summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* mozjs-128: Fix build error with arm and muslAnkur Tyagi2026-01-2014-32/+75
| | | | | | | | | | | | | | | | Build fails for qemuarm with musl with following error: mozglue/misc/StackWalk.o: in function `unwind_callback(_Unwind_Context*, void*)': | /usr/src/debug/mozjs-128/128.5.2/mozglue/misc/StackWalk.cpp:810:(.text._ZL15unwind_callbackP15_Unwind_ContextPv+0x4): undefined reference to `_Unwind_GetIP' Referenced commit[1] for the fix, also refreshed patches. [1] https://github.com/OSSystems/meta-browser/commit/bb8662912354dae13634c0ec35c3803c344b1e72 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 30942cebe8997dbadcd8bcd81ed0e55d42b48677) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libsdl3-image: upgrade 3.2.4 -> 3.2.6Wang Mingyu2026-01-201-1/+1
| | | | | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Release Notes: https://github.com/libsdl-org/SDL_image/releases/tag/release-3.2.6 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* smarty: extend CVE_PRODUCTGyorgy Sarvari2026-01-201-1/+1
| | | | | | | | | | | | | | Some CVEs assign smarty-php as the vendor to the corresponding CPE. E.g CVE-2024-35226[1] is tracked with smarty-php:smarty by mitre (NVD tracks it without CPE). [1]: https://cveawg.mitre.org/api/cve/CVE-2024-35226 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 1aee6a403c1901bc7ae793a2f4581b3cdbd95c1d) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* vboxguestdrivers: Upgrade to 7.2.4Khem Raj2026-01-201-1/+1
| | | | | | | | | | | | | | | | | This is a maintenance release. The following items were fixed or added: GUI: Fixed VirtualBox VM Manager crash when host was resuming from sleep (​github:gh-121, ​github:gh-170) GUI: Updated native language support for Traditional Chinese, Greek, Swedish, Hungarian and Indonesian translations NAT: Fixed issue when multiple port forwarding rules affected NAT functionality (​github:gh-232) Linux host and guest: Introduced initial support for kernel 6.18 Linux Guest Additions: Introduced additional fixes for RHEL 9.6 and 9.7 kernels (​github:GH-12) Windows Guest Additions: Introduced additional fixes for issue when installation was failing in Windows XP SP2 guest (​github:GH-142) Signed-off-by: Khem Raj <raj.khem@gmail.com> Cc: Bruce Ashfield <bruce.ashfield@gmail.com> (cherry picked from commit 0ecf2814b207cc25962a3949c8265d856a355ea0) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libdecor: upgrade 0.2.4 -> 0.2.5Wang Mingyu2026-01-201-1/+1
| | | | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Changelog: https://gitlab.freedesktop.org/libdecor/libdecor/-/compare/0.2.4...0.2.5?from_project_id=18349 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* cryptsetup: upgrade 2.8.1 -> 2.8.3Wang Mingyu2026-01-201-1/+1
| | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6f41c5872d9166aa1197ce1b51f8670561548353) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nodejs: remove extra CVE_PRODUCTGyorgy Sarvari2026-01-201-2/+0
| | | | | | | | | | | | | CVE_PRODUCT is specified twice - the second instance only duplicates one value from the first instance. Remove this extra CVE_PRODUCT. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6ff92524842233efb68eb92d4bf7637ef378900d) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* php: upgrade 8.4.16 -> 8.4.17Ankur Tyagi2026-01-201-1/+1
| | | | | | | Changelog: https://www.php.net/ChangeLog-8.php#8.4.17 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* microsoft-gsl: upgrade 4.2.0 -> 4.2.1Wang Mingyu2026-01-201-4/+4
| | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 1d33fb39d9700a125a02d5bbd8292db2756b6f6c) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* vulkan-cts: upgrade 1.4.4.0 -> 1.4.4.2Dmitry Baryshkov2026-01-204-36/+45
| | | | | | | | | | | Upgrade Vulkan CTS to the point release, fixing several tests. While we are at it, refresh Vulkan-Video-Samples patches. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 374949c531de346739efc4e8e7ca79d7b81f270a) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* minicoredumper: fix 2038 year problem in timestamp handlingJiaying Song2026-01-202-0/+56
| | | | | | | | | | | | | | | | | | | The minicoredumper has multiple 2038 year problems where 'long' type variables and strtol() function calls cause overflow on 32-bit systems when handling timestamps after 2038-01-19. This leads to incorrect timestamp formatting in core dump directory names (e.g., sleep40s.20380119.031407+0000.598). Fix by changing 'long timestamp' to 'time_t timestamp' and replacing strtol() with strtoll() to properly handle 64-bit timestamps on 32-bit systems. Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b5685fb375d01d2a146c1707a6f290fad195826f) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* usb-modeswitch: upgrade 2.6.1 -> 2.6.2Wang Mingyu2026-01-202-55/+2
