summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ref-manual/variables.rst: document INHIBIT_UPDATERCD_BBCLASSAlper Ak2025-05-271-0/+19
| | | | | | | | | | | | Fix [YOCTO #15753] (From yocto-docs rev: 3996388e337377bedc113d072a51fe9d68dd40c6) Signed-off-by: Alper Ak <alperyasinak1@gmail.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 5f5a406d4acdfcbf655ac014d0d2807056f95291) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/variables.rst: document SSTATE_SKIP_CREATIONEtienne Cordonnier2025-05-271-0/+20
| | | | | | | | | | (From yocto-docs rev: 40045299491087d3f7d269b696ae48d513dae435) Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 3982720668aafa18c9ed27304d09f896740b1653) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/variables.rst: document INHIBIT_DEFAULT_RUST_DEPSAlper Ak2025-05-271-0/+17
| | | | | | | | | | | | Fix [YOCTO #15755] (From yocto-docs rev: 2eb345ffa74d58d209a6a8deb27b228c37628034) Signed-off-by: Alper Ak <alperyasinak1@gmail.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit fd143a04bab38f6aeec23ec229657b16fcaecdf1) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* conf.py: tweak SearchEnglish to be hyphen-friendlyEnrico Jörns2025-05-271-0/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This modifies the default indexer split() and js splitQuery() methods to support searching for words with hyphens. While this might not be an ideal, rock solid, and fully future-proof solution, it allows at least to search for strings inlcuding hyphens, such as 'bitbake-layers', 'send-error-report', or 'oe-core'. Below is a bit more detailed explanation of the two modifications done: 1) The default split regex in the sphinx-doc SearchLanguage base class is: | _word_re = re.compile(r'\w+') which we simply extend to include hyphens '-'. This will result in a searchindex.js that contains words with hyphens, too. 2) The 'searchtool.js' code notes for its splitQuery() implementation: | /** | * Default splitQuery function. Can be overridden in ``sphinx.search`` with a | * custom function per language. | * | * The regular expression works by splitting the string on consecutive characters | * that are not Unicode letters, numbers, underscores, or emoji characters. | * This is the same as ``\W+`` in Python, preserving the surrogate pair area. | */ | if (typeof splitQuery === "undefined") { | var splitQuery = (query) => query | .split(/[^\p{Letter}\p{Number}_\p{Emoji_Presentation}]+/gu) | .filter(term => term) // remove remaining empty strings | } The hook for this is documented in the sphinx-docs 'SearchLanguage' base class. | .. attribute:: js_splitter_code | | Return splitter function of JavaScript version. The function should be | named as ``splitQuery``. And it should take a string and return list of | strings. | | .. versionadded:: 3.0 We use this to define a simplified splitQuery() function with a split argument that splits on empty spaces only. We extend SearchEnglish (which extends SearchLanguage) here to retain the stemmer code and stopwords for English. [YOCTO #14534] (From yocto-docs rev: ce18901b1059746069a0dea8893ba4a357772b51) Signed-off-by: Enrico Jörns <ejo@pengutronix.de> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit d4a98ee19e0cbd6be96923dc72faee143a6b294b) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/variables.rst: document the INITRAMFS_MAXSIZE variableChristos Gavros2025-05-271-0/+14
| | | | | | | | | | | | | | | | | | This variable specifies the maximum allowed size of the initramfs image in Kbytes. Fixes [YOCTO #15797] CC: Yoann Congal <yoann.congal@smile.fr> CC: Randy MacLeod <randy.macleod@windriver.com> CC: Antonin Godard <antonin.godard@bootlin.com> (From yocto-docs rev: 123d1ec8e532751ac416c21e3eaa92fd904e2171) Signed-off-by: Christos Gavros <gavrosc@yahoo.com> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 07bcdddaf71c76cdec186cf0ddd97a47eec54972) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/variables.rst: document the IMAGE_ROOTFS_MAXSIZE variableChristos Gavros2025-05-271-3/+27
