summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* python3-django: fix intendation error in CVE patchGyorgy Sarvari2026-01-151-9/+9
| | | | | | | | | This change is for python3-django_2.2.28. This patch contains an incorrect intendation, making the tests fail. This change fixes that. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: Fix missing JSONField in django.db.modelsHaixiao Yan2026-01-152-0/+78
| | | | | | | | | | | | | | | | Fix the following error introduced by CVE-2024-42005.patch: AttributeError: module 'django.db.models' has no attribute 'JSONField' The patch assumes JSONField is available from django.db.models, which is not the case for this Django version. Revert the changes in the following files to restore compatibility: tests/expressions/models.py tests/expressions/test_queryset_values.py Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: Fix undefined _lazy_re_compileHaixiao Yan2026-01-152-0/+50
| | | | | | | | | | Fix the following error introduced by CVE-2024-27351.patch and CVE-2025-32873.patch: NameError: name '_lazy_re_compile' is not defined Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* libsodium: patch CVE-2025-69277Peter Marko2026-01-122-0/+63
| | | | | | | | | Pick patch per [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-69277 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* memcached: ignore disputed CVE-2022-26635Peter Marko2026-01-091-0/+3
| | | | | | | | | | | | | | | | | | | Per [1] this is a problem of applications using memcached inproperly. This should not be a CVE against php-memcached, but for whatever software the issue was actually found in. php-memcached and libmemcached provide a VERIFY_KEY flag if they're too lazy to filter untrusted user input. [1] https://github.com/php-memcached-dev/php-memcached/issues/519 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 889ccce6848276fa68b3736b345552a533bc6bd2) Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* wireshark: ignore CVE-2024-24476, CVE-2024-24478 and CVE-2024-24479Gyorgy Sarvari2026-01-091-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-24476 https://nvd.nist.gov/vuln/detail/CVE-2024-24478 https://nvd.nist.gov/vuln/detail/CVE-2024-24479 Upstream disputes all three vulnerabilities[1]. Looking at the history, even though they were valid issues for some period of time, none of them made it to an actual stable release: the vulnerabilities were caused, caught and fixed in the same development cycle between two releases. CVE-2024-24476: vulnerability introduced with[2], fixed with[3] CVE-2024-24478: vulnerability introduced with[4], fixed with[5] CVE-2024-24479: vulnerability introduced with[6], fixed with[7] Ignore all three of these vulnerabilities, as they are not present in the used recipe version. [1]: https://www.wireshark.org/docs/relnotes/wireshark-4.2.4.html [2]: https://github.com/wireshark/wireshark/commit/395e3b6cb595bfc610f3c26e7e9eb1f8729fd952 [3]: https://github.com/wireshark/wireshark/commit/108217f4bb1afb8b25fc705c2722b3e328b1ad78 [4]: https://github.com/wireshark/wireshark/commit/a9a62ff576ae79e0d6afb3214a5d409ec4cdf9d7 [5]: https://github.com/wireshark/wireshark/commit/80a4dc55f4d2fa33c2b36a99406500726d3faaef [6]: https://github.com/wireshark/wireshark/commit/53ec634ac2bf5f87a594aa72f16ca21c25a146a9 [7]: https://github.com/wireshark/wireshark/commit/c3720cff158c265dec2a0c6104b1d65954ae6bfd Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* wireshark: upgrade 3.4.12 -> 3.4.16Gyorgy Sarvari2026-01-092-147/+1
| | | | | | | | | | | | | | These are all bugfix releases. Drop CVE-2022-3190.patch, as it is included in 3.4.16. Changelogs: 3.4.13: https://www.wireshark.org/docs/relnotes/wireshark-3.4.13.html 3.4.14: https://www.wireshark.org/docs/relnotes/wireshark-3.4.14.html 3.4.15: https://www.wireshark.org/docs/relnotes/wireshark-3.4.15.html 3.4.16: https://www.wireshark.org/docs/relnotes/wireshark-3.4.16.html Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* wireshark: fix CVE-2025-11626Hitendra Prajapati2026-01-092-0/+100
| | | | | | | Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/513e5d49724f4a0695c5d2a08ce422c09cb999c8 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-tqdm: patch CVE-2024-34062Gyorgy Sarvari2026-01-082-0/+65
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-34062 Pick the patch mentioned by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-tornado: patch CVE-2024-52804Gyorgy Sarvari2026-01-082-1/+145
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-52804 Pick the patch mentioned by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-tornado: patch CVE-2023-28370Gyorgy Sarvari2026-01-082-0/+40
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28370 The NVD advisory mentions that the vulnerability was fixed in v6.3.2. I checked the commits in that tag, and picked the only one that's commit message described the same vulnerability as the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* openflow: don't overwrite CVE_CHECK_IGNOREGyorgy Sarvari2026-01-081-4/+4
