Commit message | Author | Age | Files | Lines
* protobuf: fix CVE-2025-4565 | Chen Qi | 2025-07-02 | 2 files | -0/+377

  Backport patch with adjustments for 3.19.6 version to fix CVE-2025-4565.

  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-protobuf: fix RDEPENDS | Chen Qi | 2025-07-02 | 1 file | -0/+1

  python3-ctypes is needed as a runtime dependency.

  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* protobuf: fix ptest with python PACKAGECONFIG enabled | Chen Qi | 2025-07-02 | 2 files | -2/+3

  1. RDEPENDS on python3-protobuf instead of python-protobuf. The latter is not available anywhere.
  2. Use the python3 interpreter.
  3. Fix run-ptest to avoid test failure. An extra '\n' is needed to break out of the loop.

  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* xfce4 update HOMEPAGEs | Jason Schonberg | 2025-07-02 | 29 files | -29/+29

  https://goodies.xfce.org/ states "Starting this month (November 2019), a project is starting to migrate the goodies.xfce.org documentation to https://docs.xfce.org/start. The goal is to remove deprecated projects and, eventually, de-commission the goodies.xfce.org URLs. Additional information will be posted on https://wiki.xfce.org/projects/goodies-decomm/start as the project proceeds."

  This patch updates the URLs being used in the HOMEPAGEs to reflect where the address is actually resolving.

  Signed-off-by: Jason Schonberg <schonm@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* canutils: use https instead of git protocol | Bastian Krause | 2025-07-02 | 1 file | -1/+1

  The git server at git.pengutronix.de no longer supports the git protocol, so switch to https.

  Signed-off-by: Bastian Krause <bst@pengutronix.de>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libsocketcan: use https instead of git protocol | Bastian Krause | 2025-07-02 | 1 file | -1/+1

  The git server at git.pengutronix.de no longer supports the git protocol, so switch to https.

  Signed-off-by: Bastian Krause <bst@pengutronix.de>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-aiohttp: fix CVE-2024-42367 | Jiaying Song | 2025-07-02 | 2 files | -0/+66

  aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-42367
  https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj

  Upstream patch:
  https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f

  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
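The CVE-2024-42367 message above describes two lookups: the requested path, which is resolved and checked against the static root, and the `.gz`/`.br` compressed variants, which were not. The following is an added example, not aiohttp's own code and not the backported patch: it models both lookup shapes against a constructed directory tree in which the `.gz` variant is a symlink pointing outside the root. The function names (`pick_file_unsafe`, `pick_file_safe`, `is_inside`), the `app.js` layout and the sample secret are all assumptions made for this example.

```python
"""Added example, not aiohttp's own code.

Models the two lookups a static file route performs: (1) the requested
path, which is resolved and checked against the root, and (2) the
.gz/.br compressed variants, which in the vulnerable shape are taken
from stat()/open() without that check. Function names and the
directory layout are constructed for this example.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional


def is_inside(root: Path, candidate: Path) -> bool:
    """True iff candidate, fully resolved (symlinks followed), lies under root."""
    try:
        candidate.resolve(strict=True).relative_to(root.resolve(strict=True))
        return True
    except (ValueError, OSError):
        return False


def pick_file_unsafe(root: Path, rel: str) -> Optional[Path]:
    """Vulnerable shape: only the requested path is containment-checked;
    a compressed variant is served as soon as it exists."""
    requested = root / rel
    if not is_inside(root, requested):
        return None
    for suffix in (".br", ".gz"):
        variant = Path(str(requested) + suffix)
        if variant.exists():          # exists() follows symlinks, no root check
            return variant
    return requested


def pick_file_safe(root: Path, rel: str) -> Optional[Path]:
    """Fixed shape: every candidate that might be served, compressed or not,
    must resolve to a location under root; variants that escape are ignored."""
    requested = root / rel
    if not is_inside(root, requested):
        return None
    for suffix in (".br", ".gz"):
        variant = Path(str(requested) + suffix)
        if variant.exists() and is_inside(root, variant):
            return variant
    return requested


def build_demo_tree():
    """Constructed layout (sample data, not real):
       <tmp>/www/app.js                          regular file; static root is <tmp>/www
       <tmp>/www/app.js.gz -> <tmp>/secret/.env  symlink escaping the root
    """
    base = Path(tempfile.mkdtemp(prefix="aiohttp-demo-"))
    root = base / "www"
    root.mkdir()
    (root / "app.js").write_text("console.log('hello');\n")
    secret = base / "secret"
    secret.mkdir()
    target = secret / ".env"
    target.write_text("DB_PASSWORD=constructed-sample\n")
    os.symlink(target, root / "app.js.gz")
    return root, target


def demo() -> dict:
    """Run both lookups against the constructed tree and report what each would serve."""
    root, target = build_demo_tree()
    unsafe = pick_file_unsafe(root, "app.js")
    safe = pick_file_safe(root, "app.js")
    return {
        # the vulnerable lookup hands back the symlink, whose target is outside the root
        "unsafe_serves_secret": unsafe is not None and unsafe.resolve() == target.resolve(),
        # the fixed lookup skips the escaping variant and falls back to the plain file
        "safe_serves": safe.name if safe else None,
        "safe_inside_root": safe is not None and is_inside(root, safe),
        # a plain ../ traversal is refused by both, as it was before the fix
        "traversal_refused": pick_file_unsafe(root, "../secret/.env") is None
                             and pick_file_safe(root, "../secret/.env") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the safe variant is that the containment check is applied to whatever path is actually about to be opened, not only to the path the client named; a check on the request string alone is bypassed by anything the filesystem resolves differently, symlinks included.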
* postgresql: upgrade 14.17 -> 14.18 | Yogita Urade | 2025-07-02 | 2 files | -3/+3

  Upgrade includes fix for CVE-2025-4207

  Release notes:
  https://www.postgresql.org/docs/release/14.18/

  0001-configure.ac-bypass-autoconf-2.69-version-check.patch refreshed for 14.18

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: Fix CVE-2025-21605 | Vijay Anusuri | 2025-07-02 | 2 files | -0/+63

  Upstream-Status: Backport from https://github.com/redis/redis/commit/42fb340ce426364d64f5dccc9c2549e58f48ac6f

  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* syslog-ng: fix CVE-2024-47619 | Yogita Urade | 2025-07-02 | 2 files | -0/+287

  syslog-ng is an enhanced log daemon. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-47619

  Upstream patch:
  https://github.com/syslog-ng/syslog-ng/commit/12a0624e4c275f14cee9a6b4f36e714d2ced8544

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
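The CVE-2024-47619 message above contrasts glob-style matching, which accepts `foo.*.bar` and the partial wildcard `foo.a*c.bar`, with what a certificate hostname check should accept. The block below is an added example, not syslog-ng's `tls_wildcard_match()` and not the upstream fix: it puts a loose glob matcher (standing in for glib's pattern matching, implemented here with Python's `fnmatch`) beside a strict matcher in which `*` may appear once, only as the whole leftmost label, and matches exactly one label. The rule that at least two fixed labels must follow the wildcard (so `*.com` is rejected) is this example's policy choice, and the test vectors are constructed.

```python
"""Added example, not syslog-ng's code.

Contrasts a loose glob-style hostname match (standing in for glib's
pattern matching, via fnmatch) with a strict matcher in which '*' may
only stand for the whole leftmost label. The 'at least two fixed
labels after the wildcard' rule is this example's policy choice.
"""
import fnmatch


def loose_match(pattern: str, hostname: str) -> bool:
    """Glob semantics: '*' matches any run of characters, dots included.
    Accepts foo.*.bar and partial wildcards such as foo.a*c.bar."""
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def strict_wildcard_match(pattern: str, hostname: str) -> bool:
    """'*' is allowed exactly once, only as the entire leftmost label; it
    matches exactly one non-empty label, and at least two fixed labels must
    follow it. Everything else is a literal, case-insensitive label compare."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False                                # empty label, e.g. "foo..bar"
    if "*" not in pattern:
        return p_labels == h_labels                 # no wildcard: exact match only
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False                                # foo.*.bar, foo.a*c.bar, *.com
    if len(h_labels) != len(p_labels):
        return False                                # a.b.example.com vs *.example.com
    return h_labels[1:] == p_labels[1:]             # '*' consumed exactly one label


# Constructed test vectors: (pattern from the certificate, hostname being verified)
CASES = [
    ("*.example.com", "www.example.com"),       # legitimate wildcard
    ("*.example.com", "a.b.example.com"),       # '*' must not span labels
    ("foo.*.bar", "foo.x.bar"),                 # wildcard not leftmost
    ("foo.a*c.bar", "foo.abc.bar"),             # partial-label wildcard
    ("*.com", "example.com"),                   # too few fixed labels
    ("example.com", "EXAMPLE.COM"),             # literal, case-insensitive
    ("*.example.com", "example.com"),           # wildcard must match one label
]


def compare() -> dict:
    """Map each (pattern, hostname) case to its (strict, loose) verdicts."""
    return {(p, h): (strict_wildcard_match(p, h), loose_match(p, h)) for p, h in CASES}


if __name__ == "__main__":
    for (p, h), (strict, loose) in compare().items():
        print(f"{p:16} {h:18} strict={strict!s:5} loose={loose}")
```

Every case the loose matcher accepts but the strict one rejects is a certificate that a CA should never have issued for that name and that a peer must not treat as proving the name: a wildcard that spans labels or sits inside a label lets one certificate cover hosts it was never meant to, which is the man-in-the-middle exposure the message refers to.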
* proftpd: Fix CVE-2024-57392 | Vijay Anusuri | 2025-07-02 | 2 files | -0/+43

  Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/981a37916fdb7b73435c6d5cdb01428b2269427d

  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tcpdump: patch CVE-2024-2397 | Ashish Sharma | 2025-07-02 | 2 files | -0/+127

  Upstream-Status: Backport from https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2

  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* imagemagick: Fix CVE vulnerabilities | Sana Kazi | 2025-07-02 | 7 files | -1/+448

  Fix following CVEs for imagemagick:
  CVE-2021-20311, CVE-2021-20312, CVE-2021-20313
  CVE-2021-20309, CVE-2021-20310, CVE-2021-3610
  CVE-2022-0284, CVE-2022-2719

  fix-cipher-leak.patch fixes CVE-2021-20311, CVE-2021-20312, CVE-2021-20313

  Ignore following CVEs as current version is not affected by them:
  CVE-2014-9826, CVE-2016-7538, CVE-2017-5506

  Signed-off-by: Sana Kazi <sanakazi720@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lmsensors: Fix build without sensord | Leonard Anderweit | 2025-07-02 | 1 file | -2/+3

  When building with sensord disabled (PACKAGECONFIG = ""), do_install would fail because it tried to build sensord, which was skipped in do_compile.

  Error log:
  make: *** No rule to make target 'rrd.h', needed by 'prog/sensord/rrd.rd'. Stop.

  Avoid building sensord in do_install by explicitly setting PROG_EXTRA.

  (master rev: fc88c96c4e40d9dbc6097c4679ac79ed55356730)

  Fixes: 86b20b84ec27 (lmsensors: Clean stale files for sensord to avoid incorrect GCC header dependencies)

  Signed-off-by: Leonard Anderweit <l.anderweit@phytec.de>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* poppler: fix CVE-2025-43903 | Yogita Urade | 2025-05-25 | 2 files | -0/+55

  NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2025-43903

  Upstream patch:
  https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-twisted: Fix CVE-2024-41671 | Soumya Sambu | 2025-05-25 | 3 files | -0/+232

  Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2024-41671
  https://ubuntu.com/security/CVE-2024-41671

  Upstream patches:
  https://github.com/twisted/twisted/commit/f1cb4e616e9f23b4dd044a6db44365060950c64f
  https://github.com/twisted/twisted/commit/ef2c755e9e9d57d58132af790bd2fd2b957b3fb1

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* frr: fix CVE-2024-55553 | Zhang Peng | 2025-05-25 | 2 files | -0/+305

  CVE-2024-55553: In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by causing more than this number of updates during an update interval (usually 30 minutes). Additionally, this effect regularly occurs organically. Furthermore, an attacker can use this to trigger route validation continuously. Given that routers with large full tables may need more than 30 minutes to fully re-validate the table, continuous issuance/withdrawal of large numbers of ROA may be used to impact the route handling performance of all FRR instances using RPKI globally. Additionally, the re-validation will cause heightened BMP traffic to ingestors. Fixed Versions: 10.0.3, 10.1.2, 10.2.1, >= 10.3.

  Reference:
  [https://nvd.nist.gov/vuln/detail/CVE-2024-55553]
  [https://frrouting.org/security/cve-2024-55553/]

  Upstream patch: backport
  [https://github.com/FRRouting/frr/commit/b0800bfdf04b4fcf48504737ebfe4ba7f05268d3]

  Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* poppler: fix CVE-2025-32365 | Yogita Urade | 2025-05-25 | 2 files | -0/+42

  Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2025-32365

  Upstream patch:
  https://gitlab.freedesktop.org/poppler/poppler/-/commit/1f151565bbca5be7449ba8eea6833051cc1baa41

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* poppler: fix CVE-2025-32364 | Yogita Urade | 2025-05-25 | 2 files | -0/+29

  A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2025-32364

  Upstream patch:
  https://gitlab.freedesktop.org/poppler/poppler/-/commit/d87bc726c7cc98f8c26b60ece5f20236e9de1bc3

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* net-snmp: fix memory leak | Jinfeng Wang | 2025-04-20 | 2 files | -0/+33

  Backport patch [1] to fix memory leak by freeing tclist

  [1] https://github.com/net-snmp/net-snmp/commit/4bd0d9a8a2860c2c46307aef5ee1ccc69f7e3b62

  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
* netplan: Fix CVE-2022-4968 | Jinfeng Wang | 2025-04-20 | 2 files | -0/+443

  Backport patch [1] to fix CVE-2022-4968.

  [1] https://github.com/canonical/netplan/commit/4c39b75b5c6ae7d976bda6da68da60d9a7f085ee

  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
* lmsensors: Clean stale files for sensord to avoid incorrect GCC header dependencies | Haixiao Yan | 2025-04-20 | 1 file | -1/+4

  After upgrading GCC—for example, from 14.1.0 to 14.2.0—building lmsensors that was previously compiled with GCC 14.1.0 may fail with an error like:

  lmsensors/3.6.0/recipe-sysroot-native/usr/lib/x86_64-wrs-linux/gcc/x86_64-wrs-linux/14.1.0/include/stddef.h can't find, which is needed by 'prog/sensord/args.rd'.

  This occurs because prog/sensord/args.rd still references stale headers from the older GCC version. The root cause is that stale *.rd and *.ro files under prog/sensord are not properly cleaned during do_configure. This patch ensures those files are removed to prevent broken dependencies when GCC is upgraded.

  Also remove the same statement in do_compile.

  (master rev: 86b20b84ec278cacf4975b7933d46b894d74796e)

  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* corosync: fix CVE-2025-30472 | Jiaying Song | 2025-04-20 | 2 files | -0/+75

  Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2025-30472

  Upstream patches:
  https://github.com/corosync/corosync/commit/7839990f9cdf34e55435ed90109e82709032466a

  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
* openvpn: renew the sample keys | Haixiao Yan | 2025-03-29 | 2 files | -0/+1

  Renew the sample keys to fix the test issue:
  WARNING: Your certificate has expired!

  The renewed sample keys from [1] contain binary files which can't be patched by quilt, so archive the files into sample-keys-renew-for-the-next-10-years.tar.gz.

  [1] https://github.com/OpenVPN/openvpn/commit/98e70e7

  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* chrony: fix do_fetch error | Jiaying Song | 2025-03-29 | 1 file | -1/+1

  Change the SRC_URI to the correct value due to the following error:
  WARNING: chrony-4.5-r0.wr2401 do_fetch: Failed to fetch URL https://download.tuxfamily.org/chrony/chrony-4.5.tar.gz, attempting MIRRORS if available

  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 8ffe8112f733c6812732b0fcfa8db7d3849914d0)
  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* eject: fix do_fetch error | Jiaying Song | 2025-03-29 | 1 file | -1/+1

  Change the SRC_URI to the correct value due to the following error:
  WARNING: eject-2.1.5-r0.wr2401 do_fetch: Failed to fetch URL http://sources.openembedded.org/eject-2.1.5.tar.gz, attempting MIRRORS if available

  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit da361d2d7cf4501ab7a88bc898be187243005c47)
  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* xfce-dusk-gtk3: fix do_fetch error | Jiaying Song | 2025-03-29 | 1 file | -2/+1

  Change the SRC_URI to the correct value due to the following error:
  WARNING: xfce-dusk-gtk3-1.3-r0 do_fetch: Failed to fetch URL http://sources.openembedded.org/141404-xfce_dusk_gtk3-1_3.tar.gz;subdir=xfce-dusk-gtk3-1.3, attempting MIRRORS if available

  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 4e8c4736ac361f6d2cf9a59074e4f9bbd748c303)
  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* geoip: fix do_fetch error | Wang Mingyu | 2025-03-29 | 1 file | -4/+4

  Change the SRC_URI to the correct value due to the following error:
  ERROR: geoip-1.6.12-r0 do_fetch: Bitbake Fetcher Error: FetchError('Unable to fetch URL from any source.', 'http://sources.openembedded.org/GeoIP.dat.20181205.gz;apply=no;name=GeoIP-dat;')

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit aadc2ac9dc49dfb5a2066401f22e7b553b324313)
  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Revert "net-snmp: fix memory leak" | Armin Kuster | 2025-03-20 | 2 files | -41/+0

  This reverts commit d0c2a3d383dac9fe7e85b7d87784b7f5b5c62c5e.

  Please revert my patch. After I rebased the latest code from kirkstone, I found my patch had a bad character. This caused net-snmp do_patch failure. After some tries, I still failed to resolve this. The cherry-pick on my side picked up a copyright change. But after sending the patch via git send-mail, the character changed.

  Sorry again.

  Thanks.
  Jinfeng

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libmodbus: patch CVE-2024-10918 | Peter Marko | 2025-03-20 | 4 files | -1/+518

  Pick commit mentioning the bug and two follow-up commits mentioning the first commit.

  Tested by running the test-suite (test starter scripts were copied from scarthgap version which has them working).

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lapack: upgrade 3.10.0 -> 3.10.1 | wangmy | 2025-03-07 | 1 file | -2/+2

  Changelog:
  http://netlib.org/lapack/lapack-3.10.1.html

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Piotr Lewicki <piotr.l.lewicki@hitachienergy.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-grpcio(-tools): fix build concurrency issue | Peter Marko | 2025-03-06 | 2 files | -0/+8

  Set GRPC_PYTHON_BUILD_EXT_COMPILER_JOBS to limit spawned compiler processes.

  Without this it uses all available CPUs (via multiprocessing.cpu_count()) and can exhaust the build host since there are a lot of files to compile (e.g. with 128 cores it manages to spawn 128 gcc processes).

  Note that this is a general problem for all setuptools based builds with build_ext compilation, which can either compile with 1 thread or cpu_count threads. grpcio hot-patches setuptools and allows setting a specific build concurrency value.

  (From master rev: fe582374d3ba474164005942799eb2bddc52a080)

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: fix CVE-2025-23419 | Changqing Li | 2025-03-06 | 2 files | -0/+89

  CVE-2025-23419: When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) are used and/or the SSL session cache (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) is used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-23419

  This is partially cherry-picked from commit 13935cf9fdc3c8d8278c70716417d3b71c36140e; the original patch had 2 parts. One fixed a problem in the `http/ngx_http_request` module and the second fixed a problem in the `stream/ngx_stream_ssl_module` module. The fix for `stream/ngx_stream_ssl_module` can't be applied because the 'stream virtual servers' functionality was added later in this commit: https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de. Therefore only the `http/ngx_http_request` part was backported.

  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* abseil-cpp: fix CVE-2025-0838 | Changqing Li | 2025-03-06 | 2 files | -0/+115

  Backport a patch to fix CVE-2025-0838

  CVE-2025-0838: There exists a heap buffer overflow vulnerability in Abseil-cpp. The sized constructors, reserve(), and rehash() methods of absl::{flat,node}_hash_{set,map} did not impose an upper bound on their size argument. As a result, it was possible for a caller to pass a very large size that would cause an integer overflow when computing the size of the container's backing store, and a subsequent out-of-bounds memory write. Subsequent accesses to the container might also access out-of-bounds memory. We recommend upgrading past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1

  Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-0838

  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* postgresql: upgrade 14.14 -> 14.17 | Vijay Anusuri | 2025-03-06 | 2 files | -3/+3

  License-Update: Update license year to 2025

  Includes fix for CVE-2025-1094

  Changelog:
  https://www.postgresql.org/docs/release/14.17/

  Refreshed 0003-configure.ac-bypass-autoconf-2.69-version-check.patch for 14.17

  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dlt-daemon: fix CVE-2023-36321 | Yogita Urade | 2025-03-06 | 2 files | -0/+33

  Connected Vehicle Systems Alliance (COVESA) up to v2.18.8 was discovered to contain a buffer overflow via the component /shared/dlt_common.c.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2023-36321

  Upstream patch:
  https://github.com/michael-methner/dlt-daemon/commit/8ac9a080bee25e67e49bd138d81c992ce7b6d899

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dlt-daemon: fix CVE-2022-39836 and CVE-2022-39837 | Yogita Urade | 2025-03-06 | 2 files | -0/+252

  CVE-2022-39836:
  An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted DLT file that crashes the process can be created. This is due to missing validation checks. There is a heap-based buffer over-read of one byte.

  CVE-2022-39837:
  An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted DLT file that crashes the process can be created. This is due to missing validation checks. There is a NULL pointer dereference.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2022-39836
  https://nvd.nist.gov/vuln/detail/CVE-2022-39837

  Upstream patch:
  https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* freediameter: fix do_fetch warning | Haixiao Yan | 2025-03-06 | 1 file | -5/+3

  Update SRC_URI to fix do_fetch warning.

  The SRC_URI http://www.freediameter.net/hg/freeDiameter/archive/1.4.0.tar.gz is not available, which has moved to https://github.com/freeDiameter/freeDiameter.git.

  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* net-snmp: fix memory leak | Jinfeng Wang | 2025-03-06 | 2 files | -0/+41

  Backport patch [1] to fix memory leak by freeing tclist

  [1] https://github.com/net-snmp/net-snmp/commit/4bd0d9a8a2860c2c46307aef5ee1ccc69f7e3b62

  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-future: upgrade 0.18.2 -> 0.18.3 | Wang Mingyu | 2025-03-06 | 1 file | -2/+1

  Full changelog:
  https://github.com/PythonCharmers/python-future/releases

  (cherry-picked from a10bda8c873e66f0d895cf8065cbc076b2055655)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* phpmyadmin: fix CVE-2025-24529/CVE-2025-24530 | Changqing Li | 2025-02-09 | 3 files | -1/+81

  CVE-2025-24529: An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
  Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-24529

  CVE-2025-24530: An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
  Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-24530

  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mbedtls: fix CVE-2024-28755 and CVE-2024-28836 | Yogita Urade | 2025-02-09 | 2 files | -2/+71

  An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.

  Fix indent issue in mbedtls_3.5.2.bb file.

  Reference:
  https://security-tracker.debian.org/tracker/CVE-2024-28755
  https://security-tracker.debian.org/tracker/CVE-2024-28836

  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-h5py: add -Wno-error to allow building native with gcc-14 on host | Martin Jansa | 2025-02-09 | 1 file | -0/+4

  Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* hdf5: add -Wno-error to allow building native with gcc-14 on host | Martin Jansa | 2025-02-09 | 1 file | -0/+6

  Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libssh: Add ptest | Virendra Thakur | 2025-02-09 | 3 files | -3/+99

  Enable ptest for libssh; this change is backported from upstream scarthgap.

  Reference:
  https://git.openembedded.org/meta-openembedded/commit/?h=scarthgap&id=bf49bdea290ba8cf18f3fd6b47d1d71dfe499948

  ~ # ptest-runner libssh
  START: ptest-runner
  2025-01-28T14:28
  BEGIN: /usr/lib/libssh/ptest
  PASS: torture_buffer
  PASS: torture_callbacks
  PASS: torture_channel
  PASS: torture_config
  PASS: torture_crypto
  PASS: torture_hashes
  PASS: torture_init
  PASS: torture_isipaddr
  PASS: torture_keyfiles
  PASS: torture_knownhosts_parsing
  PASS: torture_list
  PASS: torture_misc
  PASS: torture_options
  PASS: torture_packet
  PASS: torture_packet_filter
  PASS: torture_pki
  PASS: torture_pki_ecdsa
  PASS: torture_pki_ed25519
  PASS: torture_pki_rsa
  PASS: torture_rand
  PASS: torture_threads_buffer
  PASS: torture_threads_crypto
  PASS: torture_threads_init
  PASS: torture_threads_pki_rsa
  DURATION: 119
  END: /usr/lib/libssh/ptest
  2025-01-28T14:29
  STOP: ptest-runner
  TOTAL: 1 FAIL: 0

  Signed-off-by: Virendra Thakur <virendrak@kpit.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: fix CVE-2024-51741 | Divya Chellam | 2025-02-09 | 2 files | -0/+90

  Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-51741

  Upstream-patch:
  https://github.com/redis/redis/commit/15e212bf69de28d2b4585aa79cc2a40f49e4a94d

  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: fix CVE-2024-46981 | Divya Chellam | 2025-02-09 | 4 files | -0/+73

  Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-46981

  Upstream-patch:
  https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf

  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: fix CVE-2024-31449 | Divya Chellam | 2025-02-09 | 4 files | -0/+100

  Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-31449

  Upstream-patches:
  https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9
  https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71

  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: fix CVE-2024-31228 | Divya Chellam | 2025-02-09 | 4 files | -0/+138

  Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

  References:
  https://security-tracker.debian.org/tracker/CVE-2024-31228

  Upstream-patch:
  https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0

  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redis: fix CVE-2024-31227 | Divya Chellam | 2025-02-09 | 2 files | -0/+34

  Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

  Reference:
  https://security-tracker.debian.org/tracker/CVE-2024-31227

  Upstream-patch:
  https://github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a

  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>