From patchwork Mon Nov  3 20:59:08 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 73564
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9697DCCF9F8
	for <webhook@archiver.kernel.org>; Mon,  3 Nov 2025 20:59:37 +0000 (UTC)
Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com
 [209.85.210.171])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.2307.1762203569222157157
 for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:29 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=y8l+vXEX;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.171,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f171.google.com with SMTP id
 d2e1a72fcca58-7a59ec9bef4so5953914b3a.2
        for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762203568;
 x=1762808368; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=WDWCQe9NFH2ttJXNLXPTWFYa5WQZvItUUI4WsBw5sMY=;
        b=y8l+vXEXpXSn9p9zds7lJMpdhob+zi9yHaQ9rsnxedjfAhLyB3IwW7uUA/3yj5FM/o
         Tph4sWeMlJEHJycC+KFs7wP0RuV9WcjvtVGpbXkJOkoX2nHSAhsPNfQJn0HHnfJX73yu
         p9eowLuLGsARxP9KmdEQUOqFE4bRoNZHJcYdMkIhOXNZyDByZhfjZKANY0jlZfdnCSeq
         gCcTL6HqzZK3zcNRMGjsJ3YUsjjRiW+V7t+d++rjOJkef74PXmuIeWhuSzpAzYAZN8w1
         resyU4FxJXeBkI7uMKbIEZ5Rl0wWA9CGAJrs2X5Daw3Ma+o43+E6aSbU/LfHozKoewRI
         OLyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1762203568; x=1762808368;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=WDWCQe9NFH2ttJXNLXPTWFYa5WQZvItUUI4WsBw5sMY=;
        b=anQW8ThED5cgsx7pc02acPo7OJvBeCjX/6eAyYiRWZe7OQ4MWbeLKueTXUn/4yrF/y
         SQ9vLcyI6CsL7kJ4bIJgJSOA27xrEIjfiV2lEvFTuIdlNcGohE7ChraeAsYrl4b4nv66
         N4aMWFuK9AhhzamLIvBpAKAlBAXhrV6px1ceyfhT6q2EtAmGsqKpWE9O0pFG6RrQPBrV
         zy2O1DibO3Kcd0lgJtaCJUY3e+vxKX5SQTqq1xvFsOY3LRdRqTtpIsMDJTF33+NpjdRm
         U0P4n2yivJMOCKs4DTo8lNCtgW/t9j/qXLdanGlLk5Ib3nM8uEi18Ggkek34l+c3/QTB
         FmnQ==
X-Gm-Message-State: AOJu0Yy0YucEmyYyNRZ2mCjanBLVpCglawSO8UQBUPLSI6z42lYcDlC0
	zdXv6B/pukgwUvzXbUrmuDBWvjmbtHdXEvrSkQuhb8iwPPkyRa/EeFrJHjM1shEpd43cfek0GUd
	SVizaEPo=
X-Gm-Gg: ASbGncuDO0NOsXbdAtPEe/99O8YkqSq5zKFTyzBw0FIZ60LuL/b36SjDYRSAKBZu7Bo
	r3Z3WoiucFHYNP2iaMRhb2NkJ2mxW08ATCKCtzv6j4tnYVFhLpQKjXZ0AIX6mX3YqAzipaohmQ4
	mbDQ9XnxyeW6Jk75oWWo0vbfW3f3RWlBl5D+K5b04uI+T+0DZZXhH6Ghxc77Gny6Icx3HylaTqv
	EH359NwHTWiByL5C/yLPi1PM1mJjS6MkmbwEznGhgM4yHvN1ukWQffxs2xollGmQGgtg6f4oawv
	l0SL2NdEjOxbecUpK2hMY5ZIf3kHT+9hj6pCQlOyLmzdMY3WVQRgETPuA7aU9VGyk0zWWmg/ixI
	GtSUrxy79sV8P6Hw2k8/ODGgmsErCbYjcZrGHdEj8QDrMuTxqJo308KwHOJDcNcjMcrE=
X-Google-Smtp-Source: 
 AGHT+IHj8RHqPfxzCu6x2B3gaRC8x8wTtJJb0Z2Li0dnJ+6YckroEiNLmzheeW1jBubJJocaN0qxkQ==
X-Received: by 2002:a17:90b:3a8c:b0:33b:b078:d6cc with SMTP id
 98e67ed59e1d1-34083070ec7mr16847144a91.31.1762203568438;
        Mon, 03 Nov 2025 12:59:28 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:6a2d:a521:f4d2:20a3])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-3415b02891asm2024911a91.9.2025.11.03.12.59.27
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 03 Nov 2025 12:59:28 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 1/8] u-boot: fix CVE-2024-42040
Date: Mon,  3 Nov 2025 12:59:08 -0800
Message-ID: 
 <f5b980ade1e952a181cb51d60268942095627c0d.1762203396.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1762203396.git.steve@sakoman.com>
References: <cover.1762203396.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 03 Nov 2025 20:59:37 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225697

