| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This release mostly changes code and commentary. The only changed data
are leap second table expiration and pre-1976 time in Baja California.
Full release notes:
https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TAGXKYLMAQRZRFTERQ33CEKOW7KRJVAK/
(From OE-Core rev: 7255b0ff315367abb5f0c6f00974bf30f7861d1b)
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 452334219309793ad74abd6ff390dcb06cab929b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes [YOCTO #16128]
Backport of upstream bug fix from lighttpd-1.4.75. Version 1.4.74 introduced a bug that
would append a trailing slash to files in a directory listing. When the user attempts to
download one of these files, the web browser could not save the file with a trailing
slash. As a consequence, every web browser tested would generate a random character string
for the saved file name.
(From OE-Core rev: 797f15116901328a9a58868edeea44614dc29043)
Signed-off-by: Fred Bacon <bacon@aerodyne.com>
[Yoann: Fixed Upstream-Status: Backport URL]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Pick patch from PR mentioned in v3.8.5 release notes.
(From OE-Core rev: c316c6e50e73a681c22fa03cdb59a0317495a418)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patch for CVE-2025-61915 by mistake causes fatal error on unknown
directives in configuration files.
The default configuration already contains unknown directive in
non-systemd setups:
Unknown directive IdleExitTimeout on line 32 of /etc/cups/cupsd.conf
Backport fix for this from 2.4.x branch which reverts this behavior.
(From OE-Core rev: 2f36a12a72cf1f91a2d6ee68bd04292979608eb9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream Repository: https://github.com/OpenPrinting/cups.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61915
Type: Security Fix
CVE: CVE-2025-61915
Score: 6.7
Patch: https://github.com/OpenPrinting/cups/commit/db8d560262c2
(From OE-Core rev: ca252aac4e50b7ed8864bf7482a86fe7129e737e)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream Repository: https://github.com/OpenPrinting/cups.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58436
Type: Security Fix
CVE: CVE-2025-58436
Score: 5.5
Patch: https://github.com/OpenPrinting/cups/commit/5d414f1f91bd
(From OE-Core rev: 6a721aad5f531ac74996386cbaaa0173c2c5001a)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch from [3] marked in [2] mentioned in [1].
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-60753
[2] https://github.com/libarchive/libarchive/issues/2725
[3] https://github.com/libarchive/libarchive/pull/2787
(From OE-Core rev: 1fbd9eddbdf0da062df0510cabff6f6ee33d5752)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Pick patch [2] as listed in [1].
[1] https://github.com/libarchive/libarchive/releases/tag/v3.8.3
[2] https://github.com/libarchive/libarchive/pull/2768
(From OE-Core rev: efe032eef7034009f1202985b2036fc79e06bddf)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch [2] as listed in [1].
To apply it cleanly, add two additional patches from branch patch/3.8.
[1] https://github.com/libarchive/libarchive/releases/tag/v3.8.3
[2] https://github.com/libarchive/libarchive/pull/2753
(From OE-Core rev: 11f782c1ae9962a2faa98bff3566e49fbf6db017)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When building an image including iptable built with the libnftnl
PACKAGECONFIG, one hits
Downloading file:.../oe-rootfs-repo/armv8a/libkmod2 * check_data_file_clashes: Package iptables wants to install file .../rootfs/etc/ethertypes
But that file is already provided by package * netbase
This used to be handled by
0003-Makefile.am-do-not-install-etc-ethertypes.patch, but that patch
got removed with the 1.8.9->1.8.10 upgrade (commit 4616ada82e70).
I think the rationale for dropping the patch was wrong; the commit log
talks about xtables.conf, which is indeed gone from upstream, but said
patch didn't change anything about xtables.conf, it did
-dist_conf_DATA = etc/ethertypes etc/xtables.conf
+dist_conf_DATA = etc/xtables.conf
However, instead of patching iptables to not install ethertypes, and
having to forward-port that patch, it is much simpler to just remove
the file in this do_install:append.
(From OE-Core rev: a970b6c927fb4c04473484f6e4b0a9853c8a5896)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2025-6018 is a local privilege escalation in PAM that requires
`user_readenv=1` to be enabled in the PAM configuration. The default
configuration does not enable reading user environment files (user_readenv
is 0 by default). Hence this vulnerability cannot be exploited using the
default configuration.
