path: root/meta
Commit log entries: commit message (author, date, files changed, lines removed/added)
* libsoup-2.4: Fix CVE-2024-52532 (Vijay Anusuri, 2025-05-14, 4 files, -0/+127)
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be & https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c & https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff
  (From OE-Core rev: dfde13ecffad3426846bd4b366d1e0cdb77b1be0)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup-2.4: Fix CVE-2024-52531 (Vijay Anusuri, 2025-05-14, 3 files, -0/+169)
  import patch from ubuntu to fix CVE-2024-52531
  Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches?h=ubuntu/jammy-security Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe]
  Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/ https://ubuntu.com/security/CVE-2024-52531
  (From OE-Core rev: c7ab8b45b1f533ca1b27b07c30f44b7b64a3cfde)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup-2.4: Fix CVE-2024-52530 (Vijay Anusuri, 2025-05-14, 2 files, -1/+152)
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b
  (From OE-Core rev: ef1bff79d6b84eacccff2a3f8a5c3b8ed92fe0c4)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bluez5: backport a patch to fix btmgmt -i (Jeroen Hofstee, 2025-05-08, 2 files, -0/+30)
  Without this patch btmgmt will always use hci0 in non-interactive mode.
  (From OE-Core rev: 45c50169fa7e34349acf3e24fc19e573cbab4e65)
  Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bluez5: make media control a PACKAGECONFIG option (Jeroen Hofstee, 2025-05-08, 1 file, -0/+2)
  When not building with the default PACKAGECONFIG options, the build can fail with:
    undefined reference to `media_player_controller_create'
    undefined reference to `media_player_set_status'
  Otherwise. So disable it when not set and enable it by default. The packageconfig option is the same as in Styhead.
  https://github.com/openembedded/openembedded-core/commit/ebbdb7cf5c0a3f0e6773704d4c4cc570358ec611#diff-9d9284f6f27a81c75dffffd6d601b40c8266ae12e678d0a49c46bdb8356a0e91R52
  (From OE-Core rev: 82448a6c8b720cefc200513daa41115961b43e8f)
  Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: stable 2.42 branch updates (Deepesh Varatharajan, 2025-05-08, 1 file, -1/+1)
  Below commit on binutils-2.42 stable branch is updated.
    6558f9f5f0c s390: Add support for z17 as CPU name
  Testing was done and there were no regressions found.
  (From OE-Core rev: 08d6ca500e6dd571f5882f82f6ad804bd2eec8c8)
  Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: stable 2.39 branch updates (Deepesh Varatharajan, 2025-05-08, 1 file, -1/+1)
    3463100f2d x86: Detect Intel Diamond Rapids
    e09436c2cb x86: Handle unknown Intel processor with default tuning
    7620d98186 x86: Add ARL/PTL/CWF model detection support
    765ff3d0d4 x86: Optimize xstate size calculation
    65ae73be01 x86: Use `Avoid_Non_Temporal_Memset` to control non-temporal path
    2be36448c4 x86: Tunables may incorrectly set Prefer_PMINUB_for_stringop (bug 32047)
    bde201e92c x86: Disable non-temporal memset on Skylake Server
    38a7632f2d x86: Fix value for `x86_memset_non_temporal_threshold` when it is undesirable
    cc59fa5dbc x86: Enable non-temporal memset tunable for AMD
    0da58e8be0 x86: Add seperate non-temporal tunable for memset
    837a36c371 x86: Link tst-gnu2-tls2-x86-noxsave{,c,xsavec} with libpthread
    87ab0c7f7f x86: Use separate variable for TLSDESC XSAVE/XSAVEC state size (bug 32810)
    60cd7123a6 x86: Skip XSAVE state size reset if ISA level requires XSAVE
    4cf3f9df54 x86_64: Add atanh with FMA
    01ed435e2e x86_64: Add sinh with FMA
