path: root/meta/recipes-support
Commit message | Author | Age | Files | Lines
...
* buildtools-tarball: move setting of envvars to respective envfile | Changqing Li | 2025-05-02 | 2 | -0/+12
  * make git,curl,python3-requests align with openssl, move the setting of envvars into respective envfile
  * for environment.d-openssl.sh, also check if ca-certificates.crt exist before export envvars
  (From OE-Core rev: 5f4fd544d3df7365224599c9efdce4e545f51d5e)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: fix CVE-2025-0167 | Yogita Urade | 2025-04-28 | 2 | -0/+179
  When asked to use a `.netrc` file for credentials *and* to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-0167
  Upstream patch: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e
  (From OE-Core rev: b74dba43f2d6896245232373f2a9fdf07086a237)
  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: fix CVE-2024-11053 | Yogita Urade | 2025-04-28 | 4 | -0/+1214
  When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
  CVE-2024-11053-0001 is the dependent commit, CVE-2024-11053-0002 is actual CVE fix and the actual fix caused a regression that was fixed by CVE-2024-11053-0003.
  Reference:
  https://curl.se/docs/CVE-2024-11053.html
  https://git.launchpad.net/ubuntu/+source/curl/commit/?h=applied/ubuntu/noble-devel&id=9ea469c352a313104f750dea93e78df8d868c435
  Upstream patches:
  https://github.com/curl/curl/commit/9bee39bfed2c413b4cc4eb306a57ac92a1854907
  https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af3194
  https://github.com/curl/curl/commit/9fce2c55d4b0273ac99b59bd8cb982a6d96b88cf
  (From OE-Core rev: 084d8ca3b47b47333edba87f6aa427a12ee574f2)
  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: patch CVE-2025-29088 | Peter Marko | 2025-04-28 | 2 | -0/+180
  Pick commit [1] mentioned in [2].
  [1] https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
  [2] https://nvd.nist.gov/vuln/detail/CVE-2025-29088
  (From OE-Core rev: 6a65833a53487571b1ed0831dcc0b1fb04946557)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: patch CVE-2025-3277 | Peter Marko | 2025-04-28 | 2 | -1/+31
  Pick commit [1] mentioned in [2].
  [1] https://sqlite.org/src/info/498e3f1cf57f164f
  [2] https://nvd.nist.gov/vuln/detail/CVE-2025-3277
  (From OE-Core rev: 2f800295919ac337f038e1678f4c0abb2a6e7f95)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32906 | Vijay Anusuri | 2025-04-28 | 3 | -0/+146
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f
  (From OE-Core rev: c3ba6b665a907b8f8340aedcbf51bef79f1048b8)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32912 | Vijay Anusuri | 2025-04-28 | 3 | -0/+73
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f
  (From OE-Core rev: f18f762edd7ffa02ead1f382856066d2157015ed)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32911 & CVE-2025-32913 | Vijay Anusuri | 2025-04-28 | 3 | -0/+118
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0
  (From OE-Core rev: c1bf4fca316c67b9ce1134c7e5bdc9c0ac9ab878)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32909 | Vijay Anusuri | 2025-04-28 | 2 | -0/+37
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92
  (From OE-Core rev: 9eba43f18664a20d7f5dc8942eb39cfbd83c066e)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32910 | Vijay Anusuri | 2025-04-28 | 4 | -0/+277
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe & https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a & https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832
  (From OE-Core rev: c9c6c8c5be4df8cb2c44f1e6fe0954c9ee666e5a)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.1115 -> 9.1.1198 | Vijay Anusuri | 2025-04-01 | 1 | -2/+2
  This includes CVE-fix for CVE-2025-27423 and CVE-2025-29768
  Changes between 9.1.1115 -> 9.1.1198
  ====================================
  https://github.com/vim/vim/compare/v9.1.1115...v9.1.1198
  (From OE-Core rev: a6cf72f3a01d8e6ea310d6759d5b98813e3edaac)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 8e540bd287fd56e3a714f81395b59dd508a6d957)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* icu: Adjust ICU_DATA_DIR path on big endian targets | Makarios Christakis | 2025-03-26 | 1 | -1/+1
  On big-endian systems the preprocessor define ICU_DATA_DIR is currently being set to a path ending with the ${PV} of the recipe. The PV version string has changed to a '-' separator since oe-core commit cebe8439cdc656d53355506a31a3782312bf03c5 whereas the build system installs the data files into a path ending with the dot-separated version of ICU. This causes the ICU data file to not be detected at runtime, consequently breaking any dependant applications.