(From OE-Core rev: 3f2a9ad03326dc87681cf47ed5f73712ebaa624c)
Signed-off-by: Anders Heimer <anders.heimer@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
Pick commit mentioned in the NVD report.
(From OE-Core rev: a63bb2ccc8294c8a97f5957f1ca9f0a4880713ac)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
Pick commit mentioned in the NVD report.
(From OE-Core rev: 2f1d5b9ad1af6d2b28e9e7b46aadd879a67b8fc6)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
Pick commit mentioned in the NVD report.
(From OE-Core rev: 4a2f47d9541d7a13da7a9ce16bd5088870c45ec4)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This example no longer works on more recent kernels:
genl-family-get
error: Invalid argument
dmesg says:
netlink: 'genl-family-get': attribute type 1 has an invalid length.
Fix this and also zero out the reserved field in the genl header,
while not validated yet for dumps this could change.
Upstream-Status: Backport [https://git.netfilter.org/libmnl/patch/?id=54dea548d796653534645c6e3c8577eaf7d77411]
Reported-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
(From OE-Core rev: bae5ecea1c40847ffc3760173192f85e28ed9d7b)
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 54dea548d796653534645c6e3c8577eaf7d77411)
Signed-off-by: Divyanshu Rathore <divyanshu.rathore@bmwtechworks.in>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport from
https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221
& https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d
(From OE-Core rev: 6f3b7e6efdf14d080b74a48d8cdc445255e9025f)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Removed CVE-2024-47175 patches which is fixed by upgrade
system-cups.slice added to FILES
Changelog
==========
v2.4.11
CUPS 2.4.11 brings several bug fixes regarding IPP response validation, processing PPD values, Web UI support (checkbox support, modifying printers) and others fixes.
Detailed list of changes is available in CHANGES.md
(From OE-Core rev: 117a401756a3cf26d1fc0a6694b0c42967e00fec)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
Upstream-Status: Backport from https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628
(From OE-Core rev: 2be498fd0872d7ccbf0e9b2eb0a1d4879823c968)
Signed-off-by: Stanislav Vovk <stanislav.vovk@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
| |
This comment should not have been merged.
It shows that the license did not change.
(From OE-Core rev: a19afb7db1b9995ce433f8bfeb5406c9fd1fdc19)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes build with GCC-15 which is defaulting to C23
For scarthgap also add it in BUILD_CFLAGS.
(From OE-Core rev: 874701c4fd96134e18f73eba4bd5c8b513ad251b)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update declarations to allow building with gcc-15 with C23 std
being default now.
Fixes:
error: conflicting types for 'xdr_opaque_auth
(From OE-Core rev: 65036ab0a519c14338fb26ac8162d159d965da2b)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add a patch to remove redundant declarations
(From OE-Core rev: b84d6ceb89277462d7069defaeb9ecfed9c30d56)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Picked commit per [1].
[1] https://security-tracker.debian.org/tracker/CVE-2025-5918
(From OE-Core rev: d2b8d2f7d579779a9effcff677960dbc576b1cc8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* fixes builds on host with gcc-15:
http://errors.yoctoproject.org/Errors/Details/853016/
../../bash-5.2.37/builtins/mkbuiltins.c:268:29: error: too many arguments to function ‘xmalloc’; expected 0, have 1
268 | error_directory = xmalloc (2 + strlen (argv[arg_index]));
| ^~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(From OE-Core rev: 55c144bd17665f70cd15e36f3405f502a962f039)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
GCC 15 defaults to C23 and bash is not yet ready for that
so keep using C17 like GCC 14 for now
(From OE-Core rev: adf63fe5f76cbd0fd93ce5fa23229a388211e992)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
(From OE-Core rev: 67c47f0ed5ba852930e0815691ee7ec06dec1d0e)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
| |
According to the NVD entry, it is only applicable when built
for native Windows (MinGW-w64 or MSVC).
(From OE-Core rev: 04ce4704e603cd66f30ffc001541c6497d84050e)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The example repo doesn't seem to have ever been under MIT to begin with
but rather Apache-2.0. It was then changed to the license used by the
goland projectm that is BSD-3-Clause, 2 years ago in commit 00c7068f9d83
("all: update to Go license").
