Commit message | Author | Age | Files | Lines
* Revert "sqlite3: patch CVE-2025-7458" [kirkstone] | Steve Sakoman | 6 days | 3 | -125/+0
| | | | | | | | | We have found that since this patch SELECT queries with COUNT(DISTINCT(column)) seem to cause sqlite to segfault This reverts commit 4d5093e5103016c08b3a32fd83b1ec9edd87cd5a. Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libarchive: patch regression of patch for CVE-2025-5918 | Peter Marko | 9 days | 3 | -1/+53
| | | | | | | | | | | Picked commit per [1]. [1] https://security-tracker.debian.org/tracker/CVE-2025-5918 (From OE-Core rev: c947e01b3c27e9f08dc55ee4939d5537318f12e3) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dpkg: patch CVE-2025-6297 | Peter Marko | 9 days | 2 | -0/+126
| | | | | | | | | | | Pick commit per [1] from 1.22.x branch. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-6297 (From OE-Core rev: aaf58c4ad69203a6437362ef130e8ed3ce267e81) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glib-2.0: patch CVE-2025-7039 | Peter Marko | 9 days | 3 | -0/+85
| | | | | | | | | | | | Pick commit per [1]. Also pick commit which changed the same code before to apply it cleanly. [1] https://security-tracker.debian.org/tracker/CVE-2025-7039 (From OE-Core rev: 79355004da104587b2fb40dcb76053431c6a6182) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: ignore CVE-2024-7730 | Peter Marko | 9 days | 1 | -0/+3
| | | | | | | | | | This CVE is for virtio-snd which was introduced in 8.2.0. Therefore ignore this CVE for version 6.2.0. (From OE-Core rev: 93545ef00c4930dd297649934bee0e95c520ee16) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gstreamer1.0-plugins-base: fix CVE-2025-47807 | Hitendra Prajapati | 9 days | 2 | -0/+50
| | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/9e2238adc1cad1fba5aad23bc8c2a6c2a65794d2 (From OE-Core rev: 8452fbdee00d27f2390dafa9d2ef14e7458baa70) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-49180 | Vijay Anusuri | 9 days | 3 | -0/+98
| | | | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c6a7a6eb247e2addb3b41ed6ef566853d (From OE-Core rev: 88abe8ec73f822b461670557539a7df0875325cc) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-49179 | Vijay Anusuri | 9 days | 2 | -0/+68
| | | | | | | | | | | | | import patch from debian to fix CVE-2025-49179 Upstream-Status: Backport [import from debian xorg-server_21.1.7-3+deb12u10.diff.gz Upstream commit https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4] (From OE-Core rev: da1b72e407190a81ac3bcc74a0ea51b4160cb5a9) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-49178 | Vijay Anusuri | 9 days | 2 | -0/+50
| | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 (From OE-Core rev: 8d29231af51de235b99be0eeb71dfab41d67589d) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: fix CVE-2023-50781 | Jiaying Song | 9 days | 7 | -1/+1806
| | | | | | | | | | | | | | | | | | | | | | | | A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. The CVE-2023-50781 in M2Crypto is addressed by modifying OpenSSL because M2Crypto relies on OpenSSL for its cryptographic operations. The issue stems from OpenSSL’s RSA PKCS#1 v1.5 padding verification being vulnerable to Bleichenbacher-type attacks. To mitigate this, OpenSSL introduced an implicit rejection mechanism in the RSA PKCS#1 v1.5 padding. Therefore, resolving the vulnerability requires changes within OpenSSL itself to ensure M2Crypto’s security. References: https://nvd.nist.gov/vuln/detail/CVE-2023-50781 https://github.com/openssl/openssl/pull/13817/commits https://todo.sr.ht/~mcepl/m2crypto/342?__goaway_challenge=meta-refresh&__goaway_id=45a03d6accb7b343867110db1f7fb334 (From OE-Core rev: d24c4923d6f7a25bdc3ec5d4ac6bee32bb0bae88) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libubootenv: backport patch to fix unknown type name 'size_t' | Youngseok Jeong | 2025-08-22 | 2 | -1/+32
