path: root/meta/recipes-devtools
Commit message | Author | Age | Files | Lines
* mtools: upgrade 4.0.48 -> 4.0.49 | Jinfeng Wang | 8 days | 1 | -1/+1
  New version includes check for overlong file names, see [1].
  [1] https://lists.gnu.org/archive/html/info-mtools/2025-06/msg00005.html
  (From OE-Core rev: c374e6cfcdd2c8ba17d82ffcfdeb97d21144e2bf)
  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  (From OE-Core rev: 044c2bceefcc12262cb2421e8f1da5f6c2ed9f72)
  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mtools: upgrade 4.0.47 -> 4.0.48 | Wang Mingyu | 8 days | 3 | -7/+7
  clang_UNUSED.patch
  disable-hardcoded-configs.patch
  refreshed for 4.0.48
  (From OE-Core rev: d2c56de7c9d403c3432213bc20e04c2ed5f1db16)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (From OE-Core rev: 1d5aee7e67cd614073a15b47b832375428865260)
  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mtools: upgrade 4.0.46 -> 4.0.47 | Richard Purdie | 8 days | 4 | -7/+7
  (From OE-Core rev: cf705382534d8f5af6880511221f701a733d84d7)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (From OE-Core rev: 14ef270cc003646e6ca97ff3405507f2b9e92736)
  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mtools: upgrade 4.0.45 -> 4.0.46 | Wang Mingyu | 8 days | 3 | -12/+12
  clang_UNUSED.patch
  mtools-makeinfo.patch
  refreshed for 4.0.46
  Changelog:
  =============
  - iconv buffer overflow fixes
  - removed references to mread and mwrite (obsolete subcommands from mcopy)
  - documented mdoctorfat, and addressed 2 bugs/oversights
  - removed references to obsolete mread and mwrite
  - portability fixes (dietlibc and MacOS X) & simplification
  (From OE-Core rev: daab05bc863611c83223a383dd83ff2134cae6f8)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (From OE-Core rev: f5a5b2372669d8be4ae3f19ed6892264ea3999d0)
  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mtools: upgrade 4.0.44 -> 4.0.45 | Wang Mingyu | 8 days | 1 | -1/+1
  Changelog:
  ============
  - Fixed iconv descriptor leak
  - Fixed size of error message buffer
  (From OE-Core rev: 77340d2bb1f31e305394df5d589fc0d3a0c5cd9a)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (From OE-Core rev: cc1975888ffdc58655e80d3d14450cf68ee0f719)
  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mtools: upgrade 4.0.43 -> 4.0.44 | Alexander Kanavin | 8 days | 4 | -17/+22
  (From OE-Core rev: b09b06ed6351685e5351f8bf80a88d2f42093ca4)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (From OE-Core rev: dd8c333576d7ebb8abab3a62b3451439519a0caa)
  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* orc: set CVE_PRODUCT | Peter Marko | 8 days | 1 | -0/+3
  There are new CVEs reported for this recipe which are not for this component, but for a component with same name from apache.
  sqlite> select vendor, product, id, count(*) from products where product like 'orc' group by vendor, product, id;
  apache|orc|CVE-2018-8015|1
  apache|orc|CVE-2025-47436|4
  gstreamer|orc|CVE-2024-40897|1
  (From OE-Core rev: f5e320c0ea57ce1813ed09da703fe2b33f4976e6)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-7545 | Deepesh Varatharajan | 8 days | 2 | -0/+40
  objcopy: Don't extend the output section size
  Since the output section contents are copied from the input, don't extend the output section size beyond the input section size.
  Backport a patch from upstream to fix CVE-2025-7545
  Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944]
  (From OE-Core rev: 128e40c39d8eafdd32fea71b902b38801afec202)
  Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-7546 | Yash Shinde | 8 days | 2 | -0/+59
  Report corrupted group section instead of trying to recover.