  We therefore substitute ${PV} with the dot-separated version string of ICU, as returned from the icu_install_folder function, on the ICU_DATA_DIR define on big-endian targets.
  (From OE-Core rev: 345ebe7046eab4a0588aa33c595f48cfe90f899e)
  Signed-off-by: Makarios Christakis <makchrbiz@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 28cdc0110def011e3d690da1d591076385267ef7)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxslt: upgrade 1.1.39 -> 1.1.43 | Vijay Anusuri | 2025-03-26 | 1 | -2/+2
  Include fixes for CVE-2024-24855 and CVE-2024-55549
  Release Notes: https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43
  Remove mem-debug option [1]
  [1] https://gitlab.gnome.org/GNOME/libxslt/-/commit/c65a7c05f98ea4e9fae1247510b45db9dd3ec907
  (From OE-Core rev: 7196f0a9a9f31c8692cd54877e6a34d10947b5c7)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.1043 -> 9.1.1115 | Divya Chellam | 2025-03-15 | 1 | -2/+2
  This includes CVE-fix for CVE-2025-26603 and CVE-2025-1215
  Changes between 9.1.1043 -> 9.1.1115
  ====================================
  https://github.com/vim/vim/compare/v9.1.1043...v9.1.1115
  (From OE-Core rev: f390badfe5b3a1a8cc70051075a5e641ff5abf2c)
  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libtasn1: upgrade 4.19.0 -> 4.20.0 | Vijay Anusuri | 2025-03-10 | 1 | -4/+3
  * Noteworthy changes in release 4.20.0 (2025-02-01) [stable]
  - The release tarball is now reproducible.
  - We publish a minimal source-only tarball generated by 'git archive'.
  - Update gnulib files and various build/maintenance fixes.
  - Fix CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF elements
  License-Update: file COPYING.LESSER renamed to COPYING.LESSERv2 & Copyright year updated to 2025
  (From OE-Core rev: fc5814dfa49c67157def00b323656f15e8bc457b)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: ignore CVE-2025-0725 | Poonam Jadhav | 2025-03-08 | 1 | -0/+2
  CVE-2025-0725 can only trigger for curl when using a runtime zlib version 1.2.0.3 or older and scarthgap supports zlib 1.3.1 version, hence ignore cve for scarthgap
  https://curl.se/docs/CVE-2025-0725.html
  (From OE-Core rev: 8c3b4a604b40260e7ca9575715dd8017e17d35c0)
  Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libcap: fix CVE-2025-1390 | Hitendra Prajapati | 2025-02-28 | 2 | -0/+37
  Upstream-Status: Backport from https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878
  (From OE-Core rev: b975db55f6e0d551e69c870620292b58425f9aab)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* icu: remove host references in nativesdk to fix reproducibility | Oleksandr Hnatiuk | 2025-02-21 | 1 | -9/+24
  Fix is only done for target. Use same code for nativesdk.
  Backport from poky master: https://git.yoctoproject.org/poky/commit/?id=c63b8f28ac52047fad689b78d605aa792baf1ad8
  (From OE-Core rev: dc6306883cc2c7d4d98d595442e5bf4037a160c5)
  (From OE-Core rev: fc46705cc629a151f85717a57f7d789de8fd9b64)
  Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
  Signed-off-by: Oleksandr Hnatiuk <ohnatiuk@cisco.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit c63b8f28ac52047fad689b78d605aa792baf1ad8)
  Signed-off-by: Bhabu Bindu <bindu.bhabu@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.0764 -> 9.1.1043 | Divya Chellam | 2025-02-21 | 1 | -2/+2
  This includes CVE-fix for CVE-2025-22134 and CVE-2025-24014
  Changes between 9.1.0764 -> 9.1.1043
  ====================================
  https://github.com/vim/vim/compare/v9.1.0764...v9.1.1043
  (From OE-Core rev: 00b97ae6e1aa2c1cad2ff23e4eedab1d55af6f4f)
  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnutls: patch CVE-2024-12243 | Peter Marko | 2025-02-21 | 2 | -0/+1150
  Backport following patch to address this CVE: https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892
  (From OE-Core rev: e5316a9019e6b9ad5a66b6070ea863705a26c633)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnupg: upgrade 2.4.4 -> 2.4.5 | Wang Mingyu | 2025-02-12 | 1 | -1/+1
  Changelog:
  ==========
  * gpg,gpgv: New option --assert-pubkey-algo.
  * gpg: Emit status lines for errors in the compression layer.
