Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap 2026-02-27T17:45:06+00:00 2026-02-27T17:45:06+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-01-25T09:46:20+00:00 urn:sha1:34deee3e528805c79340860a42cbdb94af67d5c7 Details https://nvd.nist.gov/vuln/detail/CVE-2026-24401 (From OE-Core rev: 030a3fff4b05b785f6ed1a97310b8386628adbf9) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 183d0ee54f1c194e245a7bbf243c19b3c2acf4f5) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-02-27T17:45:06+00:00 Amaury Couderc amaury.couderc@est.tech 2026-02-09T14:21:48+00:00 urn:sha1:49dc4dd983e7a9b502fbee2cf9f2aad5aa4e211f (From OE-Core rev: bfd12b872d922116c1a793cd9debb5ee773bfeaf) Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 5ec4156330c765bc52dbce28dbba6def9868d30f) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-02-27T17:45:06+00:00 Amaury Couderc amaury.couderc@est.tech 2026-02-09T14:21:00+00:00 urn:sha1:0d954471b5e161db24547eff3b503ceeebb29512 (From OE-Core rev: 1eebd6d5bd5d930aa8ec68f73789ff0bd742441c) Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 9f2ed8adc37a42b561b3c4853cf8106fba39889e) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-02-27T17:45:06+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-01-25T09:40:19+00:00 urn:sha1:a57370d30cf961c4ad0158eef0d7990111eda07e Backport the patch[1] from the PR[2] mentioned in the nvd[3]. [1] https://github.com/avahi/avahi/commit/2d48e42d44a183f26a4d12d1f5d41abb9b7c6355 [2] https://github.com/avahi/avahi/pull/806 [3] https://nvd.nist.gov/vuln/detail/CVE-2025-68276 Dropped CI changes from the original PR during backport. (From OE-Core rev: 4da15f7fad8df7ba5fae29bc72156b189e993d58) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-08-20T14:37:19+00:00 Zhang Peng peng.zhang1.cn@windriver.com 2025-07-31T06:06:42+00:00 urn:sha1:0263c3dfa4fe1b26619f028a6a1c242e7e221dbf CVE-2024-52615: A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-52615] [https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g] Upstream patches: [https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942] (From OE-Core rev: ec22ec26b3f40ed5e0d84d60c29d8c315cf72e23) Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2025-01-24T15:59:38+00:00 Zhang Peng peng.zhang1.cn@windriver.com 2025-01-16T13:51:38+00:00 urn:sha1:0d1f714793cb73f3e4a95e67e2f7d5ebd98a3462 CVE-2024-52616: A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-52616] [https://github.com/avahi/avahi/security/advisories/GHSA-r9j3-vjjh-p8vm] Upstream patches: [https://github.com/avahi/avahi/commit/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7] (From OE-Core rev: 28de3f131b17dc4165df927060ee51f0de3ada90) Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2023-12-21T10:38:30+00:00 Vijay Anusuri vanusuri@mvista.com 2023-12-12T09:05:18+00:00 urn:sha1:198d891baa5dbeaca0e02e1904208d0edd30d495 import patches from ubuntu to fix CVE-2023-1981 CVE-2023-38469-2 CVE-2023-38470-2 CVE-2023-38471-2 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f & https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237 & https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c & https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460] Ref: https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/nanbield-nut&id=a9203c46cd64c3ec5e5b00e381bbac85733f85df (From OE-Core rev: 2b0d8a63a212897b33e85cc3694cd9a3d6e09ca8) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-12-06T22:55:49+00:00 Ross Burton ross.burton@arm.com 2023-12-04T10:41:04+00:00 urn:sha1:a9168feacb6d3d19a2658fe8c80cc25248f9a14e Avahi has moved to a new parent organisation on GitHub, so update the URLs to match. (From OE-Core rev: 02caef1567186f250e64ae3ef84fcff33d7323e4) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-11-20T15:30:52+00:00 Meenali Gupta meenali.gupta@windriver.com 2023-11-16T11:19:25+00:00 urn:sha1:34f496c2d47f1ab34a8330a0830726f24e7ba6cc A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function. (From OE-Core rev: fbe506e7af1ce47f6d04c122cb77573e0527ab91) Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-11-20T15:30:52+00:00 Meenali Gupta meenali.gupta@windriver.com 2023-11-16T11:44:50+00:00 urn:sha1:9580629d5b34aa8a02f88582e15e179a900d9034 A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function. (From OE-Core rev: 988d115ca18db1872d7a4dab39040029e5c61d6b) Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>