| | | | | | | | | | The recipe contains two CVE_CHECK_IGNORE declarations, and the second one overwrites the first one - however the first one is also important. Instead of overwriting it, just append them to each other. Also, move the operations closer to each other, so it's easier to see what's going on. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* php: ignore CVE-2024-3566Jeroen Hofstee2026-01-081-0/+1
| | | | | | | | | | | CVE-2024-3566 only effects Microsoft Windows. Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d68c56e1ed2adc8246a18424ed5d9ede5e8254a0) Adapted to Kirkstone. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* net-snmp: Fix for CVE-2025-68615Vijay Anusuri2026-01-082-0/+34
| | | | | | | | | Upstream-Status: Backport from https://github.com/net-snmp/net-snmp/commit/b4e6f826d9ddcc2d72eac432746807e1234266db Reference: https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-m2crypto: ignore CVE-2009-0127Gyorgy Sarvari2026-01-081-0/+3
| | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127 The vulnerability is disputed[1] by upstream: "There is no vulnerability in M2Crypto. Nowhere in the functions are the return values of OpenSSL functions interpreted incorrectly. The functions provide an interface to their users that may be considered confusing, but is not incorrect, nor it is a vulnerability." [1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-waitress: patch CVE-2024-49769Gyorgy Sarvari2026-01-087-0/+406
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49769 Pick the patch that is referenced in the NVD report (which is a merge commit. The patches here are the individual patches from that merge). Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-waitress: patch CVE-2024-49768Gyorgy Sarvari2026-01-085-0/+350
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49768 Pick the patch mentioned in the NVD report (which is a merge commit, and the patches here are the individual commits from that merge) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-werkzeug: ignore CVE-2024-49766 and CVE-2025-66221Gyorgy Sarvari2026-01-081-0/+3
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49766 https://nvd.nist.gov/vuln/detail/CVE-2025-66221 Both vulnerabilities affect Windows only - ignore them. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-waitress: upgrade 2.1.1 -> 2.1.2wangmy2026-01-081-1/+1
| | | | | | | | | | | | Remove change of default for clear_untrusted_proxy_headers Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit ef4e48c7a06b16755181a11d1d2d0d823353a95d) Contains fix for CVE-2022-31015 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* Add missing HOMEPAGEs to xfce recipesJason Schonberg2026-01-0810-0/+10
| | | | | | | | Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 4d964d4d79388c8c2db8d8a3fec029a656f9f937) Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-mpmath: patch CVE-2021-29063Gyorgy Sarvari2026-01-082-0/+52
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29063 Pick the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-pyjwt: patch CVE-2022-29217Gyorgy Sarvari2026-01-082-0/+296
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2022-29217 Pick the patch referenced by the NVD advsory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-joblib: upgrade 1.1.0 -> 1.1.1Gyorgy Sarvari2026-01-081-1/+1
| | | | | | The only change is a fix for CVE-2022-21797 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-ipython: patch CVE-2023-24816Gyorgy Sarvari2026-01-082-0/+95
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24816 Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* tinyproxy: patch CVE-2025-63938Gyorgy Sarvari2026-01-082-0/+42
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938 Pick the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-flask: patch CVE-2023-30861Gyorgy Sarvari2026-01-082-0/+95
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30861 Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-configobj: patch CVE-2023-26112Gyorgy Sarvari2026-01-082-1/+27
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112 Pick the patch that resolves the issue referenced in the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-cbor2: ignore CVE-2025-64076Gyorgy Sarvari2026-01-081-0/+3
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64076 The vunerability was introduced in v5.6.0[1], the recipe version doesn't contain the vulnerable piece of code. [1]: https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-protobuf: set CVE_PRODUCTPeter Marko2026-01-081-0/+2
| | | | | | | | | Similarly to c++ protobuf, add products matching historical entries. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit ae7556a737f7d21b0e345226fdab4a286d2f85db) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python-grpcio(-tools): add grpc:grpc to cve productPeter Marko2026-01-082-0/+4