From: Hongxu Jia <hongxu.jia@windriver.com>

Backport a patch [1] from upstrem to fix CVE-2024-42040 [2]

[1] https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-42040

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../u-boot/files/CVE-2024-42040.patch         | 56 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  4 +-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
new file mode 100644
index 0000000000..2d250e51b7
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
@@ -0,0 +1,56 @@
+From 1406fc918977bba4dac0af5e22e63a5553aa6aff Mon Sep 17 00:00:00 2001
+From: Paul HENRYS <paul.henrys_ext@softathome.com>
+Date: Thu, 9 Oct 2025 17:43:28 +0200
+Subject: [PATCH] net: bootp: Prevent buffer overflow to avoid leaking the RAM
+ content
+
+CVE-2024-42040 describes a possible buffer overflow when calling
+bootp_process_vendor() in bootp_handler() since the total length
+of the packet is passed to bootp_process_vendor() without being
+reduced to len-(offsetof(struct bootp_hdr,bp_vend)+4).
+
+The packet length is also checked against its minimum size to avoid
+reading data from struct bootp_hdr outside of the packet length.
+
+Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
+Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
+
+CVE: CVE-2024-42040
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ net/bootp.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/bootp.c b/net/bootp.c
+index 68002909634..843180d296c 100644
+--- a/net/bootp.c
++++ b/net/bootp.c
+@@ -362,6 +362,14 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ 	debug("got BOOTP packet (src=%d, dst=%d, len=%d want_len=%zu)\n",
+ 	      src, dest, len, sizeof(struct bootp_hdr));
+ 
++	/* Check the minimum size of a BOOTP packet is respected.
++	 * A BOOTP packet is between 300 bytes and 576 bytes big
++	 */
++	if (len < offsetof(struct bootp_hdr, bp_vend) + 64) {
++		printf("Error: got an invalid BOOTP packet (len=%u)\n", len);
++		return;
++	}
++
+ 	bp = (struct bootp_hdr *)pkt;
+ 
+ 	/* Filter out pkts we don't want */
+@@ -379,7 +387,8 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ 
+ 	/* Retrieve extended information (we must parse the vendor area) */
+ 	if (net_read_u32((u32 *)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC))
+-		bootp_process_vendor((uchar *)&bp->bp_vend[4], len);
++		bootp_process_vendor((uchar *)&bp->bp_vend[4], len -
++				     (offsetof(struct bootp_hdr, bp_vend) + 4));
+ 
+ 	net_set_timeout_handler(0, (thand_f *)0);
+ 	bootstage_mark_name(BOOTSTAGE_ID_BOOTP_STOP, "bootp_stop");
+-- 
+2.49.0
+
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index d366f10398..7a63420642 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,7 +14,9 @@ PE = "1"
 # repo during parse
 SRCREV = "d637294e264adfeb29f390dfc393106fd4d41b17"
 
-SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master"
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
+           file://CVE-2024-42040.patch \
+"
 
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"

