| Commit message (Collapse) | Author | Age | Files | Lines |
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch from [1] also mentioned in [2]
[1] https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812812d580c7879f4a0
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28419
(From OE-Core rev: 5e05e5e86d4ac5cc8a8d39ceb4f784feb9b0d327)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch from [1] also mentioned in [2]
[1] https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28418
(From OE-Core rev: bbbe166c9d9df9b8cf0df6f84bf1eb3c7732b7da)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop upstreamed patches.
Release information:
* https://www.python.org/downloads/release/python-31213/
* The release you're looking at is Python 3.12.13, a security bugfix
release for the legacy 3.12 series.
Handles CVE-2024-6923 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837
CVE-2025-15282 CVE-2025-59375 CVE-2026-0865 CVE-2026-24515 CVE-2026-25210
(From OE-Core rev: 8b0c626633a1e443cfb6e5f73c6120bff5f6a5ef)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
[YC: Full changelog: https://docs.python.org/release/3.12.13/whatsnew/changelog.html#python-3-12-13]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current version of this script in Scarthgap is outdated, since it
still uses data from linux_kernel_cves. This repository was archived in
2024.
To avoid any risks of conflicts, and/or a patch series longer than it
needs to be, I copied the generate-cve-exclusions.py script from
oe-core's master branch (rev. "e954a94b5b528b2430e8da331107d7d58287f89b") as-is.
(From OE-Core rev: 66a13f93403533b95ed27eed24931aa310f8ce79)
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Pick patch from [1] also mentioned in [2]
[1] https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27135
(From OE-Core rev: 892fdc819660ab67d9930e0ccb71e4138fcf1750)
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running glibc tests under user mode NFS, tst-syslog was causing a hang. The
hang was traced to unfsd exitting with a buffer overflow being detected.
This was traced down to mksocket() where we'd see:
socket path '/media/build/poky/build/build-st-2118464/tmp/work/x86-64-v3-poky-linux/glibc-testsuite/2.42+git/build-x86_64-poky-linux/testroot.root/dev/log' is too long at 141 vs 108
There is a length check in mknod_args() but obj may not be setup at this point by
cat_name() since the functions can be executed out of order according to C.
To avoid this, make the order explict. This means the length is checked and we
avoid the buffer overflow. This will likely cause the glibc test to fail however
it won't hang, which is a win.
[YOCTO #16113]
(From OE-Core rev: 34f34512e5eeefc24b36b102a36fc90f14e2f7d2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
(cherry picked from commit e51d5e19cb1ba1d5ad7442064b64821d178bc9ca)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch as per [1]
[1] https://sqlite.org/src/info/3d459f1fb1bd1b5e
[2] https://sqlite.org/forum/forumpost/761eac3c82
[3] https://gist.github.com/cnwangjihe/f496393f30f5ecec5b18c8f5ab072054
(From OE-Core rev: e948f33fa6bf69619b406ccd8dc4e5470e223335)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Pick patch from [1] also mentioned in NVD report with [2]
[1] https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-33412
(From OE-Core rev: dcedbba9b4d8a4cb02e2a7a291b934ea3bf7bdce)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Pick patch from [1] also mentioned in [2]
[1] https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-26269
(From OE-Core rev: 1d870ab25eea1c0204fb7abe109251aa55326b76)
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Pick patch from [1] also mentioned in [2]
[1] https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-25749
(From OE-Core rev: ce685e18a6dd7137094a10a9051aefc123a0f2e4)
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both CVEs are disputed by third parties. The observed behavior
(double free / invalid pointer free in readelf) only occurred in
pre-release code and did not affect any tagged version [1][2].
CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
[1] https://www.cve.org/CVERecord?id=CVE-2025-69650
[2] https://www.cve.org/CVERecord?id=CVE-2025-69651
(From OE-Core rev: 55a0d8abad8a81f7d900557c2eb2d9327ee115df)
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
(cherry picked from commit 9c6df56fe18237880c391798c2083dca595566f4)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick up patch from NVD report.
More details :
[1]: https://nvd.nist.gov/vuln/detail/CVE-2026-26157
[2]: https://nvd.nist.gov/vuln/detail/CVE-2026-26158
Note:
We use patch from busybox mirror that looks trustworthy https://gogs.librecmc.org/OWEALS/busybox.
(From OE-Core rev: 086785b621a782aa87546921c58e1049528be3b3)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These tests are either unstable under load, or just unstable.
