summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* jq: upgrade 1.8.0 -> 1.8.1Wang Mingyu2025-09-071-3/+3
| | | | | | | | | License-Update: Add LICENSE notice of NetBSD's strptime() to COPYING Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* jq: Add tzdata to ptest rdepsKhem Raj2025-09-071-0/+2
| | | | | | | | This is needed for some ptests to pass Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libvncserver: fix generated LibVNCServerTargets.cmakeMarc Ferland2025-09-071-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The currently generated LibVNCServerTargets.cmake will include the following 'set_target_properties': set_target_properties(LibVNCServer::vncclient PROPERTIES INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include" INTERFACE_LINK_LIBRARIES "systemd;/usr/lib/libz.so;/usr/lib/liblzo2.so;/usr/lib/libjpeg.so;/usr/lib/libgcrypt.so;/usr/lib/libgnutls.so" ) INTERFACE_LINK_LIBRARIES here points to absolute paths which hardcodes the library paths. From CMake doc [1]: Note that it is not advisable to populate the INTERFACE_LINK_LIBRARIES of a target with absolute paths to dependencies. That would hard-code into installed packages the library file paths for dependencies as found on the machine the package was made on. This breaks krfb build (kde desktop sharing server) since CMake cannot find these libraries. Removing the absolute paths solves the issue. Note: I also added a 'inherit pkgconfig' since libvncserver uses it to detect libsystemd presence. 1: https://cmake.org/cmake/help/latest/prop_tgt/INTERFACE_LINK_LIBRARIES.html Signed-off-by: Marc Ferland <marc.ferland@sonatest.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 215694286716cf83bf9e52c5e61b4cbc861098fc) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* freerdp3: add bindir to SYSROOT_DIRSMarc Ferland2025-09-071-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is required in order to build krdp (KDE's remote desktop integration). The do_configure task for krdp expects both 'winpr-makecert3' and 'winpr-hash3' to be present, failure to do so results in: | CMake Error at /path/to/krdp/6.4.4/recipe-sysroot/usr/lib/cmake/WinPR3/WinPRTargets.cmake:98 (message): | The imported target "winpr-makecert" references the file | | "/path/to/krdp/6.4.4/recipe-sysroot/usr/bin/winpr-makecert3" | | but this file does not exist. Possible reasons include: | | * The file was deleted, renamed, or moved to another location. | | * An install or uninstall procedure did not complete successfully. | | * The installation package was faulty and contained | | "/path/to/6.4.4/recipe-sysroot/usr/lib/cmake/WinPR3/WinPRTargets.cmake" | | but not all the files it references. | | Call Stack (most recent call first): | /path/to/krdp/6.4.4/recipe-sysroot/usr/lib/cmake/WinPR3/WinPRConfig.cmake:44 (include) | /path/to/krdp/6.4.4/recipe-sysroot-native/usr/share/cmake-3.31/Modules/CMakeFindDependencyMacro.cmake:76 (find_package) | /path/to/krdp/6.4.4/recipe-sysroot/usr/lib/cmake/FreeRDP3/FreeRDPConfig.cmake:2 (find_dependency) | CMakeLists.txt:45 (find_package) | | | -- Configuring incomplete, errors occurred! Signed-off-by: Marc Ferland <marc.ferland@sonatest.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6c30f47645c3c16b81801d4427d04c2385daa4cd) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* nginx: patch CVE-2025-53859Peter Marko2025-09-072-0/+132
| | | | | | | | | Pick patch from nginx site which is also mentioned in [1]. [1] https://security-tracker.debian.org/tracker/CVE-2025-53859 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-protobuf: upgrade from 5.29.4 to 5.29.5Chen Qi2025-09-071-1/+1
| | | | | | | | | protobuf is upgraded from 5.29.4 to 5.29.5. Upgrade python3-protobuf to sync. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* protobuf: upgrade from 5.29.4 to 5.29.5Chen Qi2025-09-071-1/+1
| | | | | | | | | | | | This is a small version bump. It includes to following two commits to fix CVE-2025-4565. 05ba1a810 Add recursion depth limits to pure python 1ef3f01c4 Internal pure python fixes Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* lcov: Add missing RDEPENDS for nativesdkJef Driesen2025-09-071-0/+6
