[04/11] migration-guides/release-notes-5.2.rst: add security fixes

Add security fixes by going through the log between yocto-5.1 and
walnascar branch tip on Poky.

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
 .../migration-guides/release-notes-5.2.rst         | 67 ++++++++++++++++++++++
 1 file changed, 67 insertions(+)

Hi all.

* CVEs that have been fixed but are not on the list

< +   * -  ``gstreamer1.0``
< +     - :cve_nist:`2024-47606`
< +   * -  ``gstreamer1.0-plugins-base``
< +     - :cve_nist:`2024-47538`, :cve_nist:`2024-47541`, :cve_nist:`2024-47542`,  :cve_nist:`2024-47600`, 
:cve_nist:`2024-47607`, :cve_nist:`2024-47615`, :cve_nist:`2024-47835`
< +   * -  ``gstreamer1.0-plugins-good``
< +     - :cve_nist:`2024-47537`, :cve_nist:`2024-47539`, :cve_nist:`2024-47540`, :cve_nist:`2024-47543`, 
:cve_nist:`2024-47544`, :cve_nist:`2024-47545`, :cve_nist:`2024-47546`, :cve_nist:`2024-47596`, :cve_nist:`2024-47597`, 
:cve_nist:`2024-47598`, :cve_nist:`2024-47599`, :cve_nist:`2024-47601`, :cve_nist:`2024-47602`, :cve_nist:`2024-47603`, 
:cve_nist:`2024-47606`, :cve_nist:`2024-47613`, :cve_nist:`2024-47774`, :cve_nist:`2024-47775`, :cve_nist:`2024-47776`, 
:cve_nist:`2024-47777`, :cve_nist:`2024-47778`, :cve_nist:`2024-47834`
see https://gstreamer.freedesktop.org/security/

< +   * - ``openssh``
< +     - :cve_nist:`2025-26465`, :cve_nist:`2025-26466`
see https://www.openssh.com/txt/release-9.9p2

< +   * - ``socat``
< +     - :cve_nist:`2024-54661`
see http://www.dest-unreach.org/socat/

* CVEs already fixed in previous releases

 > +   * - ``libssh2``
 > +     - :cve_nist:`2023-48795`

The patch for CVE-2023-28795, which is no longer needed due to libssh2 upgrading to 1.11.1, was committed on 2024/01/24 and has 
already been fixed at the time of the scarthgap release, so we do not consider it necessary to post it to this list of fixes.
see: 
https://git.yoctoproject.org/poky/commit/meta/recipes-support/libssh2/libssh2?h=walnascar&id=3adac25f899054b7d1d8c14458a1a4cd310abbd7


* CVE numbers that should be changed in ascending order

 > +   * - ``expat``
 > +     - :cve_nist:`2024-50602`, :cve_nist:`2024-8176`
< +   * - ``expat``
< +     - :cve_nist:`2024-8176`, :cve_nist:`2024-50602`


 > +   * - ``grub``
 > +     - :cve_nist:`2024-45781`, :cve_nist:`2024-45782`, :cve_nist:`2024-56737`, :cve_nist:`2024-45780`, 
:cve_nist:`2024-45783`, :cve_nist:`2025-0624`, :cve_nist:`2024-45774`, :cve_nist:`2024-45775`, :cve_nist:`2025-0622`, 
:cve_nist:`2024-45776`, :cve_nist:`2024-45777`, :cve_nist:`2025-0690`, :cve_nist:`2025-1118`, :cve_nist:`2024-45778`, 
:cve_nist:`2024-45779`, :cve_nist:`2025-0677`, :cve_nist:`2025-0684`, :cve_nist:`2025-0685`, :cve_nist:`2025-0686`, 
:cve_nist:`2025-0689`, :cve_nist:`2025-0678`, :cve_nist:`2025-1125`
< +   * - ``grub``
< +     - :cve_nist:`2024-45774`, :cve_nist:`2024-45775`, :cve_nist:`2024-45776`, :cve_nist:`2024-45777`, 
:cve_nist:`2024-45778`, :cve_nist:`2024-45779`, :cve_nist:`2024-45780`, :cve_nist:`2024-45781`, :cve_nist:`2024-45782`, 
:cve_nist:`2024-45783`, :cve_nist:`2024-56737`, :cve_nist:`2025-0622`, :cve_nist:`2025-0624`, :cve_nist:`2025-0677`, 
:cve_nist:`2025-0678`, :cve_nist:`2025-0684`, :cve_nist:`2025-0685`, :cve_nist:`2025-0686`, :cve_nist:`2025-0689`, 
:cve_nist:`2025-0690`, :cve_nist:`2025-1118`, :cve_nist:`2025-1125`

