<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta, branch scarthgap-5.0.13</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap-5.0.13</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap-5.0.13'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-10-13T19:48:55+00:00</updated>
<entry>
<title>build-appliance-image: Update to scarthgap head revision</title>
<updated>2025-10-13T19:48:55+00:00</updated>
<author>
<name>Steve Sakoman</name>
<email>steve@sakoman.com</email>
</author>
<published>2025-10-13T19:47:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f16cffd030d21d12dd57bb95cfc310bda41f8a1f'/>
<id>urn:sha1:f16cffd030d21d12dd57bb95cfc310bda41f8a1f</id>
<content type='text'>
(From OE-Core rev: 7af6b75221d5703ba5bf43c7cd9f1e7a2e0ed20b)

Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>oeqa/sdk/cases/buildcpio.py: use gnu mirror instead of main server</title>
<updated>2025-10-13T19:42:58+00:00</updated>
<author>
<name>Steve Sakoman</name>
<email>steve@sakoman.com</email>
</author>
<published>2025-10-08T21:23:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2eb674803a8814861496294ed419d6a166603f59'/>
<id>urn:sha1:2eb674803a8814861496294ed419d6a166603f59</id>
<content type='text'>
ftp.gnu.org is the main server of the GNU project, however download speed
can vary greatly based on one's location.

Using ftpmirror.gnu.org should redirect the request to the closest up-to-date mirror,
which should result sometimes in significantly faster download speed, depending
on one's location. This should also distribute the traffic more across the mirrors.

This information was sourced from https://www.gnu.org/prep/ftp.html

(From OE-Core rev: b0ce480eca6397fab71082ed202c3cf9dd02456f)

Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>selftest/cases/meta_ide.py: use use gnu mirror instead of main server</title>
<updated>2025-10-13T19:42:58+00:00</updated>
<author>
<name>Steve Sakoman</name>
<email>steve@sakoman.com</email>
</author>
<published>2025-10-08T21:21:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6e74167ad419395d3e8b0c1790cf6eb78306baa7'/>
<id>urn:sha1:6e74167ad419395d3e8b0c1790cf6eb78306baa7</id>
<content type='text'>
ftp.gnu.org is the main server of the GNU project, however download speed
can vary greatly based on one's location.

Using ftpmirror.gnu.org should redirect the request to the closest up-to-date mirror,
which should result sometimes in significantly faster download speed, depending
on one's location. This should also distribute the traffic more across the mirrors.

This information was sourced from https://www.gnu.org/prep/ftp.html

(From OE-Core rev: aa7ff5a115f55c092f8ca5badad63734c8f4f5b7)

Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>conf/bitbake.conf: use gnu mirror instead of main server</title>
<updated>2025-10-13T19:42:58+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2025-05-27T17:07:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=697d7cc740df3565f68ba3c0996a17d2560d6d7b'/>
<id>urn:sha1:697d7cc740df3565f68ba3c0996a17d2560d6d7b</id>
<content type='text'>
ftp.gnu.org is the main server of the GNU project, however download speed
can vary greatly based on one's location.

Using ftpmirror.gnu.org should redirect the request to the closest up-to-date mirror,
which should result sometimes in significantly faster download speed, depending
on one's location. This should also distribute the traffic more across the mirrors.

This information was sourced from https://www.gnu.org/prep/ftp.html .

(From OE-Core rev: ef14bcae0f3f27acdd4e591fac69515aa912f194)

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit d8c6f01d7467e018aa0ed27a87850d9e4434a47a)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>openssl: upgrade 3.2.4 -&gt; 3.2.6</title>
<updated>2025-10-13T19:42:58+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-10-06T09:36:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2f0df0334ac81d00e17b72d510368557fc0643c2'/>
<id>urn:sha1:2f0df0334ac81d00e17b72d510368557fc0643c2</id>
<content type='text'>
3.2.6 has fixed 3.2.5 regression which broke python3 ptests so we can
upgrade now. We can also drop CVE-2025-27587 patch which was taken
instead of 3.2.5 upgrade under:
https://github.com/openssl/openssl/pull/28198

Release information:
https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3017-and-openssl-3018-30-sep-2025

OpenSSL 3.2.6 is a security patch release. The most severe CVE fixed in this release is Moderate.
This release incorporates the following bug fixes and mitigations:
* Fix Out-of-bounds read &amp; write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
* Fix Timing side-channel in SM2 algorithm on 64 bit ARM. (CVE-2025-9231)
* Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)

Release information:
https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-changes-between-openssl-324-and-openssl-325-1-jul-2025

OpenSSL 3.2.5 is a bug fix release.
This release incorporates the following bug fixes and mitigations:
* Miscellaneous minor bug fixes.

