summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* libpng: patch CVE-2025-64506Peter Marko2025-12-052-0/+58
| | | | | | | | | Pick commit per NVD report. (From OE-Core rev: eb4af9b4cea963b650be217d33bc12f560ed84a6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libpng: patch CVE-2025-64505Peter Marko2025-12-054-0/+329
| | | | | | | | | | Pick commit per NVD report. Add two patches to apply it cleanly. (From OE-Core rev: 1470546924765d134c83b50e62974f048614b121) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnutls: patch CVE-2025-9820Peter Marko2025-12-052-0/+251
| | | | | | | | | | | | | This CVE is announced under [1]. Pick commit which mentions this CVE per [2]. [1] https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18 [2] https://security-tracker.debian.org/tracker/CVE-2025-9820 (From OE-Core rev: 946f776b6f7ceacf76a643c5776b0efedb000efd) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* flac: patch seeking bugGyorgy Sarvari2025-12-012-1/+36
| | | | | | | | | | | | | | | | While working on audiofile recipe from meta-oe, a test that is using flac to convert a flac file failed with this particular version of the recipe. Bisecting the issue pointed to a code snippet that later was modifed with the patch that is introduced here: in version 1.3.4 there is a bug with seeking in flac files, returning incorrect pointers. This backported patch fixes this (and fixes the ptest also, that triggered this). (From OE-Core rev: ceef3cde9b761b7b5de6f7b6b1fb8e99663af9ca) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libarchive: patch CVE-2025-60753Peter Marko2025-12-012-0/+77
| | | | | | | | | | | | | Pick patch from [3] marked in [2] mentioned in [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-60753 [2] https://github.com/libarchive/libarchive/issues/2725 [3] https://github.com/libarchive/libarchive/pull/2787 (From OE-Core rev: e3e9dd59a32541b36d6c1036b8f83af52bef92cd) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libarchive: patch 3.8.3 security issue 2Peter Marko2025-12-012-0/+29
| | | | | | | | | | | | Pick patch [2] as listed in [1]. [1] https://github.com/libarchive/libarchive/releases/tag/v3.8.3 [2] https://github.com/libarchive/libarchive/pull/2768 (From OE-Core rev: 332f07635ccb4965a001f6536620c9d0b1a9c056) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libarchive: patch 3.8.3 security issue 1Peter Marko2025-12-015-0/+435
| | | | | | | | | | | | | Pick patch [2] as listed in [1]. To apply it cleanly, add three additional patches from branch patch/3.8. [1] https://github.com/libarchive/libarchive/releases/tag/v3.8.3 [2] https://github.com/libarchive/libarchive/pull/2753 (From OE-Core rev: 201eed780c73335c9278db17fe39fb453e16af08) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: fix CVE-2025-6075Praveen Kumar2025-12-012-0/+365
| | | | | | | | | | | | | | | | If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-6075 Upstream-patch: https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca (From OE-Core rev: 9a7f33d85355ffbe382aa175c04c64541e77b441) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-41123Divya Chellam2025-12-016-0/+415
| | | | | | | | | | | | | | | | | | | | | | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41123 Upstream-patches: https://github.com/ruby/rexml/commit/2c39c91a65d69357cfbc35dd8079b3606d86bb70 https://github.com/ruby/rexml/commit/4444a04ece4c02a7bd51e8c75623f22dc12d882b https://github.com/ruby/rexml/commit/ebc3e85bfa2796fb4922c1932760bec8390ff87c https://github.com/ruby/rexml/commit/6cac15d45864c8d70904baa5cbfcc97181000960 https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6 (From OE-Core rev: 6b2a2e689a69deef6098f6c266542234e46fb24b) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-39908Divya Chellam2025-12-0113-0/+689