From patchwork Mon Nov  3 20:59:09 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 73565
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B0537CCFA08
	for <webhook@archiver.kernel.org>; Mon,  3 Nov 2025 20:59:37 +0000 (UTC)
Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com
 [209.85.214.180])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.2244.1762203571013149585
 for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:31 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=e+FXWweh;
 spf=softfail (domain: sakoman.com, ip: 209.85.214.180,
 mailfrom: steve@sakoman.com)
Received: by mail-pl1-f180.google.com with SMTP id
 d9443c01a7336-29570bcf220so26598245ad.3
        for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762203570;
 x=1762808370; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=cbzJhZneSkI5CKHwBjD+/w6YVujFi5n4XANcVyV2s7s=;
        b=e+FXWweh6hvbO7wNDfYXs8SuAo5p8IQstlwviaKiQ3av/s/JkpR65k3P0/JNkarYVS
         0hdIe0ueNBcSTInWb9izFZkdJi01eabJWPpgDrfALVZw5/bgCGgRrKiiYXXRRJfB3LQk
         nl7ejUY01ayY/Kcw7/xv0uBS3DlRUAiPEdGmZ2xrSx1U9OOQIoshwE7XIFTABDekRtda
         FrJbskHx7Rm1oQ+HlhO4gk9alR7EqCbocSPUrNjrz5WybEUlDJCsrgLQZIF+zbyqpqey
         XmaSjo4HdBprx4ItRJIc3IKOWLhLo59hPH1PUOKM3Qvdzvis72SyzHT72oJBGvXze08c
         0QHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1762203570; x=1762808370;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=cbzJhZneSkI5CKHwBjD+/w6YVujFi5n4XANcVyV2s7s=;
        b=sMjbmQpUPnvQKI7yfxALx3NHLk2H29Nx76LgPXfg/HXmLcpe4xb7AtrJbUUjk8mXCe
         TlkfQCRg7LqaG5uT56ej9y62GtdTbDo4YIGjgmiajY6xQTGRdweFGkNp3c/6kWwusnc7
         YFy919PgIs5airRbCk0f5x1ABvju4pv8rHlHib6+Zf88WfdAPSMndx+NNXAyK7ap0W/W
         rec+OFdjWsuWd3PtsP0nepNhp/II0LzrqAx46R0ShMM6WiBHT1ygrnylIX+zdz3YtH75
         adB2scU2OYuc6B40bMpLIJ+MgE8t5/kLupQR2YlRMiTWalvnEO8y83uYFp3jkGE7+cNo
         RXzw==
X-Gm-Message-State: AOJu0YzZhbTl+CAujcA9EPn+C/eSuRpiKPzr010Nh9zCgLGlzHADPuIw
	jaAMW0ofAa9SAlvH13uX2qlLMRsLzaz7rStE6yDER8TT3udPZc5GLWV8+5gduvngGZgoubh87DO
	uGI1BgVk=
X-Gm-Gg: ASbGncviUiT3JRZq7QAFQV92bNi17qpwtpetW0cDr1EvAhrrVtMDYyYiMyxYZ4XOeWL
	5znCEA80UQflmIi372A7sVNsXTNiDc4gDxUri+LP2wpdbuj2l5XZrsUWEV0ImmL16hi+xUe9DOM
	DKadDgeUoloUrWfRNYsKOC1Ltmua42Z+mBKx6ZLYKdaRLgSXNqGFozLQkzinLq/qtK9P6tbQAKD
	VzoUXliVCw4ME6QtuMhXEbpq+htNU1rTSiES3yTElAeyBU6jNF4nw+8pyU/v5CQxsqvXA/dRcyB
	s7wKGHRAcIff+35eBV2aIdMmIagf4yguO8Ty2nBK+jnq0y1tdNOiqA4Epp/pBjUHoqGofm9wYYF
	K6pYUYj0Wb2OMhjrsu2let6MIdrKWFRwzOK3PJrD3lubtqik9G9l45tp3jB0i/PPUY2c=
X-Google-Smtp-Source: 
 AGHT+IF67qwpBbRw5RzNcVBmYjiImDp5mbYUS3wANbrP+9KMXcjdwCnl8GNuymbEvme3xrdM10u95g==
X-Received: by 2002:a17:903:384c:b0:24f:dbe7:73a2 with SMTP id
 d9443c01a7336-2951a45a272mr170714395ad.31.1762203570287;
        Mon, 03 Nov 2025 12:59:30 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:6a2d:a521:f4d2:20a3])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-3415b02891asm2024911a91.9.2025.11.03.12.59.29
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 03 Nov 2025 12:59:29 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/8] openssh: fix CVE-2025-61985
Date: Mon,  3 Nov 2025 12:59:09 -0800
Message-ID: 
 <5170bd2f8a63bcc310667a327ea2ab96c783c4f6.1762203396.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1762203396.git.steve@sakoman.com>
References: <cover.1762203396.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 03 Nov 2025 20:59:37 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225698

