | | | | | | | Refine the CVE_STATUS description for CVE-2022-0543 to provide a more precise explanation of this Debian-specific vulnerability. The vulnerability originates from Debian's packaging methodology, which loads system-wide Lua libraries (lua-cjson, lua-cmsgpack), enabling Lua sandbox escape. Upstream Redis builds, including those built by Yocto/OpenEmbedded, utilize embedded Lua from the deps/ directory and are therefore not affected by this issue. It is also fixed in Debian with this commit: https://salsa.debian.org/lamby/pkg-redis/-/commit/c7fd665150dc4769402cae97d1152b3c6e4366f0 References: - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce - https://nvd.nist.gov/vuln/detail/CVE-2022-0543 Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 7675392aa7c1bf27b8993d08936bc4bc84d1508d) Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* openh264: patch CVE-2025-27091Ankur Tyagi2025-12-172-0/+29
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2025-27091 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* openvpn: patch CVE-2025-13086Ankur Tyagi2025-12-172-0/+158
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2025-13086 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* tcpreplay: fix CVE-2025-9157Archana Polampalli2025-12-172-0/+45
| | | | | | | | | | | | | | | | A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2. The impacted element is the function untrunc_packet of the file src/tcpedit/edit_packet.c of the component tcprewrite. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da. Applying a patch is advised to resolve this issue. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit 0538af085a47b038e369db9872ffed8945b200c2) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* unbound: patch CVE-2024-43168Ankur Tyagi2025-12-173-0/+88
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2024-43168 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* unbound: patch CVE-2024-43167Ankur Tyagi2025-12-172-0/+47
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2024-43167 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* fetchmail: patch CVE-2025-61962Ankur Tyagi2025-12-172-0/+52
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2025-61962 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* civetweb: patch CVE-2025-9648Ankur Tyagi2025-12-172-0/+255
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2025-9648 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* editorconfig-core-c: patch CVE-2024-53849Ankur Tyagi2025-12-173-1/+106
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2024-53849 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* flatpak: patch CVE-2024-42472Ankur Tyagi2025-12-173-0/+215
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2024-42472 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libcupsfilters: patch CVE-2025-57812Ankur Tyagi2025-12-172-0/+130
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2025-57812 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* jasper: patch CVE-2024-31744Ankur Tyagi2025-12-172-0/+31
| | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2024-31744 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* mbedtls: fix CVE-2025-47917Kai Kang2025-12-172-0/+53
| | | | | | | | | | | CVE-2025-47917 is that the function mbedtls_x509_string_to_names() takes a head argument and performs a deep free() on it. Backport patch to fix CVE-2025-47917 and drop the modification in doc file and comment in header file which lack of context. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* proftpd: Fix CVE-2023-48795Vijay Anusuri2025-12-112-0/+786
| | | | | | | | | | Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/bcec15efe6c53dac40420731013f1cd2fd54123b Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit 6c8ae54fc345fb6249f1cc92ed769d451ddc12b5) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* wireshark: fix CVE-2025-13499Hitendra Prajapati2025-12-112-0/+46
| | | | | | | Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e180152d3dae668249f78c72a55a4ba436b57af7 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>