summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* python-grpcio(-tools): add grpc:grpc to cve productPeter Marko2026-05-212-0/+4
| | | | | | | | | | | | | | | | | | | | | | These grpc python modules contain parts of grpc core. Each CVE needs to be assessed if the patch applies also to core parts included in each module. Note that so far there was never a CVE specific for python module, only for grpc:grpc and many of those needed to be fixed at leasts in grpcio: sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product; grpc|grpc|21 grpck|grpck|1 linuxfoundation|grpc_swift|9 microsoft|grpconv|1 opentelemetry|configgrpc|1 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f993cb2ecb62193bcce8d3d0e06e180a7fef44b8) Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* wireshark: fix for CVE-2025-13946Hitendra Prajapati2026-05-212-0/+52
| | | | | | | | | | | Pick patch from [1] also mentioned at NVD report in [2] [1] https://gitlab.com/wireshark/wireshark/-/issues/20884 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-13946 [3] https://security-tracker.debian.org/tracker/CVE-2025-13946 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* jq: Stick to C17 until next releaseKhem Raj2026-05-051-0/+3
| | | | | | | | | | | | | Patches are sprinkled in master branch of jq but the backports regresses tests, so its better to keep it at C17 for now. Backport: changed from += to :append to apply to all target, native and nativesdk builds. Signed-off-by: Khem Raj <raj.khem@gmail.com> Cc: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* onig: fix gcc 15 buildMikko Rapeli2026-04-292-0/+139
| | | | | | | With backport from upstream 6.9.10. Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* jq: patch CVE-2026-39979Ankur Tyagi2026-04-292-0/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979 Ptests passed: root@qemux86:~# ptest-runner jq START: ptest-runner 2026-04-26T11:09 BEGIN: /usr/lib/jq/ptest PASS: optionaltest PASS: mantest PASS: jqtest PASS: onigtest PASS: shtest PASS: utf8test PASS: base64test === Test Summary === TOTAL: 7 PASSED: 7 FAILED: 0 SKIPPED: 0 DURATION: 44 END: /usr/lib/jq/ptest 2026-04-26T11:10 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* jq: patch CVE-2026-33948Ankur Tyagi2026-04-292-0/+52
| | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* jq: patch CVE-2026-33947Ankur Tyagi2026-04-292-0/+108
| | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* jq: patch CVE-2026-32316Ankur Tyagi2026-04-292-0/+56
| | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-pillow: fix CVE-2026-40192Hitendra Prajapati2026-04-292-0/+51
| | | | | | | | | | | Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2]. [1] https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-40192 [3] https://security-tracker.debian.org/tracker/CVE-2026-40192 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libssh: Fix CVE-2026-0965Ankur Tyagi2026-04-292-0/+285
| | | | | | | | | | | | | | | | | | | | | | | Backport the patch [1] as mentioned in [2] [1] https://git.libssh.org/projects/libssh.git/commit/?id=bf390a042623e02abc8f421c4c5fadc0429a8a76 [2] https://security-tracker.debian.org/tracker/CVE-2026-0965 Ptests passed: root@qemux86:~# ptest-runner libssh START: ptest-runner 2026-04-28T04:44 BEGIN: /usr/lib/libssh/ptest ... ... DURATION: 269 END: /usr/lib/libssh/ptest 2026-04-28T04:49 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libssh: patch CVE-2026-0967Ankur Tyagi2026-04-292-0/+361
| | | | | | | | | | Backport patch [1] as mentioned in [2] [1] https://git.libssh.org/projects/libssh.git/commit/?id=6d74aa6138895b3662bade9bd578338b0c4f8a15 [2] https://security-tracker.debian.org/tracker/CVE-2026-0967 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libssh: patch CVE-2026-0968Ankur Tyagi2026-04-293-0/+202
| | | | | | | | | | | | | | | | | Backport patches [1] and [2] as mentioned in [3] [1] https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9 [2] https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03 [3] https://security-tracker.debian.org/tracker/CVE-2026-0968 Certain functions from sftp.c were moved to a new file sftp_common.c in version 0.11.0 by following commit: https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a This is the backport of the changes using the original file sftp.c Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* corosync: patch CVE-2026-35092Gyorgy Sarvari2026-04-292-0/+58
| | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092 Pick the patch that mentions the CVE ID explicitly (the same commit was identified by Debian also[1]) [1]: https://security-tracker.debian.org/tracker/CVE-2026-35092 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> (cherry picked from commit af73e716bc7150ae8d912d8af00f6995e25f2031) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* corosync: patch CVE-2026-35091Gyorgy Sarvari2026-04-292-0/+48
| | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091 Pick the patch that mentions the CVE ID explicitly (it was identified by Debian also as the fix[1]) [1]: https://security-tracker.debian.org/tracker/CVE-2026-35091 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> (cherry picked from commit 701b22fda35648efc333d6e6e7abd8e70aa49870) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* opensc: patch CVE-2025-66215Ankur Tyagi2026-04-295-0/+177
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66215 Backport the patches referenced by the PR[1] mentioned in the nvd. Dropped the formatting commit from the backport. [1] https://github.com/OpenSC/OpenSC/pull/3436 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* opensc: patch CVE-2025-66038Ankur Tyagi2026-04-292-0/+42
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66038 Backport the patch referenced by the wiki[1] mentioned in the nvd. [1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* opensc: patch CVE-2025-66037Ankur Tyagi2026-04-292-0/+36
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66037 Backport the patch referenced by the wiki[1] mentioned in the nvd. [1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* opensc: patch CVE-2025-49010Ankur Tyagi2026-04-292-0/+73
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49010 Backport the patch referenced by the wiki[1] mentioned in the nvd. [1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* openjpeg: patch CVE-2026-6192Gyorgy Sarvari2026-04-292-0/+36
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6192 Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> (cherry picked from commit 09050325e6e0736beccc40d125e56430054b7cb8) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* jq: fix CVE-2026-40164Daniel Turull2026-04-292-0/+93
| | | | | | | Backport patch to fix CVE-2026-40164. Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nginx: fix CVE-2026-32647Hitendra Prajapati2026-04-292-0/+79
| | | | | | | | | | | | As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix. Backport the commit[3] from 1.28.3 changelog matching the description. [1] https://my.f5.com/manage/s/article/K000160366 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647 [3] https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* krb5: Backport additional fixes to build on clangKhem Raj2026-04-293-0/+1243
| | | | | | | | | | | | Enabling additional warning tightens the function prototype checks and clang goes a step ahead to flag void foo() as well it should be void foo(void) Signed-off-by: Khem Raj <raj.khem@gmail.com> Cc: Martin Jansa <martin.jansa@gmail.com> (cherry picked from commit 37cc472e44ef5b2b8c0ae8b5bcebf875fa9dd5be) Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* kernel-hardening-checker: update 0.6.10.2 -> 0.6.17.1Michael Opdenacker2026-04-291-1/+1