  CVE: CVE-2025-7546
  Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b]
  PR 33050 [https://sourceware.org/bugzilla/show_bug.cgi?id=33050]
  (From OE-Core rev: 3a54f11b9462905e103e13161a77ef681f14dc92)
  Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: stable 2.42 branch updates | Deepesh Varatharajan | 2025-07-21 | 1 | -1/+1
  Below commit on binutils-2.42 stable branch are updated.
  x86: Check MODRM for call and jmp in binutils older than 2.45
  Test Results:
                               Before  After  Diff
  No. of expected passes       302     302    0
  No. of unexpected failures   2       2      0
  No. of untested testcases    1       1      0
  No. of unsupported tests     7       7      0
  Testing was done and there were no regressions found
  (From OE-Core rev: 412def8923a89f3c385eae25901bed0c07859029)
  Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* git: Upgrade 2.44.3 -> 2.44.4 | Vijay Anusuri | 2025-07-21 | 1 | -1/+1
  Addresses the security issues - CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
  Release Notes:
  https://github.com/git/git/blob/v2.44.4/Documentation/RelNotes/2.44.4.txt
  (From OE-Core rev: 3a9fdcb2ea0dd2744f59a62f2722bfa276302324)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: update CVE product | Peter Marko | 2025-07-21 | 1 | -1/+1
  There are two "new" CVEs reported for python3, their CPEs are:
  * CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
  * CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
  These are for "Visual Studio Code Python extension".
  Solve this by adding CVE vendor to python CVE product to avoid confusion with Microsoft as vendor.
  Examining CVE DB for historical python entries shows:
  sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
     ...> or product like 'python%3' group by vendor, product;
  microsoft|python|2
  python|python|1054
  python_software_foundation|python|2
  Note that this already shows that cpython product is not used, so CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c was updated.
  But let's keep it for future in case new CVE starts with that again.
  (From OE-Core rev: 72369cd66f78a371608c3fff205e0e96c248f2b3)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: fix CVE-2025-50181 | Yogita Urade | 2025-07-11 | 2 | -0/+287
  urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2025-50181
  Upstream patch:
  https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
  (From OE-Core rev: cf10eafb333daf8acfd3b8bfcb42c1fe6c26a8a5)
  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tcf-agent: correct the SRC_URI | Guocai He | 2025-07-07 | 1 | -2/+2
  The SRC_URI is changed to git://gitlab.eclipse.org/eclipse/tcf/tcf.agent.git
  (From OE-Core rev: 175cd54fd57266d7dea07121861a4f15be00a882)
  Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-4673 | Praveen Kumar | 2025-07-07 | 2 | -0/+69
  Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2025-4673
  Upstream-patch:
  https://github.com/golang/go/commit/b897e97c36cb62629a458bc681723ca733404e32
  (From OE-Core rev: 72279bbc1ff2d85563c5245195435f078c5d1a68)
  Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cmake: Correctly handle cost data of tests with arbitrary chars in name | Moritz Haase | 2025-06-25 | 3 | -1/+207
  ctest automatically optimizes the order of (parallel) test execution based on historic test case runtime via the COST property (see [0]), which can have a significant impact on overall test run times. Sadly this feature is broken in CMake < 4.0.0 for test cases that have spaces in their name (see [1]).
  This commit is a backport of f24178f3 (which itself backports the upstream fix). The patch was adapted slightly to apply cleanly to the older CMake version in scarthgap. As repeated test runs are expected to mainly take place inside the SDK, the patch is only applied to 'nativesdk' builds.
  [0]: https://cmake.org/cmake/help/latest/prop_test/COST.html
  [1]: https://gitlab.kitware.com/cmake/cmake/-/issues/26594
  Reported-By: John Drouhard <john@drouhard.dev>
  (From OE-Core rev: cfa97a50e06fb0fcc7cbc0ada54ce7ad5ba29ebe)
  Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: set status of CVE-2024-3566 | Peter Marko | 2025-06-25 | 2 | -0/+2
  NVD ([1]) tracks this as:
  cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
  Running on/with
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  Yocto cve-check ignores the "Running on/with", so it needs to be ignored explicitly.
