summaryrefslogtreecommitdiffstats
path: root/meta
Commit message (Collapse)AuthorAgeFilesLines
...
* vim: Fix CVE-2026-28419Hitendra Prajapati2026-05-042-0/+87
| | | | | | | | | | | | | Pick patch from [1] also mentioned in [2] [1] https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812812d580c7879f4a0 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-28419 (From OE-Core rev: 5e05e5e86d4ac5cc8a8d39ceb4f784feb9b0d327) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* vim: Fix CVE-2026-28418Hitendra Prajapati2026-05-042-0/+79
| | | | | | | | | | | | | Pick patch from [1] also mentioned in [2] [1] https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d [2] https://nvd.nist.gov/vuln/detail/CVE-2026-28418 (From OE-Core rev: bbbe166c9d9df9b8cf0df6f84bf1eb3c7732b7da) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3: upgrade 3.12.12 -> 3.12.13Vijay Anusuri2026-05-045-828/+1
| | | | | | | | | | | | | | | | | | | Drop upstreamed patches. Release information: * https://www.python.org/downloads/release/python-31213/ * The release you're looking at is Python 3.12.13, a security bugfix release for the legacy 3.12 series. Handles CVE-2024-6923 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-15282 CVE-2025-59375 CVE-2026-0865 CVE-2026-24515 CVE-2026-25210 (From OE-Core rev: 8b0c626633a1e443cfb6e5f73c6120bff5f6a5ef) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> [YC: Full changelog: https://docs.python.org/release/3.12.13/whatsnew/changelog.html#python-3-12-13] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* linux/generate-cve-exclusions: backport script from master branchJoão Marcos Costa (Schneider Electric)2026-05-041-32/+90
| | | | | | | | | | | | | | | | The current version of this script in Scarthgap is outdated, since it still uses data from linux_kernel_cves. This repository was archived in 2024. To avoid any risks of conflicts, and/or a patch series longer than it needs to be, I copied the generate-cve-exclusions.py script from oe-core's master branch (rev. "e954a94b5b528b2430e8da331107d7d58287f89b") as-is. (From OE-Core rev: 66a13f93403533b95ed27eed24931aa310f8ce79) Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* nghttp2: Fix CVE-2026-27135Anil Dongare2026-05-042-1/+113
| | | | | | | | | | | | Pick patch from [1] also mentioned in [2] [1] https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-27135 (From OE-Core rev: 892fdc819660ab67d9930e0ccb71e4138fcf1750) Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* unfs3: Fix race issue causing a glibc test hangHemanth Kumar M D2026-05-042-0/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | When running glibc tests under user mode NFS, tst-syslog was causing a hang. The hang was traced to unfsd exitting with a buffer overflow being detected. This was traced down to mksocket() where we'd see: socket path '/media/build/poky/build/build-st-2118464/tmp/work/x86-64-v3-poky-linux/glibc-testsuite/2.42+git/build-x86_64-poky-linux/testroot.root/dev/log' is too long at 141 vs 108 There is a length check in mknod_args() but obj may not be setup at this point by cat_name() since the functions can be executed out of order according to C. To avoid this, make the order explict. This means the length is checked and we avoid the buffer overflow. This will likely cause the glibc test to fail however it won't hang, which is a win. [YOCTO #16113] (From OE-Core rev: 34f34512e5eeefc24b36b102a36fc90f14e2f7d2) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com> (cherry picked from commit e51d5e19cb1ba1d5ad7442064b64821d178bc9ca) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* sqlite3: Fix CVE-2025-70873Vijay Anusuri2026-05-042-0/+34
| | | | | | | | | | | | | | Pick patch as per [1] [1] https://sqlite.org/src/info/3d459f1fb1bd1b5e [2] https://sqlite.org/forum/forumpost/761eac3c82 [3] https://gist.github.com/cnwangjihe/f496393f30f5ecec5b18c8f5ab072054 (From OE-Core rev: e948f33fa6bf69619b406ccd8dc4e5470e223335) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* vim: Fix CVE-2026-33412Hitendra Prajapati2026-05-042-0/+62
| | | | | | | | | | | | Pick patch from [1] also mentioned in NVD report with [2] [1] https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a [2] https://nvd.nist.gov/vuln/detail/CVE-2026-33412 (From OE-Core rev: dcedbba9b4d8a4cb02e2a7a291b934ea3bf7bdce) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* vim: Fix CVE-2026-26269Anil Dongare2026-05-042-0/+151