| | | | | | | | | | | | | | | | Fix: ../recipe-sysroot/usr/include/libuboot.h:29:2: error: unknown type name 'size_t' size_t envsize; ^ This error can be avoided by using CXXFLAGS:append = " -include cstddef" but this way would be needed in all recipes that use libuboot.h. Therefore, backport the patch to include <cstddef> in C++ builds. (From OE-Core rev: e401a16d8e26d25cec95fcea98d6530036cffca1) Signed-off-by: Youngseok Jeong <youngseok1.jeong@lge.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glib-2.0: ignore CVE-2025-4056 | Peter Marko | 2025-08-22 | 1 | -0/+3
| | | | | | | | | | | | | | | | | | | | NVD report [1] says: A flaw was found in GLib. A denial of service on **Windows platforms** may occur if an application attempts to spawn a program using long command lines. The fix [3] (linked from [2]) also changes only files glib/gspawn-win32-helper.c glib/gspawn-win32.c [1] https://nvd.nist.gov/vuln/detail/CVE-2025-4056 [2] https://gitlab.gnome.org/GNOME/glib/-/issues/3668 [3] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4570 (From OE-Core rev: 8c69793deb78cf9718801825477938c22e229eca) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* git: fix CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835 | Hitendra Prajapati | 2025-08-22 | 2 | -0/+2501
| | | | | | | | | Upstream-Status: Backport from https://github.com/git/git/commit/d61cfed2c23705fbeb9c0d08f59e75ee08738950 (From OE-Core rev: a24e44f92114f995e034923a62b96947dc99d6e8) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-49177 | Vijay Anusuri | 2025-08-22 | 2 | -0/+55
| | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af (From OE-Core rev: b876a8c8dc9ffe288a41b18a61b4758ec52a115e) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-49176 | Vijay Anusuri | 2025-08-22 | 3 | -0/+131
| | | | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b326a80b582e48d939fe62cb1e2b10400d9 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 (From OE-Core rev: d1b634ce77b5d47b086a2c757acf50e6e002494b) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-49175 | Vijay Anusuri | 2025-08-22 | 2 | -0/+92
| | | | | | | | | Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee (From OE-Core rev: 23c1a62bced088cbc5eb31937bbc1e5d864213ab) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gstreamer1.0-plugins-good: fix CVE-2025-47183 & CVE-2025-47219 | Hitendra Prajapati | 2025-08-22 | 4 | -0/+274
| | | | | | | | | | * CVE-2025-47183 - Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c4d0f4bbd9a8e97f119a4528b9f4662a6b80922c && https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d76cae74dad89994bfcdad83da6ef1ad69074332 * CVE-2025-47219 - Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b80803943388050cb870c95934fc52feeffb94ac (From OE-Core rev: 0d923b416717d91142cced53961d853007a09daa) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gstreamer1.0-plugins-base: fix CVE-2025-47806 & CVE-2025-47808 | Hitendra Prajapati | 2025-08-22 | 3 | -0/+88
| | | | | | | | | | | | Backport fixes for: * CVE-2025-47806 - Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da4380c4df0e00f8d0bad569927bfc7ea35ec37d * CVE-2025-47808 - Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/6b19f117518a765a25c99d1c4b09f2838a8ed0c9 (From OE-Core rev: 974670b83970f78edcb9f7d09ba34ec3a327320a) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: Fix manpage build after CVE-2025-4598 | Dan McGregor | 2025-08-22 | 1 | -4/+3
| | | | | | | | | | | | The previous fix missed another cherry-pick that fixed building manpages after the coredump patch. The version-info.xml file doesn't exist in 250. It was introduced later, so remove the reference to it. (From OE-Core rev: 0a383ef579ffe5f5c4ef2c78040540f1332e4ea6) Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/classes.rst: document the testexport class | Antonin Godard | 2025-08-18 | 1 | -0/+16
| | | | | | | | | | | | | This class has been in OE-Core for a while but never documented in the reference manual. Add some description for it and link to the existing documentation on it. (From yocto-docs rev: 1576091585f8ffdcadd8b8eee525614ab16b6fa0) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 362a331255525fc853dab3af4ec905c417fabb0b) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/variables.rst: document SPL_DTB_BINARY | Antonin Godard | 2025-08-18 | 2 | -0/+8
