[whinlatter,00/22] Pull request (cover letter only)

Message ID	cover.1770630733.git.yoann.congal@smile.fr
State	Not Applicable, archived
Headers	show Return-Path: <yoann.congal@smile.fr> ip: 209.85.128.42, mailfrom: yoann.congal@smile.fr) From: Yoann Congal <yoann.congal@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][whinlatter 00/22] Pull request (cover letter only) Date: Mon, 9 Feb 2026 10:58:33 +0100 Message-ID: <cover.1770630733.git.yoann.congal@smile.fr> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit

Message ID

cover.1770630733.git.yoann.congal@smile.fr

State

Not Applicable, archived

Headers

From: Yoann Congal <yoann.congal@smile.fr>
To: openembedded-core@lists.openembedded.org
Cc: Paul Barker <paul@pbarker.dev>
Subject: [OE-core][whinlatter 00/22] Pull request (cover letter only)
Date: Mon,  9 Feb 2026 10:58:33 +0100
Message-ID: <cover.1770630733.git.yoann.congal@smile.fr>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Message

Yoann Congal Feb. 9, 2026, 9:58 a.m. UTC

Those are the patches from the last patch review:
https://lore.kernel.org/openembedded-core/cover.1770109549.git.yoann.congal@smile.fr/T/#t
(with added cherry-pick info, where appropriate)

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3181

The following changes since commit fa31089d48cac2aa11279e932a77f4dbdc02c02d:

  libarchive: upgrade 3.8.4 -> 3.8.5 (2026-01-26 08:44:38 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/whinlatter-next
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/whinlatter-next

for you to fetch changes up to 7ffbe7bb6e262a410afac64c5211df0d52c202c7:

  inetutils: patch CVE-2026-24061 (2026-02-09 01:51:46 +0100)

----------------------------------------------------------------

Hugo SIMELIERE (1):
  libtasn1: Fix CVE-2025-13151

Jiaying Song (1):
  grub: fix CVE-2025-54770 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663
    CVE-2025-61664

Ken Kurematsu (1):
  libtheora: set CVE_PRODUCT

Khai Dang (1):
  docbook-xml-dtd4: fix the fetching failure

Mark Hatle (1):
  dpkg: Fix ADMINDIR

Mathieu Dubois-Briand (2):
  oeqa/gitarchive: Fix git push URL parameter
  oeqa/gitarchive: Push tag before copying log files

Peter Marko (13):
  go: upgrade 1.25.5 -> 1.25.6
  zlib: ignore CVE-2026-22184
  python3-urllib3: patch CVE-2026-21441
  glibc: stable 2.42 branch updates
  dropbear: patch CVE-2025-14282
  libpng: upgrade 1.6.53 -> 1.6.54
  glib-2.0: patch CVE-2026-0988
  libxml2: patch CVE-2026-0989
  libxml2: patch CVE-2026-0990
  libxml2: patch CVE-2026-0992
  libxml2: add follow-up patch for CVE-2026-0992
  expat: upgrade 2.7.3 -> 2.7.4
  inetutils: patch CVE-2026-24061

Richard Purdie (2):
  scripts/oe-git-archive: Ensure new push parameter is specified
  pseudo: Update to 1.9.3 release