  [1] https://nvd.nist.gov/vuln/detail/CVE-2024-3566
  (From OE-Core rev: b8841097eaf7545abf56eb52a122e113b54ba2a7)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: Upgrade to GCC 13.4 | Deepesh Varatharajan | 2025-06-20 | 13 | -667/+3
  This is a bugfix release in GCC13 release series
  100+ bugfixes
  https://gcc.gnu.org/bugzilla/buglist.cgi?bug_status=RESOLVED&resolution=FIXED&target_milestone=13.4
  Dropped the following patches:
  0028-gcc-Fix-c-tweak-for-Wrange-loop-construct.patch
  https://github.com/gcc-mirror/gcc/commit/179dc0f0fe01012675c1b430591b9891ce96c26e
  gcc.git-ab884fffe3fc82a710bea66ad651720d71c938b8.patch
  https://github.com/gcc-mirror/gcc/commit/5ceea2ac106d6dd1aa8175670b15a801316cf1c9
                                    #GCC 13.3  #GCC 13.4  #Diff
  No. of expected passes            148863     149440     +577
  No. of unexpected failures        14         14         0
  No. of expected failures          1415       1414       -1
  No. of unresolved testcases       25384      25660      +276
  No. of unsupported tests          2692       2689       -3
  (From OE-Core rev: 7af83314fea5948937403b5d59ba5df6fecdd81a)
  Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-requests: upgrade 2.32.3 -> 2.32.4 | Jiaying Song | 2025-06-20 | 1 | -1/+1
  Changelog:
  https://requests.readthedocs.io/en/latest/community/updates/#release-history
  (From OE-Core rev: 0f0a06ccef45792f65b823ecc0ef10525d94084f)
  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: upgrade 3.12.9 -> 3.12.11 | Peter Marko | 2025-06-13 | 9 | -64/+10
  Drop upstreamed patch and refresh remaining patches.
  * https://www.python.org/downloads/release/python-31210/
  Python 3.12.10 is the latest maintenance release of Python 3.12, and the last full maintenance release. Subsequent releases of 3.12 will be security-fixes only.
  * https://www.python.org/downloads/release/python-31211/
  Security content in this release
  * gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330] [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links.
  * gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler.
  * gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service.
  gh-133767 got meanwhile CVE-2025-4516 assigned.
  (From OE-Core rev: 6cca08b2857efd5481e837ecd6bb295cb8a99ee1)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-5244 | Deepesh Varatharajan | 2025-06-11 | 2 | -0/+26
  PR32858 ld segfault on fuzzed object
  We missed one place where it is necessary to check for empty groups.
  Backport a patch from upstream to fix CVE-2025-5244
  Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d1458933830456e54223d9fc61f0d9b3a19256f5]
  (From OE-Core rev: 31fc180f606c5bb141c9c6dd85a7b1d876e1d692)
  Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-5245 | Deepesh Varatharajan | 2025-06-11 | 2 | -0/+39
  PR32829, SEGV on objdump function debug_type_samep
  u.kenum is always non-NULL, see debug_make_enum_type.
  Backport a patch from upstream to fix CVE-2025-5245
  Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a]
  (From OE-Core rev: 8202e66670327b02ec3de18b5af4a8b09abdc50d)
  Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-setuptools: Fix CVE-2025-47273 | Vijay Anusuri | 2025-06-11 | 3 | -0/+115
  Upstream-Status: Backport from
  https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a
  &
  https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b
  (From OE-Core rev: 9769cd99c32faf7d95a7cab07b8550b438ccaf0c)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: set CVE_STATUS for CVE-2025-1180 | Harish Sadineni | 2025-06-02 | 1 | -0/+1
  CVE-2025-1180 is fixed with patch from CVE-2025-1176.
  More details about CVE is here: https://nvd.nist.gov/vuln/detail/CVE-2025-1179
  (From OE-Core rev: 9c63f1c73426532a94f01fbbe26c9f52a3c4fdf7)
  Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2025-27221 | Divya Chellam | 2025-06-02 | 3 | -0/+132
  In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
  Reference:
  https://security-tracker.debian.org/tracker/CVE-2025-27221
  Upstream-patches:
  https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495
  https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5
  (From OE-Core rev: 421d7011269f4750f5942b815d68f77fa4559d69)
  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-1179 | Harish Sadineni | 2025-06-02 | 3 | -0/+1357
  CVE-2025-1179-pre.patch is dependency patch for CVE-2025-1179.patch
  Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141322.html &&
  https://sourceware.org/pipermail/binutils/2025-May/141321.html]
  CVE: CVE-2025-1179
  cherry picked from upstream commit:
  https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=67e30b15212adc1502b898a1ca224fdf65dc110d
  https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1d68a49ac5d71b648304f69af978fce0f4413800
  (From OE-Core rev: 8f54548f784ef60eaf7fb6b3f539d48b0f7192a3)
  Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-1153 | Sunil Dora | 2025-05-27 | 4 | -0/+7806
  PR 32603 [https://sourceware.org/bugzilla/show_bug.cgi?id=32603]
  Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0b7f992b78fe0984fc7d84cc748d0794e4a400e3 &&
  https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=31e9e2e8d1090da0c1da97a70005d8841fff8ddd &&
  https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fe459e33c676883b5f28cc96c00e242973d906a9]
  (From OE-Core rev: c8cb463ccee514935fe14544173c85001d66e60b)
  Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: stable 2.42 branch updates | Deepesh Varatharajan | 2025-05-08 | 1 | -1/+1
  Below commit on binutils-2.42 stable branch is updated.