| | | | | | | | | | | | This variable is part of uboot-sign but not documented. (From yocto-docs rev: 1a07897a273867b4cf26759e88e423c552a09c4a) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 05eb461cb1da76ad9cbaf634da7f47447b3f6765) [fix minor conflicts in classes.rst] Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/variables.rst: document the FIT_CONF_PREFIX variable | Antonin Godard | 2025-08-18 | 1 | -0/+4
| | | | | | | | | | | | Added by commit 7892ee3dc37d ("kernel-fitimage: allow overriding FIT configuration prefix") in OE-Core, but never documented. (From yocto-docs rev: cb410326e2093fd3bbfe4417c9d73ba0d379df7d) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 860891492b96eb127af5e7bab6348fca12167c68) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* overview-manual/yp-intro.rst: fix broken link to article | Erik Lindsten | 2025-08-18 | 1 | -1/+1
| | | | | | | | | | (From yocto-docs rev: c1aacca22e2ebd4e03076c2a3809caf38f3f3a5a) Signed-off-by: Erik Lindsten <erik@awto.se> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit b9680ad83ad3fc5e2b87594f7c62c057134d198b) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/system-requirements.rst: update supported distributions | Antonin Godard | 2025-08-18 | 1 | -19/+48
| | | | | | | | | | | | | | | | | Update the distributions to match the list of workers on the Autobuilder. This list was generated with the help of yocto-autobuilder-helper/scripts/yocto-supported-distros. Also: - Sort the lists alphabetically. - Fill the second list with EOL distros still running on the Autobuilder. (From yocto-docs rev: 207477ddfead183f9df06215b1acb453138708cb) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go-helloworld: fix license | Quentin Schulz | 2025-08-18 | 1 | -2/+2
| | | | | | | | | | | | | | | The example repo doesn't seem to have ever been under MIT to begin with but rather Apache-2.0. The license file exists in the sources, so use that one instead of taking it from the OE-Core license directory. License-Update: Incorrect license is now proper (From OE-Core rev: 3d1c037a7cb7858a4e3c33a94f5d343a81aac5f7) Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnupg: disable tests to avoid running target binaries at build time | Guocai He | 2025-08-18 | 1 | -0/+1
| | | | | | | | | | | | | | | | | | | | By default, the tests are built and run at do_compile and we can see errors like below in log.do_compile: gnupg-2.3.7/tests/cms/inittests: line 99: ../../sm/gpgsm: cannot execute binary file: Exec format error Note that the do_compile process still succeeds. However, we'd better avoid executing these target binaries at build time. (From OE-Core rev: b02f99a0b82ed55a07c00b32805ad676c04ee4ab) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (master rev: 74d48497470ce209bc6bdf49c2e2cfda67dce6ae) Signed-off-by: Guocai He <guocai.he.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxslt: fix CVE-2023-40403 | Hitendra Prajapati | 2025-08-18 | 6 | -0/+1044
| | | | | | | | | Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxslt/-/commit/adebe45f6ef9f9d036acacd8aec7411d4ea84e25 && https://gitlab.gnome.org/GNOME/libxslt/-/commit/1d9820635c271b35f88431f33ea78dc8be349e5b && https://gitlab.gnome.org/GNOME/libxslt/-/commit/ccec6fa31d11ab0a5299f15ea184c7a457e92940 && https://gitlab.gnome.org/GNOME/libxslt/-/commit/82f6cbf8ca61b1f9e00dc04aa3b15d563e7bbc6d && https://gitlab.gnome.org/GNOME/libxslt/-/commit/452fb4ca9b9803448826008b9573987c615912a1 (From OE-Core rev: b77845d6fed5385de5789f8864fc399f82209ea1) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libarchive: patch CVE-2025-5918 | Peter Marko | 2025-08-18 | 4 | -0/+730
| | | | | | | | | | Pick 2 commits as in scarthgap branch plus one additional precondition to apply those. (From OE-Core rev: e43507dad134c5036be1c79a37f73c34f4fb6292) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: ignore CVE-2025-0913 | Peter Marko | 2025-08-18 | 1 | -1/+1
| | | | | | | | | | | | | | | | | | This is a problem on the Windows platform only. Per NVD report [1], CPE has "and" clause Running on/with cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* Also linked patch [2] changes Windows files only (and tests). [1] https://nvd.nist.gov/vuln/detail/CVE-2025-0913 [2] https://go-review.googlesource.com/c/go/+/672396 (From OE-Core rev: 473da932a8f94b7454e0e13912753a7e7545fc17) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: patch CVE-2025-8194 | Peter Marko | 2025-08-18 | 2 | -3/+223