    0edcc77fe7 x86_64: Add tanh with FMA
    7ecf0d3bde x86-64: Exclude FMA4 IFUNC functions for -mapxf
    e1fe22368e nptl: clear the whole rseq area before registration
    dd8c0c3bbd math: Improve layout of exp/exp10 data
    a1b09e59e2 AArch64: Use prefer_sve_ifuncs for SVE memset
    d0e2133470 AArch64: Add SVE memset
    0cc12d9c47 math: Improve layout of expf data
    0cd10047bf AArch64: Remove zva_128 from memset
    dd1e63ab58 AArch64: Optimize memset
    65a96a6f2b AArch64: Improve generic strlen
    4073e4ee2c AArch64: Improve codegen for SVE logs
    78abd3ef6e AArch64: Improve codegen in SVE tans
    a10183b633 AArch64: Improve codegen of AdvSIMD atan(2)(f)
    dcd1229e5b AArch64: Improve codegen of AdvSIMD logf function family
    72156cb90b AArch64: Improve codegen in AdvSIMD logs
    5e354bf4e2 AArch64: Simplify rounding-multiply pattern in several AdvSIMD routines
    80df456112 aarch64: Avoid redundant MOVs in AdvSIMD F32 logs
    d591876303 aarch64: Fix AdvSIMD libmvec routines for big-endian
    f6d48470ae assert: Add test for CVE-2025-0395
  Testresults:
    Before update     | After update      | Difference
    PASS: 5068        | PASS: 5072        | PASS: +4
    FAIL: 120         | FAIL: 120         | FAIL: 0
    XPASS: 4          | XPASS: 4          | XPASS: 0
    XFAIL: 16         | XFAIL: 16         | XFAIL: 0
    UNSUPPORTED: 157  | UNSUPPORTED: 157  | UNSUPPORTED: 0
  (From OE-Core rev: f14c2e6a6ba72673a0e30cde48ec1d5573be3e01)
  Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: mark CVE-2025-29087 as patched (Peter Marko, 2025-05-08, 1 file, -0/+1)
  Descriptions of CVE-2025-29087 and CVE-2025-3277 are very similar. There is no link from NVD, but [1] and [2] from Debian mark these two CVEs as duplicates with the same link for the patch.
  [1] https://security-tracker.debian.org/tracker/CVE-2025-29087
  [2] https://security-tracker.debian.org/tracker/CVE-2025-3277
  (From OE-Core rev: 3f951941c758b6982a3cd30d085460756b7fefd9)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* elfutils: Fix CVE-2025-1371 (Soumya Sambu, 2025-05-08, 2 files, -0/+42)
  A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2025-1371
  https://ubuntu.com/security/CVE-2025-1371
  Upstream patch: https://sourceware.org/cgit/elfutils/commit/?id=b38e562a4c907e08171c76b8b2def8464d5a104a
  (From OE-Core rev: 11c44bde4f3d9e63506ece2f9b27114914aacc4b)
  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: patch CVE-2025-46420 (Ashish Sharma, 2025-05-08, 2 files, -0/+61)
  Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/c9083869ec2a3037e6df4bd86b45c419ba295f8e]
  (From OE-Core rev: 0e4a77c928e2eb0e8b012f2bba13b2ef3929cb34)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR" (Peter Marko, 2025-05-02, 1 file, -2/+0)
  This reverts commit 7adaec468d3a61d88c990b1b319b34850bee7e44.
  It does not seem to fix the issue it was supposed to fix. Additionally it breaks code which decides on full/partial update, because it manipulates the timestamp that code is relying on.
  (From OE-Core rev: 00dd4901e364d16d96cfab864823a9cfdd336eeb)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit ebc65fdddd7ce51f0f1008baa30d0ae7918ae0bb)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: Make buildtools respects host CA certificates (Changqing Li, 2025-05-02, 5 files, -15/+88)
  To adapt to the user's network environment, buildtools should first try to use the user-configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/...; if these envs are not set, then use the auto-detected CA file and CA path, and finally use the CA certificates in buildtools.
