Commit message | Author | Age | Files | Lines
* tinyproxy: patch CVE-2025-63938 | Gyorgy Sarvari | 2026-01-20 | 2 | -0/+44
  Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938
  Pick the patch referenced by the nvd report.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 7981f52062d444aed1759c674bd3ec024a4f232c)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* dante: Add _GNU_SOURCE for musl builds | Khem Raj | 2026-01-20 | 1 | -0/+2
  This helps build fixes e.g. cpuset_t definitions etc. glibc builds have _GNU_SOURCE defined inherently.
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 848bac20ea27afddc3843c41ad105843ad167177)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* dante: upgrade 1.4.3 -> 1.4.4 | Gyorgy Sarvari | 2026-01-20 | 1 | -2/+2
  License-Update: copyright year bump
  Changelog:
  - Fix potential security issue CVE-2024-54662, related to "socksmethod" use in client/hostid-rules.
  - Add a missing call to setgroups(2).
  - Patch to fix compilation with libminiupnp 2.2.8.
  - Client connectchild optimizations.
  - Client SIGIO handling improvements.
  - Various configure/build fixes.
  - Updated to support TCP_EXP1 version of TCP hostid format.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 9f12c5fbc63143c33d6c68139cccac770817b4eb)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* frr: upgrade 10.4.1 -> 10.4.2 | Ankur Tyagi | 2026-01-20 | 1 | -1/+1
  Release Notes: https://github.com/FRRouting/frr/releases/tag/frr-10.4.2
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* xerces-c: set CVE_PRODUCT | Gyorgy Sarvari | 2026-01-20 | 1 | -0/+2
  The related CVEs are tracked with "xerces-c\+\+" (sic).
  See CVE db query:
  sqlite> select vendor, product, count(*) from PRODUCTs where product like '%xerces%' group by 1, 2;
  apache|xerces-c\+\+|29
  apache|xerces-j|2
  apache|xerces2_java|3
  redhat|xerces|3
  Set CVE_PRODUCT accordingly.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 29a272744a314564035ec4a337704eb6d31e879e)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* lmdb: patch CVE-2026-22185 | Gyorgy Sarvari | 2026-01-20 | 2 | -0/+32
  Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22185
  Pick the patch that is mentioned as a solution in the related upstream bug[1].
  [1]: https://bugs.openldap.org/show_bug.cgi?id=10421
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit e0f86a4a7f8e413c682fbd4a9c01b12b0234cd71)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* boinc-client: mark CVE-2013-2018 patched | Gyorgy Sarvari | 2026-01-20 | 1 | -0/+1
  Details: https://nvd.nist.gov/vuln/detail/CVE-2013-2018
  According to oss-security email[1], version 7.0.45 included the fixes[2][3][4]
  [1]: https://www.openwall.com/lists/oss-security/2013/04/29/11
  [2]: https://github.com/BOINC/boinc/commit/6e205de096da83b12ffb2f0183b43e51261eb0c4
  [3]: https://github.com/BOINC/boinc/commit/e8d6c33fe158129a5616e18eb84a7a9d44aca15f
  [4]: https://github.com/BOINC/boinc/commit/ce3110489bc139b8218252ba1cb0862d69f72ae3
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 2a78ad8813845677132ad0f1552fcaa4961c3e15)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* influxdb: ignore CVE-2024-30896 | Ankur Tyagi | 2026-01-20 | 1 | -0/+1
  As mentioned in the comment[1], vulnerability is in /api/v2/authorizations API which only exists in 2.x, 1.x is not affected.
  Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30896
  [1] https://github.com/influxdata/influxdb/issues/24797#issuecomment-2514690740
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 2f1d7a8597596d8e51a6f6f3b62e7e5f153f6e73)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* boinc-client: set CVE_PRODUCT | Gyorgy Sarvari | 2026-01-20 | 1 | -0/+3
  The relevant CVEs are tracked with underscore in their name.
  See CVE db query:
  sqlite> select vendor, product, count(*) from PRODUCTs where product like '%boinc%' group by 1, 2;
  berkeley|boinc_client|2
  berkeley|boinc_forum|1
  universityofcalifornia|boinc_client|165
  universityofcalifornia|boinc_server|5
  Set the CVE_PRODUCT accordingly.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 31de060b48c57194ea2e6c6844d746eb59a0d056)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* asyncmqtt: set CVE_PRODUCT | Gyorgy Sarvari | 2026-01-20 | 1 | -0/+2
  The CVEs are tracked with an underscore in the product name:
  sqlite> select * from PRODUCTs where product like '%async%mq%';
  CVE-2025-65503|redboltz|async_mqtt|10.2.5|=||
  This patch sets the correct CVE_PRODUCT.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 4da079d7f572efed610bdf1291e838d0a5fc45cc)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libcereal: set CVE_PRODUCT | Gyorgy Sarvari | 2026-01-20 | 1 | -0/+2
  The relevant CVEs are associated with usc:cereal CPE.
