Mirror of git.yoctoproject.org/meta-virtualization https://git.enea.com/cgit/linux/meta-virtualization.git/atom?h=master-next 2026-04-21T13:11:11+00:00 2026-04-21T13:11:11+00:00 Himanshu Jadon hjadon@cisco.com 2026-04-21T02:43:58+00:00 urn:sha1:f8bbbf1f7d7b5c7ef6b2c9c86a93cb44524bc740 CVE_PRODUCT has been set to docker:registry to align with the NVD CPE product namespace for the distribution/registry codebase. Only a single CPE entry exists in the NVD for this product: cpe:2.3:a:docker:registry This ensures CVEs tracked for docker registry are matched for this recipe. Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> 2026-03-26T15:54:03+00:00 Bruce Ashfield bruce.ashfield@gmail.com 2026-03-26T14:25:30+00:00 urn:sha1:5ccb61a7a67d4f4e9a31301630a3224076bcc4b4 Update all active Go library recipes to their latest releases: - go-md2man: 1.0.10 → 2.0.7 (update GO_IMPORT for v2 module path) - go-cli: 1.1.0 → 2.27.7 (moved to github.com/urfave/cli/v2) - go-connections: 0.2.1 → 0.6.0 - go-dbus: 4.0.0 → 5.2.2 (update GO_IMPORT for v5 module path) - go-distribution: 2.6.0 → 3.0.0 (repo moved to distribution/distribution) - go-fsnotify: 1.5.1 → 1.9.0 - go-logrus: 0.11.0 → 1.9.4 - go-mux: unversioned → 1.8.1 - go-patricia: 2.2.6 → 2.3.3 - go-systemd: 4 → 22.7.0 (update GO_IMPORT for v22 module path) - grpc-go: 1.59.0 → 1.79.3 Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> 2026-03-26T14:15:15+00:00 Bruce Ashfield bruce.ashfield@gmail.com 2026-03-26T14:15:15+00:00 urn:sha1:ce4a0ce9006998863a7cb50ac2eee67d06ba3c08 Remove Go library recipes for projects that are archived, deprecated, or otherwise dead upstream: - go-capability: No releases ever published, community moved to github.com/moby/sys/capability - go-context: Superseded by Go stdlib context.Context (since Go 1.7) - go-libtrust: Archived on GitHub, no releases ever published - go-metalinter: Archived and deprecated since 2019, replaced by golangci-lint - go-pty: Archived since 2020, moved to github.com/creack/pty None of these are referenced as build dependencies by any recipe in meta-virtualization. External consumers should migrate to the upstream-recommended replacements. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> 2026-02-26T01:05:01+00:00 Bruce Ashfield bruce.ashfield@gmail.com 2026-02-19T19:14:22+00:00 urn:sha1:ba23ccd3390b7fbebfed641ebfcd978a0ba406dd Update SUMMARY and DESCRIPTION to note that runx is unmaintained (upstream dormant since 2022) and that vxn provides the same Xen DomU container functionality with pluggable hypervisor backends. go-build is the serial FD handler companion to runx and is similarly superseded. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-09-04T01:40:45+00:00 Anil Dongare adongare@cisco.com 2025-08-29T05:22:27+00:00 urn:sha1:23dff61259191a203e92c2f766dccbe44e880aba Upstream Repository: https://github.com/grpc/grpc-go Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-7246 Type: Security Fix CVE: CVE-2024-7246 Score: 6.3 (Medium) Patch: https://github.com/grpc/grpc/issues/36245 Analysis: -CVE-2024-7246 describes an HTTP/2 HPACK header table poisoning issue found in the gRPC C-core implementation (grpc/grpc). -The vulnerability does not apply to the pure Go implementation (grpc-go) used in Yocto (meta-virtualization layer). -Marking as not-applicable-config (implementation difference). -The affected code path is not present in grpc-go.Hence ignoring the CVE for grpc-go. Reference: [1] https://nvd.nist.gov/vuln/detail/CVE-2024-7246 [2] https://github.com/grpc/grpc/issues/36245 [3] Upstream gRPC release notes confirming fixed versions for gRPC C-core (not grpc-go). Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-06-26T02:55:55+00:00 Bruce Ashfield bruce.ashfield@gmail.com 2025-06-26T02:40:08+00:00 urn:sha1:be0039855faef0f996966f3bc195ea418f2a40ab This commit updates the container recipes to the OE core UNPACKDIR changes. - We drop references to WORKDIR - We adjust destsuffix fetches to use BB_GIT_DEFAULT_DESTSUFFIX instead of 'git' - Update our GOPATH references to use UNPACKDIR - Drop S = assignemnts where possible Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-04-18T13:55:58+00:00 Bruce Ashfield bruce.ashfield@gmail.com 2025-04-17T18:39:15+00:00 urn:sha1:050030c8d68194b27c3245af792b553ac6ea6b6d Notary has had the depreciated warning for quite some time, dropping the recipe. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> 2024-11-12T23:14:33+00:00 Martin Jansa martin.jansa@gmail.com 2024-11-11T16:36:28+00:00 urn:sha1:aca728f51b2d9aec9ce1b7fc9bf53a42ad1f7808 * master was renamed to main long time ago Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> 2024-05-29T13:16:56+00:00 Bruce Ashfield bruce.ashfield@gmail.com 2024-05-24T03:43:09+00:00 urn:sha1:95852d19d2b989bb983c9128ec25f033e5b7c7ff As of commit cc4ec43a2b657fb4c58429ab14f1edc2473c1327 [go: Drop fork of unpack code, mandate GO_SRCURI_DESTSUFFIX] we require this variable in our go recipes. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> 2024-05-29T13:16:56+00:00 Bruce Ashfield bruce.ashfield@gmail.com 2024-05-24T03:43:09+00:00 urn:sha1:32d60c40164de62a4ffad55702c7ab6d1e11da8f As of commit cc4ec43a2b657fb4c58429ab14f1edc2473c1327 [go: Drop fork of unpack code, mandate GO_SRCURI_DESTSUFFIX] we require this variable in our go recipes. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>