| | | | | | | | | | | | Pick patch from [1] also mentioned in [2] [1] https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-26269 (From OE-Core rev: 1d870ab25eea1c0204fb7abe109251aa55326b76) Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* vim: Fix CVE-2026-25749Anil Dongare2026-05-042-0/+65
| | | | | | | | | | | | Pick patch from [1] also mentioned in [2] [1] https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-25749 (From OE-Core rev: ce685e18a6dd7137094a10a9051aefc123a0f2e4) Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* binutils: mark CVE-2025-69650 and CVE-2025-69651 as disputedAdarsh Jagadish Kamini2026-05-041-0/+2
| | | | | | | | | | | | | | | | | | | Both CVEs are disputed by third parties. The observed behavior (double free / invalid pointer free in readelf) only occurred in pre-release code and did not affect any tagged version [1][2]. CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version" CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version" [1] https://www.cve.org/CVERecord?id=CVE-2025-69650 [2] https://www.cve.org/CVERecord?id=CVE-2025-69651 (From OE-Core rev: 55a0d8abad8a81f7d900557c2eb2d9327ee115df) Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> (cherry picked from commit 9c6df56fe18237880c391798c2083dca595566f4) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* busybox: fix for CVE-2026-26157, CVE-2026-26158Hitendra Prajapati2026-05-043-0/+237
| | | | | | | | | | | | | | | | | Pick up patch from NVD report. More details : [1]: https://nvd.nist.gov/vuln/detail/CVE-2026-26157 [2]: https://nvd.nist.gov/vuln/detail/CVE-2026-26158 Note: We use patch from busybox mirror that looks trustworthy https://gogs.librecmc.org/OWEALS/busybox. (From OE-Core rev: 086785b621a782aa87546921c58e1049528be3b3) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* tcl: skip http11 testsRoss Burton2026-05-041-0/+3
| | | | | | | | | | | | | | | | | | | These tests are either unstable under load, or just unstable. A ticket has been filed upstream[1] but for now disable them. [ YOCTO #15467 ] [1] https://core.tcl-lang.org/tcl/tktview/3764f4e81f1483ab554c6d60f8483887bde28221 (From OE-Core rev: 96574e448abd040743655fb29cd1eeb6735e9df2) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8f1538518fd3a3017189b38437691ce358a2566a) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* ncurses: fix for CVE-2025-69720Hitendra Prajapati2026-05-042-0/+43
| | | | | | | | | | | | | | | | | | | | Pick relevant part of snapshot commit 20251213, see [1]. That has: add a limit-check in infocmp -i option (report/example by Yixuan Cao). [1] https://invisible-island.net/ncurses/NEWS.html#index-t20251213 References: 1. https://github.com/Cao-Wuhui/CVE-2025-69720 2. https://nvd.nist.gov/vuln/detail/CVE-2025-69720 3. https://access.redhat.com/errata/RHSA-2026:5913 (From OE-Core rev: a4364099e0593757bc848dc766843d7651550224) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* curl: patch CVE-2026-3784Vijay Anusuri2026-05-042-0/+78
| | | | | | | | | | | | | | pick patch from ubuntu per [1] [1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz [2] https://ubuntu.com/security/CVE-2026-3784 [3] https://curl.se/docs/CVE-2026-3784.html (From OE-Core rev: 1142953d395cd8de187fbd0dc8c143b953c42612) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* curl: patch CVE-2026-3783Vijay Anusuri2026-05-042-0/+154
| | | | | | | | | | | | | | pick patches from ubuntu per [1] [1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz [2] https://ubuntu.com/security/CVE-2026-3783 [3] https://curl.se/docs/CVE-2026-3783.html (From OE-Core rev: f09125ca033126260c3d66daaa04fffb0d1480f3) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* curl: patch CVE-2026-1965Vijay Anusuri2026-05-043-0/+138
| | | | | | | | | | | | | | pick patches from ubuntu per [1] [1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz [2] https://ubuntu.com/security/CVE-2026-1965 [3] https://curl.se/docs/CVE-2026-1965.html (From OE-Core rev: 0fc5d35a56900701b5ec8b53646448dd5fac537a) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* libarchive: Fix CVE-2026-4111Vijay Anusuri2026-05-043-0/+342