The license file exists in the sources, so use that one instead of
taking it from the OE-Core license directory.
License-Update: Incorrect license is now proper
(From OE-Core rev: fa45d6d5bec8fe503ff6b9166a3b4af31ea95369)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was added by original commit for CVE-2025-6020-01.patch
https://github.com/linux-pam/linux-pam/commit/475bd60c552b98c7eddb3270b0b4196847c0072e#diff-05f443e6acbe32a148a45648148739bf6f02f13acc5c20c6037bf933223d4d77
but removed here in the rebase, causing:
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:11: error: call to undeclared function 'dirname'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
326 | parent = dirname(buf);
| ^
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:9: error: incompatible integer to pointer conversion assigning to 'char*' from 'int' [-Wint-conversion]
326 | parent = dirname(buf);
| ^ ~~~~~~~~~~~~
(From OE-Core rev: 6d88a28ac7b6ff61808eb46e5c85dabd17c77f2e)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
Upstream-Status: Backport from https://github.com/linux-pam/linux-pam/commit/475bd60c552b98c7eddb3270b0b4196847c0072e && https://github.com/linux-pam/linux-pam/commit/592d84e1265d04c3104acee815a503856db503a1 && https://github.com/linux-pam/linux-pam/commit/976c20079358d133514568fc7fd95c02df8b5773
(From OE-Core rev: dd5bbac75b1d8f7ebd83d5c9945bd860e397ba07)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
===========
* Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified
when running a command or editing a file. This could enable a
local privilege escalation attack if the sudoers file allows the
user to run commands on a different host.
* Fixed CVE-2025-32463. An attacker can leverage sudo's -R
(--chroot) option to run arbitrary commands as root, even if
they are not listed in the sudoers file. The chroot support has
been deprecated an will be removed entirely in a future release.
License-Update: Copyright updated to 2025
0001-sudo.conf.in-fix-conflict-with-multilib.patch refreshed for 1.9.17
(From OE-Core rev: b04af6db102c97f3d4338dbcfdcab927b5194a69)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
| |
This CVE is fixed in the following version bump
This reverts commit d01f888a5ec43fdc8e7bd496ae9317c0fa28da9b.
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
Pick commit referencing this CVE.
(From OE-Core rev: a8193571c8cdba55f568d831a4546e0fed892be0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
In http://ftp.debian.org/debian/pool/main/m/minicom/, the
tarball of minicom_2.9.orig.tar.bz2 can not be found.
So the old SRC_URI should be updated.
(From OE-Core rev: 49fcec2041071d44289e03cac087de6b929d6153)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
Upstream-Status: Backport from https://github.com/sudo-project/sudo/commit/d530367828e3713d09489872743eb92d31fb11ff
(From OE-Core rev: d01f888a5ec43fdc8e7bd496ae9317c0fa28da9b)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A vulnerability has been identified in the libarchive library. This flaw can be triggered whe
n file streams are piped into bsdtar, potentially allowing for reading past the end of the fi
le. This out-of-bounds read can lead to unintended consequences, including unpredictable prog
ram behavior, memory corruption, or a denial-of-service condition.