  See CVE db query:
  sqlite> select * from PRODUCTS where PRODUCT like '%cereal%';
  CVE-2020-11104|usc|cereal|||1.3.0|<=
  CVE-2020-11105|usc|cereal|||1.3.0|<=
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 6e936626cbccf6c17fc8b2d61fd2c7d4bcb022b5)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* raptor2: set CVE_PRODUCT | Gyorgy Sarvari | 2026-01-20 | 1 | -0/+2
  All relevant CVEs are filed against these CPEs.
  See CVE db query (zediious vendor is not relevant):
  sqlite> select * from PRODUCTs where PRODUCT like '%raptor%' and vendor <> 'symantec' and product <> 'velociraptor';
  CVE-2012-0037|librdf|raptor|||2.0.7|<
  CVE-2017-18926|librdf|raptor_rdf_syntax_library|2.0.15|=||
  CVE-2020-25713|librdf|raptor_rdf_syntax_library|2.0.15|=||
  CVE-2023-49078|zediious|raptor-web|0.4.4|=||
  CVE-2024-57822|librdf|raptor_rdf_syntax_library|||2.0.16|<=
  CVE-2024-57823|librdf|raptor_rdf_syntax_library|||2.0.16|<=
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 15aca0b2fa03dc25f551e84d381295c89dae8253)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libsdl3: upgrade 3.2.28 -> 3.2.30 | Liu Yiding | 2026-01-20 | 1 | -1/+1
  Changelog: https://github.com/libsdl-org/SDL/releases/tag/release-3.2.30
  Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit a524aaddaceabedcfba002550eaef0b5aa10e0eb)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libjxl: Fix build error with arm and musl | Ankur Tyagi | 2026-01-20 | 1 | -0/+3
  Build fails for qemuarm with musl with following error:
  /build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1/lib/jxl/convolve_separable5.cc | error: out of range pc-relative fixup value
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 63ae47a70d6d81937f5122c535d890678ed3c13e)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* mozjs-128: Fix build error with arm and musl | Ankur Tyagi | 2026-01-20 | 14 | -32/+75
  Build fails for qemuarm with musl with following error:
  mozglue/misc/StackWalk.o: in function `unwind_callback(_Unwind_Context*, void*)': | /usr/src/debug/mozjs-128/128.5.2/mozglue/misc/StackWalk.cpp:810:(.text._ZL15unwind_callbackP15_Unwind_ContextPv+0x4): undefined reference to `_Unwind_GetIP'
  Referenced commit[1] for the fix, also refreshed patches.
  [1] https://github.com/OSSystems/meta-browser/commit/bb8662912354dae13634c0ec35c3803c344b1e72
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 30942cebe8997dbadcd8bcd81ed0e55d42b48677)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libsdl3-image: upgrade 3.2.4 -> 3.2.6 | Wang Mingyu | 2026-01-20 | 1 | -1/+1
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Release Notes: https://github.com/libsdl-org/SDL_image/releases/tag/release-3.2.6
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* smarty: extend CVE_PRODUCT | Gyorgy Sarvari | 2026-01-20 | 1 | -1/+1
  Some CVEs assign smarty-php as the vendor to the corresponding CPE. E.g. CVE-2024-35226[1] is tracked with smarty-php:smarty by mitre (NVD tracks it without CPE).
  [1]: https://cveawg.mitre.org/api/cve/CVE-2024-35226
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 1aee6a403c1901bc7ae793a2f4581b3cdbd95c1d)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* vboxguestdrivers: Upgrade to 7.2.4 | Khem Raj | 2026-01-20 | 1 | -1/+1
  This is a maintenance release. The following items were fixed or added:
  GUI: Fixed VirtualBox VM Manager crash when host was resuming from sleep (github:gh-121, github:gh-170)
  GUI: Updated native language support for Traditional Chinese, Greek, Swedish, Hungarian and Indonesian translations
  NAT: Fixed issue when multiple port forwarding rules affected NAT functionality (github:gh-232)
  Linux host and guest: Introduced initial support for kernel 6.18
  Linux Guest Additions: Introduced additional fixes for RHEL 9.6 and 9.7 kernels (github:GH-12)
  Windows Guest Additions: Introduced additional fixes for issue when installation was failing in Windows XP SP2 guest (github:GH-142)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
  (cherry picked from commit 0ecf2814b207cc25962a3949c8265d856a355ea0)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libdecor: upgrade 0.2.4 -> 0.2.5 | Wang Mingyu | 2026-01-20 | 1 | -1/+1
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Changelog: https://gitlab.freedesktop.org/libdecor/libdecor/-/compare/0.2.4...0.2.5?from_project_id=18349
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* cryptsetup: upgrade 2.8.1 -> 2.8.3 | Wang Mingyu | 2026-01-20 | 1 | -1/+1
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 6f41c5872d9166aa1197ce1b51f8670561548353)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nodejs: remove extra CVE_PRODUCT | Gyorgy Sarvari | 2026-01-20 | 1 | -2/+0
  CVE_PRODUCT is specified twice - the second instance only duplicates one value from the first instance.