| | | | | | | | | | | | | | Pick patch according to [1] [1] https://security-tracker.debian.org/tracker/CVE-2026-4111 [2] https://github.com/libarchive/libarchive/pull/2877 [3] https://access.redhat.com/errata/RHSA-2026:5063 (From OE-Core rev: c938ecea4304a57edb824f121e0ca8f79b45bb7e) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* tzdata/tzcode-native: upgrade 2025c -> 2026aJinfeng Wang2026-05-041-3/+3
| | | | | | | | | | | (From OE-Core rev: d6562c14947cfa84c42c2936e7eed3755fab4c05) Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 217ede26d64901d9a38fc119efa684487714c08a) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* spdx30_tasks: fix condition in create_spdxJoão Marcos Costa (Schneider Electric)2026-05-041-1/+1
| | | | | | | | | | | | Considering that *detail* is an actual variable, not a string, remove the quotes to make the 'in' statement coherent. (From OE-Core rev: 8071a93c6b619dc9fcc2a7f1bcf94994499defbe) Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com> Reviewed-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* build-appliance-image: Update to scarthgap head revisionyocto-5.0.17Paul Barker2026-04-021-1/+1
| | | | | | (From OE-Core rev: 52380df998b3a8fe6a091f8547434a3231320a8e) Signed-off-by: Paul Barker <paul@pbarker.dev>
* gnutls: Fix CVE-2025-14831Vijay Anusuri2026-04-0210-0/+1640
| | | | | | | | | | | | | | Picked commits which mentions this CVE per [1]. [1] https://ubuntu.com/security/CVE-2025-14831 [2] https://security-tracker.debian.org/tracker/CVE-2025-14831 [3] https://gitlab.com/gnutls/gnutls/-/issues/1773 (From OE-Core rev: d0e844108702e553950cab60d51f1cc4cfeed993) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3-pyopenssl: Fix CVE-2026-27459Vijay Anusuri2026-04-022-0/+110
| | | | | | | | | | | | | Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459 [2] https://ubuntu.com/security/CVE-2026-27459 (From OE-Core rev: 94c6f16933b9ff4c4a2ea46be1e3fc5f2979a49d) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3-pyopenssl: Fix CVE-2026-27448Vijay Anusuri2026-04-022-0/+128
| | | | | | | | | | | | | Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448 [2] https://ubuntu.com/security/CVE-2026-27448 (From OE-Core rev: 6349510d2ae9d8f4ad1c52d7356d2359b7bf4826) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* spdx: add option to include only compiled sourcesJoão Marcos Costa (Schneider Electric)2026-04-022-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the source code files that are used during compilation. It uses debugsource information generated during do_package. This enables an external tool to use the SPDX information to disregard vulnerabilities that are not compiled. As example, when used with the default config with linux-yocto, the spdx size is reduced from 156MB to 61MB. (From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968) Adapted to existing files for SPDX3.0 Tested with: - bitbake world on oe-core - oe-selftest --run-tests spdx.SPDX30Check Regarding SPDX2.2, the respective backport was already performed in OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b (From OE-Core rev: 1c7dfab26d69a87bb026e05b3bbf6a266858c0d1) Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3-cryptography: Fix CVE-2026-26007Nguyen Dat Tho2026-04-022-0/+150
| | | | | | | | | | | | | | | | | | | CVE-2026-26007 is fixed upstream in version 46.0.5. Our current version (42.0.5, scarthgap) is still reported as vulnerable by NVD. Backport the upstream fix to address this CVE. Upstream commit: https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c CVE report: https://nvd.nist.gov/vuln/detail/CVE-2026-26007 (From OE-Core rev: a363958725430237160b0a83a6a6acbe8380fba3) Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* tzdata,tzcode-native: Upgrade 2025b -> 2025cPaul Barker2026-04-021-3/+3
| | | | | | | | | | | | | | | | | | This release mostly changes code and commentary. The only changed data are leap second table expiration and pre-1976 time in Baja California. Full release notes: https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TAGXKYLMAQRZRFTERQ33CEKOW7KRJVAK/ (From OE-Core rev: 7255b0ff315367abb5f0c6f00974bf30f7861d1b) Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 452334219309793ad74abd6ff390dcb06cab929b) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3-pip: drop unused Windows distlib launcher templatesKrupal Ka Patel2026-03-251-0/+9