  * gpg: Fix invocation with --trusted-keys and --no-options.
  * gpgsm: Allow for a longer salt in PKCS#12 files.
  * gpgtar: Make --status-fd=2 work on Windows.
  * scd: Support for the ACR-122U NFC reader.
  * scd: Support D-TRUST ECC cards.
  * scd: Allow auto detaching of kernel drivers; can be disabled with the new compatibility-flag ccid-no-auto-detach.
  * scd: Allow setting a PIN length of 6 also with a reset code for openpgp cards.
  * agent: Allow GET_PASSPHRASE in restricted mode.
  * dirmngr: Trust system's root CAs for checking CRL issuers.
  * dirmngr: Fix regression in 2.4.4 in fetching keys via hkps.
  * gpg-wks-client: Make option --mirror work properly w/o specifying domains.
  * g13,gpg-wks-client: Allow command style options as in "g13 mount foo".
  * Allow tilde expansion for the foo-program options.
  * Make the getswdb.sh tool usable outside the GnuPG tree.
  (From OE-Core rev: a596d0e3802486dce9eeee2a9cbfdc6372a182d5)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* boost: fix do_fetch error | Jiaying Song | 2025-01-25 | 1 | -1/+1
  Change the SRC_URI to the correct value due to the following error:
  WARNING: boost-native-1.84.0-r0 do_fetch: Checksum failure encountered with download of https://boostorg.jfrog.io/artifactory/main/release/1.84.0/source/boost_1_84_0.tar.bz2 - will attempt other sources if available
  (From OE-Core rev: 7ecd0d5584b7692b58ac8039b4107c4e0836d553)
  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libgcrypt: Fix building error with '-O2' in sysroot path | Robert Yang | 2024-12-06 | 3 | -40/+65
  * Backport a patch to fix:
    $ . oe-init-build-env build-O2
    $ bitbake libgcrypt
    random/rndjent.c:40:10: fatal error: stdio.h: No such file or directory
  * Remove 0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch which is fixed by the backported patch.
  Note, master branch's libgcrypt_1.11.0.bb has already fixed this problem.
  (From OE-Core rev: c091ae2c6d45a95f0707b649bbe556275420e5e9)
  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: fix CVE-2024-52530, CVE-2024-52531 | Changqing Li | 2024-12-06 | 5 | -0/+446
  CVE-2024-52531: GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. Input received over the network cannot trigger this.
  Refer: https://nvd.nist.gov/vuln/detail/CVE-2024-52531
  CVE-2024-52530: GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header.
  Refer: https://nvd.nist.gov/vuln/detail/CVE-2024-52530
  (From OE-Core rev: 0af9ac076cdbab70f526520acbbb0c38d237c407)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* shared-mime-info: drop itstool-native from DEPENDS | Guðni Már Gilbert | 2024-11-26 | 1 | -1/+1
  itstool was dropped as a dependency in shared-mime-info release v2.2 (2022-03-27)
  (From OE-Core rev: 604afb6f71e6bcefc89319d8066a87c27bb55352)
  Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: fix CVE-2024-52532 | Hitendra Prajapati | 2024-11-26 | 3 | -1/+82
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be && https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c
  (From OE-Core rev: 5a28744c74270905d4b29285589a399df4c9cb68)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* enchant2: fix do_fetch error | Jiaying Song | 2024-11-18 | 1 | -1/+1
  Change the SRC_URI to the correct value due to the following error:
  WARNING: enchant2-2.6.7-r0 do_fetch: Failed to fetch URL https://github.com/AbiWord/enchant/releases/download/v2.6.7/enchant-2.6.7.tar.gz, attempting MIRRORS if available
  (From OE-Core rev: 15337a58f77de3d0a30b73fcd836349df811ca39)
  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: patch CVE-2024-9681 | Peter Marko | 2024-11-18 | 2 | -0/+86
  Picked commit [1] per solution described in [2].
