summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* python3-astroid: upgrade 3.3.5 -> 3.3.7Wang Mingyu2024-12-241-1/+1
| | | | | | | | | | Changelog: =========== - Fix inability to import collections.abc in python 3.13.1. - Fix crash when typing._alias() call is missing arguments. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-apispec: upgrade 6.7.1 -> 6.8.0Wang Mingyu2024-12-241-1/+1
| | | | | | | | | | Changelog: ========= - Allow properties on $ref objects for OpenAPI 3.1 - Fix nullable nested schemas with metadata in OpenAPI 3.0 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-apiflask: upgrade 2.2.1 -> 2.3.2Wang Mingyu2024-12-241-1/+1
| | | | | | | | | | | | | Changelog: =========== - Fix response headers to be compliant with the OpenAPI specification for versions 3.0.0+ - Fix input data loading implementation when input validation is skipped - Include input documentation in API spec when specifying validation=False on @input decorator - Support skipping the validation for the request body with @input(validation=False) - Enable CI test for Python 3.13. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-anyio: upgrade 4.6.2 -> 4.7.0Wang Mingyu2024-12-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | Changelog: =========== - Updated TaskGroup to work with asyncio's eager task factories - Added the wait_readable() and wait_writable() functions which will accept an object with a .fileno() method or an integer handle, and deprecated their now obsolete versions (wait_socket_readable() and wait_socket_writable()) - Changed EventAdapter (an Event with no bound async backend) to allow set() to work even before an async backend is bound to it - Added support for wait_readable() and wait_writable() on ProactorEventLoop (used on asyncio + Windows by default) - Fixed a misleading ValueError in the context of DNS failures - Fixed the return type annotations of readinto() and readinto1() methods in the anyio.AsyncFile class - Fixed TaskInfo.has_pending_cancellation() on asyncio returning false positives in cleanup code on Python >= 3.11 - Fixed cancelled cancel scopes on asyncio calling asyncio.Task.uncancel when propagating a CancelledError on exit to a cancelled parent scope1 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-aiosignal: upgrade 1.3.1 -> 1.3.2Wang Mingyu2024-12-241-1/+1
| | | | | | | | | | | Changelog: =========== - Dropped Python 3.7 support. - Dropped Python 3.8 support. - Remove redundant wheel dep from pyproject.toml Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* ostree: upgrade 2024.9 -> 2024.10Wang Mingyu2024-12-241-1/+1
| | | | | | | | | | | | | | | | | Changelog: ========== - prepare-root: Add composefs.enabled=verity - README: Update buildstream URL to new github repo - composefs: Ensure buffer is suitably aligned for struct fsverity_digest - core: Always sort incoming xattrs - Fix ci - sign-ed25519: Fix error message of validate_length - rofiles-fuse: when fuse execution fails, rofiles-fuse still returns exit code 0 - libostree/deploy: enable composefs by default - man: Note semantics combining root.transient with composefs.enabled Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nvmetcli: upgrade 0.7 -> 0.8Wang Mingyu2024-12-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | Changelog: ============= - fix common misspellings from codespell project - nvmetcli: set up the target only after the network is configured - nvmetcli: fixup ana groupid setting for namespaces - Documentation: fix typo - nvmetcli: add a tcp example json - nvmetcli: Correct xrange usage for py3 - nvmetcli: Allow different devices for make test - nvmetcli: Report save name correctly - test_nvmet.py: test_invalid_input fails for py3 - nvme.py: Make modprobe work for kmod lib too - nvme.py: Sync the containing directory - nvme.py: Explicit close is redundant - nvmetcli: Improve IOError handling on restore - README: Update URL for configshell-fb - nvmetcli: don't remove ANA Group 1 on clear Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nano: upgrade 8.2 -> 8.3Wang Mingyu2024-12-241-1/+1
| | | | | | | | | | Changelog: ============ - A build failure with gcc-15 is fixed. - Several translations were updated. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* libsdl2-image: upgrade 2.8.2 -> 2.8.3Wang Mingyu2024-12-241-1/+1