| | | | | | | | | | | | | | | | | | | | pip vendors distlib which ships Windows launcher template binaries (*.exe) under pip/_vendor/distlib. These files are only used on Windows systems but are installed and packaged for target, native, and nativesdk builds. Remove the distlib *.exe templates when not building for a mingw (mingw32/mingw64) host to avoid shipping unused Windows binaries and reduce package noise. (From OE-Core rev: 9f2a6cfda6a2305f52411ca8121f27c8a5a91fa2) Signed-off-by: Krupal Ka Patel <krkapate@cisco.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 90d208fbb06b6e6b5aaddb0048fd6e2e1d46c8bd) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3-setuptools: drop Windows launcher executables on non-mingw buildsKrupal Ka Patel2026-03-251-0/+9
| | | | | | | | | | | | | | | | | | setuptools installs Windows launcher executables (cli*.exe, gui*.exe) into site-packages. These binaries are only used on Windows platforms but are packaged for target, native, and nativesdk builds. Remove the Windows launcher executables when not building for a mingw (mingw32/mingw64) host to avoid shipping unused Windows binaries. (From OE-Core rev: a618c504ba69d20eec08944c577b15a48b1ac578) Signed-off-by: Krupal Ka Patel <krkapate@cisco.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit cf7c79f3962f2be99cfda47e8cc730091e6a18cb) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* inetutils: Fix CVE-2026-32746Vijay Anusuri2026-03-252-0/+41
| | | | | | | | | | | | | | Pick patch according to [1] [1] https://security-tracker.debian.org/tracker/CVE-2026-32746 [2] https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html [3] https://codeberg.org/inetutils/inetutils/pulls/17/files (From OE-Core rev: 53a3cdf7b55b76ec64a314f5fafced4a803ac12f) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* systemd-systemctl: Fix instance name parsing with escapes or periodsTrent Piepho2026-03-251-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | Fixes [YOCTO #16130] When extracting the instance name from a template instances such as 'example@host.domain.com.service', the systemctl replacement script will split the instance on the first period, producing an instance argument of 'host' and a template of 'example@.domain.com.service'. This is incorrect, as systemd will split on the last period, producing an instance argument of 'host.domain.com' and a template of 'example@.service'. When constructing the template name, the script will also pass the string as is to re.sub(), which will try to process any backslash escapes in the string. These are legal in systemd unit names and should be preserved. They also are not valid Python escape sequences. Use re.escape() to preserve anything in the unit name that might be considered a regex exscape. (From OE-Core rev: 0514c317523330f75937123c45bb0528e4830f61) Signed-off-by: Trent Piepho <trent.piepho@igorinstitute.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3-pip: Fix CVE-2026-1703Vijay Anusuri2026-03-252-1/+40
| | | | | | | | | | | | | | Pick patch according to [1] [1] https://security-tracker.debian.org/tracker/CVE-2026-1703 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-1703 [3] https://github.com/pypa/pip/pull/13777 (From OE-Core rev: 29c72a4729a42f75af47b6a7e04c9d52155e3c1f) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* go: Fix CVE-2025-61726.patch variable orderingEduardo Ferreira2026-03-251-10/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 6a1ae4e792 (go 1.22.12: Fix CVE-2025-61726, 2026-02-11) introduced a patch backporting a fix for CVE-2025-61726, but this patch also introduced a bug. From Go's source code[1], they say that the 'All' table from 'godebugs' should be populated alphabetically by Name. And 'Lookup'[2] function uses binary search to try and find the variable. Here's the trace: Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker Application Container Engine. Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 11:34:53 http: panic serving @: godebug: Value of name not listed in godeb ugs.All: urlmaxqueryparams Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 [running]: Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*conn).serve.func1() Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/server.go:1903 +0xb0 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?}) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1() Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:383 +0x2c Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0, 0x0, 0x40 006441c0?}) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:421 +0x898 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?}) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value.func1() Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:141 +0xd8 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).doSlow(0x22?, 0x55748a9b60?) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:74 +0x100 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).Do(...) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:65 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value(0x5575b21be0) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:138 +0x50 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.urlParamsWithinMax(0x1) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:968 +0x3c Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.parseQuery(0x400069a630, {0x0, 0x0}) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:985 +0xdc Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.ParseQuery(...) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:958 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*Request).ParseForm(0x4000bdab40) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/request.go:1317 +0x33c Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils.ParseForm(0x0?) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20 The 'Lookup' function was failing due to the wrong ordering and returning 'nil', which was not being checked properly and caused this issue. The fix was to just reorder the line where 'urlmaxqueryparams' is being added to respect the alphabetical ordering. And for that the whole CVE patch was generated again. This change was validated with docker-moby (original issue), where a container run successfully and no traces in the logs. [1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20 [2] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100 (From OE-Core rev: b670b11ff4845b64f861041681ace9c21db16eed) Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* freetype: Fix CVE-2026-23865Vijay Anusuri2026-03-252-0/+55
| | | | | | | | | | | | | Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23865 https://security-tracker.debian.org/tracker/CVE-2026-23865 Picked patch mentioned in NVD (From OE-Core rev: b371b1b670123c9f231ed8b450ad868b6c4f9549) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* tiff: ignore CVE-2025-61143, CVE-2025-61144 and CVE-2025-61145Ankur Tyagi2026-03-251-1/+1
| | | | | | | | | | | | | | | | | | | These CVEs are for tools which were removed in v4.6.0[1] [1]https://gitlab.com/libtiff/libtiff/-/commit/eab89a627f0a65e9a1a47c4b30b4802c80b1ac45 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61143 https://nvd.nist.gov/vuln/detail/CVE-2025-61144 https://nvd.nist.gov/vuln/detail/CVE-2025-61145 (From OE-Core rev: e5ec16fbe4ce402b92107d2491c4e08fa2432f1a) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> [YC: NVD patches for these CVEs only modify the tools which are not in the tarball we use] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* lsb.py: strip ' from os-release fileMartin Jansa2026-03-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In gentoo the file looks like this: NAME='Gentoo' ID='gentoo' PRETTY_NAME='Gentoo Linux' VERSION='2.18' VERSION_ID='2.18' HOME_URL='https://www.gentoo.org/' SUPPORT_URL='https://www.gentoo.org/support/' BUG_REPORT_URL='https://bugs.gentoo.org/' ANSI_COLOR='1;32' ' were added with: https://github.com/gentoo/gentoo/commit/2f590e35c9d3d13d5673163527120b2de97fdc80 before that the os-release file looked like this: NAME=Gentoo ID=gentoo PRETTY_NAME="Gentoo Linux" ANSI_COLOR="1;32" HOME_URL="https://www.gentoo.org/" SUPPORT_URL="https://www.gentoo.org/support/" BUG_REPORT_URL="https://bugs.gentoo.org/" VERSION_ID="2.18" The ' is stripped from the ID later in distro_identifier with: # Filter out any non-alphanumerics and convert to lowercase distro_id = re.sub(r'\W', '', distro_id).lower() but not from version which results in a weird NATIVELSBSTRING like: NATIVELSBSTRING = "gentoo-'2.18'" And similarly the directory name in sstate-cache: oe-core $ ls -d sstate-cache/gentoo-* "sstate-cache/gentoo-'2.18'" sstate-cache/gentoo-2.18 (From OE-Core rev: 9906255a99f13bf6feefca11e8305364efce6450) Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 55f82653deb1ea8f1304fcba4d588bd55695b616) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* wireless-regdb: upgrade 2025.10.07 -> 2026.02.04Ankur Tyagi2026-03-251-1/+1