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings. Reference: https://security-tracker.debian.org/tracker/CVE-2024-39908 Upstream-patches: https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420 https://github.com/ruby/rexml/commit/d146162e9a61574499d10428bc0065754cd26601 https://github.com/ruby/rexml/commit/b5bf109a599ea733663150e99c09eb44046b41dd https://github.com/ruby/rexml/commit/b8a5f4cd5c8fe29c65d7a00e67170223d9d2b50e https://github.com/ruby/rexml/commit/0af55fa49d4c9369f90f239a9571edab800ed36e https://github.com/ruby/rexml/commit/c1b64c174ec2e8ca2174c51332670e3be30c865f https://github.com/ruby/rexml/commit/9f1415a2616c77cad44a176eee90e8457b4774b6 https://github.com/ruby/rexml/commit/c33ea498102be65082940e8b7d6d31cb2c6e6ee2 https://github.com/ruby/rexml/commit/a79ac8b4b42a9efabe33a0be31bd82d33fd50347 https://github.com/ruby/rexml/commit/67efb5951ed09dbb575c375b130a1e469f437d1f https://github.com/ruby/rexml/commit/1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2 https://github.com/ruby/rexml/commit/910e5a2b487cb5a30989884a39f9cad2cc499cfc (From OE-Core rev: 6e0b70843422cd7cdb25a9e1520dd64bf701fea6) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-35176Divya Chellam2025-12-012-0/+113
| | | | | | | | | | | | | | | | | | | | REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-35176 Upstream-patch: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (From OE-Core rev: a89fcaf0c3ac2afd95e836bc1356832296135696) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-idna: Fix CVE-2024-3651Vijay Anusuri2025-12-012-0/+2486
| | | | | | | | | | | | | | import patch from debian to fix CVE-2024-3651 Upstream-Status: Backport [import from debian 3.3-1+deb12u1 Upstream commit https://github.com/kjd/idna/commit/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7] (From OE-Core rev: 7359d3cdf2210e81a26d8712769f7e23bfbc1bb7) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* oe-build-perf-report: relax metadata matching rulesRichard Purdie2025-11-241-3/+6
| | | | | | | | | | | | | | | | | | | | | | As the poky repository is no longer used, measurements are indexed using the oe-core commit. But as bitbake, oe-core and meta-yocto are now retrieved from separate gits, while measuring performances for a given branch at some time interval, we can get the same commit for oe-core but different ones for bitbake or meta-yocto. As a consequence, metadata associated with the same index (oe-core commit) might differ. To work around this, relax the equality checks for commit, commit_time and commit_count since they might no longer match. Ideally we'd group them into separate results but for now, treat them as being the same. [Based on work from Mathieu Dubois-Briand but fixed differently] (From OE-Core rev: ff72b41a3f0bf1820405b8782f0d125cd10e3406) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e7dc42e30c76bf0fbb4d3cc019bbec675bac55fa) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* musl: patch CVE-2025-26519Gyorgy Sarvari2025-11-243-1/+80
| | | | | | | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26519 Pick the patches that are attached to the musl advisory: https://www.openwall.com/lists/musl/2025/02/13/1 (From OE-Core rev: e1c1b4b5100e08b63a2e6e5ff608f79e7b202649) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix for CVE-2025-62231Vijay Anusuri2025-11-242-0/+54
| | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa (From OE-Core rev: 24a1574d6f61a45ce104ab6ee01697df2575fd51) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix for CVE-2025-62230Vijay Anusuri2025-11-243-0/+157
| | | | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/87fe2553937a99fd914ad0cde999376a3adc3839 (From OE-Core rev: a481fe0dcca8213eca845d5f1fdde3f0d15c8aed) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix for CVE-2025-62229Vijay Anusuri2025-11-242-0/+90
| | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b13f631b66c20f5bc8db7b68211dcbd1d0 (From OE-Core rev: 5c6a07f215e00392b1831ed89ac0f8180823e124) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* elfutils: Fix CVE-2025-1377Soumya Sambu2025-11-242-0/+69
| | | | | | | | | | | | | | | | | | | | A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-1377 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=fbf1df9ca286de3323ae541973b08449f8d03aba (From OE-Core rev: e4e8392e688ceb0d8e68fe48118383c031178b5e) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* elfutils: Fix CVE-2025-1376Soumya Sambu2025-11-242-0/+59