| | | | | | | | | | | | | | | | | This variable specifies the maximum allowed size of the generated image in kilobytes. CC: Yoann Congal <yoann.congal@smile.fr> CC: Randy MacLeod <randy.macleod@windriver.com> CC: Antonin Godard <antonin.godard@bootlin.com> CC: Quentin Schulz <quentin.schulz@cherry.de> (From yocto-docs rev: d45174d03e1ccd422b9210e3ba1f648d2f6b5173) Signed-off-by: Christos Gavros <gavrosc@yahoo.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit f3ddc92081363aa7ef7d4fc2c3b918f32f7bda05) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sphinx-lint: unbalanced inline literal markupTrevor Woerner2025-05-2715-28/+28
| | | | | | | | | | | | | | Fix as many instances of unbalanced-inline-literals-delimiters as reported by 'make sphinx-lint' as possible. Sphinx and/or its linter seem to get tripped up randomly when references contain links to heading which contain literals enclosed in double-back-tics, and not all of them can be "fixed" to pass both building and linting. (From yocto-docs rev: 0ba5429953dfa0cdc983ed13ddd06351116031c7) Signed-off-by: Trevor Woerner <twoerner@gmail.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sphinx-lint: missing space after literalTrevor Woerner2025-05-271-1/+1
| | | | | | | | | | | Fix all instances of missing-space-after-literal as reported by 'make sphinx-lint'. (From yocto-docs rev: b562ea5563adc744703b10e0c9a530ed7476d51a) Signed-off-by: Trevor Woerner <twoerner@gmail.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sphinx-lint: trailing whitespaceTrevor Woerner2025-05-271-1/+1
| | | | | | | | | | Fix all instances of trailing-whitespace as reported by 'make sphinx-lint'. (From yocto-docs rev: d754df8f2084ad45305cfd9c1cf35da727240aa4) Signed-off-by: Trevor Woerner <twoerner@gmail.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libatomic-ops: Update GITHUB_BASE_URINguyen Dat Tho2025-05-271-2/+2
| | | | | | | | | | libatomic-ops moves to new repo https://github.com/ivmai/libatomic_ops according to topic: https://github.com/bdwgc/libatomic_ops/issues/66 (From OE-Core rev: 29d920f4c2249df7a69f00100924b4525e03c0d9) Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: Password agents shouldn't be optionalVyacheslav Yurkov2025-05-271-10/+0
| | | | | | | | | | | | | If extra-utils package is not included in the image, you'll always see a warning that password agent is missing whenever you start/stop a service: Failed to execute /usr/bin/systemd-tty-ask-password-agent: No such file or directory (From OE-Core rev: 180455ee76a3819933f45ddd6ce9a5610b3ba947) Signed-off-by: Vyacheslav Yurkov <uvv.mail@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-1153Sunil Dora2025-05-274-0/+7806
| | | | | | | | | | | | | PR 32603 [https://sourceware.org/bugzilla/show_bug.cgi?id=32603] Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0b7f992b78fe0984fc7d84cc748d0794e4a400e3 && https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=31e9e2e8d1090da0c1da97a70005d8841fff8ddd && https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fe459e33c676883b5f28cc96c00e242973d906a9] (From OE-Core rev: c8cb463ccee514935fe14544173c85001d66e60b) Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup-2.4: Fix CVE-2025-46420Ashish Sharma2025-05-272-0/+61
| | | | | | | | | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/c9083869ec2a3037e6df4bd86b45c419ba295f8e] (From OE-Core rev: 7c963f68cb8dfdea3e1664078037303ea3f29e65) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glib-2.0: fix CVE-2025-4373Praveen Kumar2025-05-273-0/+151
| | | | | | | | | | | | | | | | | | | | A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite. References: https://nvd.nist.gov/vuln/detail/CVE-2025-4373 https://security-tracker.debian.org/tracker/CVE-2025-4373 Upstream-patches: https://gitlab.gnome.org/GNOME/glib/-/commit/cc647f9e46d55509a93498af19659baf9c80f2e3 https://gitlab.gnome.org/GNOME/glib/-/commit/4d435bb4809793c445846db8fb87e3c9184c4703 (From OE-Core rev: 02e2f5211962394ec3d66882daab240cb465ef85) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* connman :fix CVE-2025-32366Praveen Kumar2025-05-272-0/+42
| | | | | | | | | | | | | | | | | | | | | In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen) without a check for whether the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32366 Upstream-patch: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4 (From OE-Core rev: 02e046149b1cc5eca5188eec7b4e1a9970b97faf) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssh: Fix for CVE-2025-32728Vijay Anusuri2025-05-272-0/+45
| | | | | | | | | | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367] (From OE-Core rev: 6565ae2b01d6eb1e3a83ed387a5e3b765f85b8cf) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/variables.rst: document WIC_CREATE_EXTRA_ARGSTrevor Woerner2025-05-191-0/+14
| | | | | | | | | | | | | Fixes [YOCTO #15509] Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> (From yocto-docs rev: 38706f0e743447da9a39a6369620fa039ab6df3b) Signed-off-by: Trevor Woerner <twoerner@gmail.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit f1cdecb6da91dbfac59359c83038cb4a4c36ad0a) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* contributor-guide/submit-changes: encourage patch version changelogsTrevor Woerner2025-05-191-0/+32
| | | | | | | | | | | | | | Add a section after the 'git format-patch' information encouraging developers to add patch version changelogs to their patch updates. (From yocto-docs rev: 78fd3b3f1ec797dfe3648509a1945241b50640d5) Signed-off-by: Trevor Woerner <twoerner@gmail.com> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 2e3a37c4607b296956993e557d1786c4876e5722) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* migration-guides: add release notes for 5.0.9Lee Chee Yang2025-05-192-0/+207
| | | | | | | | | | (From yocto-docs rev: 5b91bfc02ad35fa7b391e39b9559c65dca808d1e) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 0d070439259d72f66a71c148f6c7926f6f233b6d) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/variables.rst: update ROOT_HOME documentationEnrico Jörns2025-05-191-8/+3
| | | | | | | | | | | | | | | | | | | | | | * Since scarthgap [1], the default will be overridden when using 'systemd' as INIT_MANAGER. Reflect this in the documentation. * The distro configuration is probably the better place for customization, thus at least mention this together with the local.conf. * While at it, drop the probably redundant description on how to override weak default variables. The example on how to set "/root" is still given indirectly, anyway. [1] ebafe463 ("systemd: upgrade to 255.1") (From yocto-docs rev: f1f92f0a5a881c45ffecf9cf9bd070c992aff35a) Signed-off-by: Enrico Jörns <ejo@pengutronix.de> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 50e92009d309fc4ae406174feb8f6578142748cc) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: kernel-fitimage.bbclass does not use SPL_SIGN_KEYNAMEAdrian Freihofer2025-05-191-1/+1
| | | | | | | | | | | | | | The kernel-fitimage.bbclass uses the UBOOT_* variables. The SPL_* variables are handled by uboot-sign.bbclass. (From yocto-docs rev: 0d4cda12f2c3f89f64043c30cc0830dfa632e76e) Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 8ceffee908a039deb1021361faa7637e83ef26f3) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* migration-guides: add release notes for 4.0.26Lee Chee Yang2025-05-192-0/+264
| | | | | | | | | | (From yocto-docs rev: 4bbf915547adcd667247df22a1ff2e7e5f223c3e) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 656dc03101705bba718517b7017f71ce00541b72) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual/release-process: update releases.svgAntonin Godard2025-05-191-86/+432
| | | | | | | | | | | | | - Add the future "Whinlatter" (5.3) and "Wrynose" (6.0) releases. - Make the "Walnascar" release a current release. - Update the month in Current. (From yocto-docs rev: 0c08c88aad0a2acf04d2da0f2935f29bc6a6eb99) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit adb8573b54626e033921a9f4e3db259312b79207) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* test-manual/intro: remove Buildbot version usedAntonin Godard2025-05-191-7/+5
| | | | | | | | | | | | | | The version has changed now (3.10.12 as of writing). Avoid having to maintain this information by removing the version info from the intro. Also fix a typo ("uses now uses") and give a link to yocto-autobuilder2. Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> (From yocto-docs rev: a7000370ca9c1c623cd9272738f1a252e6556951) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 1ed64dbdf4a60b000305cdc2c67dc24f4bc97ef7) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual/sbom.rst: fix wrong build outputsAntonin Godard2025-05-191-11/+4