| | | | | | | | | | When building an SDK with lcov included, gcov isn't included in the SDK by default. Running lcov to generate coverage fails, because it tries to use the gcov binary from the host system instead and that cause problems if the gcc versions do not match. Signed-off-by: Jef Driesen <jefdriesen@telenet.be> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* postgresql: upgrade 17.5 -> 17.6Yogita Urade2025-09-072-5/+5
| | | | | | | | | | | | | | | Includes fix for CVE-2025-8713, CVE-2025-8714, CVE-2025-8715 License-Update: Align organization wording in copyright statement Changelog: https://www.postgresql.org/docs/release/17.6/ Refreshed 0003-configure.ac-bypass-autoconf-2.69-version-check.patch for 17.6 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* fcgi: patch CVE-2025-23016Peter Marko2025-09-072-0/+41
| | | | | | | Pick commit referencing this CVE. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* fontforge: patch CVE-2024-25081 and CVE-2024-25082Peter Marko2025-09-072-0/+182
| | | | | | | | | | | | | Pick commit from PR [1] linked from [2] and [3] which mlso entions both these CVEs. [1] https://github.com/fontforge/fontforge/pull/5367 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-25081 [3] https://nvd.nist.gov/vuln/detail/CVE-2024-25082 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libbpf: patch CVE-2025-29481Peter Marko2025-09-072-0/+103
| | | | | | | | | | | Backport patch which mentions PoC [1] which is also linked from [2]. [1] https://github.com/libbpf/libbpf/commit/806b4e0a9f658d831119cece11a082ba1578b800 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-29481 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* corosync: patch CVE-2025-30472Peter Marko2025-09-072-0/+70
| | | | | | | | | | | | Pick commit from [1] mentioned in [2] from [3] [1] https://github.com/corosync/corosync/issues/778 [2] https://github.com/corosync/corosync/pull/779 [3] https://nvd.nist.gov/vuln/detail/CVE-2025-30472 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* corosync: upgrade 3.1.6 -> 3.1.9Peter Marko2025-09-071-7/+3
| | | | | | | | | | | | dbus dir was changed from sysconfdir to datadir drop unused configure code License-Update: copyright years refreshed Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* corosync: fix upstream version checkPeter Marko2025-09-071-3/+3
| | | | | | | | | | | | | | | github-releases is needed that it work at all: ERROR: Automatic discovery of latest version/revision failed - you must provide a version using the --version/-V option, or for recipes that fetch from an SCM such as git, the --srcrev/-S option. UPSTREAM_CHECK_GITTAGREGEX is needed to get correct version, otherwise: $ devtool latest-version corosync ... INFO: Current version: 3.1.6 INFO: Latest version: 414.336.75.75.75 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libssh: upgrade 0.11.1 -> 0.11.2Wang Mingyu2025-09-071-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Security: * CVE-2025-4877 - Write beyond bounds in binary to base64 conversion * CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file() * CVE-2025-5318 - Likely read beyond bounds in sftp server handle management * CVE-2025-5351 - Double free in functions exporting keys * CVE-2025-5372 - ssh_kdf() returns a success code on certain failures * CVE-2025-5449 - Likely read beyond bounds in sftp server message decoding * CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL * Compatibility * Fixed compatibility with CPM.cmake * Compatibility with OpenSSH 10.0 * Tests compatibility with new Dropbear releases * Removed p11-kit remoting from the pkcs11 testsuite * Bugfixes * Implement missing packet filter for DH GEX * Properly process the SSH2_MSG_DEBUG message * Allow escaping quotes in quoted arguments to ssh configuration * Do not fail with unknown match keywords in ssh configuration * Process packets before selecting signature algorithm during authentication * Do not fail hard when the SFTP status message is not sent by noncompliant servers Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* iperf3: Fix CVE-2025-54349Jinfeng Wang2025-09-062-0/+99