  Remove this extra CVE_PRODUCT.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 6ff92524842233efb68eb92d4bf7637ef378900d)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* php: upgrade 8.4.16 -> 8.4.17 | Ankur Tyagi | 2026-01-20 | 1 | -1/+1
  Changelog: https://www.php.net/ChangeLog-8.php#8.4.17
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* microsoft-gsl: upgrade 4.2.0 -> 4.2.1 | Wang Mingyu | 2026-01-20 | 1 | -4/+4
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 1d33fb39d9700a125a02d5bbd8292db2756b6f6c)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* vulkan-cts: upgrade 1.4.4.0 -> 1.4.4.2 | Dmitry Baryshkov | 2026-01-20 | 4 | -36/+45
  Upgrade Vulkan CTS to the point release, fixing several tests. While we are at it, refresh Vulkan-Video-Samples patches.
  Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 374949c531de346739efc4e8e7ca79d7b81f270a)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* minicoredumper: fix 2038 year problem in timestamp handling | Jiaying Song | 2026-01-20 | 2 | -0/+56
  The minicoredumper has multiple 2038 year problems where 'long' type variables and strtol() function calls cause overflow on 32-bit systems when handling timestamps after 2038-01-19. This leads to incorrect timestamp formatting in core dump directory names (e.g., sleep40s.20380119.031407+0000.598).
  Fix by changing 'long timestamp' to 'time_t timestamp' and replacing strtol() with strtoll() to properly handle 64-bit timestamps on 32-bit systems.
  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit b5685fb375d01d2a146c1707a6f290fad195826f)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* usb-modeswitch: upgrade 2.6.1 -> 2.6.2 | Wang Mingyu | 2026-01-20 | 2 | -55/+2
  0001-Fix-build-with-gcc-15.patch removed since it's included in 2.6.2
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit dfbe08b6c3d842bf4add77580a579f76a1cd4cee)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* usb-modeswitch-data: upgrade 20191128 -> 20251207 | Wang Mingyu | 2026-01-20 | 1 | -1/+1
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 8f2c436db5b4e6ba59550ad63f73a61dd459ba45)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libsdl3: upgrade 3.2.26 -> 3.2.28 | Wang Mingyu | 2026-01-20 | 1 | -1/+1
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 26e3ef119b00bf1910306a2153891140a3df2389)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* liblognorm: upgrade 2.0.7 -> 2.0.8 | Liu Yiding | 2026-01-20 | 1 | -2/+1
  Change log
  ==========
  Version 2.0.8, 2025-12-04
  - fix potential segfault on some platforms
    Thanks to Julian Thomas for a fix
  - fix memory leak when a custom type in rules does not match
    Thanks to Meric Sentunali for the fix and Julian Thomas for alerting me of the missing merge.
  Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit c627784366f53c880719994e09f393265d894d35)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* parallel: upgrade 20251022 -> 20251122 | Wang Mingyu | 2026-01-20 | 1 | -1/+1
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit c9c4b5a88718822697ad41d86b8b89961fb23c10)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-psycopg: upgrade 3.2.12 -> 3.2.13 | Wang Mingyu | 2026-01-20 | 1 | -1/+1
  Changelog:
  ==============
  - Show the host name in the error message in case of name resolution error
  - Fix Cursor.copy() and AsyncCursor.copy() to hold the connection lock for the entire operation, preventing concurrent access issues
  - Fix GSSAPI check with C extension built with libpq < v16
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 4b297312d7d256ddbca007f9fbdb1daa337fe431)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libcoap: set CVE version suffix | Peter Marko | 2026-01-20 | 1 | -0/+2
  CVE metrics currently report CVE-2025-34468 as open. CPE is <=4.3.5, while recipe version is 4.3.5a which is a higher version, however by default cve-check only compares numbers.
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libsodium: patch CVE-2025-69277 | Peter Marko | 2026-01-20 | 2 | -0/+63
  Pick patch per [1].
  [1] https://nvd.nist.gov/vuln/detail/CVE-2025-69277
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* net-snmp: patch CVE-2025-68615 | Peter Marko | 2026-01-20 | 2 | -0/+34
  Pick patch per [1].