| | | | | | | | | | Following the update on master. This version reports more hardening issues: 128 "failures" instead of 113 on the same kernel. Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-tornado: set CVE_PRODUCTGyorgy Sarvari2026-04-291-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The default "python:tornado" CVE_PRODUCT doesn't match relevant CVEs, because the project's CPE is "tornadoweb:tornado". See cve db query (docmosis is an irrelevant vendor): sqlite> select * from products where PRODUCT = 'tornado'; CVE-2012-2374|tornadoweb|tornado|||2.2|<= CVE-2012-2374|tornadoweb|tornado|1.0|=|| CVE-2012-2374|tornadoweb|tornado|1.0.1|=|| CVE-2012-2374|tornadoweb|tornado|1.1|=|| CVE-2012-2374|tornadoweb|tornado|1.1.1|=|| CVE-2012-2374|tornadoweb|tornado|1.2|=|| CVE-2012-2374|tornadoweb|tornado|1.2.1|=|| CVE-2012-2374|tornadoweb|tornado|2.0|=|| CVE-2012-2374|tornadoweb|tornado|2.1|=|| CVE-2012-2374|tornadoweb|tornado|2.1.1|=|| CVE-2014-9720|tornadoweb|tornado|||3.2.2|< CVE-2023-25264|docmosis|tornado|||2.9.5|< CVE-2023-25265|docmosis|tornado|||2.9.5|< CVE-2023-25266|docmosis|tornado|||2.9.5|< CVE-2023-28370|tornadoweb|tornado|||6.3.2|< CVE-2024-42733|docmosis|tornado|||2.9.7|<= CVE-2024-52804|tornadoweb|tornado|||6.4.2|< CVE-2025-47287|tornadoweb|tornado|||6.5.0|< CVE-2025-67724|tornadoweb|tornado|||6.5.3|< CVE-2025-67725|tornadoweb|tornado|||6.5.3|< CVE-2025-67726|tornadoweb|tornado|||6.5.3|< Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 139cc15de304918edc0197346579162b12006faa) Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* hdf5: fix CVE-2025-6857Libo Chen2026-04-292-0/+256
| | | | | | | | | | | | | | | | According to [1], A vulnerability has been found in HDF5 1.14.6 and classified as problematic. Affected by this vulnerability is the function H5G__node_cmp3 of the file src/H5Gnode.c. The manipulation leads to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Backport patch [2] from upstream to fix CVE-2025-6857 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-6857 [2] https://github.com/HDFGroup/hdf5/commit/a8ceb1d95bb997f548c1129363dad53c18540096 Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* hdf5: fix CVE-2025-2308Libo Chen2026-04-292-0/+334
| | | | | | | | | | | | | | | | | According to [1], A vulnerability, which was classified as critical, was found in HDF5 1.14.6. This affects the function H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release. Backport patch [2] from upstream to fix CVE-2025-2308 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2308 [2] https://github.com/HDFGroup/hdf5/commit/2ce7fdc4cf147d280aa6d49686297faacc250e40 Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nginx: set CVE_PRODUCTGyorgy Sarvari2026-04-291-0/+2
| | | | | | | | | | | | nginx has a long history, and has used multiple CPEs over time. Set CVE_PRODUCT to reflect current and historic vendor:product pairs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d25aadbbb53d54382b4b82b1f78a69d4d117fd28) Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* rocksdb: packageconfig knob for set static library optionZahir Hussain2026-04-291-1/+1
| | | | | | | | | | | Adding PACKAGECONFIG knob for enable/disable the static library option It is just a follow-up changes of previous commit https://git.openembedded.org/meta-openembedded/commit/?h=scarthgap&id=72018ca1b1a471226917e8246e8bbf9a374ccf97 and also this changes are already accepted and integrated in kirkstone branch. Signed-off-by: Zahir Hussain <zahir.basha@kpit.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: Fix CVEsNaman Jain2026-04-2929-0/+2121
| | | | | | | | | | | | | | Fix the following CVEs- CVE-2026-24481 CVE-2026-25638 CVE-2026-25794 CVE-2026-25795 CVE-2026-25796 CVE-2026-25797 CVE-2026-25798 CVE-2026-25799 CVE-2026-25897 CVE-2026-25898 CVE-2026-25965 CVE-2026-25966 CVE-2026-25967 CVE-2026-25968 CVE-2026-25969 CVE-2026-25970 CVE-2026-25982 CVE-2026-25985 CVE-2026-25986 CVE-2026-25987 CVE-2026-25988 CVE-2026-26066 CVE-2026-26283 CVE-2026-26284 CVE-2026-26983 Signed-off-by: Naman Jain <namanj1@kpit.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nginx: fix CVE-2026-28753Ankur Tyagi2026-04-152-0/+94
| | | | | | | | | | | | As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix. Backport the commit[3] from 1.28.3 changelog matching the description. [1] https://my.f5.com/manage/s/article/K000160367 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-28753 [3] https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nginx: fix CVE-2026-27654Ankur Tyagi2026-04-152-0/+82