 meta/lib/oe/package_manager/deb/__init__.py   |   4 +
 .../oeqa/selftest/cases/gitarchivetests.py    |   4 +-
 meta/lib/oeqa/utils/gitarchive.py             |   8 +-
 .../grub/files/CVE-2025-54770.patch           |  41 +++
 .../grub/files/CVE-2025-61661.patch           |  40 +++
 .../grub/files/CVE-2025-61662.patch           |  72 ++++
 .../grub/files/CVE-2025-61663_61664.patch     |  64 ++++
 meta/recipes-bsp/grub/grub2.inc               |   4 +
 .../inetutils/CVE-2026-24061-01.patch         |  38 ++
 .../inetutils/CVE-2026-24061-02.patch         |  82 +++++
 .../inetutils/inetutils_2.6.bb                |   2 +
 .../dropbear/dropbear/CVE-2025-14282-01.patch | 280 +++++++++++++++
 .../dropbear/dropbear/CVE-2025-14282-02.patch |  97 +++++
 .../dropbear/dropbear/CVE-2025-14282-03.patch | 282 +++++++++++++++
 .../dropbear/dropbear/CVE-2025-14282-04.patch |  72 ++++
 .../dropbear/dropbear/CVE-2025-14282-05.patch |  46 +++
 .../recipes-core/dropbear/dropbear_2025.88.bb |   5 +
 .../expat/{expat_2.7.3.bb => expat_2.7.4.bb}  |   2 +-
 .../glib-2.0/files/CVE-2026-0988.patch        |  58 +++
 meta/recipes-core/glib-2.0/glib.inc           |   1 +
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 meta/recipes-core/glibc/glibc_2.42.bb         |   2 +-
 .../libxml/libxml2/CVE-2026-0989.patch        | 309 ++++++++++++++++
 .../libxml/libxml2/CVE-2026-0990.patch        |  76 ++++
 .../libxml/libxml2/CVE-2026-0992-01.patch     |  49 +++
 .../libxml/libxml2/CVE-2026-0992-02.patch     | 336 ++++++++++++++++++
 .../libxml/libxml2/CVE-2026-0992-03.patch     |  33 ++
 meta/recipes-core/libxml/libxml2_2.14.6.bb    |   5 +
 meta/recipes-core/zlib/zlib_1.3.1.bb          |   2 +
 .../docbook-xml/docbook-xml-dtd4_4.5.bb       |  10 +-
 ...-dirs.c-set_rootfs-was-not-checking-.patch |  46 +++
 meta/recipes-devtools/dpkg/dpkg_1.22.21.bb    |   1 +
 .../go/{go-1.25.5.inc => go-1.25.6.inc}       |   2 +-
 ...e_1.25.5.bb => go-binary-native_1.25.6.bb} |   6 +-
 ..._1.25.5.bb => go-cross-canadian_1.25.6.bb} |   0
 ...{go-cross_1.25.5.bb => go-cross_1.25.6.bb} |   0
 ...osssdk_1.25.5.bb => go-crosssdk_1.25.6.bb} |   0
 ...runtime_1.25.5.bb => go-runtime_1.25.6.bb} |   0
 ...ent-based-hash-generation-less-pedan.patch |   8 +-
 ...ng-cgo-on-386-call-C-sigaction-funct.patch |   4 +-
 ...d-go-make-GOROOT-precious-by-default.patch |   2 +-
 .../go/{go_1.25.5.bb => go_1.25.6.bb}         |   0
 meta/recipes-devtools/pseudo/pseudo_git.bb    |   4 +-
 .../python3-urllib3/CVE-2026-21441.patch      | 111 ++++++
 .../python/python3-urllib3_2.5.0.bb           |   1 +
 .../{libpng_1.6.53.bb => libpng_1.6.54.bb}    |   4 +-
 .../libtheora/libtheora_1.2.0.bb              |   2 +
 .../gnutls/libtasn1/CVE-2025-13151.patch      |  30 ++
 .../recipes-support/gnutls/libtasn1_4.20.0.bb |   1 +
 scripts/lib/resulttool/store.py               |   9 +-
 scripts/oe-git-archive                        |   2 +-
 51 files changed, 2228 insertions(+), 31 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61661.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61662.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61663_61664.patch
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-01.patch
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-02.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-01.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-02.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-03.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-04.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-05.patch
 rename meta/recipes-core/expat/{expat_2.7.3.bb => expat_2.7.4.bb} (92%)
 create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-0988.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0989.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
 create mode 100644 meta/recipes-devtools/dpkg/dpkg/0001-lib-dpkg-options-dirs.c-set_rootfs-was-not-checking-.patch
 rename meta/recipes-devtools/go/{go-1.25.5.inc => go-1.25.6.inc} (91%)
 rename meta/recipes-devtools/go/{go-binary-native_1.25.5.bb => go-binary-native_1.25.6.bb} (79%)
 rename meta/recipes-devtools/go/{go-cross-canadian_1.25.5.bb => go-cross-canadian_1.25.6.bb} (100%)
 rename meta/recipes-devtools/go/{go-cross_1.25.5.bb => go-cross_1.25.6.bb} (100%)
 rename meta/recipes-devtools/go/{go-crosssdk_1.25.5.bb => go-crosssdk_1.25.6.bb} (100%)
 rename meta/recipes-devtools/go/{go-runtime_1.25.5.bb => go-runtime_1.25.6.bb} (100%)
 rename meta/recipes-devtools/go/{go_1.25.5.bb => go_1.25.6.bb} (100%)
 create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch
 rename meta/recipes-multimedia/libpng/{libpng_1.6.53.bb => libpng_1.6.54.bb} (94%)
 create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch

Comments

Yoann Congal Feb. 9, 2026, 10:45 a.m. UTC | #1

On Mon Feb 9, 2026 at 10:58 AM CET, Yoann Congal wrote:
> Those are the patches from the last patch review:
> https://lore.kernel.org/openembedded-core/cover.1770109549.git.yoann.congal@smile.fr/T/#t
> (with added cherry-pick info, where appropriate)
>
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3181
As Paul wrote on IRC, I forgot to mention that the meta-intel build
failed. But, IMHO it should not prevent the merge:
* meta-intel build also fail on master currently: See the latest nightly:
  https://autobuilder.yoctoproject.org/valkyrie/#/builders/41/builds/2992
  => This new failure is not related to this series
* I notified the maintainer (Yogesh Tyagi, CC'd) last week, he is
  working on reproducing & fixing it.

