<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-support, branch yocto-5.2.4</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.2.4</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.2.4'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-09-25T19:25:51+00:00</updated>
<entry>
<title>libxslt: apply patch for CVE-2025-7424</title>
<updated>2025-09-25T19:25:51+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2025-09-24T19:37:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a20ad9c56b970bfe24163a0a6e4b5a2c719e5198'/>
<id>urn:sha1:a20ad9c56b970bfe24163a0a6e4b5a2c719e5198</id>
<content type='text'>
This patch is taken from the upstream bug, and is used by Apple in their
build of WebKit.

(From OE-Core rev: 2fd2384df66dc41b12d6fa481fbc2814141c54d1)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 19122ccb05282e9b8803c4d1aaf06b61c22a1bab)
Signed-off-by: Jeroen Hofstee &lt;jhofstee@victronenergy.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>libpcre2: upgrade 10.45 -&gt; 10.46</title>
<updated>2025-09-25T19:25:51+00:00</updated>
<author>
<name>Markus Kurz</name>
<email>m.kurz92@gmail.com</email>
</author>
<published>2025-09-24T19:35:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9b55caf95e75ccc30e06725408f258ff18120e07'/>
<id>urn:sha1:9b55caf95e75ccc30e06725408f258ff18120e07</id>
<content type='text'>
For the changelog see:
https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46

This is a security-only release, to address CVE-2025-58050:
https://nvd.nist.gov/vuln/detail/CVE-2025-58050

(From OE-Core rev: 68deaca8f828814ea2256fd5796768c7a91ef10e)

Signed-off-by: Markus Kurz &lt;m.kurz92@gmail.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit d5b45d0db9ed40b3eef2e6a076c94da3ecc48acf)
Signed-off-by: Jeroen Hofstee &lt;jhofstee@victronenergy.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>curl: fix CVE-2025-10148</title>
<updated>2025-09-25T19:25:51+00:00</updated>
<author>
<name>Yogita Urade</name>
<email>yogita.urade@windriver.com</email>
</author>
<published>2025-09-24T08:26:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2fdaf43bcb7f19179dda24cef24216895dfce1b1'/>
<id>urn:sha1:2fdaf43bcb7f19179dda24cef24216895dfce1b1</id>
<content type='text'>
curl's websocket code did not update the 32 bit mask pattern
for each new outgoing frame as the specification says. Instead
it used a fixed mask that persisted and was used throughout
the entire connection.

A predictable mask pattern allows for a malicious server to induce
traffic between the two communicating parties that could be
interpreted by an involved proxy (configured or transparent) as
genuine, real, HTTP traffic with content and thereby poison its
cache. That cached poisoned content could then be served to all
users of that proxy.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-10148

Upstream patch:
https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa

(From OE-Core rev: 83420a408551688ebb298b88b16d2e384e9b7bfd)

Signed-off-by: Yogita Urade &lt;yogita.urade@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>curl: fix CVE-2025-9086</title>
<updated>2025-09-25T19:25:51+00:00</updated>
<author>
<name>Yogita Urade</name>
<email>yogita.urade@windriver.com</email>
</author>
<published>2025-09-24T08:26:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=96c7bfd6793bf4282337e101abc10bcb8be38436'/>
<id>urn:sha1:96c7bfd6793bf4282337e101abc10bcb8be38436</id>
<content type='text'>
1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086

Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6

(From OE-Core rev: 95ab3c3e3745e7e0ca74760683e42ae7531b4199)

Signed-off-by: Yogita Urade &lt;yogita.urade@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>buildtools-tarball: fix unbound variable issues under 'set -u'</title>
<updated>2025-09-22T19:21:23+00:00</updated>
<author>
<name>Haixiao Yan</name>
<email>haixiao.yan.cn@windriver.com</email>
</author>
<published>2025-09-12T01:59:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=619c00830682737a830dc79c48131e3767fb4c7c'/>
<id>urn:sha1:619c00830682737a830dc79c48131e3767fb4c7c</id>
<content type='text'>
When Bash runs with 'set -u' (nounset), accessing an unset variable
directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable"
error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR
is never triggered and the script aborts.

The current code assumes these variables may be unset or empty, but does
not guard against 'set -u'. This breaks builds in stricter shell
environments or when users explicitly enable 'set -u'.