A ticket has been filed upstream[1] but for now disable them.
[ YOCTO #15467 ]
[1] https://core.tcl-lang.org/tcl/tktview/3764f4e81f1483ab554c6d60f8483887bde28221
(From OE-Core rev: 96574e448abd040743655fb29cd1eeb6735e9df2)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8f1538518fd3a3017189b38437691ce358a2566a)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick relevant part of snapshot commit 20251213, see [1].
That has:
add a limit-check in infocmp -i option (report/example by Yixuan Cao).
[1] https://invisible-island.net/ncurses/NEWS.html#index-t20251213
References:
1. https://github.com/Cao-Wuhui/CVE-2025-69720
2. https://nvd.nist.gov/vuln/detail/CVE-2025-69720
3. https://access.redhat.com/errata/RHSA-2026:5913
(From OE-Core rev: a4364099e0593757bc848dc766843d7651550224)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
pick patch from ubuntu per [1]
[1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
[2] https://ubuntu.com/security/CVE-2026-3784
[3] https://curl.se/docs/CVE-2026-3784.html
(From OE-Core rev: 1142953d395cd8de187fbd0dc8c143b953c42612)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
pick patches from ubuntu per [1]
[1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
[2] https://ubuntu.com/security/CVE-2026-3783
[3] https://curl.se/docs/CVE-2026-3783.html
(From OE-Core rev: f09125ca033126260c3d66daaa04fffb0d1480f3)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
pick patches from ubuntu per [1]
[1] http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu10.8.debian.tar.xz
[2] https://ubuntu.com/security/CVE-2026-1965
[3] https://curl.se/docs/CVE-2026-1965.html
(From OE-Core rev: 0fc5d35a56900701b5ec8b53646448dd5fac537a)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-4111
[2] https://github.com/libarchive/libarchive/pull/2877
[3] https://access.redhat.com/errata/RHSA-2026:5063
(From OE-Core rev: c938ecea4304a57edb824f121e0ca8f79b45bb7e)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: d6562c14947cfa84c42c2936e7eed3755fab4c05)
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 217ede26d64901d9a38fc119efa684487714c08a)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Considering that *detail* is an actual variable, not a string, remove the
quotes to make the 'in' statement coherent.
(From OE-Core rev: 8071a93c6b619dc9fcc2a7f1bcf94994499defbe)
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
| |
(From OE-Core rev: 52380df998b3a8fe6a091f8547434a3231320a8e)
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Picked commits which mentions this CVE per [1].
[1] https://ubuntu.com/security/CVE-2025-14831
[2] https://security-tracker.debian.org/tracker/CVE-2025-14831
[3] https://gitlab.com/gnutls/gnutls/-/issues/1773
(From OE-Core rev: d0e844108702e553950cab60d51f1cc4cfeed993)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch mentioned in NVD
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459
[2] https://ubuntu.com/security/CVE-2026-27459
(From OE-Core rev: 94c6f16933b9ff4c4a2ea46be1e3fc5f2979a49d)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch mentioned in NVD
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448
[2] https://ubuntu.com/security/CVE-2026-27448
(From OE-Core rev: 6349510d2ae9d8f4ad1c52d7356d2359b7bf4826)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.
It uses debugsource information generated during do_package.
This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.
As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.
(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for SPDX3.0
Tested with:
- bitbake world on oe-core
- oe-selftest --run-tests spdx.SPDX30Check
Regarding SPDX2.2, the respective backport was already performed in
OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b
(From OE-Core rev: 1c7dfab26d69a87bb026e05b3bbf6a266858c0d1)
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2026-26007 is fixed upstream in version 46.0.5.
Our current version (42.0.5, scarthgap) is still reported as vulnerable
by NVD.
Backport the upstream fix to address this CVE.
Upstream commit:
https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
CVE report:
https://nvd.nist.gov/vuln/detail/CVE-2026-26007
(From OE-Core rev: a363958725430237160b0a83a6a6acbe8380fba3)
Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This release mostly changes code and commentary. The only changed data
are leap second table expiration and pre-1976 time in Baja California.
Full release notes:
https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TAGXKYLMAQRZRFTERQ33CEKOW7KRJVAK/
(From OE-Core rev: 7255b0ff315367abb5f0c6f00974bf30f7861d1b)
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 452334219309793ad74abd6ff390dcb06cab929b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pip vendors distlib which ships Windows launcher template binaries
(*.exe) under pip/_vendor/distlib. These files are only used on
Windows systems but are installed and packaged for target, native,
and nativesdk builds.
