summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* libssh: Fix CVE-2026-3731Deepak Rathore2026-03-263-0/+139
| | | | | | | | | | | Pick the patch [1] and [2] as mentioned in [3] [1] https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8 [2] https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540 [3] https://security-tracker.debian.org/tracker/CVE-2026-3731 Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* exiv2: patch CVE-2026-27631Gyorgy Sarvari2026-03-263-0/+91
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27631 Backport the patches referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* exiv2: patch CVE-2026-27596Gyorgy Sarvari2026-03-263-0/+97
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27596 Backport the commits referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* exiv2: patch CVE-2026-25884Gyorgy Sarvari2026-03-263-1/+100
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25884 Backport the commits referenced by the NVD advisory. One of the patches contain some binary data (for test data), which needs to be applied with git PATCHTOOL.. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* ettercap: patch CVE-2026-3603Gyorgy Sarvari2026-03-262-1/+51
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3606 Pick the commit that is marked to solve the related Github issue[1]. Its commit message also references the CVE ID explicitly. [1]: https://github.com/Ettercap/ettercap/issues/1297 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 4.2.28 -> 4.2.29Gyorgy Sarvari2026-03-261-1/+1
| | | | | | | Contains fixes for CVE-2026-25673 and CVE-2026-25674. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 5.2.11 -> 5.2.12Gyorgy Sarvari2026-03-261-1/+1
| | | | | | | | | | | | Ptests passed successfully. Changelog: https://docs.djangoproject.com/en/6.0/releases/5.2.12/ - Fixed CVE-2026-25673 and CVE-2026-25674 - Fixed NameError when inspecting functions making use of deferred annotations in Python 3.14. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* zfs: upgrade 2.2.8 -> 2.2.9Ankur Tyagi2026-03-265-16/+98
| | | | | | | | | | | | | Also include tag in the SRC_URI and refreshed patches. Backported patch 0004-linux-use-sys-stat.h-instead-of-linux-stat.h.patch to resolve build failure with musl. Release Notes: https://github.com/openzfs/zfs/releases/tag/zfs-2.2.9 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* owfs: upgrade 3.2p3 -> 3.2p4Gyorgy Sarvari2026-03-263-51/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Drop patch that's included in this release. Changelog: v3.2p4 is mainly a bugfix & cleanup release. Enhancements Add support for InfernoEmbedded soft-devices (GH-21) Bug fixes Fix bug (GH-55) related to split packet (GH-64) Fix copy paste bug (474f06d) Add \r to Http header to satisfy RFC2616 specification (GH-20) Maintenance build system cleanup (GH-72, GH-27, GH-16) Fix missing files in source distribution (GH-70, GH-69) Fix compilation with GCC10 (GH-62) Minor fixes Fix typos (GH-43 GH-23) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 58259850fe6302a752548e910198fa080b49ea66) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* packagegroups: fix foldernameGyorgy Sarvari2026-03-261-0/+0
| | | | | | | | | | The correct folder name is "packagegroups", not "packageconfigs". Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 93e33ae8090ad30bb1a145e0fbb677e3e51a0ca4) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* btrfsmaintenance: upgrade 0.5 -> 0.5.2Liu Yiding2026-03-262-11/+11
| | | | | | | | | | | | | | | 1.Changelog: fix syntax error in run_task, preventing jobs to start start scrub jobs sequentially if RAID5 or RAID6 data profile is found fix btrfsmaintenance-refresh.service description 2.Update 0001-change-sysconfig-path-to-etc-default.patch for 0.5.2 Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 7adb1a61d26d14132f98c5373d2cee2e91b84361) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* postfix: upgrade 3.10.6 -> 3.10.8Wang Mingyu2026-03-091-1/+1
| | | | | | | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 09cc9579d41843bcb74ab7f6f052517d282d6613) Release Notes: https://www.postfix.org/announcements/postfix-3.10.7.html https://www.postfix.org/announcements/postfix-3.10.8.html Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libcacard: upgrade 2.8.1 -> 2.8.2Wang Mingyu2026-03-091-2/+2
| | | | | | | | | | | | | | | | Changelog: ========== - Sort certificates by underlying objects CKA_ID to provide deterministic object order - Avoid using uninitialized memory - Improve test coverage and build scripts - Improve compatibility with modern compilers (avoid strict warnings) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit bf0ea3fc286a432e6eb6c1e538d4db4a7455d7f4) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* open62541: upgrade 1.3.15 -> 1.3.17Ankur Tyagi2026-03-091-1/+1
| | | | | | | | | Release Notes: https://github.com/open62541/open62541/releases/tag/v1.3.17 https://github.com/open62541/open62541/releases/tag/v1.3.16 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* networkmanager-openvpn: upgrade 1.12.3 -> 1.12.5Liu Yiding2026-03-091-1/+3
| | | | | | | | | | | | Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit fcebca61e5cec25f4e34aefa8967cf71a07704ec) Release Notes: https://github.com/NetworkManager/NetworkManager-openvpn/blob/1.12.5/NEWS Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* networkmanager: upgrade 1.52.0 -> 1.52.2Liu Yiding2026-03-091-2/+2
| | | | | | | | | | | | Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 14c9d10173aa57ab780bdcf83dbc8859f90291e4) Release Notes: https://github.com/NetworkManager/NetworkManager/blob/1.52.2/NEWS Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nopoll: upgrade 0.4.7.b429 -> 0.4.9.b462Ankur Tyagi2026-03-091-1/+1
| | | | | | | | | | | | | | | 0.4.9 ----- Stable release with bug fixing, support for Debian Buster, Debian Bullseye and Ubuntu Focal https://github.com/ASPLes/nopoll/blob/master/doc/release-notes/nopoll-0.4.9.txt 0.4.8 ----- Stable release with bug fixing, support for Debian Buster, Debian Bullseye and Ubuntu Focal https://github.com/ASPLes/nopoll/blob/master/doc/release-notes/nopoll-0.4.8.txt Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nopoll: Upgrade to 0.4.7.b429Jason Schonberg2026-03-091-2/+1
| | | | | | | | | | | | | | Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5f7c5c664162f0e08363783acb7756e9cbfb2cc5) Stable release with bug fixing, support for Debian Stretch and Ubuntu Bionic Release Notes: https://github.com/ASPLes/nopoll/blob/master/doc/release-notes/nopoll-0.4.7.txt Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* frr: upgrade 10.4.2 -> 10.4.3Ankur Tyagi2026-03-091-1/+1
| | | | | | | | Release Notes: https://github.com/FRRouting/frr/releases/tag/frr-10.4.3 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* zabbix: mark CVE-2026-23925 as patchedGyorgy Sarvari2026-03-091-0/+2
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23925 The vulnerability has been fixed since 7.0.18[1], however NVD tracks this CVE without version information. [1]: https://github.com/zabbix/zabbix/commit/89dec866ec7f8230b25f06ac000575e3b7bd4025 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libjxl: mark CVE-2025-12474 and CVE-2026-1837 patchedGyorgy Sarvari2026-03-091-0/+3
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-12474 https://nvd.nist.gov/vuln/detail/CVE-2026-1837 Both CVEs have been fixed in v0.11.2, but NVD tracks these vulnerabilities without version information. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* pipewire: update 1.4.9 -> 1.4.10Markus Volk2026-03-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | PipeWire 1.4.10 (2026-01-16) This is a small bugfix release that is API and ABI compatible with previous 1.x releases. Highlights - Fix a regression in restoring volumes on nodes. - Clean up timed out stream on pulse-server. - Backport filter-graph channel support. - More small fixes and improvements. PipeWire - Backport the timer queue from 1.5. modules - Fix module leak in module-eq. (#5045) - Fix profiling of multiple drivers when profile.interval.ms is set. (#5061) - Allow both sink and source pulse tunnels with the same name. (#5079) SPA - Emit props events in all cases. (#4610) - Backport some filter-graph changes to make it adapt better to the number of channels of the stream. - Fix some port errors in filter-graph. (#4700) - Avoid a memcpy in the convolver. - Handle some DBus errors better instead of crashing. - Fix AVX2 functions and flags. (#5072) - Limit resampler phases to avoid crashes (#5073) - Support some more channel downmix positions. pulse-server - Clean up timed out streams. (#4901) - Add message to force mono mixdown. GStreamer - Avoid scaling overflow in the clock. Signed-off-by: Markus Volk <f_l_k@t-online.