| | | | | | | | | | | | As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix. Backport the commit[3] from 1.28.3 changelog matching the description. [1] https://my.f5.com/manage/s/article/K000160382 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-27654 [3] https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nginx: fix CVE-2026-27651Ankur Tyagi2026-04-152-0/+35
| | | | | | | | | | | | As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix. Backport the commit[3] from 1.28.3 changelog matching the description. [1] https://my.f5.com/manage/s/article/K000160383 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-27651 [3] https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* grpc: set status for CVE-2026-33186Peter Marko2026-04-151-0/+2
| | | | | | | | | | CPE per NVD report is for "go", while this is C++ component: * cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:* Also the link to adisory within NVD report says "grpc-go": * https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-werkzeug: ignore CVE-2026-27199Ankur Tyagi2026-04-151-0/+1
| | | | | | | | | Vvulnerability affects Windows application and can be ignored. Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27199 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-tornado: fix CVE-2026-35536Ankur Tyagi2026-04-152-0/+156
| | | | | | | | | | | Backport the commit[1] from version 6.5.5 which fixes this vulnerability according to the NVD[2]. [1] https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-35536 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-flask: upgrade 3.0.2 -> 3.0.3Ankur Tyagi2026-04-151-2/+2
| | | | | | | | | | | | License Update: File renamed as txt[1] Release Notes: https://github.com/pallets/flask/releases/tag/3.0.3 [1] https://github.com/pallets/flask/commit/87d5f5b9a9697434e6d972b021201105eabb54e6 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-ecdsa: fix CVE-2026-33936Ankur Tyagi2026-04-152-0/+57
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33936 Ptests passed: root@qemux86:~# ptest-runner python3-ecdsa START: ptest-runner 2026-04-11T08:04 BEGIN: /usr/lib/python3-ecdsa/ptest ... ... Testsuite summary # TOTAL: 1978 # PASS: 1974 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 DURATION: 386 END: /usr/lib/python3-ecdsa/ptest 2026-04-11T08:10 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 4.2.29 -> 4.2.30Ankur Tyagi2026-04-152-1/+1
| | | | | | | | Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.30/ Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nmap: rename enum PCAP_SOCKETJinfeng Wang2026-04-152-0/+82
| | | | | | | | | The enum PCAP_SOCKET conflicts with the PCAP_SOCKET macro introduced in libpcap 1.10.5. Use ifdefs to handle both old and new libpcap versions, renaming the enum to NM_PCAP_SOCKET when the PCAP_SOCKET macro is defined. Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: fix CVE-2025-59681Haixiao Yan2026-04-152-0/+179
| | | | | | | | | | | | | | | | | QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods on MySQL and MariaDB. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-59681 Upstream-patch: https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: fix CVE-2025-57833Haixiao Yan2026-04-152-0/+89
| | | | | | | | | | | | | | | | FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-57833 Upstream-patch: https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* hdf5: fix CVE-2025-2309Libo Chen2026-04-152-0/+42
| | | | | | | | | | | | | | | | | | | According to [1], A vulnerability has been found in HDF5 1.14.6 and classified as critical. This vulnerability affects the function H5T__bit_copy of the component Type Conversion Logic. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor plans to fix this issue in an upcoming release. Backport patch [2] from upstream to fix CVE-2025-2309 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2309 [2] https://github.com/HDFGroup/hdf5/commit/9d90b21ef5c5373978014f1a711795aa653bd9a1 Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* hdf5: fix CVE-2025-44905Libo Chen2026-04-152-0/+47