Remove the distlib *.exe templates when not building for a mingw
(mingw32/mingw64) host to avoid shipping unused Windows binaries and
reduce package noise.
(From OE-Core rev: 9f2a6cfda6a2305f52411ca8121f27c8a5a91fa2)
Signed-off-by: Krupal Ka Patel <krkapate@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 90d208fbb06b6e6b5aaddb0048fd6e2e1d46c8bd)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
setuptools installs Windows launcher executables (cli*.exe, gui*.exe)
into site-packages. These binaries are only used on Windows platforms
but are packaged for target, native, and nativesdk builds.
Remove the Windows launcher executables when not building for a mingw
(mingw32/mingw64) host to avoid shipping unused Windows binaries.
(From OE-Core rev: a618c504ba69d20eec08944c577b15a48b1ac578)
Signed-off-by: Krupal Ka Patel <krkapate@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cf7c79f3962f2be99cfda47e8cc730091e6a18cb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-32746
[2] https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
[3] https://codeberg.org/inetutils/inetutils/pulls/17/files
(From OE-Core rev: 53a3cdf7b55b76ec64a314f5fafced4a803ac12f)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes [YOCTO #16130]
When extracting the instance name from a template instances such as
'example@host.domain.com.service', the systemctl replacement script will
split the instance on the first period, producing an instance argument of
'host' and a template of 'example@.domain.com.service'. This is incorrect,
as systemd will split on the last period, producing an instance argument of
'host.domain.com' and a template of 'example@.service'.
When constructing the template name, the script will also pass the string
as is to re.sub(), which will try to process any backslash escapes in the
string. These are legal in systemd unit names and should be preserved.
They also are not valid Python escape sequences. Use re.escape() to
preserve anything in the unit name that might be considered a regex
exscape.
(From OE-Core rev: 0514c317523330f75937123c45bb0528e4830f61)
Signed-off-by: Trent Piepho <trent.piepho@igorinstitute.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-1703
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-1703
[3] https://github.com/pypa/pip/pull/13777
(From OE-Core rev: 29c72a4729a42f75af47b6a7e04c9d52155e3c1f)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 6a1ae4e792 (go 1.22.12: Fix CVE-2025-61726, 2026-02-11)
introduced a patch backporting a fix for CVE-2025-61726, but
this patch also introduced a bug.
From Go's source code[1], they say that the 'All' table from 'godebugs'
should be populated alphabetically by Name. And 'Lookup'[2] function uses
binary search to try and find the variable.
Here's the trace:
Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker Application Container Engine.
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 11:34:53 http: panic serving @: godebug: Value of name not listed in godeb
ugs.All: urlmaxqueryparams
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 [running]:
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*conn).serve.func1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/server.go:1903 +0xb0
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:383 +0x2c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0, 0x0, 0x40
006441c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:421 +0x898
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value.func1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:141 +0xd8
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).doSlow(0x22?, 0x55748a9b60?)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:74 +0x100
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).Do(...)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:65
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value(0x5575b21be0)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:138 +0x50
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.urlParamsWithinMax(0x1)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:968 +0x3c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.parseQuery(0x400069a630, {0x0, 0x0})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:985 +0xdc
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.ParseQuery(...)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:958
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*Request).ParseForm(0x4000bdab40)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/request.go:1317 +0x33c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils.ParseForm(0x0?)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20
The 'Lookup' function was failing due to the wrong ordering and returning 'nil',
which was not being checked properly and caused this issue.
The fix was to just reorder the line where 'urlmaxqueryparams' is being
added to respect the alphabetical ordering. And for that the whole CVE
patch was generated again.
This change was validated with docker-moby (original issue), where a container
run successfully and no traces in the logs.