 > +   * - ``libarchive``
 > +     - :cve_nist:`2024-57970`, :cve_nist:`2025-25724`, :cve_nist:`2025-1632`
< +   * - ``libarchive``
< +     - :cve_nist:`2024-57970`, :cve_nist:`2025-1632`, :cve_nist:`2025-25724`

 > +   * - ``libxml2``
 > +     - :cve_nist:`2025-24928`, :cve_nist:`2024-56171`
< +   * - ``libxml2``
< +     - :cve_nist:`2024-56171`, :cve_nist:`2025-24928`

 > +   * - ``tiff``
 > +     - :cve_nist:`2023-52356`, :cve_nist:`2023-6228`, :cve_nist:`2023-6277`
< +   * - ``tiff``
< +     - :cve_nist:`2023-6277`, :cve_nist:`2023-52356`, :cve_nist:`2023-6228`

 > +   * - ``vim``
 > +     - :cve_nist:`2024-45306`, :cve_nist:`2024-47814`, :cve_nist:`2025-22134`, :cve_nist:`2025-24014`, 
:cve_nist:`2025-26603`, :cve_nist:`2025-1215`, :cve_nist:`2025-27423`, :cve_nist:`2025-29768`
< +   * - ``vim``
< +     - :cve_nist:`2024-45306`, :cve_nist:`2024-47814`, :cve_nist:`2025-1215`, :cve_nist:`2025-22134`, :cve_nist:`2025-24014`, 
:cve_nist:`2025-26603`, :cve_nist:`2025-27423`, :cve_nist:`2025-29768`