| | | | | | | | | | | | | | | | | | | | | | A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-1376 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918 (From OE-Core rev: 1126e5c1e63b876499c78ac403d1327645edf1c7) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* migration-guides: add release notes for 4.0.31Lee Chee Yang2025-11-192-0/+211
| | | | | | | | | | (From yocto-docs rev: 4b9df539fa06fb19ed8b51ef2d46e5c56779de81) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 992d0725e8b4fdcdc2e9a101ce51ebef94a00112) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* documentation: link to the Releases page on yoctoproject.org instead of wikiRoss Burton2025-11-195-12/+12
| | | | | | | | | | | | | | | We have a machine-generated Releases page[1] which is preferable to the wiki. [1] https://www.yoctoproject.org/development/releases/ (From yocto-docs rev: 492619059cbbe2d1ebc347c3e86072f32d7d064a) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 46a9172fd17aa518028e35b8c874e74889079094) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* overview-manual: migrate to SVG + fix typoQuentin Schulz2025-11-193-2/+174
| | | | | | | | | | | | | | | | | | The original PNG had a typo (YP-Comptible instead of YP-Compatible). Instead of patching a PNG, let's migrate to an SVG with the typo already fixed. [AG: fix conflicts] Reported-by: Robert P. J. Day <rpjday@crashcourse.ca> (From yocto-docs rev: bb9887a98bb64ebaa23b772fd0f3c22f13e996e7) Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 9f3c2a9113b329f7efdd22d3b3fbe272a44bc654) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: debugging: use bitbake-getvar in Viewing Variable Values sectionQuentin Schulz2025-11-191-14/+20
| | | | | | | | | | | | | | | | | | We should recommend using bitbake-getvar command wherever possible as its output is much less confusing and overwhelming than bitbake -e. Unfortunately, bitbake-getvar currently doesn't list Python tasks or functions, unlike bitbake -e, so keep the latter for some corner cases. [AG: Moroever -> Moreover typo fix] (From yocto-docs rev: 382c8eee275eb4773d4e2183f5fe19837a6a3b0b) Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 41e4e05369c4e028c679749b7b62434327927a09) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: variables: migrate the OVERRIDES note to bitbake-getvarQuentin Schulz2025-11-191-2/+2
| | | | | | | | | | | | | Wherever possible, we should use bitbake-getvar as it's the recommended tool so let's do that. (From yocto-docs rev: 7981bc2bd09b2d618563710474525febabaf6103) Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 2293a3f2767895e9fb5c3e8f3ec11bb4951a7127) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* kernel-dev: common: migrate bitbake -e to bitbake-getvarQuentin Schulz2025-11-191-7/+5
| | | | | | | | | | | | | | | It's recommended to use bitbake-getvar for a few releases now so let's use that instead of bitbake -e. While at it, use a cross-reference for "OpenEmbedded Build System". (From yocto-docs rev: 7f6dc007a888784a678859690dbfddd5a1fe28a0) Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 54585646d8220f8de1ba2c7246cb3f2fcbc59583) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* kernel-dev: add disable config exampleWalter Werner SCHNEIDER2025-11-191-3/+5
| | | | | | | | | | | | | Makes it more clear that the configuration fragment can also be used to disable a configuration. (From yocto-docs rev: c4bfc16b2e13444547342204a6f75fd1cf343533) Signed-off-by: Walter Werner SCHNEIDER <contact@schnwalter.eu> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit d38ef467081ee73bf23f240ace54b849a3a87612) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual/new-recipe.rst: typo, "whith" -> "which"Robert P. J. Day2025-11-191-1/+1
| | | | | | | | | | | | Fix typo "whith", should be "which". (From yocto-docs rev: 1a54d05d8bd5484e17cbc060fc57fd2f7afb683f) Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit f98b25f7f7522cf223beb001cabef870d6dd8c10) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual/new-recipe.rst: replace 'bitbake -e' with 'bitbake-getvar'Robert P. J. Day2025-11-191-2/+2