| | | | | | | | Changelog: Fixed handling of grayscale images with alpha Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* libcapture-tiny-perl: upgrade 0.48 -> 0.50Wang Mingyu2024-12-241-2/+2
| | | | | | | | | | | | License-Update: add year and name of copyright owner Changelog: ========== - Stringify '$]' for far future compatibility. - Fixed docs about custom files for capture Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* ctags: upgrade 6.1.20241215.0 -> 6.1.20241222.0Wang Mingyu2024-12-241-1/+1
| | | | | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-pyproj: cleanup dependenciesYi Zhao2024-12-231-2/+2
| | | | | | | | Drop python3-cython-native from DEPENDS since we already inherit cython bbclass. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-kivy: cleanup dependenciesYi Zhao2024-12-231-2/+0
| | | | | | | | Drop python3 and python3-cython-native from DEPENDS since we already inherit setuptools3 and cython bbclasses. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-yarl: upgrade 1.18.0 -> 1.18.3Tom Geelen2024-12-211-1/+1
| | | | | Signed-off-by: Tom Geelen <t.f.g.geelen@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-sqlalchemy: upgrade 2.0.35 -> 2.0.36Tom Geelen2024-12-211-1/+1
| | | | | Signed-off-by: Tom Geelen <t.f.g.geelen@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-pytest-asyncio: upgrade 0.23.6 -> 0.24.0Tom Geelen2024-12-211-1/+3
| | | | | Signed-off-by: Tom Geelen <t.f.g.geelen@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-pyjwt: upgrade 2.9.0 -> 2.10.1Tom Geelen2024-12-211-1/+1
| | | | | Signed-off-by: Tom Geelen <t.f.g.geelen@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-propcache: upgrade 0.2.0 -> 0.2.1Tom Geelen2024-12-211-1/+1
| | | | | Signed-off-by: Tom Geelen <t.f.g.geelen@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-pillow: upgrade 10.4.0 -> 11.0.0Tom Geelen2024-12-212-5/+5
| | | | | Signed-off-by: Tom Geelen <t.f.g.geelen@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-aiohttp: upgrade 3.11.8 -> 3.11.11Tom Geelen2024-12-211-1/+1
| | | | | Signed-off-by: Tom Geelen <t.f.g.geelen@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* python3-gpiod: update v2.2.2 -> v2.2.3Bartosz Golaszewski2024-12-201-1/+1
| | | | | | | | Small bugfix release addressing a potential crash due to a bad usage of PyDict_Next() in the C extension. Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* weechat: upgrade 4.0.4 -> 4.5.0Peter Marko2024-12-202-42/+3
| | | | | | | | | | | | | Solves CVE-2024-46613 Update dependencies: - remove openssl and icu - add cjson and gettext-native Remove patch to find gcrypt which is no longer needed. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* wireshark: upgrade 4.2.8 -> 4.2.9Peter Marko2024-12-201-1/+1
| | | | | | | | | | | Solves CVE-2024-9781 Release notes: https://www.wireshark.org/docs/relnotes/wireshark-4.2.7.html https://www.wireshark.org/docs/relnotes/wireshark-4.2.8.html Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* sassc: ignore CVE-2022-43357Peter Marko2024-12-201-0/+2
| | | | | | | | | | | | | | | | | | | This CVE is fixed in current libsass recipe version. So wrapper around it will also not show this problem. It's usual usecase is to be statically linked with libsass which is probably the reason why this is listed as vulnerable component. [1] links [2] as issue tracker which points to [3] as fix. [4] as base repository for the recipe is not involved and files from [3] are not present in this repository. [1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357 [2] https://github.com/sass/libsass/issues/3177 [3] https://github.com/sass/libsass/pull/3184 [4] https://github.com/sass/sassc/ Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* libmemcached: ignore CVE-2023-27478Peter Marko2024-12-201-0/+2
| | | | | | | | | | | | | | | | | Per [1] this is fixed by [2]. The commit message says that it is reverting feature added in: $ git tag --no-contains d7a0084 | grep 1.0.18 1.0.18 This recipe is for the original memcached which is unmaintained now. Hence the ignore instead of upgrade. [1] https://nvd.nist.gov/vuln/detail/CVE-2023-27478 [2] https://github.com/awesomized/libmemcached/commit/48dcc61a Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* libmemcached: merge inc into bbPeter Marko2024-12-202-19/+17
