<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools, branch yocto-4.0.29</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-4.0.29</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-4.0.29'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-08-04T13:40:00+00:00</updated>
<entry>
<title>binutils: Fix CVE-2025-7545</title>
<updated>2025-08-04T13:40:00+00:00</updated>
<author>
<name>Deepesh Varatharajan</name>
<email>Deepesh.Varatharajan@windriver.com</email>
</author>
<published>2025-07-29T09:15:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=31dd8d47a6ce0f4298e92e537b7cf836a093dfab'/>
<id>urn:sha1:31dd8d47a6ce0f4298e92e537b7cf836a093dfab</id>
<content type='text'>
objcopy: Don't extend the output section size
Since the output section contents are copied from the input, don't
extend the output section size beyond the input section size.

Backport a patch from upstream to fix CVE-2025-7545
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944]

(From OE-Core rev: 4f461ed46b7694fc4815c7f0504b9cefe5da8e19)

Signed-off-by: Deepesh Varatharajan &lt;Deepesh.Varatharajan@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ruby: correct fix for CVE-2024-43398</title>
<updated>2025-07-30T14:47:48+00:00</updated>
<author>
<name>Rob Woolley</name>
<email>rob.woolley@windriver.com</email>
</author>
<published>2025-07-24T20:12:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8fa7ff501e27a0ccd9bfc3f3e58a26949cdfc1f0'/>
<id>urn:sha1:8fa7ff501e27a0ccd9bfc3f3e58a26949cdfc1f0</id>
<content type='text'>
The previous fix for CVE-2024-43398 did not include patches
to provide context for the changes it made.

This caused an exception at run-time when ruby parsed
rexml/parsers/baseparser.rb. This was first observed when using
ruby-native to build the sdformat recipe.

With these additional backports, the sdformat build proceeds
successfully. The REXML library was also tested manually on-target
with a script that used REXML::Document.new file to parse an
XML file.

(From OE-Core rev: 6bf00fde2d4043c6b558733a33041ce5694342d3)

Signed-off-by: Rob Woolley &lt;rob.woolley@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>orc: set CVE_PRODUCT</title>
<updated>2025-07-30T14:47:48+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-07-20T21:10:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=db3621b9837ae1efe7c30e359e5a64a4ca1cbbd2'/>
<id>urn:sha1:db3621b9837ae1efe7c30e359e5a64a4ca1cbbd2</id>
<content type='text'>
There are new CVEs reported for this recipe which are not for this
componene, but for a component with same name from apache.

sqlite&gt; select vendor, product, id, count(*) from products where product like 'orc' group by vendor, product, id;
apache|orc|CVE-2018-8015|1
apache|orc|CVE-2025-47436|4
gstreamer|orc|CVE-2024-40897|1

(From OE-Core rev: c31dec7b32fe34fafd61dd593a2884eee13084fb)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: Fix CVE-2025-7546</title>
<updated>2025-07-30T14:47:48+00:00</updated>
<author>
<name>Yash Shinde</name>
<email>Yash.Shinde@windriver.com</email>
</author>
<published>2025-07-17T12:02:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=47c3b0bc3f2088710f0260702babac05cf6b69ab'/>
<id>urn:sha1:47c3b0bc3f2088710f0260702babac05cf6b69ab</id>
<content type='text'>
Report corrupted group section instead of trying to recover.

CVE: CVE-2025-7546
Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b]
PR  33050 [https://sourceware.org/bugzilla/show_bug.cgi?id=33050]

(From OE-Core rev: 5860b954681c37ac6685631cce439fd349093689)

Signed-off-by: Yash Shinde &lt;Yash.Shinde@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>tcf-agent: correct the SRC_URI</title>
<updated>2025-07-18T15:32:26+00:00</updated>
<author>
<name>Guocai He</name>
<email>guocai.he.cn@windriver.com</email>
</author>
<published>2025-07-15T00:34:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f4219fb3e291eaffbb475b91ad4a8c4772a9c7d3'/>
<id>urn:sha1:f4219fb3e291eaffbb475b91ad4a8c4772a9c7d3</id>
<content type='text'>
The SRC_URI is changed to git://gitlab.eclipse.org/eclipse/tcf/tcf.agent.git

(From OE-Core rev: d9f424921179a52ffe053411c44f20e44e7deba1)

Signed-off-by: Guocai He &lt;guocai.he.cn@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>bintuils: stable 2.38 branch update</title>
<updated>2025-07-18T15:32:26+00:00</updated>
<author>
<name>Deepesh Varatharajan</name>
<email>Deepesh.Varatharajan@windriver.com</email>
</author>
<published>2025-07-15T07:47:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9b3bd34826f0fe3d532e16881cc026b04c67bd3b'/>
<id>urn:sha1:9b3bd34826f0fe3d532e16881cc026b04c67bd3b</id>
<content type='text'>
Below commit on binutils-2.38 stable branch are updated.