| | | | | | | | | | Pick commit [1] as listed in [2]. [1] https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-54349 Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* c-ares: backport a patch for a memory leakJason Schonberg2025-09-062-0/+22
| | | | | Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* CVE-2025-53643.patch: Add CVE IDRobert Yang2025-09-061-0/+2
| | | | | Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* poppler: upgrade 25.06.0 -> 25.08.0Yogita Urade2025-09-061-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This upgrade includes fix for CVE-2025-50420. poppler 25.08.0 changelog: ========================== core: * FormWidgetSignature::signDocumentWithAppearance: add imagePath parameter * Fix parsing Distinguished Names that end with a hex string * Fix crashes in malformed documents glib: * Add poppler_page_render_transparent_selection() * Add missing since to the documentation poppler 25.07.0 changelog: ========================== core: * Changed rendering of malformed documents to mimic what Adobe Reader does. Issue #1602 * Improvemenst in signature validation in the NSS backend * Add more detailed output when signing fails * Internal code improvements * Fix crashes in malformed documents utils: * pdfsig: command line option for allowing PGP signatures in GnuPG backend Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* softhsm: switch source to GitHub repositoryJiaying Song2025-09-061-2/+3
| | | | | | | | The original source URL is unavailable, so it has been replaced with the official GitHub repository. Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* yaffs2-utils: correct the SRC_URIJiaying Song2025-09-061-1/+1
| | | | | Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libconfig: switch source to GitHub repositoryJiaying Song2025-09-061-3/+3
| | | | | | | | | The original tarball URL no longer provides version 1.7.3 or any other historical releases.To ensure reproducible builds, the source has been switched to the official GitHub repository. Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* passwdqc: correct the SRC_URIJiaying Song2025-09-061-1/+1
| | | | | Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* logcheck: correct the SRC_URIJiaying Song2025-09-061-1/+1
| | | | | | | | The original tarball URL is no longer valid, as it has been moved to an archive location. This update points to the new location. Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* debootstrap: correct the SRC_URIJiaying Song2025-09-061-1/+1
| | | | | | | | The original tarball URL is no longer valid, as it has been moved to an archive location. This update points to the new location. Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* php: fix removal of --with-zlib-dir configure optionGijs Peskens2025-09-061-1/+1
| | | | | | | | | | | | | | PHP has removed the --with-zlib-dir configure option since that is now taken over by pkg-config, this breaks building PHP on Walnascar when zip is enabled via PACKAGECONFIG. So remove it. Signed-off-by: Gijs Peskens <gijs.peskens@munisense.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 90fa225b86fa3df35b3273a5522b72e95ae258d7) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* php: upgrade 8.4.8 -> 8.4.10Jason Schonberg2025-09-061-1/+1
| | | | | | | | | | | | | | | This is a security update. There are fixes for memory leaks, segfaults and CVEs. CVE-2025-1735 CVE-2025-1220 CVE-2025-6491 Changelog: https://www.php.net/ChangeLog-8.php#8.4.10 Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* php: upgrade 8.4.6 -> 8.4.8Jason Schonberg2025-09-061-2/+2
| | | | | | | | Changelog: https://www.php.net/ChangeLog-8.php#8.4.8 Changelog: https://www.php.net/ChangeLog-8.php#8.4.7 Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* php: sort PACKAGECONFIG optionsJeroen Hofstee2025-09-061-12/+10