| | | | | | | | | | | | | | | | | | | | | These grpc python modules contain parts of grpc core. Each CVE needs to be assessed if the patch applies also to core parts included in each module. Note that so far there was never a CVE specific for python module, only for grpc:grpc and many of those needed to be fixed at leasts in grpcio: sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product; grpc|grpc|21 grpck|grpck|1 linuxfoundation|grpc_swift|9 microsoft|grpconv|1 opentelemetry|configgrpc|1 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f993cb2ecb62193bcce8d3d0e06e180a7fef44b8) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* lldpd: patch CVE-2021-43612Gyorgy Sarvari2026-01-082-6/+99
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2021-43612 Pick the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* spitools: upgrade 1.0.1 -> 1.0.2Gyorgy Sarvari2026-01-081-2/+2
| | | | | | | | | | This is a bugfix release, with some ioctl handling fixes. Changelog: - Adjust the handling of SPI_IOC_RD_LSB_FIRST ioctl call - Parameter for SPI_IOC_WR_LSB_FIRST ioctl is {0, 1}. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* tree: upgrade 2.0.2 -> 2.0.4Gyorgy Sarvari2026-01-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: 2.0.4: - Fix missing comma in JSON output. 2.0.3: - Fix segfault when filelimit is used and tree encounters a directory it cannot enter. - Use += when assigning CFLAGS and LDFLAGS in the Makefile allowing them to be modified by environment variables during make. (Ben Brown) Possibly assumes GNU make. - Fixed broken -x option (stops recursing.) - Fix use after free (causing segfault) for dir/subdir in list.c - Fixes for .gitignore functionality - Fixed * handing in patmatch. Worked almost like ** before, now properly stops at /'s. These issues were the result of forgetting that patmatch() was just to match filenames to patterns, not paths. - Patterns starting with / are actually relative to the .gitignore file, not the root of the filesystem, go figure. - Patterns without /'s in .gitignore apply to any file in any directory under the .gitignore, not just the .gitignore directory - Remove "All rights reserved" from copyright statements. A left-over from trees original artistic license. - Add in --du and --prune to --help output - Fixed segfault when an unknown directory is given with -X - Fixed output up for -X and -J options. - Remove one reference to strnlen which isn't necessary since it may not be available on some OS's. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* usb-modeswitch: upgrade 2.6.0 -> 2.6.2Gyorgy Sarvari2026-01-081-2/+1
| | | | | | | | | | | | | | Changelog: 2.6.2: - Bug in C code (with gcc 1.5) fixed 2.6.1: - Wrapper now handles devices with non-continuous interface numbering: www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?f=2&t=2915&p=19605 - catch error with retrieving the active configuration, exit gracefully: https://bugs.launchpad.net/bugs/1880191 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* xdg-user-dirs: upgrade 0.17 -> 0.18Gyorgy Sarvari2026-01-081-2/+1
| | | | | | | | | Changelog: - Fixed minor leak - Documentation fixes - Updated translations Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* recipes-core/toybox: Switch SRC_URI to HTTPS for reliable fetchSanjay Chitroda2026-01-081-1/+1
| | | | | | | | | The upstream site (landley.net) serves inconsistent content when using HTTP, causing checksum mismatches during do_fetch. Using HTTPS ensures stable downloads and resolves checksum failures. Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* netdata: ignore CVE-2024-32019Gyorgy Sarvari2026-01-081-0/+3
| | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32019 The vulnerability affects the ndsudo binary, part of netdata. This binary was introduced in version 1.45.0[1], and the recipe contains v1.34.1 - which is not vulnerable yet. Ignore the CVE due to this. [1]: https://github.com/netdata/netdata/commit/0c8b46cbfd05109a45ee4de27f034567569fa3fa Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* nodejs: ignore CVE-2024-36137Gyorgy Sarvari2026-01-081-1/+1
| | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36137 The vulnerability affects the permission model, which was introduced[1] in v20 - the recipe version isn't vulerable yet. [1]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* nodejs: ignore CVE-2024-3566 and CVE-2024-36138Gyorgy Sarvari2026-01-081-0/+3
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-3566 https://nvd.nist.gov/vuln/detail/CVE-2024-36138 This vulnerabilities affect Windows only. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* sassc: ignore CVE-2022-43357Peter Marko2026-01-081-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | This CVE is fixed in current libsass recipe version. So wrapper around it will also not show this problem. It's usual usecase is to be statically linked with libsass which is probably the reason why this is listed as vulnerable component. [1] links [2] as issue tracker which points to [3] as fix. [4] as base repository for the recipe is not involved and files from [3] are not present in this repository. [1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357 [2] https://github.com/sass/libsass/issues/3177 [3] https://github.com/sass/libsass/pull/3184 [4] https://github.com/sass/sassc/ Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 576b84263bac4dda26d84d116a9e7628a126f866) Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE) Kirkstone has also the fixed libsass version (3.6.6), the CVE can be considered fixed. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* phpmyadmin: ignore CVE-2020-22452Gyorgy Sarvari2026-01-081-0/+3
| | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2020-22452 The fix is present in the recipe version (5.1.4)[1] [1]: https://github.com/phpmyadmin/phpmyadmin/pull/16004/commits/ca42395ee4b2936d3702524f8fb8bec1e9502bc7 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* nodejs: patch CVE-2024-27983Gyorgy Sarvari2026-01-082-0/+41
| | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-27983 Pick the patch that mentions this CVE ID explcitly in its commit message. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* nodejs: ignore CVE-2024-22017Gyorgy Sarvari2026-01-081-0/+3
| | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-22017 The vulnerability is related to the io_uring usage of libuv. Libuv first introduced io_uring support in v1.45[1]. oe-core ships a non-vulnerable version (1.44.2), and nodejs vendors also an older version (1.43). Mark this CVE as ignored for this recipe version. [1]: https://github.com/libuv/libuv/commit/d2c31f429b87b476a7f1344d145dad4752a406d4 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* nodejs: patch CVE-2023-39333Gyorgy Sarvari2026-01-082-0/+58
| | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39333 Backport the patch that mentions this CVE ID explicitly in its commit message. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* nodejs: ignore CVE-2023-30583, CVE-2023-30584 and CVE-2023-30587Gyorgy Sarvari2026-01-081-0/+3
| | | | | | | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30583 https://nvd.nist.gov/vuln/detail/CVE-2023-30584 https://nvd.nist.gov/vuln/detail/CVE-2023-30587 None of these vulnerabilities are present in the recipe version. CVE-2023-30583: While the main feature (blob) was intruced in v16, the vulnerable code (load blobs from file) was introduced in v20[1], and as such, the vulnerability is not present in the recipe version. CVE-2023-30584, CVE-2023-30587: The whole vulnerable feature (permission model) was introduced[2] in v20. Ignore these CVE IDs. [1]: https://github.com/nodejs/node/commit/950cec4c2642c15e2913f35babadda56c1d8a723 [2]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* fio: ignore CVE-2025-10824Gyorgy Sarvari2026-01-081-0/+3
| | | | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824 The upstream maintainer wasn't able to reproduce the issue[1], and the related bug is closed without further action. [1]: https://github.com/axboe/fio/issues/1981 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a275078cbeaa0fafcfa4eb60ca69f05a8fe3df99) Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_STATUS) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: ignore CVE-2024-22199Gyorgy Sarvari2026-01-081-0/+2
| | | | | | | | | This CVE is not for python-django, but for some go project which shares the same name. Ignore this CVE due to this. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* proftpd: set status of CVE-2001-0027Peter Marko2026-01-081-0/+3
| | | | | | | | | | | | | | | | | | | | | | | This ancient CVE [1] is unversioned ("*") in NVD DB. "mod_sqlpw module in ProFTPD does not reset a cached password..." Looking at history and changelog, the module was removed [2] around the time when this CVE was published, likely as reaction to this CVE. "mod_sqlpw.c, mod_mysql.c and mod_pgsql.c have been REMOVED from the distribution. They are currently unmaintained and have numerous bugs." Note: It was later re-introduced as mod_sql when it got fixed under new maintainer. [1] https://nvd.nist.gov/vuln/detail/CVE-2001-0027 [2] https://github.com/proftpd/proftpd/blob/v1.3.8b/NEWS#L3362 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 03a1b56bc7ce88a3b0ad6790606b0498899cc1e3) Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* civetweb: patch CVE-2025-9648Ankur Tyagi2026-01-082-0/+235
| | | | | | | | | | | | Details https://nvd.nist.gov/vuln/detail/CVE-2025-9648 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit eb338ebb606f22363be5b4114e25a10b494b4f55) Rebased patch on Kirkstone's civetweb. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* atop: patch CVE-2025-31160Gyorgy Sarvari2026-01-082-0/+608
| | | | | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31160 Backport the patch that's subject references the CVE id explicitly. I was able to verify the patch with a reproducer[1] (which is mentioned in a reference[2] in the nvd report). Without the patch atop crashed, with the patch it worked fine (both with and without -k/-K flags). [1]: https://blog.bismuth.sh/blog/bismuth-found-the-atop-bug [2]: https://gist.github.com/kallsyms/3acdf857ccc5c9fbaae7ed823be0365e Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>