  [1] https://github.com/curl/curl/commit/a94973805df96269bf
  [2] https://curl.se/docs/CVE-2024-9681.html
  (From OE-Core rev: 19663c559b72a0d14ddd0792be325284a6e16edc)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* icu: update patch Upstream-Status | Ross Burton | 2024-10-30 | 1 | -3/+1
  (From OE-Core rev: d49f8eaf777152237b626750c17dbbcadd4c1939)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 717eb63df55f11d3eb4353ae1364a5781adfce76)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: upgrade 3.45.1 -> 3.45.3 | Anuj Mittal | 2024-10-30 | 1 | -1/+1
  (From OE-Core rev: a5c24e05e8397e2e353d2d27d9da98375f6ec036)
  (From OE-Core rev: 3d42e2e7328bfc0066cf3a7a90ae447f3961c5f4)
  Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.0698 -> 9.1.0764 | Rohini Sangam | 2024-10-30 | 1 | -2/+2
  This includes CVE-fix for CVE-2024-45306 and CVE-2024-47814
  Changes between 9.1.0698 -> 9.1.0764
  ====================================
  https://github.com/vim/vim/compare/v9.1.0698...v9.1.0764
  (From OE-Core rev: 7dc4956d4eeb1ffe7fe5df1ed55197c0b5a1bc79)
  Signed-off-by: Rohini Sangam <rsangam@mvista.com>
  Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 2f0e5e63399e544063c79b0b1f9555c820b0604c)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libpcre2: Update base uri PhilipHazel -> PCRE2Project | Khem Raj | 2024-10-18 | 1 | -1/+1
  (From OE-Core rev: 31861ad29c18ee76185970335fe86441ffba0442)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit bd6d18228835773163a085070651e13ed961d66d)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ptest-runner: Update 2.4.4 -> 2.4.5 | Jörg Sommer | 2024-10-18 | 1 | -1/+1
  Changelog:
  aea9f42 ptest_list_remove: Fix pointer adjustment of prev and next
  (From OE-Core rev: edb7968fe272e6afd89b01471f7949ccf730f295)
  Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit f70ec9bcd379b5fc4c85d7479d42789c2e22f4a9)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnupg: Document CVE-2022-3219 and mark wontfix | Khem Raj | 2024-10-11 | 1 | -0/+1
  (From OE-Core rev: f10f9c3a8d2c17d5a6c3f0b00749e5b34a66e090)
  (From OE-Core rev: 1bce8a63edd93070bdd8e8a518a6d359e3fbf0ba)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: fix CVE-2024-8096 | Hitendra Prajapati | 2024-10-02 | 2 | -0/+208
  Upstream-Status: Backport from https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f
  (From OE-Core rev: 6efcd8aea340186df484afc07a2b63a2c2a3af66)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.0682 -> 9.1.0698 | Siddharth Doshi | 2024-09-19 | 1 | -2/+2
  This includes CVE-fix for CVE-2024-43790 and CVE-2024-43802
  Changes between 9.1.0682 -> 9.1.0698
  ====================================
  https://github.com/vim/vim/compare/v9.1.0682...v9.1.0698
  (From OE-Core rev: 829e474534777b2154f1b1246c5792b3159dacb1)
  Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit e530265415d93e3f49ec7874cf720aad18ab2e22)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* apr: upgrade 1.7.4 -> 1.7.5 | Vijay Anusuri | 2024-09-09 | 2 | -2/+2
  Refreshed patch 0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch
  Includes security fix CVE-2023-49582
  changelog: https://downloads.apache.org/apr/CHANGES-APR-1.7
  (From OE-Core rev: e650030ec8fe37b84e6ae37a2305453cc59fda31)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit c5d9498466526451910fa02862f8860b2bb81df8)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* apr: drop 0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch | Alexander Kanavin | 2024-09-09 | 2 | -51/+0
  At some point this became unnecessary, as tested by building apr with DISTRO_FEATURES:append = " ld-is-gold"
  The logs do confirm that (previously) problematic binary links without errors.
  (From OE-Core rev: c04d1ca0d4f1c7236a5093e7be5ef51633c503fd)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit c041932f14cf552b0446732ce0cca6537f3286ab)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libcap-ng: update SRC_URI | Changqing Li | 2024-09-03 | 2 | -4/+6
  Refer [1], people.redhat.com has certificate issue, so update SRC_URI to fix do_fetch warning
  [1] https://github.com/stevegrubb/libcap-ng/issues/56
  (From OE-Core rev: ba5d05337c97ec14d00939f02ecdd6aeab126822)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.0114 -> 9.1.0682 | Siddharth Doshi | 2024-09-03 | 2 | -42/+2
  This includes CVE-fix for CVE-2024-41957, CVE-2024-41965 and CVE-2024-43374
  Changes between 9.1.0114 -> 9.1.0682
  ====================================
  https://github.com/vim/vim/compare/v9.1.0114...v9.1.0682
  Note:
  ====
  Removed patch "vim-add-knob-whether-elf.h-are-checked.patch" as libelf checks are removed from configure.ac as per commit https://github.com/vim/vim/commit/1acc67ac4412aa9a75d1c58ebf93f2b29585a960
  (From OE-Core rev: ad71057a09ec6304cee3771122224af011ee9087)
  Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 6d2938e53cad5d9bf2e78a5403e9f9fab1db77b4)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: Ignore CVE-2024-32928 | Simone Weiß | 2024-09-03 | 1 | -0/+1
  This CVE affects google cloud services that utilize libcurl wrongly.