| | | | | | | | | | | | This backports commit bb896f6b6f92 ("php: sort PACKAGECONFIG options"), which was missing in 8.4.5 and helps in reducing unnecessary diffs in future upgrades. Reference: https://git.openembedded.org/meta-openembedded/commit/meta-oe?id=bb896f6b6f92863e8f5c49e5a1f7d9bcb2578db0 Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-moteus: upgrade 0.3.88 -> 0.3.89Richard Leitner2025-09-061-1/+1
| | | | | | | | | | | | | | | | | | | Update python3-moteus to the latest release. Since no formal changelog is available, here's the git shortlog of the moteus python library [1] for the corresponding release: Josh Pieper (2): Add some more register definitions Add --version options to moteus_tool and tview [1] https://github.com/mjbots/moteus/commits/main/lib/python Signed-off-by: Richard Leitner <dev@g0hl1n.net> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 0285799f54661ceb649c8a7d9d4e0522d615a1aa) Signed-off-by: Richard Leitner <dev@g0hl1n.net> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* v4l-utils: Fix QA and build errors related to _TIME_BITS on 32-bitJiaying Song2025-09-062-4/+39
| | | | | | | | | | | | | | * Remove GLIBC_64BIT_TIME_FLAGS="" to enable _TIME_BITS=64 by default, which avoids the following QA issue during builds on 32-bit systems: WARNING: lib32-v4l-utils-1.24.1+git-r0 do_package_qa: QA Issue: /usr/bin/cec-compliance uses 32-bit api 'time' * Undefine _TIME_BITS to fix the build error: /usr/include/features-time64.h:26:5: error: #error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64" Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* wxwidgets: fix CVE-2024-58249Zhang Peng2025-09-062-0/+179
| | | | | | | | | | | | | | CVE-2024-58249: In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-58249] Upstream patches: [https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* thin-provisioning-tools: fix bindgen build error with clang on octeontx2Bo Sun2025-09-061-1/+4
| | | | | | | | | | | | | | | | Remove unsupported '-mcpu=octeontx2+crypto' from BINDGEN_EXTRA_CLANG_ARGS as clang does not recognize 'octeontx2' as a valid target CPU, causing bindgen to fail when generating Rust bindings. Since bindgen only parses headers using Clang, CPU-specific options like -mcpu are generally unnecessary. Fixes build failure: | error: unsupported argument 'octeontx2+crypto' to option '-mcpu=' | error: unknown target CPU 'octeontx2' Signed-off-by: Bo Sun <bo.sun.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* apache2: upgrade 2.4.63 -> 2.4.64Wang Mingyu2025-09-061-1/+1
| | | | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 207b98bcd720fc4253b13284962ea1b0f84bf7e9) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* valkey: upgrade 8.1.1 -> 8.1.3Yi Zhao2025-09-062-2/+2
| | | | | | | | | | | | | | ChangeLog: https://github.com/valkey-io/valkey/releases/tag/8.1.2 https://github.com/valkey-io/valkey/releases/tag/8.1.3 Security fixes: CVE-2025-27151 CVE-2025-32023 CVE-2025-48367 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* ][PATCH] ufs-utils: fix crash for ufs-utils list_bsgwalnascar-nextYi Zhao2025-07-272-0/+40
| | | | | | | | | | | | | | | | | The full_path buffer in find_bsg_device function consists of: path + '/' + files->d_name + '\0' So the buffer size should be: strlen(path) + strlen(files->d_name) + 2, not: strlen(path) + strlen(files->d_name) + 1. Backport a patch to fix crash when running 32-bit binary on 64-bit system: $ ufs-utils list_bsg malloc(): invalid next size (unsorted) Aborted (core dumped) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mariadb: upgrade 11.4.5 -> 11.4.6Yogita Urade2025-07-276-80/+16
| | | | | | | | | | | | | | | | This upgrade includes fix for CVE-2023-52971 Changelog: https://mariadb.com/kb/en/mariadb-11-4-6-changelog/ refresh 0001-Add-missing-includes-cstdint-and-cstdio.patch Droped 3871.patch and mm_malloc.patch as these are available in 11.4.6 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mbedtls: upgrade 3.6.3.1 -> 3.6.4gudni2025-07-271-2/+2