On 2025/03/28 22:07, Antonin Godard via lists.yoctoproject.org wrote:
> Add security fixes by going through the log between yocto-5.1 and
> walnascar branch tip on Poky.
> 
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
>   .../migration-guides/release-notes-5.2.rst         | 67 ++++++++++++++++++++++
>   1 file changed, 67 insertions(+)
> 
> diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
> index 1e05631d9..d583f3e9d 100644
> --- a/documentation/migration-guides/release-notes-5.2.rst
> +++ b/documentation/migration-guides/release-notes-5.2.rst
> @@ -765,6 +765,73 @@ The following changes have been made to the :term:`LICENSE` values set by recipe
>   Security Fixes in |yocto-ver|
>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   
> +The following CVEs have been fixed:
> +
> +.. list-table::
> +   :widths: 30 70
> +   :header-rows: 1
> +
> +   * - Recipe
> +     - CVE IDs
> +   * - ``barebox``
> +     - :cve_nist:`2025-26721`, :cve_nist:`2025-26722`, :cve_nist:`2025-26723`, :cve_nist:`2025-26724`, :cve_nist:`2025-26725`
> +   * - ``binutils``
> +     - :cve_nist:`2024-53589`, :cve_nist:`2025-1153`
> +   * - ``curl``
> +     - :cve_nist:`2024-8096`, :cve_nist:`2024-9681`, :cve_nist:`2024-11053`, :cve_nist:`2025-0167`, :cve_nist:`2025-0665`, :cve_nist:`2025-0725`
> +   * - ``expat``
> +     - :cve_nist:`2024-50602`, :cve_nist:`2024-8176`
> +   * - ``ghostscript``
> +     - :cve_nist:`2024-46951`, :cve_nist:`2024-46952`, :cve_nist:`2024-46953`, :cve_nist:`2024-46954`, :cve_nist:`2024-46955`, :cve_nist:`2024-46956`
> +   * - ``gnutls``
> +     - :cve_nist:`2024-12243`
> +   * - ``go``
> +     - :cve_nist:`2024-34155`, :cve_nist:`2024-34156`, :cve_nist:`2024-34158`, :cve_nist:`2024-45336`, :cve_nist:`2024-45341`, :cve_nist:`2025-22866`, :cve_nist:`2025-22870`
> +   * - ``grub``
> +     - :cve_nist:`2024-45781`, :cve_nist:`2024-45782`, :cve_nist:`2024-56737`, :cve_nist:`2024-45780`, :cve_nist:`2024-45783`, :cve_nist:`2025-0624`, :cve_nist:`2024-45774`, :cve_nist:`2024-45775`, :cve_nist:`2025-0622`, :cve_nist:`2024-45776`, :cve_nist:`2024-45777`, :cve_nist:`2025-0690`, :cve_nist:`2025-1118`, :cve_nist:`2024-45778`, :cve_nist:`2024-45779`, :cve_nist:`2025-0677`, :cve_nist:`2025-0684`, :cve_nist:`2025-0685`, :cve_nist:`2025-0686`, :cve_nist:`2025-0689`, :cve_nist:`2025-0678`, :cve_nist:`2025-1125`
> +   * - ``libarchive``
> +     - :cve_nist:`2024-57970`, :cve_nist:`2025-25724`, :cve_nist:`2025-1632`
> +   * - ``libcap``
> +     - :cve_nist:`2025-1390`
> +   * - ``libsndfile1``
> +     - :cve_nist:`2024-50612`
> +   * - ``libssh2``
> +     - :cve_nist:`2023-48795`
> +   * - ``libtasn1``
> +     - :cve_nist:`2024-12133`
> +   * - ``libxml2``
> +     - :cve_nist:`2025-24928`, :cve_nist:`2024-56171`
> +   * - ``ofono``
> +     - :cve_nist:`2024-7539`, :cve_nist:`2024-7540`, :cve_nist:`2024-7541`, :cve_nist:`2024-7542`
> +   * - ``omvf``
> +     - :cve_nist:`2023-45236`, :cve_nist:`2023-45237`, :cve_nist:`2024-25742`
> +   * - ``openssl``
> +     - :cve_nist:`2024-9143`, :cve_nist:`2024-12797`, :cve_nist:`2024-13176`
> +   * - ``orc``
> +     - :cve_nist:`2024-40897`
> +   * - ``python3``
> +     - :cve_nist:`2025-0938`, :cve_nist:`2024-12254`
> +   * - ``qemu``
> +     - :cve_nist:`2024-6505`
> +   * - ``rsync``
> +     - :cve_nist:`2024-12084`, :cve_nist:`2024-12085`, :cve_nist:`2024-12086`, :cve_nist:`2024-12087`, :cve_nist:`2024-12088`, :cve_nist:`2024-12747`
> +   * - ``ruby``
> +     - :cve_nist:`2024-41123`, :cve_nist:`2024-41946`
> +   * - ``rust``
> +     - :cve_nist:`2024-43402`
> +   * - ``tiff``
> +     - :cve_nist:`2023-52356`, :cve_nist:`2023-6228`, :cve_nist:`2023-6277`
> +   * - ``vim``
> +     - :cve_nist:`2024-45306`, :cve_nist:`2024-47814`, :cve_nist:`2025-22134`, :cve_nist:`2025-24014`, :cve_nist:`2025-26603`, :cve_nist:`2025-1215`, :cve_nist:`2025-27423`, :cve_nist:`2025-29768`
> +   * - ``webkitgtk``
> +     - :cve_nist:`2025-24143`, :cve_nist:`2025-24150`, :cve_nist:`2025-24158`, :cve_nist:`2025-24162`
> +   * - ``wpa-supplicant``
> +     - :cve_nist:`2024-5290`
> +   * - ``xserver-xorg``
> +     - :cve_nist:`2024-9632`, :cve_nist:`2025-26594`, :cve_nist:`2025-26595`, :cve_nist:`2025-26596`, :cve_nist:`2025-26597`, :cve_nist:`2025-26598`, :cve_nist:`2025-26599`, :cve_nist:`2025-26600`, :cve_nist:`2025-26601`
> +   * - ``xwayland``
> +     - :cve_nist:`2024-9632`, :cve_nist:`2025-26594`, :cve_nist:`2025-26595`, :cve_nist:`2025-26596`, :cve_nist:`2025-26597`, :cve_nist:`2025-26598`, :cve_nist:`2025-26599`, :cve_nist:`2025-26600`, :cve_nist:`2025-26601`
> +
>   Recipe Upgrades in |yocto-ver|
>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#6658): https://lists.yoctoproject.org/g/docs/message/6658
> Mute This Topic: https://lists.yoctoproject.org/mt/111953531/7581020
> Group Owner: docs+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/docs/unsub [ypa.takayasu.ito@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Hi Takayasu,