| | | | | | | | | After removing old libmemcached recipe version, these is no reasons anymore to have this split. The memcached resurrected project uses cmake and different urls. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* libmemcached: remove recipe for version 1.0.7Peter Marko2024-12-201-4/+0
| | | | | | | This no longer compiles with latest toolchains. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* php: upgrade 8.2.20 -> 8.2.26Peter Marko2024-12-208-11/+12
| | | | | | | | | | | | | | | | Solves dozens of vulnerabilities. See https://php.watch/versions/8.2/releases/8.2.21 https://php.watch/versions/8.2/releases/8.2.22 https://php.watch/versions/8.2/releases/8.2.23 https://php.watch/versions/8.2/releases/8.2.24 https://php.watch/versions/8.2/releases/8.2.25 https://php.watch/versions/8.2/releases/8.2.26 Removes CVE-2024-11233, CVE-2024-11234 and CVE-2024-11236 from current cve metrics. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* memcached: upgrade 1.6.17 -> 1.6.33Peter Marko2024-12-203-116/+10
| | | | | | | | | Solves CVE-2023-46852 and CVE-2023-46853. Upgrade done via "devtool upgrade". Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* memcached: add UPSTREAM_CHECK_URIPeter Marko2024-12-201-0/+2
| | | | | | | | Download URL is not listable so devtool upgrade fails. Using homepage works as it contains link to latest release, Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* opensc: mark CVE-2024-8443 as fixedPeter Marko2024-12-201-0/+2
| | | | | | | | | | | | | | | | | NVD tracks this CVE as version-less. Per [1] this is fixed by following commits: $ git tag --contains b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc 0.26.0 0.26.0-rc1 $ git tag --contains 02e847458369c08421fd2d5e9a16a5f272c2de9e 0.26.0 0.26.0-rc1 [1] https://github.com/OpenSC/OpenSC/wiki/CVE-2024-8443 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* opensc: upgrade 0.25.1 -> 0.26.0Peter Marko2024-12-201-2/+2
| | | | | | | | Solves CVE-2024-45615, CVE-2024-45616, CVE-2024-45617, CVE-2024-45618, CVE-2024-45619 and CVE-2024-45620. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* postgresql: upgrade 16.4 -> 16.5Yogita Urade2024-12-202-4/+4
| | | | | | | | | | | | | | Includes fix for CVE-2024-10976, CVE-2024-10977, CVE-2024-10978 and CVE-2024-10979 Changelog: https://www.postgresql.org/docs/release/16.5/ 0003-configure.ac-bypass-autoconf-2.69-version-check.patch Refreshed for 16.5 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* 7zip: Fix build with clangKhem Raj2024-12-202-18/+32
| | | | Signed-off-by: Khem Raj <raj.khem@gmail.com>
* xfce4-pulseaudio-plugin: Fix build with libwindowing 4.19.6Khem Raj2024-12-192-0/+26
| | | | Signed-off-by: Khem Raj <raj.khem@gmail.com>
* emlog: set CVE_PRODUCTPeter Marko2024-12-191-0/+2
| | | | | | | | This will remove false-positive CVE-2024-50655 from reports. There are different emlog components from other vendors around. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* memcached: ignore disputed CVE-2022-26635Peter Marko2024-12-191-0/+2
| | | | | | | | | | | | | | Per [1] this is a problem of applications using memcached inproperly. This should not be a CVE against php-memcached, but for whatever software the issue was actually found in. php-memcached and libmemcached provide a VERIFY_KEY flag if they're too lazy to filter untrusted user input. [1] https://github.com/php-memcached-dev/php-memcached/issues/519 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* swagger-ui: mark CVE-2016-1000229 as fixedPeter Marko2024-12-191-0/+2
| | | | | | | | as per https://github.com/swagger-api/swagger-ui/issues/1865 NVD tracks this CVE as version-less. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: ignore disputed CVE CVE-2007-0086Peter Marko2024-12-191-0/+1
| | | | | | | | | | | | | | | | This CVE is officially disputed by Redhat with official statement in https://nvd.nist.gov/vuln/detail/CVE-2007-0086 Red Hat does not consider this issue to be a security vulnerability. The pottential attacker has to send acknowledgement packets periodically to make server generate traffic. Exactly the same effect could be achieved by simply downloading the file. The statement that setting the TCP window size to arbitrarily high value would permit the attacker to disconnect and stop sending ACKs is false, because Red Hat Enterprise Linux limits the size of the TCP send buffer to 4MB by default. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* spice-gtk: mark CVE-2012-4425 as fixedPeter Marko2024-12-191-0/+2