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit b7bd06e9b4ff1bf55b5ba8943c2547ec8ff6dba7) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libmediaart-2.0: upgrade 1.9.6 -> 1.9.7Gyorgy Sarvari2026-03-091-1/+1
| | | | | | | | | | | | | | This is a bugfix release, fixing some memory leaks and compiler warning (and it also has a couple of commits related to the project's own CI system, which doesn't affect the application) Changelog: https://gitlab.gnome.org/GNOME/libmediaart/-/blob/master/NEWS Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 3f6b25f18a00e46bc3b0a72fb8c2f39b28e191a3) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libde265: upgrade 1.0.15 -> 1.0.16Ankur Tyagi2026-03-091-2/+2
| | | | | | | | | | | | | | | Also included tag in the SRC_URI. This release fixes some rare decoding errors and some build issues. Changelog: https://github.com/strukturag/libde265/compare/v1.0.15...v1.0.16 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 625a2be8a8fff0ff8705bf35a858f832e5a27660) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* exiftool: ignore CVE-2026-3102Gyorgy Sarvari2026-03-091-0/+2
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3102 The vulnerability impacts only MacOS - ignore it. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-protobuf: mark CVE-2026-0994 patchedGyorgy Sarvari2026-03-091-0/+1
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994 It is fixed already in the currently used version, however NVD tracks it without any version info, so it still shows up in CVE reports. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* unbound: patch CVE-2025-5994Gyorgy Sarvari2026-03-092-0/+280
| | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-5994 Backport the patch[1] provided by upstream, which is linked in the upstream advisory[2] referenced by the NVD report. Tests passed successfully in a locally prepared ptest image. [1]: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-5994_2.diff [1]: https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* streamripper: ignore CVE-2020-37065Gyorgy Sarvari2026-03-091-0/+2
| | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2020-37065 The vulnerability is about a 3rd party Windows-only GUI frontend for the streamripper library, and not for the CLI application that the recipe builds. Due to this ignore this CVE. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 1571c1a8e5e876db9db744d0a3e3256ac585242b) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-pillow: patch CVE-2026-25990Gyorgy Sarvari2026-03-092-0/+156
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990 Backport the patch referenced by the NVD advisory. Note that the patch contain some new binary test data, which requires "git" PATCHTOOL - other tools fail to apply binary patches. All ptests passed successfully: Testsuite summary TOTAL: 5011 PASS: 4577 SKIP: 431 XFAIL: 3 FAIL: 0 XPASS: 0 ERROR: 0 DURATION: 59 END: /usr/lib/python3-pillow/ptest 2026-03-06T17:58 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-nltk: upgrade 3.9.2 -> 3.9.3Gyorgy Sarvari2026-03-091-1/+1
| | | | | | | | | | | | | | | | | | Contains fix for CVE-2026-14009. Changelog: * Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader * Block path traversal/arbitrary reads in nltk.data for protocol-less refs * Block path traversal/abs paths in corpus readers and FS pointers * Validate external StanfordSegmenter JARs using SHA256 * Add optional sandbox enforcement for filestring() * Maintenance: downloader/zipped models, CI/tooling updates Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 14d464c15094d1758dc14706646a8aa645a3bf34) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libheif: patch CVE-2025-68431Gyorgy Sarvari2026-03-092-1/+29