On Sat Apr 12, 2025 at 6:38 PM CEST, Takayasu Ito wrote:
> Hi all.
>
> * CVEs that have been fixed but are not on the list
>
> < +   * -  ``gstreamer1.0``
> < +     - :cve_nist:`2024-47606`
> < +   * -  ``gstreamer1.0-plugins-base``
> < +     - :cve_nist:`2024-47538`, :cve_nist:`2024-47541`, :cve_nist:`2024-47542`,  :cve_nist:`2024-47600`, 
> :cve_nist:`2024-47607`, :cve_nist:`2024-47615`, :cve_nist:`2024-47835`
> < +   * -  ``gstreamer1.0-plugins-good``
> < +     - :cve_nist:`2024-47537`, :cve_nist:`2024-47539`, :cve_nist:`2024-47540`, :cve_nist:`2024-47543`, 
> :cve_nist:`2024-47544`, :cve_nist:`2024-47545`, :cve_nist:`2024-47546`, :cve_nist:`2024-47596`, :cve_nist:`2024-47597`, 
> :cve_nist:`2024-47598`, :cve_nist:`2024-47599`, :cve_nist:`2024-47601`, :cve_nist:`2024-47602`, :cve_nist:`2024-47603`, 
> :cve_nist:`2024-47606`, :cve_nist:`2024-47613`, :cve_nist:`2024-47774`, :cve_nist:`2024-47775`, :cve_nist:`2024-47776`, 
> :cve_nist:`2024-47777`, :cve_nist:`2024-47778`, :cve_nist:`2024-47834`
> see https://gstreamer.freedesktop.org/security/
>
> < +   * - ``openssh``
> < +     - :cve_nist:`2025-26465`, :cve_nist:`2025-26466`
> see https://www.openssh.com/txt/release-9.9p2
>
> < +   * - ``socat``
> < +     - :cve_nist:`2024-54661`
> see http://www.dest-unreach.org/socat/
>
> * CVEs already fixed in previous releases
>
>  > +   * - ``libssh2``
>  > +     - :cve_nist:`2023-48795`
>
> The patch for CVE-2023-28795, which is no longer needed due to libssh2 upgrading to 1.11.1, was committed on 2024/01/24 and has 
> already been fixed at the time of the scarthgap release, so we do not consider it necessary to post it to this list of fixes.
> see: 
> https://git.yoctoproject.org/poky/commit/meta/recipes-support/libssh2/libssh2?h=walnascar&id=3adac25f899054b7d1d8c14458a1a4cd310abbd7
>
>
> * CVE numbers that should be changed in ascending order
>
>  > +   * - ``expat``
>  > +     - :cve_nist:`2024-50602`, :cve_nist:`2024-8176`
> < +   * - ``expat``
> < +     - :cve_nist:`2024-8176`, :cve_nist:`2024-50602`
>
>
>  > +   * - ``grub``
>  > +     - :cve_nist:`2024-45781`, :cve_nist:`2024-45782`, :cve_nist:`2024-56737`, :cve_nist:`2024-45780`, 
> :cve_nist:`2024-45783`, :cve_nist:`2025-0624`, :cve_nist:`2024-45774`, :cve_nist:`2024-45775`, :cve_nist:`2025-0622`, 
> :cve_nist:`2024-45776`, :cve_nist:`2024-45777`, :cve_nist:`2025-0690`, :cve_nist:`2025-1118`, :cve_nist:`2024-45778`, 
> :cve_nist:`2024-45779`, :cve_nist:`2025-0677`, :cve_nist:`2025-0684`, :cve_nist:`2025-0685`, :cve_nist:`2025-0686`, 
> :cve_nist:`2025-0689`, :cve_nist:`2025-0678`, :cve_nist:`2025-1125`
> < +   * - ``grub``
> < +     - :cve_nist:`2024-45774`, :cve_nist:`2024-45775`, :cve_nist:`2024-45776`, :cve_nist:`2024-45777`, 
> :cve_nist:`2024-45778`, :cve_nist:`2024-45779`, :cve_nist:`2024-45780`, :cve_nist:`2024-45781`, :cve_nist:`2024-45782`, 
> :cve_nist:`2024-45783`, :cve_nist:`2024-56737`, :cve_nist:`2025-0622`, :cve_nist:`2025-0624`, :cve_nist:`2025-0677`, 
> :cve_nist:`2025-0678`, :cve_nist:`2025-0684`, :cve_nist:`2025-0685`, :cve_nist:`2025-0686`, :cve_nist:`2025-0689`, 
> :cve_nist:`2025-0690`, :cve_nist:`2025-1118`, :cve_nist:`2025-1125`
>
>  > +   * - ``libarchive``
>  > +     - :cve_nist:`2024-57970`, :cve_nist:`2025-25724`, :cve_nist:`2025-1632`
> < +   * - ``libarchive``
> < +     - :cve_nist:`2024-57970`, :cve_nist:`2025-1632`, :cve_nist:`2025-25724`
>
>  > +   * - ``libxml2``
>  > +     - :cve_nist:`2025-24928`, :cve_nist:`2024-56171`
> < +   * - ``libxml2``
> < +     - :cve_nist:`2024-56171`, :cve_nist:`2025-24928`
>
>  > +   * - ``tiff``
>  > +     - :cve_nist:`2023-52356`, :cve_nist:`2023-6228`, :cve_nist:`2023-6277`
> < +   * - ``tiff``
> < +     - :cve_nist:`2023-6277`, :cve_nist:`2023-52356`, :cve_nist:`2023-6228`
>
>  > +   * - ``vim``
>  > +     - :cve_nist:`2024-45306`, :cve_nist:`2024-47814`, :cve_nist:`2025-22134`, :cve_nist:`2025-24014`, 
> :cve_nist:`2025-26603`, :cve_nist:`2025-1215`, :cve_nist:`2025-27423`, :cve_nist:`2025-29768`
> < +   * - ``vim``
> < +     - :cve_nist:`2024-45306`, :cve_nist:`2024-47814`, :cve_nist:`2025-1215`, :cve_nist:`2025-22134`, :cve_nist:`2025-24014`, 
> :cve_nist:`2025-26603`, :cve_nist:`2025-27423`, :cve_nist:`2025-29768`