| | | | | | | | | | Pick commit from 3.12 branch mentioned in NVD report. https://nvd.nist.gov/vuln/detail/CVE-2025-8194 (From OE-Core rev: 4ae9daf3d05530952a8b002257dd9afda2e077e4) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: fix CVE-2025-8177 | Yogita Urade | 2025-08-18 | 2 | -0/+36
| | | | | | | | | | | | | | | | | | | | | A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8177 Upstream patch: https://gitlab.com/libtiff/libtiff/-/commit/e8de4dc1f923576dce9d625caeebd93f9db697e1 (From OE-Core rev: fbf3238630c104c9e17d6e902986358cea5986ff) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: fix CVE-2025-8176 | Yogita Urade | 2025-08-18 | 4 | -0/+123
| | | | | | | | | | | | | | | | | | | | | | | | A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8176 Upstream patches: https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa https://gitlab.com/libtiff/libtiff/-/commit/ce46f002eca4148497363f80fab33f9396bcbeda https://gitlab.com/libtiff/libtiff/-/commit/ecc4ddbf1f0fed7957d1e20361e37f01907898e0 (From OE-Core rev: 5dbc4ccce8676b016de8c1393c2f0d0f74eb9337) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to kirkstone head revision [yocto-4.0.29] [kirkstone-4.0.29] | Steve Sakoman | 2025-08-08 | 1 | -1/+1
| | | | | | (From OE-Core rev: bd620eb14660075fd0f7476bbbb65d5da6293874) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* poky.conf: bump version for 4.0.29 | Steve Sakoman | 2025-08-08 | 1 | -1/+1
| | | | | | (From meta-yocto rev: e916d3bad58f955b73e2c67aba975e63cd191394) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: stable 2.35 branch updates | Peter Marko | 2025-08-08 | 3 | -252/+2
| | | | | | | | | | | | | | | | | | | This is a single commit bump containing only CVE fix $ git log --oneline d80401002011f470d9c6eb604bf734715e9b3a8c..a66bc3941ff298e474d5f02d0c3303401951141f a66bc3941f posix: Fix double-free after allocation failure in regcomp (bug 33185) Test results didn't change except newly added test succeeding. (tst-regcomp-bracket-free) Also add CVE-2025-0395 ignore which was already included in previous hash bumps. Also drop an unreferenced patch. (From OE-Core rev: 3921549f6420e44a250d06cdef2c9d423fb6e39f) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: ignore CVE-2025-3277 | Peter Marko | 2025-08-08 | 1 | -0/+2
| | | | | | | | | | | | | | | The vulnerable code was introduced in 3.44.0 via [1]. (See fix commit [2]) Also Debian says "not vulnerable yet for 3.40.1 in [3] [1] https://github.com/sqlite/sqlite/commit/e1e67abc5cf67f931aab1e471eda23d73f51d456 [2] https://sqlite.org/src/info/498e3f1cf57f164f [3] https://security-tracker.debian.org/tracker/CVE-2025-3277 (From OE-Core rev: ebacd5cd2827c1a9a45a92353518f9d976597526) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: patch CVE-2025-7458 | Peter Marko | 2025-08-08 | 3 | -0/+125
| | | | | | | | | | | | | | Pick patch [1] listed in [2]. Also pick another patch which is precondition to this one introducing variable needed for the check. [1] https://sqlite.org/src/info/12ad822d9b827777 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458 (From OE-Core rev: 4d5093e5103016c08b3a32fd83b1ec9edd87cd5a) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* avahi: fix CVE-2024-52615 | Zhang Peng | 2025-08-08 | 2 | -0/+229
| | | | | | | | | | | | | | | | | | CVE-2024-52615: A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-52615] [https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g] Upstream patches: [https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942] (From OE-Core rev: 7bd9fee6d654326ea921b51113de99f793e11545) Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual/start.rst: added missing command in Optimize your VHDX file using ↵ | Marco Cavallini | 2025-08-04 | 1 | -0/+1