| | | | | | | | | | | | | | | | | This document was written with SPDX 3.0 in mind (create-spdx-3.0 class) on OE-Core's master, but Scarthgap only supports SPDX 2.2 (create-spdx-2.2). The create-spdx-2.2 class only generate a tar.zst output, so remove the other outputs listed here. Also, ancillary outputs are not only deployed in tmp/deploy/spdx/MACHINE but tmp/deploy/spdx in general. (From yocto-docs rev: deedc7395f565e9820d914de9ffc3b14f8b143eb) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc-y2038-tests: remove glibc-y2038-tests_2.39.bb reciperajmohan r2025-05-195-161/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This recipe takes longer time >20min when bitbake for package write stage. When cross-verified for longer time duration, found that do_check() stage taking 20min while other stages completes before 6min. This recipe gives only below two test binaries in the packages to test (ptest: glibc-y2038-tests): io/ftwtest io/ftwtest-time64 The above test binaries are already included for testing in recipe glibc-testsuite_2.39.bb. It is by now well established that glibc itself works as it should, that all affected 32 bit targets are configured to use 64 bit time_t, and that any lingering y2038 issues are in components other than the c library, and usually come from C programming mistakes (e.g. storing timestamps in long). So this recipe seems to be redundant and can be removed. Review comments for fixing above longer time duration ended up in removing this recipe as a proposal is below https://lists.openembedded.org/g/openembedded-core/topic/112188476#msg214636 Removed lines having reference to glibc-y2038-tests in the files. For master branch requested for integration and below is the link https://lists.openembedded.org/g/openembedded-core/message/215655 (From OE-Core rev: b214cc84a922f7a3fb7ebbc501189ce25e8bd2bd) Signed-off-by: rajmohan r <semc.2042@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-check.bbclass: Fix symlink handling also for text filesNiko Mauno2025-05-191-2/+3
| | | | | | | | | | | | | | | | | | | | | | While backporting commit 7543e4e24a8b ("cve-check.bbclass: Mitigate symlink related error") I failed to address the fact that in Scarthgap this bbclass still generates also the text CVE file, in addition to the JSON file. In order to avoid the error that occurred with JSON files from occurring now with CVE files: ERROR: core-image-base-1.0-r0 do_image_complete: Recipe core-image-base is trying to install files into a shared area when those files already exist. The files and the manifests listing them are: /home/poky/build/tmp/deploy/images/qemux86-64/.cve (matched in manifest-qemux86_64-core-image-minimal.image_complete) Please adjust the recipes so only one recipe provides a given file. update the symlink handling for the text file variant too. (From OE-Core rev: 81e702c85c62782dbedd5ca2a5e6569e6339dd60) Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* module.bbclass: add KBUILD_EXTRA_SYMBOLS to installAlon Bar-Lev2025-05-191-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Symbols are used during install as well, adding KBUILD_EXTRA_SYMBOLS enables successful installation. | DEBUG: Executing shell function do_install | NOTE: make -j 22 KERNEL_SRC=xxx/kernel-source -C xxx/drivers KDIR=xxx/kernel-source DEPMOD=echo MODLIB=xxx/image/lib/modules/6.6.75-yocto-standard-00189-g530c419bc9db INSTALL_FW_PATH=xxx/image/lib/firmware CC=aarch64-poky-linux-gcc -fuse-ld=bfd -fcanon-prefix-map LD=aarch64-poky-linux-ld.bfd OBJCOPY=aarch64-poky-linux-objcopy STRIP=aarch64-poky-linux-strip O=xxx/kernel-build-artifacts modules_install | make: Entering directory 'xxx/drivers' | make -C xxx/kernel-source M=xxx/drivers modules | make[1]: Entering directory 'xxx/kernel-source' | make[2]: Entering directory 'xxx/kernel-build-artifacts' | MODPOST xxx/drivers/Module.symvers | ERROR: modpost: "xxx" [xxx/xxx.ko] undefined! (From OE-Core rev: e8b90907f9c12808ac7137779f16edb62763e1c3) Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 0ef80eeda967a9e04ff91c3583aabbc35c9868e8) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* scripts/install-buildtools: Update to 5.0.9Aleksandar Nikolic2025-05-191-2/+2