| | | | | | | | | | | | | | | | | | | | Fixes several security vulnerabilities: CVE-2025-49601, CVE-2025-49600, CVE-2025-52496, CVE-2025-47917, CVE-2025-48965, CVE-2025-52497, and CVE-2025-49087 The framework directory has been changed into a git submodule.[1][2] The recipe now uses Git Submodule Fetcher (gitsm) Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4 [1] https://github.com/Mbed-TLS/mbedtls/commit/8cf5666a174237998a7965e284d7ba8c1655d16d [2] https://github.com/Mbed-TLS/mbedtls/commit/c90c6d8ff787ab8787d9373b0e662a95ed1f4dae Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mbedtls: upgrade 3.6.3 -> 3.6.3.1Wang Mingyu2025-07-271-3/+4
| | | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-aiohttp: fix CVE-2025-53643Jiaying Song2025-07-272-0/+528
| | | | | | | | | | | | | | | | | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-53643 Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-tornado: upgrade 6.4.2 -> 6.5Praveen Kumar2025-07-271-1/+1
| | | | | | | | Changelog: https://github.com/tornadoweb/tornado/releases/tag/v6.5.0 Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* syslog-ng: upgrade 4.8.1 -> 4.8.2Praveen Kumar2025-07-271-1/+1
| | | | | | | | | | Includes fix for CVE-2024-47619 Release notes: https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2 Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* poco: patch CVE-2025-6375Peter Marko2025-07-272-0/+35
| | | | | | | | | Pick commit mentioned in [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-6375 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* minifi-cpp: patch spdlog CVE-2025-6140Peter Marko2025-07-272-0/+47
| | | | | | | Same patch as in spdlog recipe. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* spdlog: patch CVE-2025-6140Peter Marko2025-07-272-1/+49
| | | | | | | | | | | Pick commit [1] mentioned in [2] as listed in [3]. [1] https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094 [2] https://github.com/gabime/spdlog/issues/3360 [3] https://nvd.nist.gov/vuln/detail/CVE-2025-6140 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libcoap: patch CVE-2024-31031Peter Marko2025-07-272-0/+83
| | | | | | | | | | | | Pick commit [1] from [2] which fixes [3] as listed in [4]. [1] https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928 [2] https://github.com/obgm/libcoap/pull/1352 [3] https://github.com/obgm/libcoap/issues/1351 [4] https://nvd.nist.gov/vuln/detail/CVE-2024-31031 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* poppler: upgrade 25.04.0 -> 25.06.0Yogita Urade2025-07-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Includes fix for CVE-2025-52886 poppler 25.06.0 changelog: ========================== core: * Fix writing dates back to file * Internal code improvements * Fix crashes in malformed documents glib: * Add the ink annotation type * Add missing autopointers definitions utils: * pdfsig: Add assert-signer feature * pdfsig: Return error code on error poppler 25.05.0 changelog: ========================== core: * Fix re-fetching after xref reconstruction. Issue #1584 * Fix compilation with ENABLE_ZLIB_UNCOMPRESS=ON * Various annotation improvements. Issues #642, #1558, #1055 * CairoFontEngine: invalidate broken embedded fonts. Issue #1453 * Splash: Performance improvements * Internal code improvements glib: * Small signature improvements Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* xmlsec1: fix build with gnutls or openssl PACKAGECONFIG not enabledMartin Jansa2025-07-271-1/+1
| | | | | | | | | | the .pc files might not be installed based on the PACKAGECONFIG value fixes: https://git.openembedded.org/meta-openembedded/commit/?id=cce20b5124e28ee55adf03fe062084f38d065580 Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* udisks2: Hardening measure of CVE-2025-6019Changqing Li2025-07-062-0/+52
| | | | | | | | | | | | Refer [1], CVE-2025-6019 is strongly related to udisk daemon, and this is a hardening measure related to this. [1] https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt [2] https://security-tracker.debian.org/tracker/CVE-2025-6019 [3] https://ubuntu.com/blog/udisks-libblockdev-lpe-vulnerability-fixes-available Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>