| | | | | | | | | | It is fixed by [1] since 0.15.3. NVD tracks this CVE as version-less. [1] https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=efbf867bb88845d5edf839550b54494b1bb752b9 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* redis: ignore CVE-2022-0543Peter Marko2024-12-191-0/+1
| | | | | | | | This is Debian-specific CVE. NVD tracks this CVE as version-less. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* monkey: ignore CVE-2013-1771Peter Marko2024-12-191-0/+1
| | | | | | | | This is gentoo specific CVE. NVD tracks this as version-less CVE. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* gattlib: mark CVE-2019-6498 as fixedPeter Marko2024-12-191-0/+2
| | | | | | | | | | | | | | Our hash does not point to exact tag and CVE patch is already in. We use: 33a8a275928b186381bb0aea0f9778e330e57ec3 Fix: https://github.com/labapart/gattlib/commit/60b813a770e42fdb0e85c1d2da7a55327784b8d6 git describe --tags --match=v0.2 33a8a275928b186381bb0aea0f9778e330e57ec3 60b813a770e42fdb0e85c1d2da7a55327784b8d6 v0.2-262-g33a8a27 v0.2-85-g60b813a Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* spice: ignore CVE-2016-0749Peter Marko2024-12-191-0/+1
| | | | | | | | | | | NVD tracks this as version-less CVE for spice. It was fixed by [1] and [2] included in 0.13.2. [1] https://gitlab.freedesktop.org/spice/spice/-/commit/6b32af3e1746988bb5a5123263bcf61b65e5be7e [2] https://gitlab.freedesktop.org/spice/spice/-/commit/359ac42a7ac02dcd1013757559292006647cd5c4 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: remove old version references from CVEsPeter Marko2024-12-191-7/+7
| | | | | | | | These were not updated on recipe upgrade. To make maintenance easier, remove exact versions. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: ignore CVE-1999-0678 and CVE-1999-1412Peter Marko2024-12-191-0/+2
| | | | | | | These CVEs are specific to Debian and MAC OS X respectively. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* ace: ignore CVE-2009-1147Peter Marko2024-12-191-0/+2
| | | | | | | This CVE is for vmware ace. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* android-tools: fix warning: library search path "/usr/lib/p7zip" is unsafe ↵Hongxu Jia2024-12-191-11/+18
| | | | | | | | | for cross-compilation Refresh local patch to remove '-L/usr/lib/p7zip' Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Update p7zip to 7zipHongxu Jia2024-12-194-5/+5
| | | | | | | | Due to commit [Use 7zip 2409 to replace p7zip 16.02] applied, update affected recipes Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Use 7zip 24.09 to replace p7zip 16.02Hongxu Jia2024-12-1910-461/+111
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | According to DOC/readme.txt [1]: 7-Zip and p7zip =============== Now there are two different ports of 7-Zip for Linux/macOS: 1) p7zip - another port of 7-Zip for Linux, made by an independent developer. The latest version of p7zip now is 16.02, and that p7zip 16.02 is outdated now. http://sourceforge.net/projects/p7zip/ 2) 7-Zip for Linux/macOS - this package - it's new code with all changes from latest 7-Zip for Windows Add recipe 7-zip [2] to instead of recipe p7zip[3] in which the upstream is dead since 2016 Use git repo to instead of tarball Drop obsolete patches - CVE-2016-9296.patch - CVE-2017-17969.patch - CVE-2018-5996.patch - change_numMethods_from_bool_to_unsigned.patch - 0001-Fix-two-buffer-overflow-vulnerabilities.patch - 0001-Fix-narrowing-errors-Wc-11-narrowing.patch License-Update: DOC/License.txt: Add BSD-2-Clause & BSD-3-Clause The codec libraries was removed since 21.02 [4] Refer debian to compile 7-zip [5] Add link 7z.so to lib7z.so and create wrapper to command 7z which required running with absolute path to link the library 7z.so [1] https://salsa.debian.org/debian/7zip/-/blob/master/DOC/readme.txt?ref_type=heads [2] https://sourceforge.net/projects/p7zip/ [3] https://www.7-zip.org/ [4] https://github.com/p7zip-project/p7zip/commit/6c6ed1eba9ff0c0ded9323600f1f3c686d6b6692 [5] https://salsa.debian.org/debian/7zip/-/blob/master/debian/rules Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>