| | | | | | | | | | | | | (From OE-Core rev: a26cdcc31b97b5eed545b9859bee8b5c098d394b) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f86c38b13121788fe6a654df04800d24b2b28b61) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> [YC: logs: https://git.kernel.org/pub/scm/linux/kernel/git/wens/wireless-regdb.git/log/?h=master-2026-02-04] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* inetutils: patch CVE-2026-28372Peter Marko2026-03-252-0/+87
| | | | | | | | | | | | | | | | | | Pick patch according to [1] (equivalent to patch from [2]). This CVE is needed if util-linux >= 2.40 is used which is not the case in Yocto scarthgap, however it's always possible that users update packages in their layers. [1] https://security-tracker.debian.org/tracker/CVE-2026-28372 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-28372 (From OE-Core rev: 2ab4f313ebd2c8f2d801dc3f53df3a0741cf848e) Signed-off-by: Peter Marko <peter.marko@siemens.com> [YC: replaced kirkstone by scarthap] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* busybox: Fixes CVE-2025-60876Livin Sunny2026-03-162-0/+43
| | | | | | | | | | | | | | | | | | | | | | | This addresses CVE-2025-60876[1], which allows malicious URLs to inject HTTP headers. It has been accepted by Debian[2] and is tracked here [4]. The upstream fix has been submitted [3] and is pending merge. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-60876 [2] https://bugs.debian.org/1120795 [3] https://lists.busybox.net/pipermail/busybox/2025-November/091840.html [4] https://security-tracker.debian.org/tracker/CVE-2025-60876 Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html] (From OE-Core rev: 077f258eb2125359ffe3982c58433ee14cb21f09) Signed-off-by: Livin Sunny <livinsunny519@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f12af98df8f627c6d1836d27be48bac542a4f00e) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* uboot-config: Fix devtool modifyTom Hochstein2026-03-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a problem with `devtool modify` as suggested by Marcus Flyckt on the mailing list: ``` I encountered an issue with `do_config` when using `devtool modify` on `u-boot-imx`. ``` [...] | cp: cannot stat '[...]/u-boot-imx/2024.04/build/imx8mp_wl400s_defconfig/.config': No such file or directory | WARNING: exit code 1 from a shell command. ERROR: Task ([...]/sources/poky/../meta-freescale/recipes-bsp/u-boot/u-boot-imx_2024.04.bb:do_configure) failed with exit code '1' NOTE: Tasks Summary: Attempted 963 tasks of which 962 didn't need to be rerun and 1 failed. Summary: 1 task failed: [...]/sources/poky/../meta-freescale/recipes-bsp/u-boot/u-boot-imx_2024.04.bb:do_configure Summary: There was 1 ERROR message, returning a non-zero exit code ``` The issue seems to originate from the following lines in `workspace/appends/u-boot-imx_2024.04.bbappend`: ``` do_configure:append() { if [ ${@oe.types.boolean(d.getVar("KCONFIG_CONFIG_ENABLE_MENUCONFIG"))} = True ]; then cp ${KCONFIG_CONFIG_ROOTDIR}/.config ${S}/.config.baseline ln -sfT ${KCONFIG_CONFIG_ROOTDIR}/.config ${S}/.config.new fi } ``` For some reason `KCONFIG_CONFIG_ROOTDIR` does not point to the correct directory. It gets its value in `uboot-config.bbclass`: ``` if len(ubootconfig) == 1: d.setVar('KCONFIG_CONFIG_ROOTDIR', os.path.join(d.getVar("B"), d.getVar("UBOOT_MACHINE").strip())) ``` So the main issue is that B gets expanded in this expression, and then later B gets changed by `externalsrc.bbclass`. `d.getVar("B", False)` does not solve the issue, however the proposed change does. ``` - https://lists.yoctoproject.org/g/yocto/topic/109254298#msg64152] Fixes [YOCTO #15603] Suggested-by: Marcus Flyckt <marcus.flyckt@gmail.com> (From OE-Core rev: 6a19e284baaadfdf080ebc5decf065e468655732) Signed-off-by: Tom Hochstein <tom.hochstein@oss.nxp.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 57b21065a25100c31515b32fd7c77bde3355d684) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: upgrade 3.2.6 -> 3.5.5Peter Marko2026-03-169-203/+119