From: Archana Polampalli <archana.polampalli@windriver.com>

ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially
leading to code execution when a ProxyCommand is used.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssh/openssh/CVE-2025-61985.patch      | 35 +++++++++++++++++++
 .../openssh/openssh_8.9p1.bb                  |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-61985.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61985.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61985.patch
new file mode 100644
index 0000000000..7333d5aae8
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61985.patch
@@ -0,0 +1,35 @@
+From 54928cb9eaa7143ff17f463efa7ed3109afdbf30 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:30:06 +0000
+Subject: [PATCH] upstream: don't allow \0 characters in url-encoded strings.
+ Suggested by David Leadbeater, ok deraadt@
+
+OpenBSD-Commit-ID: c92196cef0f970ceabc1e8007a80b01e9b7cd49c
+
+CVE: CVE-2025-61985
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ misc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/misc.c b/misc.c
+index 6135b15..3d133b5 100644
+--- a/misc.c
++++ b/misc.c
+@@ -934,9 +934,10 @@ urldecode(const char *src)
+			*dst++ = ' ';
+			break;
+		case '%':
++			/* note: don't allow \0 characters */
+			if (!isxdigit((unsigned char)src[1]) ||
+			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+				free(ret);
+				return NULL;
+			}
+--
+2.40.0
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 345051c8dc..780ece8999 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -39,6 +39,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://CVE-2024-6387.patch \
            file://CVE-2025-26465.patch \
            file://CVE-2025-32728.patch \
+           file://CVE-2025-61985.patch \
            "
 SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
 

From patchwork Mon Nov  3 20:59:10 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 73567
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A485BCCFA09
	for <webhook@archiver.kernel.org>; Mon,  3 Nov 2025 20:59:37 +0000 (UTC)
Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com
 [209.85.216.45])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.2245.1762203572819207014
 for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:32 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=apZEDkrX;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.45,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f45.google.com with SMTP id
 98e67ed59e1d1-340c39ee02dso2127428a91.1
        for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762203572;
 x=1762808372; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=8yYRl+fm3yp25/jQWj+Erez1PvA+Tpu7oWuqCN6Pya8=;
        b=apZEDkrXtm3H8dYM6Ldbx7l+zdwKPKE6V8pFAEOq5NnRXZclUhfoihR16FAwQF7itS
         9UojhpF9q3yHxu/2z979W2OXaFsXxvxL5Tyk11lcpNWuEl2fxvfA5qqzAF5Gikft1gVt
         QHaPKIoWQ1lYLE3FNOnuGAmEvoWvfH1dmvqNBPy6UcouBrW4xHBLgV2Q980u1UHdKEad
         X0DfCNydWZ4L0FBYUDcKd6QtcLmCLJgDTvrxaZf0lIO65vbcfiGvZuHQ5w8UlprAftja
         FHe2PlEjxTmKmzukYPPnnaIakPW/2EE3XJNh/RMiLohaTSxaWWbCmR/jWU6M0I25WkgZ
         jAfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1762203572; x=1762808372;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=8yYRl+fm3yp25/jQWj+Erez1PvA+Tpu7oWuqCN6Pya8=;
        b=Ql7sELjpEGIqwSnHoObw5MpYo7VTdDDfFDk47dI1FU3zvUqUTin7F94HmFefarhuPa
         Dp/LCy+GPXmiWMa7DI8WMMg+iwYfh+z+a2rPUoFUu+OngjQJU8jDjfiD+xdNUjyKuEsI
         XmU0BxP0ffXpqT3YwIdhDXIxRRvEQ5xmFikQn+Ut6zDCqCiIUJZ2XbQupXZc8XfJvRZK
         Rj+z2UeVEtfLSv9SqeTTqgDtu9lh7ZVV6uSmH7QopQqwz5hVuaXh+V1132rxxWmsPi4V
         8oB1VAO2eKK2n0eOcwvCzvRLFKGJZ2K7Hsw1AZ3kgNYkMOtw8sgI87Fmes5zleXa+9PK
         hhHw==
X-Gm-Message-State: AOJu0Yw+feP22ql/dH81384Y/WxreZVmHz/35Z0wA2kEr3cxJ0EOmHlr
	7gmB4ecdLQLFhjuxy0NA1KGGxjk/dBBSM3VcXCFWCH2Qzk6hQRoVBY+i2+clRrhsMiXUpcsYHmB
	HJa+Ob0w=
X-Gm-Gg: ASbGncuV1cQOTulyr/fs03LTfLThUzWjRgd6UvL7mW5ScJVBLWHukz4cpTII13al+uE
	HY9znut2SDJAgQvuzxcwrsh2/u0gkeWVDNSFtHUAUOQ5oRdE5eYeJ37PHyCRlkboVkhUjNhZV83
	oKn1BYyfrdv1us+4HPckkvEMAgipL1DKYSENUEFHfbosSipcz8Fiklu3+6C4xnVOglnkIxToLs0
	T+edngR5NSVWMiFLUy1dcZh5IagQsNfYveKpFfQEhhBiPGqRNaB29uBaoTtx59UewiOcG/LPnjS
	yeFarNVRi+12Yte3sEYEisB2EMt/fBTfH6Y6BbMvRPYqA5BtjxXb8vrOf/jUm/ZlHjkAHMlgp4i
	kkGHksJKYx9tlHuGY1SnYLgp26Tzv4wEM8tFMsTLiJWPbjybQ8WE6czT5SLx1KXociQg=
X-Google-Smtp-Source: 
 AGHT+IF/QUNsqvZMGpjkL51h+rOAPJlk8UAEJQOfPHXpISSw1sm7AurzrGzmXPpRnAkbC/VKYnohVg==
X-Received: by 2002:a17:90a:ec84:b0:329:d8d2:3602 with SMTP id
 98e67ed59e1d1-340830745a8mr19743949a91.17.1762203571971;
        Mon, 03 Nov 2025 12:59:31 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:6a2d:a521:f4d2:20a3])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-3415b02891asm2024911a91.9.2025.11.03.12.59.31
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 03 Nov 2025 12:59:31 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 3/8] wpa-supplicant: patch CVE-2025-24912
Date: Mon,  3 Nov 2025 12:59:10 -0800
Message-ID: 
 <d0907754e0b44c5e41242bc1603278f86101fa31.1762203396.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1762203396.git.steve@sakoman.com>
References: <cover.1762203396.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 03 Nov 2025 20:59:37 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225699