> The following changes since commit fa31089d48cac2aa11279e932a77f4dbdc02c02d:
>
>   libarchive: upgrade 3.8.4 -> 3.8.5 (2026-01-26 08:44:38 +0000)
>
> are available in the Git repository at:
>
>   https://git.openembedded.org/openembedded-core-contrib stable/whinlatter-next
>   https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/whinlatter-next
>
> for you to fetch changes up to 7ffbe7bb6e262a410afac64c5211df0d52c202c7:
>
>   inetutils: patch CVE-2026-24061 (2026-02-09 01:51:46 +0100)
>
> ----------------------------------------------------------------
>
> Hugo SIMELIERE (1):
>   libtasn1: Fix CVE-2025-13151
>
> Jiaying Song (1):
>   grub: fix CVE-2025-54770 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663
>     CVE-2025-61664
>
> Ken Kurematsu (1):
>   libtheora: set CVE_PRODUCT
>
> Khai Dang (1):
>   docbook-xml-dtd4: fix the fetching failure
>
> Mark Hatle (1):
>   dpkg: Fix ADMINDIR
>
> Mathieu Dubois-Briand (2):
>   oeqa/gitarchive: Fix git push URL parameter
>   oeqa/gitarchive: Push tag before copying log files
>
> Peter Marko (13):
>   go: upgrade 1.25.5 -> 1.25.6
>   zlib: ignore CVE-2026-22184
>   python3-urllib3: patch CVE-2026-21441
>   glibc: stable 2.42 branch updates
>   dropbear: patch CVE-2025-14282
>   libpng: upgrade 1.6.53 -> 1.6.54
>   glib-2.0: patch CVE-2026-0988
>   libxml2: patch CVE-2026-0989
>   libxml2: patch CVE-2026-0990
>   libxml2: patch CVE-2026-0992
>   libxml2: add follow-up patch for CVE-2026-0992
>   expat: upgrade 2.7.3 -> 2.7.4
>   inetutils: patch CVE-2026-24061
>
> Richard Purdie (2):
>   scripts/oe-git-archive: Ensure new push parameter is specified
>   pseudo: Update to 1.9.3 release
>
>  meta/lib/oe/package_manager/deb/__init__.py   |   4 +
>  .../oeqa/selftest/cases/gitarchivetests.py    |   4 +-
>  meta/lib/oeqa/utils/gitarchive.py             |   8 +-
>  .../grub/files/CVE-2025-54770.patch           |  41 +++
>  .../grub/files/CVE-2025-61661.patch           |  40 +++
>  .../grub/files/CVE-2025-61662.patch           |  72 ++++
>  .../grub/files/CVE-2025-61663_61664.patch     |  64 ++++
>  meta/recipes-bsp/grub/grub2.inc               |   4 +
>  .../inetutils/CVE-2026-24061-01.patch         |  38 ++
>  .../inetutils/CVE-2026-24061-02.patch         |  82 +++++
>  .../inetutils/inetutils_2.6.bb                |   2 +
>  .../dropbear/dropbear/CVE-2025-14282-01.patch | 280 +++++++++++++++
>  .../dropbear/dropbear/CVE-2025-14282-02.patch |  97 +++++
>  .../dropbear/dropbear/CVE-2025-14282-03.patch | 282 +++++++++++++++
>  .../dropbear/dropbear/CVE-2025-14282-04.patch |  72 ++++
>  .../dropbear/dropbear/CVE-2025-14282-05.patch |  46 +++
>  .../recipes-core/dropbear/dropbear_2025.88.bb |   5 +
>  .../expat/{expat_2.7.3.bb => expat_2.7.4.bb}  |   2 +-
>  .../glib-2.0/files/CVE-2026-0988.patch        |  58 +++
>  meta/recipes-core/glib-2.0/glib.inc           |   1 +
>  meta/recipes-core/glibc/glibc-version.inc     |   2 +-
>  meta/recipes-core/glibc/glibc_2.42.bb         |   2 +-
>  .../libxml/libxml2/CVE-2026-0989.patch        | 309 ++++++++++++++++
>  .../libxml/libxml2/CVE-2026-0990.patch        |  76 ++++
>  .../libxml/libxml2/CVE-2026-0992-01.patch     |  49 +++
>  .../libxml/libxml2/CVE-2026-0992-02.patch     | 336 ++++++++++++++++++
>  .../libxml/libxml2/CVE-2026-0992-03.patch     |  33 ++
>  meta/recipes-core/libxml/libxml2_2.14.6.bb    |   5 +
>  meta/recipes-core/zlib/zlib_1.3.1.bb          |   2 +
>  .../docbook-xml/docbook-xml-dtd4_4.5.bb       |  10 +-
>  ...-dirs.c-set_rootfs-was-not-checking-.patch |  46 +++