| | | | | | | | | | | | | | Replace the legacy call to 'bitbake -e' to get the value of a recipe's variable with the newer call to 'bitbake-getvar'. (From yocto-docs rev: d7ef362307daf2e8d9b62ec895e080654abfef8b) Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit ed7c0766ef5f13b90943a69e64f8e8713d05e864) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual/layers.rst: document "bitbake-layers show-machines"Robert P. J. Day2025-11-191-0/+2
| | | | | | | | | | | | | | The "show-machines" subcommand is not mentioned in the docs; add it. [AG: fix conflicts] (From yocto-docs rev: 09bbdc6bc5f9ae77f120185d1324f1166ac1f9d5) Signed-off-by: Robert P. J. Day <Crpjday@crashcourse.ca> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit b4320cdc4df08c59a24d5247b3895dd602554fa0) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual/new-recipe.rst: update "recipetool -h" outputRobert P. J. Day2025-11-191-11/+12
| | | | | | | | | | | | | Update the output of "recipetool -h" to include the missing "edit" subcommand. (From yocto-docs rev: 2a85eab0c51a78ab00168e23274d479cf3aedb24) Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 092d688349b0b6bb10ae6fbbab7d82801964daf5) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* goarch.bbclass: do not leak TUNE_FEATURES into crosssdk task signaturesAlexander Kanavin2025-11-191-0/+3
| | | | | | | | | | | | | | | | | | | The default assignments look like this: TARGET_GO386 = "${@go_map_386(d.getVar('TARGET_ARCH'), d.getVar('TUNE_FEATURES'), d)}" TUNE_FEATURES is a target-specific variable, and so should be used only for target builds. The change is similar to what is already done for native packages. (From OE-Core rev: cfff8e968257c44880caa3605e158764ed5c6a2a) (From OE-Core rev: 8aad87c12a809d790175b9848f5802d0a28eecac) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* babeltrace2: fetch with https protocolGyorgy Sarvari2025-11-191-1/+1
| | | | | | | | | | The source doesn't support the default "git" protocol anymore for anonymous download, causing fetching failures. (From OE-Core rev: 4351a427b2ec270ea5e4c698fe4c213036c1241b) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xf86-video-intel: correct SRC_URI as freedesktop anongit is downAlexander Kanavin2025-11-191-2/+1
| | | | | | | | | | | | (From OE-Core rev: 04037a14e1431c4a51f5d51885974732a6108368) (From OE-Core rev: e2c288a92f06af82559cf33db6c988b9dbc8b7ea) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 9649bec517996558e01d668d2b59e68306a3a647) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* efibootmgr: update SRC_URI branchGyorgy Sarvari2025-11-191-1/+1
| | | | | | | | | master branch was renamed to main (From OE-Core rev: 2c5b195e974ac54610d7b50c014752875004b0b9) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: Upgrade 1.26.18 -> 1.26.20Soumya Sambu2025-11-191-1/+1
| | | | | | | | | | | | | Includes fix for CVE-2024-37891 Changelog: ---------- https://github.com/urllib3/urllib3/blob/1.26.20/CHANGES.rst (From OE-Core rev: 2e805113fe0488224f05524360eeff729dd12d91) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-62231Vijay Anusuri2025-11-192-0/+54
| | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa (From OE-Core rev: 05fe08caa0d4bd30510b496a300731a9754f24b8) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-62230Vijay Anusuri2025-11-193-0/+157
| | | | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/87fe2553937a99fd914ad0cde999376a3adc3839 (From OE-Core rev: 215d63fd22b40148625215aac5c4e7f2629f5814) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-62229Vijay Anusuri2025-11-192-0/+90
| | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b13f631b66c20f5bc8db7b68211dcbd1d0 (From OE-Core rev: d1d0955ad41827f9c75ae726e7c725d2f82b6d18) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust-cross-canadian: Ignore CVE-2024-43402Saquib Iltaf2025-11-191-0/+2
| | | | | | | | | | | Ignore CVE-2024-43402 as its not applicable. CVEs are specific to Microsoft Windows. (From OE-Core rev: 3044ae9e6e84faada8c1425238e9e9c3060b1a3a) Signed-off-by: Saquib Iltaf <saquib.iltaf@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: ignore CVE-2025-10966Peter Marko2025-11-191-0/+2