[1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20
[2] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100
(From OE-Core rev: b670b11ff4845b64f861041681ace9c21db16eed)
Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23865
https://security-tracker.debian.org/tracker/CVE-2026-23865
Picked patch mentioned in NVD
(From OE-Core rev: b371b1b670123c9f231ed8b450ad868b6c4f9549)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These CVEs are for tools which were removed in v4.6.0[1]
[1]https://gitlab.com/libtiff/libtiff/-/commit/eab89a627f0a65e9a1a47c4b30b4802c80b1ac45
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-61143
https://nvd.nist.gov/vuln/detail/CVE-2025-61144
https://nvd.nist.gov/vuln/detail/CVE-2025-61145
(From OE-Core rev: e5ec16fbe4ce402b92107d2491c4e08fa2432f1a)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
[YC: NVD patches for these CVEs only modify the tools which are not in
the tarball we use]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In gentoo the file looks like this:
NAME='Gentoo'
ID='gentoo'
PRETTY_NAME='Gentoo Linux'
VERSION='2.18'
VERSION_ID='2.18'
HOME_URL='https://www.gentoo.org/'
SUPPORT_URL='https://www.gentoo.org/support/'
BUG_REPORT_URL='https://bugs.gentoo.org/'
ANSI_COLOR='1;32'
' were added with:
https://github.com/gentoo/gentoo/commit/2f590e35c9d3d13d5673163527120b2de97fdc80
before that the os-release file looked like this:
NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo Linux"
ANSI_COLOR="1;32"
HOME_URL="https://www.gentoo.org/"
SUPPORT_URL="https://www.gentoo.org/support/"
BUG_REPORT_URL="https://bugs.gentoo.org/"
VERSION_ID="2.18"
The ' is stripped from the ID later in distro_identifier with:
# Filter out any non-alphanumerics and convert to lowercase
distro_id = re.sub(r'\W', '', distro_id).lower()
but not from version which results in a weird NATIVELSBSTRING like:
NATIVELSBSTRING = "gentoo-'2.18'"
And similarly the directory name in sstate-cache:
oe-core $ ls -d sstate-cache/gentoo-*
"sstate-cache/gentoo-'2.18'" sstate-cache/gentoo-2.18
(From OE-Core rev: 9906255a99f13bf6feefca11e8305364efce6450)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 55f82653deb1ea8f1304fcba4d588bd55695b616)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: a26cdcc31b97b5eed545b9859bee8b5c098d394b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f86c38b13121788fe6a654df04800d24b2b28b61)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
[YC: logs: https://git.kernel.org/pub/scm/linux/kernel/git/wens/wireless-regdb.git/log/?h=master-2026-02-04]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch according to [1] (equivalent to patch from [2]).
This CVE is needed if util-linux >= 2.40 is used which is not the case
in Yocto scarthgap, however it's always possible that users update
packages in their layers.
[1] https://security-tracker.debian.org/tracker/CVE-2026-28372
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28372
(From OE-Core rev: 2ab4f313ebd2c8f2d801dc3f53df3a0741cf848e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
[YC: replaced kirkstone by scarthap]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This addresses CVE-2025-60876[1], which allows malicious URLs to inject
HTTP headers. It has been accepted by Debian[2] and is tracked here [4].
The upstream fix has been submitted [3] and is pending merge.
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-60876
[2] https://bugs.debian.org/1120795
[3] https://lists.busybox.net/pipermail/busybox/2025-November/091840.html
[4] https://security-tracker.debian.org/tracker/CVE-2025-60876
Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html]
(From OE-Core rev: 077f258eb2125359ffe3982c58433ee14cb21f09)
Signed-off-by: Livin Sunny <livinsunny519@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f12af98df8f627c6d1836d27be48bac542a4f00e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix a problem with `devtool modify` as suggested by Marcus Flyckt on
the mailing list:
```
I encountered an issue with `do_config` when using `devtool modify`
on `u-boot-imx`.
```
[...]
| cp: cannot stat '[...]/u-boot-imx/2024.04/build/imx8mp_wl400s_defconfig/.config': No such file or directory
| WARNING: exit code 1 from a shell command.
ERROR: Task ([...]/sources/poky/../meta-freescale/recipes-bsp/u-boot/u-boot-imx_2024.04.bb:do_configure) failed with exit code '1'
NOTE: Tasks Summary: Attempted 963 tasks of which 962 didn't need to be rerun and 1 failed.