Thanks!

Can you please send a patch on the mailing list with these additions? So that
you take credit for the changes. Please also describe how you came up with this
list.

Regards,
Antonin

Hi Antonin,

I could not post the patch because I did not have the development environment with me due to machine trouble.

On 2025/04/15 20:56, Antonin Godard wrote:
> Hi Takayasu,
> 
> On Sat Apr 12, 2025 at 6:38 PM CEST, Takayasu Ito wrote:
>> Hi all.
>>
>> * CVEs that have been fixed but are not on the list
>>
>> < +   * -  ``gstreamer1.0``
>> < +     - :cve_nist:`2024-47606`
>> < +   * -  ``gstreamer1.0-plugins-base``
>> < +     - :cve_nist:`2024-47538`, :cve_nist:`2024-47541`, :cve_nist:`2024-47542`,  :cve_nist:`2024-47600`,
>> :cve_nist:`2024-47607`, :cve_nist:`2024-47615`, :cve_nist:`2024-47835`
>> < +   * -  ``gstreamer1.0-plugins-good``
>> < +     - :cve_nist:`2024-47537`, :cve_nist:`2024-47539`, :cve_nist:`2024-47540`, :cve_nist:`2024-47543`,
>> :cve_nist:`2024-47544`, :cve_nist:`2024-47545`, :cve_nist:`2024-47546`, :cve_nist:`2024-47596`, :cve_nist:`2024-47597`,
>> :cve_nist:`2024-47598`, :cve_nist:`2024-47599`, :cve_nist:`2024-47601`, :cve_nist:`2024-47602`, :cve_nist:`2024-47603`,
>> :cve_nist:`2024-47606`, :cve_nist:`2024-47613`, :cve_nist:`2024-47774`, :cve_nist:`2024-47775`, :cve_nist:`2024-47776`,
>> :cve_nist:`2024-47777`, :cve_nist:`2024-47778`, :cve_nist:`2024-47834`
>> see https://gstreamer.freedesktop.org/security/
>>
>> < +   * - ``openssh``
>> < +     - :cve_nist:`2025-26465`, :cve_nist:`2025-26466`
>> see https://www.openssh.com/txt/release-9.9p2
>>
>> < +   * - ``socat``
>> < +     - :cve_nist:`2024-54661`
>> see http://www.dest-unreach.org/socat/
>>
>> * CVEs already fixed in previous releases
>>
>>   > +   * - ``libssh2``
>>   > +     - :cve_nist:`2023-48795`
>>
>> The patch for CVE-2023-28795, which is no longer needed due to libssh2 upgrading to 1.11.1, was committed on 2024/01/24 and has
>> already been fixed at the time of the scarthgap release, so we do not consider it necessary to post it to this list of fixes.
>> see:
>> https://git.yoctoproject.org/poky/commit/meta/recipes-support/libssh2/libssh2?h=walnascar&id=3adac25f899054b7d1d8c14458a1a4cd310abbd7
>>
>>
>> * CVE numbers that should be changed in ascending order
>>
>>   > +   * - ``expat``
>>   > +     - :cve_nist:`2024-50602`, :cve_nist:`2024-8176`
>> < +   * - ``expat``
>> < +     - :cve_nist:`2024-8176`, :cve_nist:`2024-50602`