| | | | | | | | | | | | | | | | | | | | | DiskPart After compact vsdisk you have to detach it before exiting otherwise the vdisk remains attached. DISKPART> select vdisk file="<path_to_VHDX_file>" DISKPART> attach vdisk readonly DISKPART> compact vdisk DISKPART> detach <------------ new missing command DISKPART> exit (From yocto-docs rev: bf855ecaf4bec4cef9bbfea2e50caa65a8339828) Signed-off-by: Marco Cavallini <m.cavallini@koansoftware.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 1cc65ddf1a074f61fe5a63d222f3079b7fcb4c1e) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: Fix CVE-2025-6965 | Vijay Anusuri | 2025-08-04 | 2 | -0/+116
| | | | | | | | | Upstream-Status: Backport from https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703 (From OE-Core rev: b4a2f74ba0b40abcdf56c4b58cae5f7ce145d511) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-7545 | Deepesh Varatharajan | 2025-08-04 | 2 | -0/+40
| | | | | | | | | | | | | | objcopy: Don't extend the output section size Since the output section contents are copied from the input, don't extend the output section size beyond the input section size. Backport a patch from upstream to fix CVE-2025-7545 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944] (From OE-Core rev: 4f461ed46b7694fc4815c7f0504b9cefe5da8e19) Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: patch CVE-2025-6170 | Peter Marko | 2025-08-04 | 2 | -0/+104
| | | | | | | | | Pick commit referencing this CVE from 2.13 branch. (From OE-Core rev: 9418c88c964dffc21abe6a056db72c3c81e25137) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnutls: patch CVE-2025-6395 | Peter Marko | 2025-08-04 | 2 | -0/+300
| | | | | | | | | | | Pick relevant commit from 3.8.10 release MR [1]. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 (From OE-Core rev: 3680d0e2021c609f624c2170b061e6696fd8254c) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnutls: patch CVE-2025-32990 | Peter Marko | 2025-08-04 | 2 | -0/+2110
| | | | | | | | | | | Pick relevant commit from 3.8.10 release MR [1]. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 (From OE-Core rev: 33634900586ba8c502c3dd6bb4767da929dfd0d1) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnutls: patch CVE-2025-32988 | Peter Marko | 2025-08-04 | 2 | -0/+59
| | | | | | | | | | | Pick relevant commit from 3.8.10 release MR [1]. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 (From OE-Core rev: 3600752d06c14fcfa0bc1b96222cc6a164955bb5) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnutls: patch reject zero-length version in certificate request | Peter Marko | 2025-08-04 | 3 | -1/+41
| | | | | | | | | | | | | | | | Pick relevant commit from 3.8.10 release MR [1]. The MR contains reference to undisclosed issue, so any security relevant patch should be picked. Binary test file was added as separate file as binary diffs are not supported. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 (From OE-Core rev: 990bd6fab5c6004b9fbcdb9c76bcb3a96ba5887a) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnutls: patch read buffer overrun in the "pre_shared_key" extension | Peter Marko | 2025-08-04 | 3 | -1/+38
| | | | | | | | | | | | | | | | Pick relevant commit from 3.8.10 release MR [1]. The MR contains reference to undisclosed issue, so any security relevant patch should be picked. Binary test file was added as separate file as binary diffs are not supported. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 (From OE-Core rev: 33181e3e8c7427fc823f750e936732b69e247987) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnutls: patch CVE-2025-32989 | Peter Marko | 2025-08-04 | 3 | -0/+56
| | | | | | | | | | | | | | Pick relevant commit from 3.8.10 release MR [1]. Binary test file was added as separate file as binary diffs are not supported. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 (From OE-Core rev: fbe5f828c63071962d571a8787298aa5fd78ebe8) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dropbear: patch CVE-2025-47203 | Peter Marko | 2025-08-04 | 4 | -0/+521