  (From OE-Core rev: d8aeaaf2d2ac3308af1ec442795e9714f0e6fc8c)
  Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 27ac7879711e7119b4ec8b190b0a9da5b3ede269)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: Patch CVE-2024-7264 | Peter Marko | 2024-09-03 | 3 | -0/+379
  Pick commits per https://curl.se/docs/CVE-2024-7264.html
  (From OE-Core rev: 0f1c4b8ae80dc90ee4ed89c4b99da2dca75dd247)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libyaml: Ignore CVE-2024-35325 | Peter Marko | 2024-09-03 | 1 | -0/+1
  This is similar CVE as the previous ones from the same author. https://github.com/yaml/libyaml/issues/303 explain why this is misuse (or wrong use) of libyaml.
  (From OE-Core rev: f233c1b7d55fbc8c1968c105905462eed5c793e6)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libyaml: ignore CVE-2024-35326 | Peter Marko | 2024-08-19 | 1 | -0/+1
  This is the same problem as already ignored CVE-2024-35328. See also this comment in addition: https://github.com/yaml/libyaml/issues/298#issuecomment-2167684233
  (From OE-Core rev: 2b6391599a621e59d48da213f18bbef9b44bec58)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: correct the PACKAGECONFIG for native/nativesdk | Changqing Li | 2024-08-10 | 1 | -2/+2
  Since commit 148de08220 [ curl: Update from 8.2.1 to 8.3.0 ], --enable-crypto-auth option was removed and split into separate options for basic-auth, bearer-auth, digest-auth, kerberos-auth negotiate-auth, and aws. In this commit, --enable-crypto-auth is removed from EXTRA_OECONF, and the separate options is added into PACKAGECONFIG for target. But not added into PACKAGECONFIG for native/nativesdk, this make curl/git in buildtools not works well to connect basic auth https server.
  Failed commands:
  git ls-remote https://xxx(input username/passwd)
  curl -u name:passwd https://xxx
  Error: Authentication failed xxx HTTP/1.1 401 Unauthorized
  (From OE-Core rev: 67b98253ea70a1e2850a78bb101c934093d30937)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: Patch CVE-2024-6197 | Peter Marko | 2024-08-10 | 2 | -0/+25
  Picked commit per https://curl.se/docs/CVE-2024-6197.html
  (From OE-Core rev: 0f172ed0c94d287c96ec465e4724c8b47f846a4c)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gpgme: move gpgme-tool to own sub-package | Patrick Wicki | 2024-08-06 | 1 | -3/+13
  The gpgme-tool binary is licensed GPL-3.0-or-later. Split it out into its own package that can be opted out of.
  (From OE-Core rev: 09fe1a471c570c09e8219c6cc57eb5252a5caa54)
  Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit bbcd56bace90f4a148960a7108dc8d0e6c364903)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libyaml: Fix warning regarding unpatched CVE | Niko Mauno | 2024-08-06 | 1 | -0/+2
  This commit incorporates changes in following master branch commits:
  f3479f74c9 libyaml: Amend CVE status as 'upstream-wontfix'
  3ebb2ca832 libyaml: Change CVE status to wontfix
  56b6b35626 libyaml: Update status of CVE-2024-35328
  which mitigate the following warning with cve-check.bbclass:
  WARNING: libyaml-native-0.2.5-r0 do_cve_check: Found unpatched CVE (CVE-2024-35328), for more information check .../tmp/work/x86_64-linux/libyaml-native/0.2.5/temp/cve.log
  (From OE-Core rev: a88c83ba93346b62c2a360ab71bacc57585fec60)
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libnl: change HOMEPAGE | Chen Qi | 2024-07-26 | 1 | -1/+1
  http://www.infradead.org/~tgr/libnl/ stops at 2014, the current official home page should be the github one.
  (From OE-Core rev: bc68ac83d158f3f0b2f67f89f541faecb094ea43)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit cfe7659e4c553c51d39322b378ac7fb2891c2dc6)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vte: fix CVE-2024-37535 | Hitendra Prajapati | 2024-07-23 | 3 | -1/+153
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2 && https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39
  (From OE-Core rev: dd5482d64587124bd5060c7b3532f0e90b94c367)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>