>>
>>
>>   > +   * - ``grub``
>>   > +     - :cve_nist:`2024-45781`, :cve_nist:`2024-45782`, :cve_nist:`2024-56737`, :cve_nist:`2024-45780`,
>> :cve_nist:`2024-45783`, :cve_nist:`2025-0624`, :cve_nist:`2024-45774`, :cve_nist:`2024-45775`, :cve_nist:`2025-0622`,
>> :cve_nist:`2024-45776`, :cve_nist:`2024-45777`, :cve_nist:`2025-0690`, :cve_nist:`2025-1118`, :cve_nist:`2024-45778`,
>> :cve_nist:`2024-45779`, :cve_nist:`2025-0677`, :cve_nist:`2025-0684`, :cve_nist:`2025-0685`, :cve_nist:`2025-0686`,
>> :cve_nist:`2025-0689`, :cve_nist:`2025-0678`, :cve_nist:`2025-1125`
>> < +   * - ``grub``
>> < +     - :cve_nist:`2024-45774`, :cve_nist:`2024-45775`, :cve_nist:`2024-45776`, :cve_nist:`2024-45777`,
>> :cve_nist:`2024-45778`, :cve_nist:`2024-45779`, :cve_nist:`2024-45780`, :cve_nist:`2024-45781`, :cve_nist:`2024-45782`,
>> :cve_nist:`2024-45783`, :cve_nist:`2024-56737`, :cve_nist:`2025-0622`, :cve_nist:`2025-0624`, :cve_nist:`2025-0677`,
>> :cve_nist:`2025-0678`, :cve_nist:`2025-0684`, :cve_nist:`2025-0685`, :cve_nist:`2025-0686`, :cve_nist:`2025-0689`,
>> :cve_nist:`2025-0690`, :cve_nist:`2025-1118`, :cve_nist:`2025-1125`
>>
>>   > +   * - ``libarchive``
>>   > +     - :cve_nist:`2024-57970`, :cve_nist:`2025-25724`, :cve_nist:`2025-1632`
>> < +   * - ``libarchive``
>> < +     - :cve_nist:`2024-57970`, :cve_nist:`2025-1632`, :cve_nist:`2025-25724`
>>
>>   > +   * - ``libxml2``
>>   > +     - :cve_nist:`2025-24928`, :cve_nist:`2024-56171`
>> < +   * - ``libxml2``
>> < +     - :cve_nist:`2024-56171`, :cve_nist:`2025-24928`
>>
>>   > +   * - ``tiff``
>>   > +     - :cve_nist:`2023-52356`, :cve_nist:`2023-6228`, :cve_nist:`2023-6277`
>> < +   * - ``tiff``
>> < +     - :cve_nist:`2023-6277`, :cve_nist:`2023-52356`, :cve_nist:`2023-6228`
>>
>>   > +   * - ``vim``
>>   > +     - :cve_nist:`2024-45306`, :cve_nist:`2024-47814`, :cve_nist:`2025-22134`, :cve_nist:`2025-24014`,
>> :cve_nist:`2025-26603`, :cve_nist:`2025-1215`, :cve_nist:`2025-27423`, :cve_nist:`2025-29768`
>> < +   * - ``vim``
>> < +     - :cve_nist:`2024-45306`, :cve_nist:`2024-47814`, :cve_nist:`2025-1215`, :cve_nist:`2025-22134`, :cve_nist:`2025-24014`,
>> :cve_nist:`2025-26603`, :cve_nist:`2025-27423`, :cve_nist:`2025-29768`
> 
> Thanks!
> 
> Can you please send a patch on the mailing list with these additions? So that
> you take credit for the changes. Please also describe how you came up with this
> list.
> 
> Regards,
> Antonin
>