| | | | | | | | | Update to the 5.0.9 release of the 5.0 series for buildtools (From OE-Core rev: 653b2ce8e7b19f668f337cab8726674f595a8dbe) Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* iputils: Security fix for CVE-2025-47268Yi Zhao2025-05-192-1/+146
| | | | | | | | | | | | | | | | | | | CVE-2025-47268 ping in iputils through 20240905 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47268 Patch from: https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40 (From OE-Core rev: 6b0dd564249754ab8ec20ce69b137466e051501e) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: Add single-threaded fast path to rand()Haixiao Yan2025-05-142-0/+48
| | | | | | | | | | | | Backport a patch [1] to improve performance of rand() and __random()[2] by adding a single-threaded fast path. [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=be0cfd848d9ad7378800d6302bc11467cf2b514f [2] https://sourceware.org/bugzilla/show_bug.cgi?id=32777 (From OE-Core rev: 68ee8d16fa5419acba9111d3aca285be92bd93d3) Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32914Vijay Anusuri2025-05-142-0/+112
| | | | | | | | | | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf] (From OE-Core rev: 6dd125b619974c8102b3050900781c22c2db4b10) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* connman :fix CVE-2025-32743Praveen Kumar2025-05-142-0/+49
| | | | | | | | | | | | | | | | | | | | In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c can be NULL or an empty string when the TC (Truncated) bit is set in a DNS response. This allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code, because those lookup values lead to incorrect length calculations and incorrect memcpy operations. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32743 Upstream-patch: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f (From OE-Core rev: 9558ec2091964556b47b0909c5d243aee5bafb6f) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup-2.4: Fix CVE-2025-32909Vijay Anusuri2025-05-142-0/+37
| | | | | | | | | | Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/comm it/ba4c3a6f988beff59e45801ab36067293d24ce92 (From OE-Core rev: 90359036300731b6c26b646afbf3d66127b72fa2) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup-2.4: Fix CVE-2025-32906Vijay Anusuri2025-05-143-0/+146
| | | | | | | | | | | Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f (From OE-Core rev: 6e373ec360151b212ae6eedc4c663fb9e760ae75) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup-2.4: Fix CVE-2024-52532Vijay Anusuri2025-05-144-0/+127
| | | | | | | | | | | | Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be & https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c & https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff (From OE-Core rev: dfde13ecffad3426846bd4b366d1e0cdb77b1be0) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup-2.4: Fix CVE-2024-52531Vijay Anusuri2025-05-143-0/+169
| | | | | | | | | | | | | | | | | | | | import patch from ubuntu to fix CVE-2024-52531 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches?h=ubuntu/jammy-security Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe] Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/ https://ubuntu.com/security/CVE-2024-52531 (From OE-Core rev: c7ab8b45b1f533ca1b27b07c30f44b7b64a3cfde) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup-2.4: Fix CVE-2024-52530Vijay Anusuri2025-05-142-1/+152
| | | | | | | | | | Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b (From OE-Core rev: ef1bff79d6b84eacccff2a3f8a5c3b8ed92fe0c4) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bluez5: backport a patch to fix btmgmt -iJeroen Hofstee2025-05-082-0/+30
| | | | | | | | | | Without this patch btmgmt will always use hci0 in non interactive mode. (From OE-Core rev: 45c50169fa7e34349acf3e24fc19e573cbab4e65) Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bluez5: make media control a PACKAGECONFIG optionJeroen Hofstee2025-05-081-0/+2