Summary: 1 task failed:
[...]/sources/poky/../meta-freescale/recipes-bsp/u-boot/u-boot-imx_2024.04.bb:do_configure
Summary: There was 1 ERROR message, returning a non-zero exit code
```
The issue seems to originate from the following lines in
`workspace/appends/u-boot-imx_2024.04.bbappend`:
```
do_configure:append() {
if [ ${@oe.types.boolean(d.getVar("KCONFIG_CONFIG_ENABLE_MENUCONFIG"))} = True ]; then
cp ${KCONFIG_CONFIG_ROOTDIR}/.config ${S}/.config.baseline
ln -sfT ${KCONFIG_CONFIG_ROOTDIR}/.config ${S}/.config.new
fi
}
```
For some reason `KCONFIG_CONFIG_ROOTDIR` does not point to the
correct directory. It gets its value in `uboot-config.bbclass`:
```
if len(ubootconfig) == 1:
d.setVar('KCONFIG_CONFIG_ROOTDIR', os.path.join(d.getVar("B"), d.getVar("UBOOT_MACHINE").strip()))
```
So the main issue is that B gets expanded in this expression, and
then later B gets changed by `externalsrc.bbclass`.
`d.getVar("B", False)` does not solve the issue, however the
proposed change does.
```
- https://lists.yoctoproject.org/g/yocto/topic/109254298#msg64152]
Fixes [YOCTO #15603]
Suggested-by: Marcus Flyckt <marcus.flyckt@gmail.com>
(From OE-Core rev: 6a19e284baaadfdf080ebc5decf065e468655732)
Signed-off-by: Tom Hochstein <tom.hochstein@oss.nxp.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 57b21065a25100c31515b32fd7c77bde3355d684)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Openssl 3.2 has reached EOL.
Some projects would like to use LTS version due to criticality and
exposure of this component, so upgrade to 3.5 branch.
Copy recipe from oe-core master fd3b1efb6f7ffb5505ff7eb95cae222e1db9f776
which is the last revision before disabling TLS 1/1.1 by default.
Single change is replacing UNPACKDIR by WORKIDR (one occurence).
(From OE-Core rev: c4fc6ee6986fbd05d72bf1e6bb1d2c4eee84e5db)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch mentioned in NVD report [1]
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-22693
(From OE-Core rev: 541482f93d8447f7a027bacb99a6782ac5ed2a6e)
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch from [1] also mentioned in [2]
[1] https://github.com/madler/zlib/issues/904
[2] https://security-tracker.debian.org/tracker/CVE-2026-27171
(From OE-Core rev: cf95e20db688fb155ba0dc7968c816937190234f)
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per [1] is patch for this CVE [2].
This is equivalent of [3] which is included in n6.1.3.
[1] https://security-tracker.debian.org/tracker/CVE-2025-12343
[2] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/b8d5f65b9e89d893f27cf00799dbc15fc0ca2f8e
[3] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/6250ed77a6fb5bb089e533e30985d197e8323dcf
(From OE-Core rev: b839647eb0627598a9e1667d18802b6b03637abf)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per [1] is patch for this CVE [2].
This is equivalent of [3] which is included in n6.1.3.
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-10256
[2] https://github.com/FFmpeg/FFmpeg/commit/a25462482c02c004d685a8fcf2fa63955aaa0931
[3] https://github.com/FFmpeg/FFmpeg/commit/00b5af29a4203a31574c11b3df892d78d5d862ec
(From OE-Core rev: 8a24195c27d440fa851da555f1147230564674b0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport the fix for CVE-2025-6199
Add below patch to fix
CVE-2025-6199.patch
Reference: In Ubuntu and debian, fixed patch is given -> [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32]
(From OE-Core rev: de8c5d9964086e960e6df1f58a6d675fdb761286)
Signed-off-by: Shaik Moin <moins@kpit.com>
[YC: Link to Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2025-6199 ]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
| |
(From OE-Core rev: a9a785d7fa0cfe2a9087dbcde0ef9f0d2a441375)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An external layer might use the u-boot*.inc files but have a different
base version for which the CVE patches don't apply.
Move the CVE patches in the leaf recipe.
See related patch in kirkstone:
[kirkstone][PATCH] u-boot: move CVE patch out of u-boot-common.inc
https://lists.openembedded.org/g/openembedded-core/topic/117385432
(From OE-Core rev: f4ced8ff03147dd532a88cf3ce08d61fab057522)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch mentioned in NVD report.
It also includes CVE ID in commit message.
Use older SNDERR funtion as new one is not yet available.
This was copied from Debian patch.
(From OE-Core rev: 517bda641fcccbeae1988092196dc44ab7cc1491)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Pick patch from 2.4 branch per [1].
[1] https://security-tracker.debian.org/tracker/CVE-2025-68973
(From OE-Core rev: 66df136096c6a7e29edea0fbc0132b234032965f)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|