| | | | | | | | | | | 0001-Fix-build-with-gcc-15.patch removed since it's included in 2.6.2 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit dfbe08b6c3d842bf4add77580a579f76a1cd4cee) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* usb-modeswitch-data: upgrade 20191128 -> 20251207Wang Mingyu2026-01-201-1/+1
| | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8f2c436db5b4e6ba59550ad63f73a61dd459ba45) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libsdl3: upgrade 3.2.26 -> 3.2.28Wang Mingyu2026-01-201-1/+1
| | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 26e3ef119b00bf1910306a2153891140a3df2389) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* liblognorm: upgrade 2.0.7 -> 2.0.8Liu Yiding2026-01-201-2/+1
| | | | | | | | | | | | | | | | | Change log ========== Version 2.0.8, 2025-12-04 - fix potential segfault on some platforms Thanks to Julian Thomas for a fix - fix memory leak when a custom type in rules does not match Thanks to Meric Sentunali for the fix and Julian Thomas for alerting me of the missing merge. Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit c627784366f53c880719994e09f393265d894d35) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* parallel: upgrade 20251022 -> 20251122Wang Mingyu2026-01-201-1/+1
| | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit c9c4b5a88718822697ad41d86b8b89961fb23c10) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-psycopg: upgrade 3.2.12 -> 3.2.13Wang Mingyu2026-01-201-1/+1
| | | | | | | | | | | | | | | Changelog: ============== - Show the host name in the error message in case of name resolution error - Fix Cursor.copy() and AsyncCursor.copy() to hold the connection lock for the entire operation, preventing concurrent access issues - Fix GSSAPI check with C extension built with libpq < v16 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 4b297312d7d256ddbca007f9fbdb1daa337fe431) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libcoap: set CVE version suffixPeter Marko2026-01-201-0/+2
| | | | | | | | | CVE metrics currently report CVE-2025-34468 as open. CPE is <=4.3.5, while recipe version is 4.3.5a which is a higher version, however by default cve-check only compares numbers. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libsodium: patch CVE-2025-69277Peter Marko2026-01-202-0/+63
| | | | | | | | | Pick patch per [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-69277 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* net-snmp: patch CVE-2025-68615Peter Marko2026-01-202-0/+34
| | | | | | | | | Pick patch per [1]. [1] https://security-tracker.debian.org/tracker/CVE-2025-68615 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 5.2.8 -> 5.2.9Gyorgy Sarvari2026-01-061-1/+1
| | | | | | | | | | | | Includes fix for CVE-2025-13372 and CVE-2025-64460 Changelog: https://github.com/django/django/blob/5.2.9/docs/releases/5.2.9.txt Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 2538918df1826b965215e0441c7aa6d0958f1911) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 4.2.26 -> 4.2.27Gyorgy Sarvari2026-01-061-1/+1
| | | | | | | | | | | | Contains fix for CVE-2025-13372 and CVE-2025-64460 Changelog: https://github.com/django/django/blob/4.2.27/docs/releases/4.2.27.txt Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit fae6fe9b4156fae7696a7978700c823f414da8f7) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-configobj: ignore CVE-2023-26112Gyorgy Sarvari2026-01-061-0/+2
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112 The used version (5.0.9) contains the fix[1] already - ignore the CVE. [1]: https://github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* postgresql: upgrade 17.6 -> 17.7Gyorgy Sarvari2026-01-062-3/+3
| | | | | | | | | | | | | It contains fixes for CVE-2025-12817 and CVE-2025-12818. Changelog: https://www.postgresql.org/docs/release/17.7/ Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8217b90e941619820c88dbdb4db5e35d171a4157) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* php: upgrade 8.4.15 -> 8.4.16Gyorgy Sarvari2026-01-061-1/+1
| | | | | | | | | | This is a bugfix release, containing fixes for CVE-2025-14177, CVE-2025-14178 and CVE-2025-14180. Changelog: https://www.php.net/ChangeLog-8.php#8.4.16 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* openvpn: upgrade 2.6.16 -> 2.6.17Gyorgy Sarvari2026-01-061-1/+1
| | | | | | | Contains fix for CVE-2025-13751 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libwebsockets: fix CVE-2025-11678Hugo SIMELIERE2026-01-062-0/+129