Hi Takayasu,

On Wed Apr 16, 2025 at 12:34 AM CEST, Takayasu Ito wrote:
> Hi Antonin,
>
> I could not post the patch because I did not have the development environment with me due to machine trouble.

Okay, that's fine.

Could you please explain how you obtained these results?
It's not straightforward for me to assert the validity of your changes. I would
just need a way to reproduce the results you obtained. cve-check, maybe?

Antonin

Hi Antonin,

The decision is based on the upstream release notes and accompanying information.

As for gstreamer, three update commits have been made.

gstreamer1.0: upgrade 1.24.6 -> 1.24.9
https://git.yoctoproject.org/poky/commit/meta/recipes-multimedia/gstreamer?h=walnascar&id=0770b0 ecea8accb0edb9137595b2c7e0b94bb69b

gstreamer1.0: upgrade 1.24.9 -> 1.24.10
https://git.yoctoproject.org/poky/commit/?h=walnascar&id=d84 bc502cc610cbda9bf19e0320537287bf8a674

gstreamer1.0: upgrade 1.24.10 -> 1.24.12
https://git.yoctoproject.org/poky/commit/?h=walnascar&id= 925d5f1c725ceeb36c180b38a22dfdedd0dfc220

Release information for these updates is found at
https://gstreamer.freedesktop.org/news/

In it, it is stated that the security fixe is included in the 1.24.9 and 1.24.10 releases.

The details are confirmed at
https://gstreamer.freedesktop.org/security/

We can confirm that GStreamer-SA-2024-0004 through GStreamer-SA-2024-0030 were addressed in this release of walnascar.



On 2025/04/16 16:27, Antonin Godard wrote:
> Hi Takayasu,
> 
> On Wed Apr 16, 2025 at 12:34 AM CEST, Takayasu Ito wrote:
>> Hi Antonin,
>>
>> I could not post the patch because I did not have the development environment with me due to machine trouble.
> 
> Okay, that's fine.
> 
> Could you please explain how you obtained these results?
> It's not straightforward for me to assert the validity of your changes. I would
> just need a way to reproduce the results you obtained. cve-check, maybe?
> 
> Antonin
>