CVE-2025-5918-0001 is the dependent commit and CVE-2025-5918-0002 is the actual CVE fix.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5918
Upstream-patches:
https://github.com/libarchive/libarchive/commit/89b8c35ff4b5addc08a85bf5df02b407f8af1f6c
https://github.com/libarchive/libarchive/commit/dcbf1e0ededa95849f098d154a25876ed5754bcf
(From OE-Core rev: 369c164a163b2c7f15ee5fc41130be9feaf7245e)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-
one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-
byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, lea
ding to unpredictable program behavior, crashes, or in specific circumstances, could be lever
aged as a building block for more sophisticated exploitation.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5917
Upstream-patch:
https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85
(From OE-Core rev: 2b6832b05bab414df1da7c74a0c6a5e5a9d75b29)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A vulnerability has been identified in the libarchive library. This flaw
involves an integer overflow that can be triggered when processing a Web
Archive (WARC) file that claims to have more than INT64_MAX - 4 content
bytes. An attacker could craft a malicious WARC archive to induce this
overflow, potentially leading to unpredictable program behavior, memory
corruption, or a denial-of-service condition within applications that
process such archives using libarchive.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5916
Upstream-patch:
https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403
(From OE-Core rev: 9c74d3a096fed68d173f8711b373a42f158d6cc7)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A vulnerability has been identified in the libarchive library. This flaw can lead to a heap b
uffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer
-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memo
ry buffer, which can result in unpredictable program behavior, crashes (denial of service), o
r the disclosure of sensitive information from adjacent memory regions.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5915
Upstream-patches:
https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c
(From OE-Core rev: 99fdc86ad57db4d8829a33033918cf78419977af)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A vulnerability has been identified in the libarchive library, specifically within the archiv
e_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultim
ately lead to a double-free condition. Exploiting a double-free vulnerability can result in m
emory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service
condition.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-5914
Upstream-patch:
https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209
(From OE-Core rev: b7d8249bda296620a5bbf592f4cdf566b4537563)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the input compiler enables AVX, stack realignment requirements
causes gcc to fail to omit %rbp use, due to which the test fails to
clobber %rbp in inline asm. Disable AVX to build the test on x86_64 so
that the test continues working.
Fix compilation with gcc v13.4+. Cherry picked from oe-core, master branch.
(From OE-Core rev: 54d6fa7bc9f4ae6bdb98862488e8d09200d3bc14)
Signed-off-by: Preeti Sachan <preeti.sachan@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
Backport patch for this CVE and also patch for its regression.
(From OE-Core rev: 352525443b1844cdfd28355dfc1444046bbb76e8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A minor information leak when running Screen with setuid-root
privileges allosw unprivileged users to deduce information
about a path that would otherwise not be available.
Affected are older Screen versions, as well as version 5.0.0.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-46804
Upstream-patch:
https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=e0eef5aac453fa98a2664416a56c50ad1d00cb30
(From OE-Core rev: a313af8ca347797214669406ee86f5239997f7e3)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For a short time they PTY is set to mode 666, allowing any user on the
system to connect to the screen session.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-46802
Upstream-patch:
https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=049b26b22e197ba3be9c46e5c193032e01a4724a
(From OE-Core rev: b17e091eb4681b69c5a050d3fa0f9289f524e205)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
(From OE-Core rev: 1d9be1505462822a2b75a1136a27d25b262b1feb)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cc9ba7005fb155f4d5f2be9b23c12d14362a306b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/screen/patch/?id=aa9f51f996a22470b8461d2b6a32e62c7ec30ed5
Upstream commit https://git.savannah.gnu.org/cgit/screen.git/commit/?id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4]
(From OE-Core rev: 69dd9b16fbd18a1a960887ee9479a2e731b5a184)
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2025-47268
ping in iputils through 20240905 allows a denial of service (application
error or incorrect data collection) via a crafted ICMP Echo Reply
packet, because of a signed 64-bit integer overflow in timestamp
multiplication.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47268
Patch from:
https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40
(From OE-Core rev: 6b0dd564249754ab8ec20ce69b137466e051501e)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
| |
(From OE-Core rev: 0d93972dc2d67853b7ddb0d9e55522930fb51df2)
Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b1ff8b45da27b533477cf6d9ace7a47f7f3a28b1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initially, PAM community fixed CVE-2024-10041 in the version v1.6.0 via commit b3020da.
But not all cases were covered with this fix and issues were reported after the release.
In the v1.6.1 release, PAM community fixed these issues via commit b7b9636.
Backport this commit b7b9636, which
Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Backport from https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620
(From OE-Core rev: 78a04ce17e7d828c0cf8cae2164882683d46275e)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These is update with only bug and security releases.
On top of previous CVE patches, also CVE-2024-48615 is handled.
Also many security fixes without CVE assigment are included.
Note that upgrade to 3.7.5 on master required fix of test in
python3-libarchive-c, however that recipe does not yet have ptest in
scarthgap and the fix was in test only, not in productive code, so it is
not necessary in scarthgap.
Also remove CVE_STATUS which was obsolete already before this upgrade.
(From OE-Core rev: f20516a3ed8a39d7e4deddf11dd2acd871894048)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