| | | | | | | | | | | | | | | | | | When not building with the default PACKAGECONFIG options, the build can fail with: undefined reference to `media_player_controller_create' undefined reference to `media_player_set_status' Otherwise. So disable it when not set and enable it by default. The packageconfig option is the same as in Styhead. https://github.com/openembedded/openembedded-core/commit/ebbdb7cf5c0a3f0e6773704d4c4cc570358ec611#diff-9d9284f6f27a81c75dffffd6d601b40c8266ae12e678d0a49c46bdb8356a0e91R52 (From OE-Core rev: 82448a6c8b720cefc200513daa41115961b43e8f) Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: stable 2.42 branch updatesDeepesh Varatharajan2025-05-081-1/+1
| | | | | | | | | | | | | Below commit on binutils-2.42 stable branch is updated. 6558f9f5f0c s390: Add support for z17 as CPU name Testing was done and there were no regressions found (From OE-Core rev: 08d6ca500e6dd571f5882f82f6ad804bd2eec8c8) Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: stable 2.39 branch updatesDeepesh Varatharajan2025-05-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 3463100f2d x86: Detect Intel Diamond Rapids e09436c2cb x86: Handle unknown Intel processor with default tuning 7620d98186 x86: Add ARL/PTL/CWF model detection support 765ff3d0d4 x86: Optimize xstate size calculation 65ae73be01 x86: Use `Avoid_Non_Temporal_Memset` to control non-temporal path 2be36448c4 x86: Tunables may incorrectly set Prefer_PMINUB_for_stringop (bug 32047) bde201e92c x86: Disable non-temporal memset on Skylake Server 38a7632f2d x86: Fix value for `x86_memset_non_temporal_threshold` when it is undesirable cc59fa5dbc x86: Enable non-temporal memset tunable for AMD 0da58e8be0 x86: Add seperate non-temporal tunable for memset 837a36c371 x86: Link tst-gnu2-tls2-x86-noxsave{,c,xsavec} with libpthread 87ab0c7f7f x86: Use separate variable for TLSDESC XSAVE/XSAVEC state size (bug 32810) 60cd7123a6 x86: Skip XSAVE state size reset if ISA level requires XSAVE 4cf3f9df54 x86_64: Add atanh with FMA 01ed435e2e x86_64: Add sinh with FMA 0edcc77fe7 x86_64: Add tanh with FMA 7ecf0d3bde x86-64: Exclude FMA4 IFUNC functions for -mapxf e1fe22368e nptl: clear the whole rseq area before registration dd8c0c3bbd math: Improve layout of exp/exp10 data a1b09e59e2 AArch64: Use prefer_sve_ifuncs for SVE memset d0e2133470 AArch64: Add SVE memset 0cc12d9c47 math: Improve layout of expf data 0cd10047bf AArch64: Remove zva_128 from memset dd1e63ab58 AArch64: Optimize memset 65a96a6f2b AArch64: Improve generic strlen 4073e4ee2c AArch64: Improve codegen for SVE logs 78abd3ef6e AArch64: Improve codegen in SVE tans a10183b633 AArch64: Improve codegen of AdvSIMD atan(2)(f) dcd1229e5b AArch64: Improve codegen of AdvSIMD logf function family 72156cb90b AArch64: Improve codegen in AdvSIMD logs 5e354bf4e2 AArch64: Simplify rounding-multiply pattern in several AdvSIMD routines 80df456112 aarch64: Avoid redundant MOVs in AdvSIMD F32 logs d591876303 aarch64: Fix AdvSIMD libmvec routines for big-endian f6d48470ae assert: Add test for CVE-2025-0395 Testresults: Before update |After update |Difference PASS: 5068 |PASS: 5072 |PASS: +4 FAIL: 120 |FAIL: 120 |FAIL: 0 XPASS: 4 |XPASS: 4 |XPASS: 0 XFAIL: 16 |XFAIL: 16 |XFAIL: 0 UNSUPPORTED: 157|UNSUPPORTED: 157|UNSUPPORTED: 0 (From OE-Core rev: f14c2e6a6ba72673a0e30cde48ec1d5573be3e01) Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: mark CVE-2025-29087 as patchedPeter Marko2025-05-081-0/+1
| | | | | | | | | | | | | | Description of CVE-2025-29087 and CVE-2025-3277 are very similar. There is no lonk from NVD, but [1] and [2] from Debian mark these two CVEs as duplicates with the same link for patch. [1] https://security-tracker.debian.org/tracker/CVE-2025-29087 [2] https://security-tracker.debian.org/tracker/CVE-2025-3277 (From OE-Core rev: 3f951941c758b6982a3cd30d085460756b7fefd9) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* elfutils: Fix CVE-2025-1371Soumya Sambu2025-05-082-0/+42
| | | | | | | | | | | | | | | | | | | | | A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-1371 https://ubuntu.com/security/CVE-2025-1371 Upstream patch: https://sourceware.org/cgit/elfutils/commit/?id=b38e562a4c907e08171c76b8b2def8464d5a104a (From OE-Core rev: 11c44bde4f3d9e63506ece2f9b27114914aacc4b) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: patch CVE-2025-46420Ashish Sharma2025-05-082-0/+61
| | | | | | | | | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/c9083869ec2a3037e6df4bd86b45c419ba295f8e] (From OE-Core rev: 0e4a77c928e2eb0e8b012f2bba13b2ef3929cb34) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR"Peter Marko2025-05-021-2/+0
| | | | | | | | | | | | | | This reverts commit 7adaec468d3a61d88c990b1b319b34850bee7e44. It does not seem to fix the issue it was supposed to fix. Additionally it breaks code which decides in full/partial update, because it manipulates timestamp that code is relying on. (From OE-Core rev: 00dd4901e364d16d96cfab864823a9cfdd336eeb) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit ebc65fdddd7ce51f0f1008baa30d0ae7918ae0bb) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: Make buildtools respects host CA certificatesChangqing Li2025-05-025-15/+88
| | | | | | | | | | | | | | | | | | | | | | | To adapt user network enviroment, buildtools should first try to use the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these envs is not set, then use the auto-detected ca file and ca path, and finally use the CA certificates in buildtools. nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work nativesdk-curl don't set default ca file, need SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO also works nativesdk-python3-requests will use cacert.pem under python module certifi by default, need to set REQUESTS_CA_BUNDLE (From OE-Core rev: 0653b96bac6d0800dc5154557706a323418808be) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: add envvars into BB_ENV_PASSTHROUGH_ADDITIONSChangqing Li2025-05-023-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | Here is one testcase: For recipe tensorflow-lite-host-tools_2.18.0.bb, refer [1], do_configure[network] = "1" and it will git clone some repos in CMakeLists.txt When buildtools is used and nativesdk-git is installed into sdk, do_configure failed with error: [1/9] Performing download step (git clone) for 'protobuf-populate' Cloning into 'protobuf'... fatal: unable to access 'https://github.com/protocolbuffers/protobuf/': error setting certificate file: /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-wrlinuxsdk-linux/etc/ssl/certs/ca-certificates.crt Fix by adding GIT_SSL_CAINFO in BB_ENV_PASSTHROUGH_ADDITIONS, so that user can export GIT_SSL_CAINFO=${GIT_SSL_CAINFO} in their do_configure:prepend() to fix above do_configure failure CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE is similar envvars, so all add into BB_ENV_PASSTHROUGH_ADDITIONS [1] https://github.com/nxp-imx/meta-imx/blob/styhead-6.12.3-1.0.0/meta-imx-ml/recipes-libraries/tensorflow-lite/tensorflow-lite-host-tools_2.18.0.bb (From OE-Core rev: 27f018d8e8ace97d0b1cdfb8782a2a7a0a319816) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: move setting of envvars to respective envfileChangqing Li2025-05-028-8/+42
| | | | | | | | | | | | * make git,curl,python3-requests align with openssl, move the setting of envvars into respective envfile * for environment.d-openssl.sh, also check if ca-certificates.crt exist before export envvars (From OE-Core rev: 5f4fd544d3df7365224599c9efdce4e545f51d5e) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* initscripts: add function log_success_msg/log_failure_msg/log_warning_msgChangqing Li2025-05-022-1/+21
| | | | | | | | | | | | | | | | | | | | | * add function log_success_msg/log_failure_msg/log_warning_msg, some packages still use these functions, like mariadb, refer [1], without these function, with sysV init manager, mariadb will report error: root@qemux86-64:~# /etc/init.d/mysqld status /etc/init.d/mysqld: line 383: log_success_msg: command not found * remove RCONFLICTS with lsbinitscripts, LSB support already remove in [2] [1] https://github.com/MariaDB/server/blob/main/support-files/mysql.server.sh#L104 [2] https://git.openembedded.org/openembedded-core/commit/?id=fb064356af615d67d85b65942103bf943d84d290 [3] https://refspecs.linuxbase.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptfunc.html (From OE-Core rev: 90cf409ba74c4bb398199667ea2819759a720373) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>