| | | | | | | | | | | | | | According to [1], hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the H5Z__filter_scaleoffset function. Backport patch [2] from upstream to fix CVE-2025-44905 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-44905 [2] https://github.com/HDFGroup/hdf5/commit/42588aeba786a121fec1fbad72cf39d8f60a4983 Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* hdf5: fix CVE-2025-2310Libo Chen2026-04-152-0/+38
| | | | | | | | | | | | | | | | | According to [1], A vulnerability was found in HDF5 1.14.6 and classified as critical. This issue affects the function H5MM_strndup of the component Metadata Attribute Decoder. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. Backport patch [2] from upstream to fix CVE-2025-2310 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2310 [2] https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4 Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* hdf5: fix CVE-2025-2153Libo Chen2026-04-152-0/+52
| | | | | | | | | | | | | | | | | | According to [1], A vulnerability, which was classified as critical, was found in HDF5 1.14.6. Affected is the function H5SM_delete of the file H5SM.c of the component h5 File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Backport patch [2] from upstream to fix CVE-2025-2153 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2153 [2] https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0 Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: fix CVE-2025-64459Haixiao Yan2026-04-153-1/+124
| | | | | | | | | | | | | | | | | | The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64459 https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html Upstream-patch: https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241 https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* yasm: fix CVE-2021-33454Guocai He2026-04-152-0/+30
| | | | | | | | | | | | | An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in yasm_expr_get_intnum() in libyasm/expr.c. Backport patch to fix CVE-2021-33454 per reference [1]. [1]: https://security-tracker.debian.org/tracker/CVE-2021-33454 Signed-off-by: Guocai He <guocai.he.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* unbound: Fix CVE-2025-11411Jackson James2026-04-134-49/+2029
| | | | | | | | | | | | | | | Backport complete patch to fix CVE-2025-11411 The existing scarthgap patch is a partial backport with hardcoded logic, causing incorrect behavior and ptest failures. Backport the full upstream fix along with the follow-up patch to ensure correct functionality. Add below patch to fix 0001-CVE-2025-11411-1.patch 0002-CVE-2025-11411-2.patch Signed-off-by: Jackson James <jacksonj2@kpit.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nodejs: upgrade 20.20.0 -> 20.20.2Ankur Tyagi2026-04-131-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | License Update: Update minimatch to the Blue Oak Model License[1] nodejs LTS releases containing security and bugfixes. https://nodejs.org/en/blog/release/v20.20.1 https://nodejs.org/en/blog/release/v20.20.2 [1] https://github.com/nodejs/node/commit/f0ef221b0d458d9358c6e6e49094da475e86c229 Ptests passed: root@qemux86:~# ptest-runner nodejs START: ptest-runner 2026-04-09T10:37 BEGIN: /usr/lib/nodejs/ptest Running main() from /usr/src/debug/nodejs/20.20.2/deps/googletest/src/gtest_main.cc [==========] Running 152 tests from 23 test suites. [----------] Global test environment set-up. ... ... [----------] Global test environment tear-down [==========] 152 tests from 23 test suites ran. (30533 ms total) [ PASSED ] 152 tests. PASS: nodejs DURATION: 31 END: /usr/lib/nodejs/ptest 2026-04-09T10:37 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* mbedtls: upgrade 3.6.5 -> 3.6.6Gyorgy Sarvari2026-04-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Contains fixes for CVE-2026-25833, CVE-2026-25834, CVE-2026-25835, CVE-2026-34872, CVE-2026-34873, CVE-2026-34874 and CVE-2026-34875. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6 Ptests passed: root@qemux86:~# ptest-runner mbedtls START: ptest-runner 2026-04-09T10:41 BEGIN: /usr/lib/mbedtls/ptest ... ... DURATION: 508 END: /usr/lib/mbedtls/ptest 2026-04-09T10:49 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> (cherry picked from commit fe1b038cd814102b317c6896f265019909a67de8) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>