  nativesdk-openssl sets OPENSSLDIR as "/not/builtin", need to set SSL_CERT_FILE/SSL_CERT_DIR to work
  nativesdk-curl doesn't set a default CA file, needs SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work
  nativesdk-git actually uses libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO also work
  nativesdk-python3-requests will use cacert.pem under the python module certifi by default, need to set REQUESTS_CA_BUNDLE
  (From OE-Core rev: 0653b96bac6d0800dc5154557706a323418808be)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: add envvars into BB_ENV_PASSTHROUGH_ADDITIONS (Changqing Li, 2025-05-02, 3 files, -0/+3)
  Here is one testcase:
  For recipe tensorflow-lite-host-tools_2.18.0.bb, refer [1], do_configure[network] = "1" and it will git clone some repos in CMakeLists.txt. When buildtools is used and nativesdk-git is installed into the sdk, do_configure failed with error:
    [1/9] Performing download step (git clone) for 'protobuf-populate'
    Cloning into 'protobuf'...
    fatal: unable to access 'https://github.com/protocolbuffers/protobuf/': error setting certificate file: /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-wrlinuxsdk-linux/etc/ssl/certs/ca-certificates.crt
  Fix by adding GIT_SSL_CAINFO in BB_ENV_PASSTHROUGH_ADDITIONS, so that the user can export GIT_SSL_CAINFO=${GIT_SSL_CAINFO} in their do_configure:prepend() to fix the above do_configure failure.
  CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE are similar envvars, so all are added into BB_ENV_PASSTHROUGH_ADDITIONS.
  [1] https://github.com/nxp-imx/meta-imx/blob/styhead-6.12.3-1.0.0/meta-imx-ml/recipes-libraries/tensorflow-lite/tensorflow-lite-host-tools_2.18.0.bb
  (From OE-Core rev: 27f018d8e8ace97d0b1cdfb8782a2a7a0a319816)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: move setting of envvars to respective envfile (Changqing Li, 2025-05-02, 8 files, -8/+42)
  * make git, curl, python3-requests align with openssl: move the setting of envvars into the respective envfile
  * for environment.d-openssl.sh, also check if ca-certificates.crt exists before exporting envvars
  (From OE-Core rev: 5f4fd544d3df7365224599c9efdce4e545f51d5e)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* initscripts: add function log_success_msg/log_failure_msg/log_warning_msg (Changqing Li, 2025-05-02, 2 files, -1/+21)
  * add function log_success_msg/log_failure_msg/log_warning_msg; some packages still use these functions, like mariadb, refer [1]. Without these functions, with the sysV init manager, mariadb will report an error:
      root@qemux86-64:~# /etc/init.d/mysqld status
      /etc/init.d/mysqld: line 383: log_success_msg: command not found
  * remove RCONFLICTS with lsbinitscripts, LSB support was already removed in [2]
  [1] https://github.com/MariaDB/server/blob/main/support-files/mysql.server.sh#L104
  [2] https://git.openembedded.org/openembedded-core/commit/?id=fb064356af615d67d85b65942103bf943d84d290
  [3] https://refspecs.linuxbase.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptfunc.html
  (From OE-Core rev: 90cf409ba74c4bb398199667ea2819759a720373)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tzdata/tzcode-native: upgrade 2025a -> 2025b (Priyal Doshi, 2025-05-02, 1 file, -3/+3)
  (From OE-Core rev: 0d93972dc2d67853b7ddb0d9e55522930fb51df2)
  Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit b1ff8b45da27b533477cf6d9ace7a47f7f3a28b1)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* perl: upgrade 5.38.2 -> 5.38.4 (Archana Polampalli, 2025-05-02, 1 file, -1/+1)
  The update includes a fix for CVE-2024-56406.