| | | | | | | | | | | | | | | | | Openssl 3.2 has reached EOL. Some projects would like to use LTS version due to criticality and exposure of this component, so upgrade to 3.5 branch. Copy recipe from oe-core master fd3b1efb6f7ffb5505ff7eb95cae222e1db9f776 which is the last revision before disabling TLS 1/1.1 by default. Single change is replacing UNPACKDIR by WORKIDR (one occurence). (From OE-Core rev: c4fc6ee6986fbd05d72bf1e6bb1d2c4eee84e5db) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* harfbuzz: Fix CVE-2026-22693Hugo SIMELIERE2026-03-162-1/+36
| | | | | | | | | | | | | | Pick patch mentioned in NVD report [1] [1] https://nvd.nist.gov/vuln/detail/CVE-2026-22693 (From OE-Core rev: 541482f93d8447f7a027bacb99a6782ac5ed2a6e) Signed-off-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* zlib: Fix CVE-2026-27171Hugo SIMELIERE2026-03-162-0/+64
| | | | | | | | | | | | | | | Pick patch from [1] also mentioned in [2] [1] https://github.com/madler/zlib/issues/904 [2] https://security-tracker.debian.org/tracker/CVE-2026-27171 (From OE-Core rev: cf95e20db688fb155ba0dc7968c816937190234f) Signed-off-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: set status for CVE-2025-12343Peter Marko2026-03-161-1/+1
| | | | | | | | | | | | | | | | Per [1] is patch for this CVE [2]. This is equivalent of [3] which is included in n6.1.3. [1] https://security-tracker.debian.org/tracker/CVE-2025-12343 [2] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/b8d5f65b9e89d893f27cf00799dbc15fc0ca2f8e [3] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/6250ed77a6fb5bb089e533e30985d197e8323dcf (From OE-Core rev: b839647eb0627598a9e1667d18802b6b03637abf) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: set status for CVE-2025-10256Peter Marko2026-03-161-1/+1
| | | | | | | | | | | | | | | | Per [1] is patch for this CVE [2]. This is equivalent of [3] which is included in n6.1.3. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-10256 [2] https://github.com/FFmpeg/FFmpeg/commit/a25462482c02c004d685a8fcf2fa63955aaa0931 [3] https://github.com/FFmpeg/FFmpeg/commit/00b5af29a4203a31574c11b3df892d78d5d862ec (From OE-Core rev: 8a24195c27d440fa851da555f1147230564674b0) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gdk-pixbuf: Fix CVE-2025-6199Shaik Moin2026-03-162-0/+37
| | | | | | | | | | | | | | | | Backport the fix for CVE-2025-6199 Add below patch to fix CVE-2025-6199.patch Reference: In Ubuntu and debian, fixed patch is given -> [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32] (From OE-Core rev: de8c5d9964086e960e6df1f58a6d675fdb761286) Signed-off-by: Shaik Moin <moins@kpit.com> [YC: Link to Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2025-6199 ] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* build-appliance-image: Update to scarthgap head revisionRichard Purdie2026-02-271-1/+1
| | | | | | (From OE-Core rev: a9a785d7fa0cfe2a9087dbcde0ef9f0d2a441375) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* u-boot: move CVE patches out of the common .inc fileYoann Congal2026-02-272-11/+11
| | | | | | | | | | | | | | | | | An external layer might use the u-boot*.inc files but have a different base version for which the CVE patches don't apply. Move the CVE patches in the leaf recipe. See related patch in kirkstone: [kirkstone][PATCH] u-boot: move CVE patch out of u-boot-common.inc https://lists.openembedded.org/g/openembedded-core/topic/117385432 (From OE-Core rev: f4ced8ff03147dd532a88cf3ce08d61fab057522) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* alsa-lib: patch CVE-2026-25068Peter Marko2026-02-272-0/+35
| | | | | | | | | | | | | | | Pick patch mentioned in NVD report. It also includes CVE ID in commit message. Use older SNDERR funtion as new one is not yet available. This was copied from Debian patch. (From OE-Core rev: 517bda641fcccbeae1988092196dc44ab7cc1491) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gnupg: patch CVE-2025-68973Peter Marko2026-02-272-0/+109
| | | | | | | | | | | | | Pick patch from 2.4 branch per [1]. [1] https://security-tracker.debian.org/tracker/CVE-2025-68973 (From OE-Core rev: 66df136096c6a7e29edea0fbc0132b234032965f) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>