Fix this by using parameter expansion with a default value, e.g.
"${SSL_CERT_FILE:-}", so that unset variables are treated as empty
strings. This preserves the intended logic (respect host env first, then
CAFILE/CAPATH, then buildtools defaults) and makes the script robust
under 'set -u'.

(From OE-Core rev: 3d161e94ad532f660d4a0259a32e26a32ea0c75d)

Signed-off-by: Haixiao Yan &lt;haixiao.yan.cn@windriver.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 4d880c2eccd534133a2a4e6579d955605c0956ec)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>vim: upgrade 9.1.1198 -&gt; 9.1.1652</title>
<updated>2025-08-29T17:02:59+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-08-25T19:31:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=4011ae9f2244d9512bcb2a60d23c2dfdbcfea669'/>
<id>urn:sha1:4011ae9f2244d9512bcb2a60d23c2dfdbcfea669</id>
<content type='text'>
Handles CVE-2025-53905, CVE-2025-53906, CVE-2025-55157, CVE-2025-55158.

Changes between 9.1.1198 -&gt; 9.1.1652
====================================
https://github.com/vim/vim/compare/v9.1.1198...v9.1.1652

Refresh patches.

Disable newly introduced wayland support (in patch version 1485).
Along with this, recursion had to be added to the delete command for the
auto directory, which was newly failing as there is now a wayland
directory inside it.
If someone is interested, this can probably be enabled, but without
additional work it results in a compilation error due to function
redefinition conflicts.

(From OE-Core rev: e87d427d928234ef0441f9ce1fe8631fbe471094)

(From OE-Core rev: 99e24ba524157ed70ad05b0b1a14fcca8df52246)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>gnutls: mark CVE-2025-32989 and CVE-2025-32990 as fixed</title>
<updated>2025-08-29T17:02:59+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-08-23T20:52:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=16858730757977f208657a5cc0f090ea99939911'/>
<id>urn:sha1:16858730757977f208657a5cc0f090ea99939911</id>
<content type='text'>
This is mentioned in [1].
NVD tracks this as a version-less CVE.

[1] https://gitlab.com/gnutls/gnutls/-/blob/3.8.10/NEWS?ref_type=tags#L8

(From OE-Core rev: 0c84e464d67df1111e62edc5d4f9ad398e19e40a)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ca-certificates: correct the SRC_URI</title>
<updated>2025-08-13T15:42:58+00:00</updated>
<author>
<name>Jiaying Song</name>
<email>jiaying.song.cn@windriver.com</email>
</author>
<published>2025-08-05T06:20:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6c48d4b799859d36ceece4b9c0ede22fb46b6ae7'/>
<id>urn:sha1:6c48d4b799859d36ceece4b9c0ede22fb46b6ae7</id>
<content type='text'>
The original tarball URL is no longer valid, as it has been moved to an archive
location. This update points to the new location.

(From OE-Core rev: 69090e41eb0a8b92e0684d391966f9627bfe5195)

Signed-off-by: Jiaying Song &lt;jiaying.song.cn@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>gnutls: upgrade 3.8.9 -&gt; 3.8.10</title>
<updated>2025-08-13T15:42:58+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2025-08-07T17:56:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d78c6bb1d6c80d86dcffa21c3b6ded2a43bec2d7'/>
<id>urn:sha1:d78c6bb1d6c80d86dcffa21c3b6ded2a43bec2d7</id>
<content type='text'>
Skip the compress-cert-conf test when running ptests, because it requires
gnutls to be compiled with the brotli PACKAGECONFIG, but brotli is not
part of oe-core.

Changelog: https://gitlab.com/gnutls/gnutls/-/blob/master/NEWS

(From OE-Core rev: 2ad41436acdc5f37803ade51c98ae0dc06103e45)

(From OE-Core rev: 26207963abdaeb7767e15c5fdb51b8396c80ab71)

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>sqlite3: patch CVE-2025-6965</title>
<updated>2025-08-13T15:42:57+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-08-04T16:41:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=50b9a965514c6026f26ea048ed5f2f8b174f738e'/>
<id>urn:sha1:50b9a965514c6026f26ea048ed5f2f8b174f738e</id>
<content type='text'>
Pick patch [1] mentioned in NVD report [2] from github mirror [3].

[1] https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-6965
[3] https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703

(From OE-Core rev: de442af2a5a08518e61d0c76484a3099bac6d46d)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