(From OE-Core rev: ef6bbf39c10ff7bd8ad36d5d2f59ddd0756e0141)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-47906</title>
<updated>2025-10-13T19:42:58+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-10-09T03:13:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=e085cf0d53faa7760cc2d43417bce2b28c79669d'/>
<id>urn:sha1:e085cf0d53faa7760cc2d43417bce2b28c79669d</id>
<content type='text'>
If the PATH environment variable contains paths which are executables
(rather than just directories), passing certain strings to LookPath
("", ".", and ".."), can result in the binaries listed in the PATH
 being unexpectedly returned.

(From OE-Core rev: ed6df1883225ec08e637a0d7a15a6a5da4665d8d)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ffmpeg: ignore 8 CVEs fixed in 6.1.1 and 6.1.3 releases</title>
<updated>2025-10-13T19:42:58+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-10-08T21:10:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8c8680d4c04f4cd8f4fd50bf8390343d438203d7'/>
<id>urn:sha1:8c8680d4c04f4cd8f4fd50bf8390343d438203d7</id>
<content type='text'>
Following are mentioned in commit upgrading the recipe to 6.1.3:
* CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2024-31578 CVE-2024-31582

Following are fixed via mentioned commits already in 6.1.1:
* CVE-2023-50009: https://github.com/FFmpeg/FFmpeg/commit/162b4c60c8f72be2e93b759f3b1e14652b70b3ba
* CVE-2023-50010: https://github.com/FFmpeg/FFmpeg/commit/e809c23786fe297797198a7b9f5d3392d581daf1
* CVE-2024-31585: https://github.com/FFmpeg/FFmpeg/commit/3061bf668feffc7c1f0b244205167b3b86da8015

(From OE-Core rev: 8286570b3baf275ff48c45ca0864348a8d3faa01)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>tiff: ignore 5 CVEs</title>
<updated>2025-10-13T19:42:58+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-10-08T20:42:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ac57f3b9d27dc48a8aefa5f70fcad29cce0a180f'/>
<id>urn:sha1:ac57f3b9d27dc48a8aefa5f70fcad29cce0a180f</id>
<content type='text'>
These CVEs are for tools which were removed in v4.6.0 via [1] and
re-introduced again in v4.7.0 via [2].

[1] https://gitlab.com/libtiff/libtiff/-/commit/eab89a627f0a65e9a1a47c4b30b4802c80b1ac45
[2] https://gitlab.com/libtiff/libtiff/-/commit/9ab54a858049bef020d578c71d82669531551c00

(From OE-Core rev: faf1e12ae0f9de56402830460315e5be0d13f4a5)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>pulseaudio: ignore CVE-2024-11586</title>
<updated>2025-10-13T19:42:58+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2025-10-08T19:26:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=aca68169cc0be4babadd9096e2a1001f8ed2f98f'/>
<id>urn:sha1:aca68169cc0be4babadd9096e2a1001f8ed2f98f</id>
<content type='text'>
As per the linked ticket, this issue is related to an Ubuntu-specific
patch that we don't have.

(From OE-Core rev: dc81fdc6bdf8ab39b7f2fd994d50256430c36558)

(From OE-Core rev: 72e63e44a0c6ad5a408c4dc59a24288c36463439)

(From OE-Core rev: 4cdcb27238be40e815ce5a0b67ce419331079801)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>expat: follow-up for CVE-2024-8176</title>
<updated>2025-10-13T19:42:58+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-10-08T18:49:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=da7d29485ca5168accbd50a081edce789c0060a9'/>
<id>urn:sha1:da7d29485ca5168accbd50a081edce789c0060a9</id>
<content type='text'>
Expat release 2.7.3 implemented a follow-up for this CVE.
References:
* https://github.com/libexpat/libexpat/blob/R_2_7_3/expat/Changes
* https://security-tracker.debian.org/tracker/CVE-2024-8176
* https://github.com/libexpat/libexpat/pull/1059

(From OE-Core rev: 5bbb9ee52674f5aa6eed5d6cf3f515704092994d)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