  https://perldoc.perl.org/5.38.4/perl5384delta
  (From OE-Core rev: a9edffbd3c129966d4028505940ae6286273f399)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* perlcross: 1.6 -> 1.6.2 (Archana Polampalli, 2025-05-02, 1 file, -1/+1)
  https://github.com/arsv/perl-cross/releases/tag/1.6.2
  Provide support for Perl 5.38.4
  (From OE-Core rev: 53dc46381ee3c8b04e507707d96f048b8a31e709)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* perlcross: update 1.5.2 -> 1.6 (Alexander Kanavin, 2025-05-02, 4 files, -26/+29)
  (From OE-Core rev: dee97a3d3127eeba77bc6be05dea25f89aa734e5)
  (From OE-Core rev: e78d04202b7e73b22d8434b148c52bc4bd539f81)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* git: Upgrade 2.44.1 -> 2.44.3 (Soumya Sambu, 2025-05-02, 1 file, -1/+1)
  Addresses the security issues CVE-2024-50349 and CVE-2024-52006.
  Release Notes: https://github.com/git/git/blob/v2.44.3/Documentation/RelNotes/2.44.3.txt
  (From OE-Core rev: f4f7a3af706bd6923362633a56423526a5264c6c)
  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glib-2.0: patch CVE-2025-3360 (Peter Marko, 2025-05-02, 7 files, -1/+336)
  Backport commits from [1] fixing [2] for 2.82.x.
  [1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4499
  [2] https://gitlab.gnome.org/GNOME/glib/-/issues/3647
  (From OE-Core rev: 2047764e0126ee6273d9c340235ddc2e3cdfea2f)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: patch CVE-2025-32415 (Peter Marko, 2025-05-02, 2 files, -0/+40)
  Pick commit from 2.13 branch as 2.12 branch is unmaintained now.
  (From OE-Core rev: 2335d4f0d1826647eaee224c469331980fc84ed2)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: patch CVE-2025-32414 (Peter Marko, 2025-05-02, 2 files, -0/+75)
  Pick commit which has been backported to 2.12 release branch.
  (From OE-Core rev: 187052ce4ddd43b46b8335cc955a63ca19ee6994)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ppp: patch CVE-2024-58250 (Peter Marko, 2025-05-02, 2 files, -1/+195)
  Backport patch to remove vulnerable component.
  This is a breaking change, but there will be no other fix for this CVE as upstream did the deletion without providing a fix first. If someone really needs this feature, which the commit message describes as deprecated, bbappend with patch removal is possible.
  License-Update: passprompt plugin removed
  (From OE-Core rev: 5350ef531ded14f0b4c32c211aaf993354be1ec9)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libpam: Update fix for CVE-2024-10041 (Shubham Kulkarni, 2025-05-02, 3 files, -1/+79)
  Initially, the PAM community fixed CVE-2024-10041 in version v1.6.0 via commit b3020da. But not all cases were covered with this fix and issues were reported after the release. In the v1.6.1 release, the PAM community fixed these issues via commit b7b9636.
  Backport this commit b7b9636, which Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
  Backport from https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620
  (From OE-Core rev: 78a04ce17e7d828c0cf8cae2164882683d46275e)
  Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bluez5: add missing tools to noinst-tools package (Guðni Már Gilbert, 2025-04-28, 1 file, -1/+7)
  This change will prevent these tools from being installed if the image doesn't install the bluez5-noinst-tools package.
    BlueZ 5.66: tools/mesh-tester
    BlueZ 5.66: tools/ioctl-tester
    BlueZ 5.65: tools/iso-tester
    BlueZ 5.56: tools/btpclientctl
    BlueZ 5.51: tools/bcmfw
    BlueZ 5.49: tools/rtlfw
    BlueZ 5.47: tools/btconfig (not a new tool, but it was moved from bin_PROGRAMS to noinst_PROGRAMS)
  (From OE-Core rev: 87cadf62ba0d6b0fc3dc0151a5d320919b7eb1ab)
  Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-jinja2: upgrade 3.1.4 -> 3.1.6 (Soumya Sambu, 2025-04-28, 1 file, -1/+4)
  Includes fixes for CVE-2024-56326, CVE-2025-27516, CVE-2024-56201
  Changelog:
  https://github.com/pallets/jinja/blob/3.1.6/CHANGES.rst
  https://github.com/pallets/jinja/blob/3.1.5/CHANGES.rst
  (From OE-Core rev: a935ef8f205c9510ebc5539c133960bc72504902)
  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: upgrade 255.17 -> 255.18 (Guðni Már Gilbert, 2025-04-28, 28 files, -34/+34)
  The update includes 82 commits. The full list of changes can be found on Github [1].