  6558f9f5f0c s390: Add support for z17 as CPU name
  Testing was done and there were no regressions found
  (From OE-Core rev: 08d6ca500e6dd571f5882f82f6ad804bd2eec8c8)
  Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* elfutils: Fix CVE-2025-1371 | Soumya Sambu | 2025-05-08 | 2 | -0/+42
  A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2025-1371
  https://ubuntu.com/security/CVE-2025-1371
  Upstream patch:
  https://sourceware.org/cgit/elfutils/commit/?id=b38e562a4c907e08171c76b8b2def8464d5a104a
  (From OE-Core rev: 11c44bde4f3d9e63506ece2f9b27114914aacc4b)
  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: Make buildtools respects host CA certificates | Changqing Li | 2025-05-02 | 2 | -6/+28
  To adapt user network environment, buildtools should first try to use the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these envs are not set, then use the auto-detected ca file and ca path, and finally use the CA certificates in buildtools.
  nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work
  nativesdk-curl don't set default ca file, need SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work
  nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO also works
  nativesdk-python3-requests will use cacert.pem under python module certifi by default, need to set REQUESTS_CA_BUNDLE
  (From OE-Core rev: 0653b96bac6d0800dc5154557706a323418808be)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: add envvars into BB_ENV_PASSTHROUGH_ADDITIONS | Changqing Li | 2025-05-02 | 2 | -0/+2
  Here is one testcase:
  For recipe tensorflow-lite-host-tools_2.18.0.bb, refer [1], do_configure[network] = "1" and it will git clone some repos in CMakeLists.txt
  When buildtools is used and nativesdk-git is installed into sdk, do_configure failed with error:
  [1/9] Performing download step (git clone) for 'protobuf-populate'
  Cloning into 'protobuf'...
  fatal: unable to access 'https://github.com/protocolbuffers/protobuf/': error setting certificate file: /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-wrlinuxsdk-linux/etc/ssl/certs/ca-certificates.crt
  Fix by adding GIT_SSL_CAINFO in BB_ENV_PASSTHROUGH_ADDITIONS, so that user can export GIT_SSL_CAINFO=${GIT_SSL_CAINFO} in their do_configure:prepend() to fix above do_configure failure
  CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE is similar envvars, so all add into BB_ENV_PASSTHROUGH_ADDITIONS
  [1] https://github.com/nxp-imx/meta-imx/blob/styhead-6.12.3-1.0.0/meta-imx-ml/recipes-libraries/tensorflow-lite/tensorflow-lite-host-tools_2.18.0.bb
  (From OE-Core rev: 27f018d8e8ace97d0b1cdfb8782a2a7a0a319816)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: move setting of envvars to respective envfile | Changqing Li | 2025-05-02 | 4 | -0/+25
  * make git,curl,python3-requests align with openssl, move the setting of envvars into respective envfile
  * for environment.d-openssl.sh, also check if ca-certificates.crt exist before export envvars
  (From OE-Core rev: 5f4fd544d3df7365224599c9efdce4e545f51d5e)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* perl: upgrade 5.38.2 -> 5.38.4 | Archana Polampalli | 2025-05-02 | 1 | -1/+1
  update include fix for CVE-2024-56406
  https://perldoc.perl.org/5.38.4/perl5384delta
  (From OE-Core rev: a9edffbd3c129966d4028505940ae6286273f399)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* perlcross: 1.6 -> 1.6.2 | Archana Polampalli | 2025-05-02 | 1 | -1/+1
  https://github.com/arsv/perl-cross/releases/tag/1.6.2
  Provide support for Perl 5.38.4