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68431 Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* imagemagick: upgrade 7.1.2-13 -> 7.1.2-15Wang Mingyu2026-03-091-1/+1
| | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 853aecb2f9d8ff277c8e47499bbc24f9595e603e) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* ceres-solver: Don't fail if .git/hooks/commit-msg can't be touchedPeter Kjellerstedt2026-03-061-1/+1
| | | | | | | | | | | The .git/hooks/commit-msg Git hook may already exist and not be writable. E.g., in our environment it is a symbolic link to a script in /usr/share. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a22fe21c597b1f7439d863342591d7947ec2ccca) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-flask: Upgrade 3.1.2 -> 3.1.3Leon Anavi2026-03-061-2/+2
| | | | | | | | | | | | | Upgrade to release 3.1.3: - The session is marked as accessed for operations that only access the keys but not the values, such as in and len. Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 0badc6de53e06045d943143ef70773d6959f1a08) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-werkzeug: upgrade 3.1.5 -> 3.1.6Gyorgy Sarvari2026-03-061-1/+1
| | | | | | | | | | | | Contains fix for CVE-2026-27199 Changelog: safe_join on Windows does not allow special devices names in multi-segment paths Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 9cbc4befe55716bfcf60616cd695318a5477b32d) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-sqlparse: upgrade 0.5.4 -> 0.5.5Wang Mingyu2026-03-061-1/+1
| | | | | | | | | | | | | | Changelog: ========== * Fix DoS protection to raise SQLParseError instead of silently returning None when grouping limits are exceeded * Fix splitting of BEGIN TRANSACTION statements Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 48617f70328d1a2abc2787594df028a3031e5268) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-greenlet: upgrade 3.2.4 -> 3.2.5Ankur Tyagi2026-03-061-1/+1
| | | | | | | | | Fix a crash on Python 3.9 if there are active greenlets during interpreter shutdown https://greenlet.readthedocs.io/en/latest/changes.html#id4 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-filelock: Upgrade 3.20.2 -> 3.20.3Leon Anavi2026-03-061-1/+1
| | | | | | | | | | | Upgrade to release 3.20.3: - Fix TOCTOU symlink vulnerability in SoftFileLock Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-filelock: Upgrade 3.20.1 -> 3.20.2Leon Anavi2026-03-061-1/+1
| | | | | | | | | | | | | Upgrade to release 3.20.2: - Support Unix systems without O_NOFOLLOW - [pre-commit.ci] pre-commit autoupdate Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8b5e1f5dbf6bfe9dd6725d5dd04cd4c6aff73c86) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-filelock: upgrade 3.20.0 -> 3.20.1Wang Mingyu2026-03-061-1/+1
| | | | | | | | | | | Changelog: CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit c2710a2df9bbafa9fabe87610f29864c56476b9d) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* valkey: upgrade 8.1.4 -> 8.1.6Ankur Tyagi2026-03-061-2/+2
| | | | | | | | | | | | Includes fix for CVE-2026-21863, CVE-2025-67733 and various bug fixes. Also include tag in the SRC_URI. https://github.com/valkey-io/valkey/releases/tag/8.1.5 https://github.com/valkey-io/valkey/releases/tag/8.1.6 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* nbench-byte: Fix sysinfo generation in parallel buildDaniel Klauer2026-03-063-1/+99
| | | | | | | | | | | | | | | | | | The project Makefile uses a script (sysinfo.sh) to non-atomically generate two .c files (sysinfo.c, sysinfoc.c) which are then included in the build. Since the script always overwrites both .c files, the Makefile should only invoke it once, not twice in parallel. Otherwise the .c files may be corrupted and cause random build failures in parallel builds. Requires at least GNU make 4.3, for Grouped Targets support [1]. [1] https://lists.gnu.org/archive/html/info-gnu/2020-01/msg00004.html Reviewed-by: Silvio Fricke <silvio.fricke@gin.de> Signed-off-by: Daniel Klauer <daniel.klauer@gin.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit add2d94ab7d4170cece4e20af829a7221c572d5f) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* xrdp: patch CVE-2025-68670Ankur Tyagi2026-03-062-0/+79
| | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68670 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* minidlna: ignore CVE-2024-51442Gyorgy Sarvari2026-03-061-0/+1
| | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-51442 The description of the vulnerability says "attacker [...] execute arbitrary OS commands via a specially crafted minidlna.conf configuration file". There is no official fix for this CVE, and upstream seems to be inactive for the past 3 years. The reason for ignoring this CVE is that the referenced minidlna.conf file is in the /etc folder, and the file is not world-writable. Which means that this vulnerability can be exploited only when someone is root - but if the attacker is already root, they don't need to resort to minidlna config-file modifications to execute any command they want. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gimp: ignore already fixed CVEsGyorgy Sarvari2026-03-061-1/+4
| | | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0797 https://nvd.nist.gov/vuln/detail/CVE-2026-2044 https://nvd.nist.gov/vuln/detail/CVE-2026-2045 https://nvd.nist.gov/vuln/detail/CVE-2026-2047 https://nvd.nist.gov/vuln/detail/CVE-2026-2048 All these CVEs are already fixed in the recipe version, however NVD tracks them currently without CPE info. Ignore them. Relevant upstream commits: CVE-2026-0797: https://gitlab.gnome.org/GNOME/gimp/-/commit/ca449c745d58daa3f4b1ed4c2030d35d401a009d Note that the commit referenced by NVD is incorrect. This commit was identified from the relevant upstream Gitlab issue: https://gitlab.gnome.org/GNOME/gimp/-/issues/15555 CVE-2026-2044: https://gitlab.gnome.org/GNOME/gimp/-/commit/3b5f9ec2b4c03cf4a51a5414f2793844c26747e5 CVE-2026-2045: https://gitlab.gnome.org/GNOME/gimp/-/commit/bb896f67942557658b3fbfc67a1c073775c002c7 CVE-2026-2047: https://gitlab.gnome.org/GNOME/gimp/-/commit/5873e16f80cf4152d25a4c86b08553008a331e90 CVE-2026-2048: https://gitlab.gnome.org/GNOME/gimp/-/commit/fa69ac5ec5692f675de5c50a6df758f7d3e45117 Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* gnome-shell: ignore CVE-2021-3982Gyorgy Sarvari2026-03-061-0/+1
| | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3982 The vulnerability is about a privilege escalation, in case the host distribution sets CAP_SYS_NICE capability on the gnome-shell binary. OE distros don't do that, and due to this this recipe is not affected by this issue. The CVE is ignored. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* libjxl: upgrade 0.11.1 -> 0.11.2Ankur Tyagi2026-03-061-2/+2
| | | | | | | | | | | | | - fix tile dimension in low memory rendering pipeline (CVE-2025-12474) - fix number of channels for gray-to-gray color transform (CVE-2026-1837) - djxl: reject decoding JXL files if "packed" representation size overflows size_t https://github.com/libjxl/libjxl/releases/tag/v0.11.2 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* protobuf: ignore CVE-2026-0994Gyorgy Sarvari2026-03-061-0/+2
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994 The vulnerability impacts only the python bindings of protobuf, which is in a separate recipe (python3-protobuf, where it is patched). Ignore this CVE in this recipe due to this. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* postgresql: upgrade 17.7 -> 17.8Ankur Tyagi2026-03-067-21/+15
| | | | | | | | | | | | | | | License-Update: Update license year to 2026 Refreshed patches for version 17.8 Includes fix for CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006 Release Notes: https://www.postgresql.org/docs/release/17.8/ Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* openjpeg: patch CVE-2023-39327Gyorgy Sarvari2026-03-062-0/+51
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39327 Take the patch that is used by OpenSUSE to mitigate this vulnerability. Upstream seems to be unresponsive to this issue. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-04-22 00:59:26 +0000