  All patches were refreshed with devtool.
  [1] systemd/systemd-stable@v255.17...v255.18
  (From OE-Core rev: 121e1fb42c4c909115bc550585b2ebcb3a13e0a5)
  Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: fix CVE-2025-0167 (Yogita Urade, 2025-04-28, 2 files, -0/+179)
  When asked to use a `.netrc` file for credentials *and* to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.
  This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-0167
  Upstream patch: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e
  (From OE-Core rev: b74dba43f2d6896245232373f2a9fdf07086a237)
  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: fix CVE-2024-11053 (Yogita Urade, 2025-04-28, 4 files, -0/+1214)
  When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.
  This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
  CVE-2024-11053-0001 is the dependent commit, CVE-2024-11053-0002 is the actual CVE fix, and the actual fix caused a regression that was fixed by CVE-2024-11053-0003.
  Reference:
  https://curl.se/docs/CVE-2024-11053.html
  https://git.launchpad.net/ubuntu/+source/curl/commit/?h=applied/ubuntu/noble-devel&id=9ea469c352a313104f750dea93e78df8d868c435
  Upstream patches:
  https://github.com/curl/curl/commit/9bee39bfed2c413b4cc4eb306a57ac92a1854907
  https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af3194
  https://github.com/curl/curl/commit/9fce2c55d4b0273ac99b59bd8cb982a6d96b88cf
  (From OE-Core rev: 084d8ca3b47b47333edba87f6aa427a12ee574f2)
  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: patch CVE-2025-29088 (Peter Marko, 2025-04-28, 2 files, -0/+180)
  Pick commit [1] mentioned in [2].
  [1] https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
  [2] https://nvd.nist.gov/vuln/detail/CVE-2025-29088
  (From OE-Core rev: 6a65833a53487571b1ed0831dcc0b1fb04946557)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sqlite3: patch CVE-2025-3277 (Peter Marko, 2025-04-28, 2 files, -1/+31)
  Pick commit [1] mentioned in [2].
  [1] https://sqlite.org/src/info/498e3f1cf57f164f
  [2] https://nvd.nist.gov/vuln/detail/CVE-2025-3277
  (From OE-Core rev: 2f800295919ac337f038e1678f4c0abb2a6e7f95)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: patch CVE-2025-1182 (Ashish Sharma, 2025-04-28, 2 files, -0/+34)
  Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b425859021d17adf62f06fb904797cf8642986ad]
  (From OE-Core rev: d27416eb05643afcd80435dd7ed27d6cd3d85650)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32906 (Vijay Anusuri, 2025-04-28, 3 files, -0/+146)
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f
  (From OE-Core rev: c3ba6b665a907b8f8340aedcbf51bef79f1048b8)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32912 (Vijay Anusuri, 2025-04-28, 3 files, -0/+73)
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f
  (From OE-Core rev: f18f762edd7ffa02ead1f382856066d2157015ed)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32911 & CVE-2025-32913 (Vijay Anusuri, 2025-04-28, 3 files, -0/+118)
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0
  (From OE-Core rev: c1bf4fca316c67b9ce1134c7e5bdc9c0ac9ab878)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32909 (Vijay Anusuri, 2025-04-28, 2 files, -0/+37)
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92
  (From OE-Core rev: 9eba43f18664a20d7f5dc8942eb39cfbd83c066e)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix CVE-2025-32910 (Vijay Anusuri, 2025-04-28, 4 files, -0/+277)
  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe & https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a & https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832
  (From OE-Core rev: c9c6c8c5be4df8cb2c44f1e6fe0954c9ee666e5a)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to scarthgap head revision [tags: yocto-5.0.9, scarthgap-5.0.9] (Steve Sakoman, 2025-04-19, 1 file, -1/+1)
  (From OE-Core rev: 04038ecd1edd6592b826665a2b787387bb7074fa)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: rewrite ptest installation (Vishwas Udupa, 2025-04-19, 2 files, -40/+46)
  Rewrite (again) the openssl test suite installation.