| | | | | | | | | | | | Per [1] this CVE applies only when wolfssl backed is used. 8.17.0 removed WolfSSL support completely. [1] https://curl.se/docs/CVE-2025-10966.html (From OE-Core rev: 41c4735658e9ba5322bd06ef50aa3a1edb1f7fd8) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Don't use ftp.gnome.orgJason Schonberg2025-11-065-5/+5
| | | | | | | | | | | http://ftp.gnome.org/pub/gnome redirects to https://download.gnome.org bitbake.conf defines ${GNOME_MIRROR} to be https://download.gnome.org/sources/ (From OE-Core rev: 1e1993b72f2b6109ce3d0ef950553b74b2b37b27) Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bind: upgrade 9.18.33 -> 9.18.41Praveen Kumar2025-11-061-1/+1
| | | | | | | | | | | | | | This upgrade fixes CVE-2025-8677,CVE-2025-40778 and CVE-2025-40780. Changelog ========== https://downloads.isc.org/isc/bind9/9.18.41/doc/arm/html/changelog.html (From OE-Core rev: deca51264991a2f6c6e450f8fa8b4a233280b700) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2024-24783Hitendra Prajapati2025-11-062-0/+84
| | | | | | | | | Upstream-Status: Backport https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0 (From OE-Core rev: b7d89fae22b317199b8f72978712075078a17005) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: patch CVE-2025-11413Peter Marko2025-11-062-0/+39
| | | | | | | | | | | | | | | | | | | | | | | | Pick commit per NVD CVE report. Note that there were two patches for this, first [1] and then [2]. The second patch moved the original patch to different location. Cherry-pick of second patch is successful leaving out the code removing the code from first location, so the patch attached here is not identical to the upstream commit but is identical to applying both and merging them to a single patch. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=1108620d7a521f1c85d2f629031ce0fbae14e331 [2] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0 (From OE-Core rev: 98df728e6136d04af0f4922b7ffbeffb704de395) (From OE-Core rev: 8d1a830c713a299f67fc512ed8bc0be21be4b9f0) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: patch CVE-2025-11412Peter Marko2025-11-062-0/+36
| | | | | | | | | | | | | | Pick commit per NVD CVE report. (From OE-Core rev: 6b94ff6c584a31d2b1e06d1e1dc19392d759b4b7) (From OE-Core rev: 9130f3471f4814979cfdfa66ca118929f240cb30) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* wpa-supplicant: patch CVE-2025-24912Peter Marko2025-11-063-0/+151
| | | | | | | | | | | | | | | | Pick patches as listed in NVD CVE report. Note that Debian lists one of the patches as introducing the vulnerability. This is against what the original report [1] says. Also the commit messages provide hints that the first patch fixes this issue and second is fixing problem with the first patch. [1] https://jvn.jp/en/jp/JVN19358384/ (From OE-Core rev: d0907754e0b44c5e41242bc1603278f86101fa31) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssh: fix CVE-2025-61985Archana Polampalli2025-11-062-0/+36
| | | | | | | | | | ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. (From OE-Core rev: 5170bd2f8a63bcc310667a327ea2ab96c783c4f6) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* u-boot: fix CVE-2024-42040Hongxu Jia2025-11-062-1/+59
| | | | | | | | | | | | Backport a patch [1] from upstrem to fix CVE-2024-42040 [2] [1] https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-42040 (From OE-Core rev: f5b980ade1e952a181cb51d60268942095627c0d) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to kirkstone head revisionyocto-4.0.31kirkstone-4.0.31Steve Sakoman2025-10-311-1/+1
| | | | | | (From OE-Core rev: 99204008786f659ab03538cd2ae2fd23ed4164c5) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* poky.conf: bump version for 4.0.31Steve Sakoman2025-10-311-1/+1
| | | | | | (From meta-yocto rev: 3b2df00345b46479237fe0218675a818249f891c) Signed-off-by: Steve Sakoman <steve@sakoman.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-04-22 12:08:43 +0000