  (From OE-Core rev: 53dc46381ee3c8b04e507707d96f048b8a31e709)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* perlcross: update 1.5.2 -> 1.6 | Alexander Kanavin | 2025-05-02 | 4 | -26/+29
  (From OE-Core rev: dee97a3d3127eeba77bc6be05dea25f89aa734e5)
  (From OE-Core rev: e78d04202b7e73b22d8434b148c52bc4bd539f81)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* git: Upgrade 2.44.1 -> 2.44.3 | Soumya Sambu | 2025-05-02 | 1 | -1/+1
  Addresses the security issues - CVE-2024-50349 and CVE-2024-52006
  Release Notes:
  https://github.com/git/git/blob/v2.44.3/Documentation/RelNotes/2.44.3.txt
  (From OE-Core rev: f4f7a3af706bd6923362633a56423526a5264c6c)
  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-jinja2: upgrade 3.1.4 -> 3.1.6 | Soumya Sambu | 2025-04-28 | 1 | -1/+4
  Includes fix for - CVE-2024-56326, CVE-2025-27516, CVE-2024-56201
  Changelog:
  https://github.com/pallets/jinja/blob/3.1.6/CHANGES.rst
  https://github.com/pallets/jinja/blob/3.1.5/CHANGES.rst
  (From OE-Core rev: a935ef8f205c9510ebc5539c133960bc72504902)
  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: patch CVE-2025-1182 | Ashish Sharma | 2025-04-28 | 2 | -0/+34
  Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b425859021d17adf62f06fb904797cf8642986ad]
  (From OE-Core rev: d27416eb05643afcd80435dd7ed27d6cd3d85650)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: patch CVE-2025-1181 | Ashish Sharma | 2025-04-19 | 3 | -0/+498
  Import patches from ubuntu:
  Upstream-Status: Backport [
  https://git.launchpad.net/ubuntu/+source/binutils/plain/debian/patches/CVE-2025-1181-pre.patch?h=applied/ubuntu/noble-security&id=d6b5bf57cf048c42e4bcd3a4ab32116d0b809774
  &&
  https://git.launchpad.net/ubuntu/+source/binutils/plain/debian/patches/CVE-2025-1181.patch?h=applied/ubuntu/noble-security&id=d6b5bf57cf048c42e4bcd3a4ab32116d0b809774
  Upstream commit: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24
  ]
  (From OE-Core rev: abb575f6ac1f5badae2825f1cb6152379a6658ee)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: patch CVE-2025-1178 & CVE-2024-57360 | Ashish Sharma | 2025-04-19 | 3 | -0/+115
  Backport Fixes for:
  *CVE-2025-1178 - Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0]
  *CVE-2024-57360 - Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=5f8987d3999edb26e757115fe87be55787d510b9]
  (From OE-Core rev: 15a7f68ce14f635acf9b988fc1958ee625de4e11)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-1176 | Ashish Sharma | 2025-04-19 | 2 | -0/+157
  Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/binutils/plain/debian/patches/CVE-2025-1176.patch?h=applied/ubuntu/jammy-security
  Upstream commit https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=f9978defb6fab0bd8583942d97c112b0932ac814]
  (From OE-Core rev: 8d02a680b415f3145f4a4ef71842f336d8e3513b)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-22871 | Hitendra Prajapati | 2025-04-16 | 2 | -0/+173
  Upstream-Status: Backport from https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931
  (From OE-Core rev: b343da566856ad17b5dc03d42d9241bcb44cad1b)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-22870 | Archana Polampalli | 2025-04-16 | 2 | -0/+81
  Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
  (From OE-Core rev: 88e79f915137edc5a37a110abdc79f5800404e45)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust-cross-canadian: Set CVE_STATUS ignore for CVE-2024-43402 | Virendra Thakur | 2025-04-07 | 1 | -0/+4
  This CVE was created because fix for CVE-2024-24576 was incomplete. Ignore the new CVE in the same way as the old one.