  Depend on and reuse already installed libraries and modules instead of installing them twice. Be more selective when installing from the build tree so we don't install intermediate .c .d .o files.
  This further reduces the size of openssl-dbg from ~120MB to ~18MB.
  (From OE-Core rev: 8baa0ce7eae65026cb3a784adaf3a4fc724ce9c9)
  Upstream-Status: Backport[https://git.yoctoproject.org/poky/commit/?id=76212866402edb947f745f837e3c3b98b3056e58]
  (From OE-Core rev: b3cd05f123625c4c301fee925cdbb9641bc73412)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 76212866402edb947f745f837e3c3b98b3056e58)
  Signed-off-by: Vishwas Udupa <quic_vudupa@quicinc.com>
  Change-Id: Ifc0e3a019c2abe5142d0f1e359ae5aa33dae1608
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libarchive: upgrade 3.7.4 -> 3.7.9 (Peter Marko, 2025-04-19, 6 files, -285/+5)
  This is an update with only bug and security releases. On top of previous CVE patches, CVE-2024-48615 is also handled. Also many security fixes without CVE assignment are included.
  Note that the upgrade to 3.7.5 on master required a fix of a test in python3-libarchive-c; however that recipe does not yet have ptest in scarthgap and the fix was in test only, not in productive code, so it is not necessary in scarthgap.
  Also remove CVE_STATUS which was obsolete already before this upgrade.
  (From OE-Core rev: f20516a3ed8a39d7e4deddf11dd2acd871894048)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: patch CVE-2025-1181 (Ashish Sharma, 2025-04-19, 3 files, -0/+498)
  Import patches from ubuntu:
  Upstream-Status: Backport [ https://git.launchpad.net/ubuntu/+source/binutils/plain/debian/patches/CVE-2025-1181-pre.patch?h=applied/ubuntu/noble-security&id=d6b5bf57cf048c42e4bcd3a4ab32116d0b809774 && https://git.launchpad.net/ubuntu/+source/binutils/plain/debian/patches/CVE-2025-1181.patch?h=applied/ubuntu/noble-security&id=d6b5bf57cf048c42e4bcd3a4ab32116d0b809774 Upstream commit: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24 ]
  (From OE-Core rev: abb575f6ac1f5badae2825f1cb6152379a6658ee)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: patch CVE-2025-1178 & CVE-2024-57360 (Ashish Sharma, 2025-04-19, 3 files, -0/+115)
  Backport Fixes for:
  * CVE-2025-1178 - Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0]
  * CVE-2024-57360 - Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=5f8987d3999edb26e757115fe87be55787d510b9]
  (From OE-Core rev: 15a7f68ce14f635acf9b988fc1958ee625de4e11)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-1176 (Ashish Sharma, 2025-04-19, 2 files, -0/+157)
  Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/binutils/plain/debian/patches/CVE-2025-1176.patch?h=applied/ubuntu/jammy-security Upstream commit https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=f9978defb6fab0bd8583942d97c112b0932ac814]
  (From OE-Core rev: 8d02a680b415f3145f4a4ef71842f336d8e3513b)
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* patch.py: set commituser and commitemail for addNote (Changqing Li, 2025-04-16, 1 file, -6/+8)
  When PATCHTOOL is set to 'git' and the user doesn't set up user.name and user.email for git, do_patch fails with the following error; fix by passing -c options.