>  meta/recipes-devtools/dpkg/dpkg_1.22.21.bb    |   1 +
>  .../go/{go-1.25.5.inc => go-1.25.6.inc}       |   2 +-
>  ...e_1.25.5.bb => go-binary-native_1.25.6.bb} |   6 +-
>  ..._1.25.5.bb => go-cross-canadian_1.25.6.bb} |   0
>  ...{go-cross_1.25.5.bb => go-cross_1.25.6.bb} |   0
>  ...osssdk_1.25.5.bb => go-crosssdk_1.25.6.bb} |   0
>  ...runtime_1.25.5.bb => go-runtime_1.25.6.bb} |   0
>  ...ent-based-hash-generation-less-pedan.patch |   8 +-
>  ...ng-cgo-on-386-call-C-sigaction-funct.patch |   4 +-
>  ...d-go-make-GOROOT-precious-by-default.patch |   2 +-
>  .../go/{go_1.25.5.bb => go_1.25.6.bb}         |   0
>  meta/recipes-devtools/pseudo/pseudo_git.bb    |   4 +-
>  .../python3-urllib3/CVE-2026-21441.patch      | 111 ++++++
>  .../python/python3-urllib3_2.5.0.bb           |   1 +
>  .../{libpng_1.6.53.bb => libpng_1.6.54.bb}    |   4 +-
>  .../libtheora/libtheora_1.2.0.bb              |   2 +
>  .../gnutls/libtasn1/CVE-2025-13151.patch      |  30 ++
>  .../recipes-support/gnutls/libtasn1_4.20.0.bb |   1 +
>  scripts/lib/resulttool/store.py               |   9 +-
>  scripts/oe-git-archive                        |   2 +-
>  51 files changed, 2228 insertions(+), 31 deletions(-)
>  create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770.patch
>  create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61661.patch
>  create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61662.patch
>  create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61663_61664.patch
>  create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-01.patch
>  create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-02.patch
>  create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-01.patch
>  create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-02.patch
>  create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-03.patch
>  create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-04.patch
>  create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-05.patch
>  rename meta/recipes-core/expat/{expat_2.7.3.bb => expat_2.7.4.bb} (92%)
>  create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-0988.patch
>  create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0989.patch
>  create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
>  create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch
>  create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
>  create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
>  create mode 100644 meta/recipes-devtools/dpkg/dpkg/0001-lib-dpkg-options-dirs.c-set_rootfs-was-not-checking-.patch
>  rename meta/recipes-devtools/go/{go-1.25.5.inc => go-1.25.6.inc} (91%)
>  rename meta/recipes-devtools/go/{go-binary-native_1.25.5.bb => go-binary-native_1.25.6.bb} (79%)
>  rename meta/recipes-devtools/go/{go-cross-canadian_1.25.5.bb => go-cross-canadian_1.25.6.bb} (100%)
>  rename meta/recipes-devtools/go/{go-cross_1.25.5.bb => go-cross_1.25.6.bb} (100%)
>  rename meta/recipes-devtools/go/{go-crosssdk_1.25.5.bb => go-crosssdk_1.25.6.bb} (100%)
>  rename meta/recipes-devtools/go/{go-runtime_1.25.5.bb => go-runtime_1.25.6.bb} (100%)
>  rename meta/recipes-devtools/go/{go_1.25.5.bb => go_1.25.6.bb} (100%)
>  create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch
>  rename meta/recipes-multimedia/libpng/{libpng_1.6.53.bb => libpng_1.6.54.bb} (94%)
>  create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch

[whinlatter,00/22] Pull request (cover letter only)

Pull-request

Message

Comments