  [1] https://security-tracker.debian.org/tracker/CVE-2025-68615
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 5.2.8 -> 5.2.9 | Gyorgy Sarvari | 2026-01-06 | 1 | -1/+1
  Includes fix for CVE-2025-13372 and CVE-2025-64460
  Changelog: https://github.com/django/django/blob/5.2.9/docs/releases/5.2.9.txt
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 2538918df1826b965215e0441c7aa6d0958f1911)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 4.2.26 -> 4.2.27 | Gyorgy Sarvari | 2026-01-06 | 1 | -1/+1
  Contains fix for CVE-2025-13372 and CVE-2025-64460
  Changelog: https://github.com/django/django/blob/4.2.27/docs/releases/4.2.27.txt
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit fae6fe9b4156fae7696a7978700c823f414da8f7)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-configobj: ignore CVE-2023-26112 | Gyorgy Sarvari | 2026-01-06 | 1 | -0/+2
  Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112
  The used version (5.0.9) contains the fix[1] already - ignore the CVE.
  [1]: https://github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* postgresql: upgrade 17.6 -> 17.7 | Gyorgy Sarvari | 2026-01-06 | 2 | -3/+3
  It contains fixes for CVE-2025-12817 and CVE-2025-12818.
  Changelog: https://www.postgresql.org/docs/release/17.7/
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 8217b90e941619820c88dbdb4db5e35d171a4157)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* php: upgrade 8.4.15 -> 8.4.16 | Gyorgy Sarvari | 2026-01-06 | 1 | -1/+1
  This is a bugfix release, containing fixes for CVE-2025-14177, CVE-2025-14178 and CVE-2025-14180.
  Changelog: https://www.php.net/ChangeLog-8.php#8.4.16
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* openvpn: upgrade 2.6.16 -> 2.6.17 | Gyorgy Sarvari | 2026-01-06 | 1 | -1/+1
  Contains fix for CVE-2025-13751
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libwebsockets: fix CVE-2025-11678 | Hugo SIMELIERE | 2026-01-06 | 2 | -0/+129
  Backport a fix from Debian: https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11678.patch
  Upstream commit: https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a
  Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
  Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
  (cherry picked from commit 5fab8bd31b32892acf3d8b56b240a7958890beac)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libwebsockets: fix CVE-2025-11677 | Hugo SIMELIERE | 2026-01-06 | 2 | -0/+162
  Backport a fix from Debian: https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11677.patch
  Upstream commit: https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a
  Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
  Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
  (cherry picked from commit da04d7003e65af77667e2c18fa988f0ada62f744)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libcoap: ignore CVE-2025-50518 | Gyorgy Sarvari | 2026-01-06 | 1 | -0/+2
  Details: https://nvd.nist.gov/vuln/detail/CVE-2025-50518
  The vulnerability is disputed by upstream, because the vulnerability requires a user error, incorrect library usage.
  See also an upstream discussion in a related (rejected) PR: https://github.com/obgm/libcoap/pull/1726
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 598176e1cb6c928e322e26d358e8d01ba9d5af0a)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: upgrade 7.1.2-8 -> 7.1.2-12 | Gyorgy Sarvari | 2026-01-06 | 1 | -1/+1
  Contains fix for CVE-2025-65955 and CVE-2025-69204.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gimp: patch CVE-2025-14425 | Gyorgy Sarvari | 2026-01-06 | 2 | -0/+80
  Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425
  Backport the patch referenced by the nvd report.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 49732c90c0a4e1b3fc3679456ce2bd2819b144d0)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gimp: patch CVE-2025-14424 | Gyorgy Sarvari | 2026-01-06 | 2 | -0/+35
  Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14424
  Pick the patch referenced by the NVD report.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit b16c1a543ac5e997d6d3aa27978393106d5a8937)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gimp: patch CVE-2025-14423 | Gyorgy Sarvari | 2026-01-06 | 2 | -0/+107
  Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14423
  Pick the patch referenced by the NVD report.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 6aa5720e76d632f62f53ed7be7fe649138fbd55c)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gimp: patch CVE-2025-14422 | Gyorgy Sarvari | 2026-01-06 | 2 | -5/+73
  Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422
  Pick the patch referenced by the NVD report.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit a0b41204afe57f9b2b3f2e8ff496be72d04e0eb7)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* freerdp3: ignore CVE-2025-68118 | Gyorgy Sarvari | 2026-01-06 | 1 | -0/+1
  Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118
  It is a Windows only vulnerability, ignore it.
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* fetchmail: patch CVE-2025-61962 | Ankur Tyagi | 2026-01-06 | 2 | -0/+52
  Details https://nvd.nist.gov/vuln/detail/CVE-2025-61962
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
  (cherry picked from commit 0d9da1105276f04cb23046de5f31fc75f09e2e89)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>