    CmdError("git notes --ref refs/notes/devtool append -m 'original patch: 0001-PATCH-increase-to-cpp17-version.patch' HEAD", 0, 'stdout:
    stderr: Author identity unknown
    *** Please tell me who you are.
    Run
      git config --global user.email "you@example.com"
      git config --global user.name "Your Name"
  (From OE-Core rev: 9de38ac99c2b19f549c00ea5277faf621c6f4e65)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: upgrade 10.04.0 -> 10.05.0 (Archana Polampalli, 2025-04-16, 1 file, -1/+1)
  This upgrade addresses CVEs:
    CVE-2025-27835
    CVE-2025-27832
    CVE-2025-27831
    CVE-2025-27836
    CVE-2025-27830
    CVE-2025-27833
    CVE-2025-27833
    CVE-2025-27834
  Changelog: https://ghostscript.readthedocs.io/en/gs10.05.0/News.html
  (From OE-Core rev: 2c851f74fa72c30d447d59d450eb9bc036404f55)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-22871 (Hitendra Prajapati, 2025-04-16, 2 files, -0/+173)
  Upstream-Status: Backport from https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931
  (From OE-Core rev: b343da566856ad17b5dc03d42d9241bcb44cad1b)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xz: patch CVE-2025-31115 (Peter Marko, 2025-04-16, 5 files, -0/+339)
  Cherry-pick commits from [1] linked from [2] from branch v5.4
  [1] https://tukaani.org/xz/xz-cve-2025-31115.patch
  [2] https://tukaani.org/xz/threaded-decoder-early-free.html
  (From OE-Core rev: 952ea12f08a4e42f787a21fb98adaf4b17d0aee1)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xz: upgrade 5.4.6 -> 5.4.7 (Peter Marko, 2025-04-16, 1 file, -2/+2)
  License-Update: homepage update in [1]
  [1] https://github.com/tukaani-project/xz/commit/c5c091332c6953a0ce940cb355ea9e99491429fc
  (From OE-Core rev: e6565ca37da4821f8e3924fe6bc6a6f4eeedd9a9)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: add workaround for json5 style list (Peter Marko, 2025-04-16, 1 file, -0/+5)
  NVD responses changed to an invalid json between:
  * April 5, 2025 at 3:03:44 AM GMT+2
  * April 5, 2025 at 4:19:48 AM GMT+2
  The last response is since then in format
    {
      "resultsPerPage": 625,
      "startIndex": 288000,
      "totalResults": 288625,
      "format": "NVD_CVE",
      "version": "2.0",
      "timestamp": "2025-04-07T07:17:17.534",
      "vulnerabilities": [
        {...},
        ...
        {...},
      ]
    }
  Json does not allow a trailing , in responses; that is json5 format. So the cve-update-nvd2-native do_Fetch task fails with a log backtrace ending:
    ...
    File: '/builds/ccp/meta-siemens/projects/ccp/../../poky/meta/recipes-core/meta/cve-update-nvd2-native.bb', lineno: 234, function: update_db_file
      0230:    if raw_data is None:
      0231:        # We haven't managed to download data
      0232:        return False
      0233:
      *** 0234:    data = json.loads(raw_data)
      0235:
      0236:    index = data["startIndex"]
      0237:    total = data["totalResults"]
      0238:    per_page = data["resultsPerPage"]
    ...
    File: '/usr/lib/python3.11/json/decoder.py', lineno: 355, function: raw_decode
      0351:        """
      0352:        try:
      0353:            obj, end = self.scan_once(s, idx)
      0354:        except StopIteration as err:
      *** 0355:            raise JSONDecodeError("Expecting value", s, err.value) from None
      0356:        return obj, end
    Exception: json.decoder.JSONDecodeError: Expecting value: line 1 column 1442633 (char 1442632)
    ...
  There was no announcement about the json format of API v2.0 by nvd. Also this happens only if the whole database is queried (database update is fine, even when multiple pages are queried). And lastly it's only the cve list; all other lists inside are fine. So this looks like a bug in NVD 2.0 introduced with some update.
  Patch this with simple character deletion for now and let's monitor the situation and possibly switch to json5 in the future. Note that there is no native json5 support in python; we'd have to use one of the external libraries for it.
  (From OE-Core rev: 4358fdfdd7a8908df98f7c4def2c8c1a6efb7256)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 6e526327f5c9e739ac7981e4a43a4ce53a908945)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>