9bee8d65d32 x86: Check MODRM for call and jmp in binutils older than 2.45

                                 Before  After  Diff
No. of expected passes            280     280    0
No. of unexpected failures        2       2      0
No. of untested testcases         1       1      0
No. of unsupported tests          7       7      0

Testing was done and there were no regressions found

(From OE-Core rev: 7ac807166dfb6723f4e0b53c21f434e21d25563e)

Signed-off-by: Deepesh Varatharajan &lt;Deepesh.Varatharajan@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: update CVE product</title>
<updated>2025-07-18T15:32:26+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-07-09T18:54:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=843820d9e41afef1ca550074077e48828f55edb7'/>
<id>urn:sha1:843820d9e41afef1ca550074077e48828f55edb7</id>
<content type='text'>
There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (&lt; 2020.5.0)
* CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (&lt; 2020.5.0)
These are for "Visual Studio Code Python extension".

Solve this by addding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.

Examining CVE DB for historical python entries shows:
sqlite&gt; select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
   ...&gt; or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2

(From OE-Core rev: 06f615e6939a22bc8f12b30d8dea582ab3ccebe6)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-urllib3: fix CVE-2025-50181</title>
<updated>2025-07-09T15:23:23+00:00</updated>
<author>
<name>Yogita Urade</name>
<email>yogita.urade@windriver.com</email>
</author>
<published>2025-07-03T04:46:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=50856ee7a62ac5ef4fda6f3613f0f3f8ec688d79'/>
<id>urn:sha1:50856ee7a62ac5ef4fda6f3613f0f3f8ec688d79</id>
<content type='text'>
urllib3 is a user-friendly HTTP client library for Python. Prior to
2.5.0, it is possible to disable redirects for all requests by
instantiating a PoolManager and specifying retries in a way that
disable redirects. By default, requests and botocore users are not
affected. An application attempting to mitigate SSRF or open redirect
vulnerabilities by disabling redirects at the PoolManager level will
remain vulnerable. This issue has been patched in version 2.5.0.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50181

Upstream patch:
https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857

(From OE-Core rev: 574146765ea3f9b36532abf4ebc8bd2976396f0b)

Signed-off-by: Yogita Urade &lt;yogita.urade@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-4673</title>
<updated>2025-06-27T15:09:27+00:00</updated>
<author>
<name>Praveen Kumar</name>
<email>praveen.kumar@windriver.com</email>
</author>
<published>2025-06-25T05:57:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=696457962724a51e786dc87cb1bf13f5a3bd0d3a'/>
<id>urn:sha1:696457962724a51e786dc87cb1bf13f5a3bd0d3a</id>
<content type='text'>
Proxy-Authorization and Proxy-Authenticate headers persisted on
cross-origin redirects potentially leaking sensitive information.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-4673

Upstream-patch:
https://github.com/golang/go/commit/b897e97c36cb62629a458bc681723ca733404e32

(From OE-Core rev: c07547c19e5372ed5eaac8530b2dd651302542a8)

Signed-off-by: Praveen Kumar &lt;praveen.kumar@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cmake: Correctly handle cost data of tests with arbitrary chars in name</title>
<updated>2025-06-25T15:11:58+00:00</updated>
<author>
<name>Moritz Haase</name>
<email>Moritz.Haase@bmw.de</email>
</author>
<published>2025-06-20T07:02:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9bc0069f8b3968250c4245c8a81b65fdacabfba5'/>
<id>urn:sha1:9bc0069f8b3968250c4245c8a81b65fdacabfba5</id>
<content type='text'>
ctest automatically optimizes the order of (parallel) test execution based on
historic test case runtime via the COST property (see [0]), which can have a
significant impact on overall test run times. Sadly this feature is broken in
CMake &lt; 4.0.0 for test cases that have spaces in their name (see [1]).

This commit is a backport of f24178f3 (which itself backports the upstream fix).
the patch was adapted slightly to apply cleanly to the older CMake version in
kirkstone. As repeated test runs are expected to mainly take place inside the
SDK, the patch is only applied to 'nativesdk' builds.

[0]: https://cmake.org/cmake/help/latest/prop_test/COST.html
[1]: https://gitlab.kitware.com/cmake/cmake/-/issues/26594

Reported-By: John Drouhard &lt;john@drouhard.dev&gt;
(From OE-Core rev: f6a160f7ea57af6dfeca003e6c05aa42419fb755)

Signed-off-by: Moritz Haase &lt;Moritz.Haase@bmw.de&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