| | | | | | | | | | | | | | Backport a fix from Debian: https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11678.patch Upstream commit: https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a Signed-off-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 5fab8bd31b32892acf3d8b56b240a7958890beac) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libwebsockets: fix CVE-2025-11677Hugo SIMELIERE2026-01-062-0/+162
| | | | | | | | | | | | | | Backport a fix from Debian: https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11677.patch Upstream commit: https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a Signed-off-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit da04d7003e65af77667e2c18fa988f0ada62f744) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libcoap: ignore CVE-2025-50518Gyorgy Sarvari2026-01-061-0/+2
| | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-50518 The vulnerability is disputed by upstream, because the vulnerability requires a user error, incorrect library usage. See also an upstream discussion in a related (rejected) PR: https://github.com/obgm/libcoap/pull/1726 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 598176e1cb6c928e322e26d358e8d01ba9d5af0a) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: upgrade 7.1.2-8 -> 7.1.2-12Gyorgy Sarvari2026-01-061-1/+1
| | | | | | | Contains fix for CVE-2025-65955 and CVE-2025-69204. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gimp: patch CVE-2025-14425Gyorgy Sarvari2026-01-062-0/+80
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425 Backport the patch referenced by the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 49732c90c0a4e1b3fc3679456ce2bd2819b144d0) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gimp: patch CVE-2025-14424Gyorgy Sarvari2026-01-062-0/+35
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14424 Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b16c1a543ac5e997d6d3aa27978393106d5a8937) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gimp: patch CVE-2025-14423Gyorgy Sarvari2026-01-062-0/+107
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14423 Pick the patch references by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6aa5720e76d632f62f53ed7be7fe649138fbd55c) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gimp: patch CVE-2025-14422Gyorgy Sarvari2026-01-062-5/+73
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422 Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a0b41204afe57f9b2b3f2e8ff496be72d04e0eb7) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* freerdp3: ignore CVE-2025-68118Gyorgy Sarvari2026-01-061-0/+1
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118 It is a Windows only vulnerability, ignore it. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* fetchmail: patch CVE-2025-61962Ankur Tyagi2026-01-062-0/+52
| | | | | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2025-61962 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 0d9da1105276f04cb23046de5f31fc75f09e2e89) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* civetweb: ignore CVE-2025-9648Gyorgy Sarvari2026-01-061-1/+2
| | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-9648 It is already fixed in the currently used version. Also, update CVE-2025-55763's status to "fixed-version" (so it will be marked as "Patched" in the CVE report instead of "Ignored") Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit bfb76da63bd141173aeb71ce91c336b8aa557a5f) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* tigervnc: ignore CVE-2025-26594...26601Gyorgy Sarvari2026-01-061-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ignore the following CVEs: CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26594 https://nvd.nist.gov/vuln/detail/CVE-2025-26595 https://nvd.nist.gov/vuln/detail/CVE-2025-26596 https://nvd.nist.gov/vuln/detail/CVE-2025-26597 https://nvd.nist.gov/vuln/detail/CVE-2025-26598 https://nvd.nist.gov/vuln/detail/CVE-2025-26599 https://nvd.nist.gov/vuln/detail/CVE-2025-26600 https://nvd.nist.gov/vuln/detail/CVE-2025-26601 TigerVNC compiles its own xserver, this is why these CVEs are associated with it - despite the vulnerabilities being in xserver. All of these vulnerabilities were fixed by the same PR[1], which has been part of xserver since version 21.1.16 (the currently used xserver version in TigerVNC is 21.1.18). Due to this, ignore these vulnerabilities, and just mark them as patched. [1]: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 4924e89bb77fe5486063229c50039a458d60f8ea) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* tigervnc: ignore CVE-2023-6478Gyorgy Sarvari2026-01-061-0/+1
| | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6478 TigerVNC compiles its own xserver, this is why this CVE is associated with it - despite the vulnerability being in xserver. The vulnerability was fixed by [1] (from the nvd report), which has been backported[2] to the xserver version used by the recipe - so ignore the CVE, since it's patched already. [1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632 [2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 62a78f8ba7c8bd229cc82cf81bcc6a6d8116ebca) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* tigervnc: ignore CVE-2023-6377Gyorgy Sarvari2026-01-061-0/+1
| | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6377 TigerVNC compiles its own xserver, this is why this CVE is associated with it - despite the vulnerability being in xserver. The vulnerability was fixed by [1] (from the nvd report), which has been backported[2] to the xserver version used by the recipe - so ignore the CVE, since it's patched already. [1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd [2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/a7bda3080d2b44eae668cdcec7a93095385b9652 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f691f2178b15eec22f09a1c17b9945fad4e330e6) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* tigervnc: sync xserver code with oe-coreGyorgy Sarvari2026-01-061-2/+2
| | | | | | | | | | | TigerVNC compiles its own xserver. Synchronize the xserver version with oe-core. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit fadb9c05709dae9e817a50e4d99093d4e2937933) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* tigervnc: fix typo in CVE_STATUSGyorgy Sarvari2026-01-061-1/+1
| | | | | | | | | | Forgot to add the CVE- prefix in previous patch. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 2f913279d4926ab92b97ffbb7c53031835b393bd) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* fio: ignore CVE-2025-10824Gyorgy Sarvari2026-01-061-0/+2
| | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824 The upstream maintainer wasn't able to reproduce the issue[1], and the related bug is closed without further action. [1]: https://github.com/axboe/fio/issues/1981 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a275078cbeaa0fafcfa4eb60ca69f05a8fe3df99) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* dovecot: patch CVE-2025-30189Gyorgy Sarvari2026-01-068-0/+489
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-30189 Pick the patches referenced by the advisory[1] from the Full Disclosure list. [1]: https://seclists.org/fulldisclosure/2025/Oct/29 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* cups-filters: patch CVE-2025-64524Gyorgy Sarvari2026-01-062-5/+87
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524 Pick the patch mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 056ee43dd1d0e46a9b40339e877a4bf76cf8196b) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* cifs-utils: patch CVE-2025-2312Gyorgy Sarvari2026-01-062-1/+138
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312 Pick the patch that is referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* c-ares: upgrade 1.34.5 -> 1.34.6Jason Schonberg2026-01-062-23/+1
| | | | | | | | | | | | | | Drop memory leak patch which has already been included in this new version. The new version also includes a fix for CVE 2025-62408. Changelog: https://github.com/c-ares/c-ares/releases/tag/v1.34.6 Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 996768e0800a008e06d6c8d305f443198d4df847) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* minio: ignore irrelevant CVEsGyorgy Sarvari2026-01-061-0/+6
| | | | | | | | | | | | | | | | The minio umbrella covers multiple projects. The recipe itself builds "minio client", which is a set of basic tools to query data from "minio server" - like ls, mv, find... The CVEs were files against minio server. Looking at the go mod list, this recipe doesn't use minio server even as a build dependency - so ignore the CVEs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit df462075be855c60117af661dbce1836c652fc16) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* accountsservice: ignore CVE-2023-3297Gyorgy Sarvari2026-01-061-0/+2
| | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-3297 The vulnerability is triggered by a patch added by Ubuntu, and the vulnerable patch is not present in the recipe. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 071a45c9d76c9a222c8fbaa50089a8af44f44e74) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* fex: ignore unrelated CVEsGyorgy Sarvari2026-01-051-0/+6
| | | | | | | | | | | | | These CVEs were filed for "Fram's Fast File Exchange" application, which has the same abbreviated name as fex. Currently this recipe has no historical CVEs associated, so I couldn't set the correct CVE_PRODUCT. Rather ignore these irrelevant CVEs explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b990486203b8eca688cfb6fc9bebf8b138e0b334) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-04-22 10:32:43 +0000