  See https://nvd.nist.gov/vuln/detail/CVE-2024-43402
  As per NVD, this CVE only affects to Windows platform
  Reference: https://git.yoctoproject.org/meta-lts-mixins/commit/?h=scarthgap/rust&id=13f045acf6388d1e320fd4c0f3ca19ca7a75ef44
  (From OE-Core rev: ef2ba1f04f6f21530dc4efe5c4f61cbb0c76c032)
  Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2025-27220 | Divya Chellam | 2025-04-01 | 2 | -0/+79
  In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
  Reference:
  https://security-tracker.debian.org/tracker/CVE-2025-27220
  Upstream-patch:
  https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6
  (From OE-Core rev: 8c31f8e142894f103409ee10deccc22fdeea897c)
  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu 8.2.7: ignore CVE-2023-1386 | Madhu Marri | 2025-04-01 | 1 | -0/+2
  Upstream Repository: https://gitlab.com/qemu-project/qemu.git
  Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1386
  Type: Security Advisory
  CVE: CVE-2023-1386
  Score: 3.3
  Analysis:
  - According to redhat[1] this CVE has closed as not a bug.
  Reference:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=2223985
  (From OE-Core rev: 6a5d9e3821246c39ec57fa483802e1bb74fca724)
  Signed-off-by: Madhu Marri <madmarri@cisco.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* nativesdk-libtool: sanitize the script, remove buildpaths | Denys Dmytriyenko | 2025-03-26 | 3 | -14/+15
  Use the same sed command to sanitize libtool script for target recipe and nativesdk one. Otherwise fails with buildpaths QA error:
  ERROR: nativesdk-libtool-2.5.0-r0 do_package_qa: QA Issue: File /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-pokysdk-linux/usr/bin/libtool in package nativesdk-libtool contains reference to TMPDIR [buildpaths]
  (From OE-Core rev: f08df9adf290fb6cbebff24df6bbbbe8e5ce95e0)
  Upstream-Status: Backport[https://git.yoctoproject.org/poky/commit/?id=89e184da6c9d95a99fd34334df5ac6c5ae87f13a]
  (From OE-Core rev: a720df7ad77af1f8b1c00a211c88537e5f23edbc)
  Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 89e184da6c9d95a99fd34334df5ac6c5ae87f13a)
  Signed-off-by: Nikhil R <nikhilr5@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: unify cleanup of include-fixed, apply to cross-canadian | Denys Dmytriyenko | 2025-03-26 | 4 | -31/+8
  Since target and cross variants were already doing similar cleanup of include-fixed headers, as those aren't used, unify the code and also apply the same to cross-canadian variant.
  Some of those header files get processed with a tool that leaves absolute buildpaths inside the file's commented section, causing QA errors. Since those aren't used, let's remove them.
  This may be a temporary solution until the tool itself gets fixed to not embed absolute buildpaths in the header files:
  https://lists.openembedded.org/g/openembedded-core/topic/107268307
  (From OE-Core rev: 621e0ac9308cc163fb767a27d63fff6570896b92)
  Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "gcc-cross-canadian.inc: Fix buildpaths error for pthread.h" | Steve Sakoman | 2025-03-20 | 1 | -5/+0
  This patch is causing build failures where pthread.h does not exist:
  sed: can't read No such file or directory
  This reverts commit d3c294ee0afe4d2eb46320945d41064ebfb5cbff.
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc-cross-canadian.inc: Fix buildpaths error for pthread.h | Sana Kazi | 2025-03-19 | 1 | -0/+5
  Replace the hardcoded path with /not/exist as used for other options[--with-sysroot] to ensure pthread.h does not contain hardcoded references to TMPDIR:
  ERROR: gcc-cross-canadian-x86-64-13.3.0-r0 do_package_qa: QA Issue: File
  /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-pokysdk-linux/
  usr/lib/x86_64-poky-linux/gcc/x86_64-poky-linux/13.3.0/include-fixed/
  pthread.h in package gcc-cross-canadian-x86-64 contains reference to TMPDIR [buildpaths]
  (From OE-Core rev: d3c294ee0afe4d2eb46320945d41064ebfb5cbff)
  Signed-off-by: Sana Kazi <sanakazi720@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>