| | | | | | | | | | | | | | | | | | CVE patch [1] as mentioned in [2] relies on several patches not yet available in version 2020.81 we have in kirkstone. The good folks from Debian did the hard work identifying them as they have the same version in bullseye release. The commits were picked from [3] and they have their references to dropbear upstream commits. [1] https://github.com/mkj/dropbear/commit/e5a0ef27c227f7ae69d9a9fec98a056494409b9b [2] https://security-tracker.debian.org/tracker/CVE-2025-47203 [3] https://salsa.debian.org/debian/dropbear/-/commit/7f48e75892c40cfc6336137d62581d2c4ca7d84c (From OE-Core rev: 91eeffaf14917c7c994a8de794b915231e69c5d6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* db: ignore implicit-int and implicit-function-declaration issues fatal with ↵ | Martin Jansa | 2025-07-30 | 1 | -0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | gcc-14 * many configure tests (which might not fail before) are failing with gcc-14: # grep implicit build/config.log conftest.c:47:1: error: return type defaults to 'int' [-Wimplicit-int] conftest.c:47:1: error: return type defaults to 'int' [-Wimplicit-int] conftest.c:47:1: error: return type defaults to 'int' [-Wimplicit-int] conftest.c:47:1: error: return type defaults to 'int' [-Wimplicit-int] conftest.c:47:1: error: return type defaults to 'int' [-Wimplicit-int] conftest.c:47:1: error: return type defaults to 'int' [-Wimplicit-int] conftest.c:50:17: error: implicit declaration of function 'exit' [-Wimplicit-function-declaration] conftest.c:50:17: warning: incompatible implicit declaration of built-in function 'exit' [-Wbuiltin-declaration-mismatch] conftest.c:53:9: error: implicit declaration of function 'msem_init' [-Wimplicit-function-declaration] conftest.c:54:9: error: implicit declaration of function 'msem_lock' [-Wimplicit-function-declaration] conftest.c:55:9: error: implicit declaration of function 'msem_unlock' [-Wimplicit-function-declaration] conftest.c:56:9: error: implicit declaration of function 'exit' [-Wimplicit-function-declaration] conftest.c:56:9: warning: incompatible implicit declaration of built-in function 'exit' [-Wbuiltin-declaration-mismatch] conftest.c:50:9: error: implicit declaration of function '_spin_lock_try' [-Wimplicit-function-declaration] conftest.c:51:9: error: implicit declaration of function '_spin_unlock' [-Wimplicit-function-declaration] * I have noticed this on db-native build on host with gcc-14 where it caused fatal do_configure error: http://errors.yoctoproject.org/Errors/Details/784164/ checking for mutexes... UNIX/fcntl configure: error: Support for FCNTL mutexes was removed in BDB 4.8. 
the config.log confirms it's because implicit-int: configure:22798: checking for mutexes configure:22925: gcc -o conftest -isystem/OE/build/oe-core/tmp-glibc/work/x86_64-linux/db-native/5.3.28/recipe-sysroot-native/usr/include -O2 -pipe -isystem/OE/build/oe-core/tmp-glibc/work/x86_64-linux/db-native/5.3.28/recipe-sysroot-native/usr/include -D_GNU_SOURCE -D_REENTRANT -L/OE/build/oe-core/tmp-glibc/work/x86_64-linux/db-native/5.3.28/recipe-sysroot-native/usr/lib -L/OE/build/oe-core/tmp-glibc/work/x86_64-linux/db-native/5.3.28/recipe-sysroot-native/lib -Wl,--enable-new-dtags -Wl,-rpath-link,/OE/build/oe-core/tmp-glibc/work/x86_64-linux/db-native/5.3.28/recipe-sysroot-native/usr/lib -Wl,-rpath-link,/OE/build/oe-core/tmp-glibc/work/x86_64-linux/db-native/5.3.28/recipe-sysroot-native/lib -Wl,-rpath,/OE/build/oe-core/tmp-glibc/work/x86_64-linux/db-native/5.3.28/recipe-sysroot-native/usr/lib -Wl,-rpath,/OE/build/oe-core/tmp-glibc/work/x86_64-linux/db-native/5.3.28/recipe-sysroot-native/lib -Wl,-O1 conftest.c -lpthread >&5 conftest.c:47:1: error: return type defaults to 'int' [-Wimplicit-int] 47 | main() { | ^~~~ configure:22925: $? = 1 configure: program exited with status 1 * comparing target db with and without this change shows following diff in log.do_configure: db $ diff 5.3.28*/temp/log.do_configure 268c268 < checking for mutexes... POSIX/pthreads/library --- > checking for mutexes... POSIX/pthreads/library/x86_64/gcc-assembly 271c271 < checking for atomic operations... no --- > checking for atomic operations... 
x86/gcc-assembly (From OE-Core rev: 4d3ce333c10fadf746b6d8b55a88777c97e11ffa) (From OE-Core rev: 277b5ec3c0212ca8600dd89d0a33f784a060131f) Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 6108da955e7c553247ff5356cf1c990b3d334edf) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>