linux/poky.git/meta/recipes-support, branch scarthgap-5.0.13

vim: upgrade 9.1.1652 -> 9.1.1683

2025-09-30T15:01:59+00:00

Handles CVE-2025-9389 Changes between 9.1.1652 -> 9.1.1683 ==================================== https://github.com/vim/vim/compare/v9.1.1652...v9.1.1683 (From OE-Core rev: 55e0c38dc28b73fa689446e2d5e564d235a24084) Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman

p11-kit: backport fix for handle USE_NLS from master

2025-09-30T15:01:59+00:00

Disable NLS in the build when USE_NLS is off. (From OE-Core rev: b94798ecd535956ef4565663710ea9a701ff21ed) This change corresponds to upstream eeb3974472429a99a724f324dc8a63e435741f68 from master . Since the p11-kit version are different between master & scarthgap applied the patch manually (From OE-Core rev: 96602ea67463170c4cadf748525f5615ce9bbd91) Signed-off-by: Philip Lorenz Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: AshishKumar Mishra Signed-off-by: Steve Sakoman

shared-mime-info: Handle USE_NLS

2025-09-30T15:01:59+00:00

Skip building of translations when NLS is disabled. (From OE-Core rev: b58a3f4e9c78522423a94821b7ba7a35eb18f75a) (From OE-Core rev: 49a9aebc0e9f668cf2896d0b522f8194bb4049ad) Signed-off-by: Philip Lorenz Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: AshishKumar Mishra Signed-off-by: Steve Sakoman

curl: fix CVE-2025-9086

2025-09-30T15:01:59+00:00

1, A cookie is set using the secure keyword for https://target 2, curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set 3, The same cookie name is set - but with just a slash as path (path="/"). Since this site is not secure, the cookie should just be ignored. 4, A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9086 Upstream patch: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6 (From OE-Core rev: b0cc7001a628deaa96d1aebb5ded52797898a0be) Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman

libxslt: apply patch for CVE-2025-7424

2025-09-30T15:01:59+00:00

This patch is taken from the upstream bug, and is used by Apple in their build of WebKit. (From OE-Core rev: f59e07fd9f6c437e30431607763672fde42511ad) Signed-off-by: Ross Burton Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: Anil Dongare Signed-off-by: Steve Sakoman

buildtools-tarball: fix unbound variable issues under 'set -u'

2025-09-22T20:17:52+00:00

When Bash runs with 'set -u' (nounset), accessing an unset variable directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable" error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR is never triggered and the script aborts. The current code assumes these variables may be unset or empty, but does not guard against 'set -u'. This breaks builds in stricter shell environments or when users explicitly enable 'set -u'. Fix this by using parameter expansion with a default value, e.g. "${SSL_CERT_FILE:-}", so that unset variables are treated as empty strings. This preserves the intended logic (respect host env first, then CAFILE/CAPATH, then buildtools defaults) and makes the script robust under 'set -u'. (From OE-Core rev: 4cf131ebd157b79226533b5a5074691dd0e1a4ab) Signed-off-by: Haixiao Yan Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 4d880c2eccd534133a2a4e6579d955605c0956ec) Signed-off-by: Steve Sakoman

curl: update CVE_STATUS for CVE-2025-5025

2025-09-09T16:08:09+00:00

This CVE applies only when curl is built with wolfSSL support. Revised CVE_STATUS description to align with CVE details. Reference: https://github.com/openembedded/openembedded-core/commit/93ae0758ef35 (From OE-Core rev: fddc4dcc89a9491abdf8f5d0ea4df9a6526b1538) Signed-off-by: Vrushti Dabhi Signed-off-by: Steve Sakoman

libgpg-error: fix build with gcc-15

2025-09-01T15:30:56+00:00

Backport a fix for native build with gcc-15 on host (From OE-Core rev: cef0a6c3245a2556614f7e009c2e00e1eb16e08e) Signed-off-by: Martin Jansa Signed-off-by: Steve Sakoman

gdbm: Use C11 standard

2025-09-01T15:30:56+00:00

GCC15 is switching defaults to C23 and gdbm is not yet ready to compile using C23 std. For scarthgap also add it in BUILD_CFLAGS. (From OE-Core rev: 97989d81c5e30434594beadd9449e907e98d3ceb) Signed-off-by: Khem Raj Signed-off-by: Richard Purdie Signed-off-by: Martin Jansa Signed-off-by: Steve Sakoman

gmp: Fix build with older gcc versions

2025-09-01T15:30:56+00:00

The fix to make this work with GCC15/C23 caused problems with older gcc versions. Add a fix for that. (From OE-Core rev: 237085506a454fb927389d681f30c8c995bc7b2b) Signed-off-by: Khem Raj Signed-off-by: Richard Purdie Signed-off-by: Martin Jansa Signed-off-by: Steve Sakoman