From: Peter Marko <peter.marko@siemens.com>

Pick patches as listed in NVD CVE report.

Note that Debian lists one of the patches as introducing the
vulnerability. This is against what the original report [1] says.
Also the commit messages provide hints that the first patch fixes this
issue and second is fixing problem with the first patch.

[1] https://jvn.jp/en/jp/JVN19358384/

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../wpa-supplicant/CVE-2025-24912-01.patch    | 79 +++++++++++++++++++
 .../wpa-supplicant/CVE-2025-24912-02.patch    | 70 ++++++++++++++++
 .../wpa-supplicant/wpa-supplicant_2.10.bb     |  2 +
 3 files changed, 151 insertions(+)
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
new file mode 100644
index 0000000000..8976047f68
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
@@ -0,0 +1,79 @@
+From 726432d7622cc0088ac353d073b59628b590ea44 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 25 Jan 2025 11:21:16 +0200
+Subject: [PATCH] RADIUS: Drop pending request only when accepting the response
+
+The case of an invalid authenticator in a RADIUS response could imply
+that the response is not from the correct RADIUS server and as such,
+such a response should be discarded without changing internal state for
+the pending request. The case of an unknown response (RADIUS_RX_UNKNOWN)
+is somewhat more complex since it could have been indicated before
+validating the authenticator. In any case, it seems better to change the
+state for the pending request only when we have fully accepted the
+response.
+
+Allowing the internal state of pending RADIUS request to change based on
+responses that are not fully validation could have allow at least a
+theoretical DoS attack if an attacker were to have means for injecting
+RADIUS messages to the network using the IP address of the real RADIUS
+server and being able to do so more quickly than the real server and
+with the matching identifier from the request header (i.e., either by
+flooding 256 responses quickly or by having means to capture the RADIUS
+request). These should not really be realistic options in a properly
+protected deployment, but nevertheless it is good to be more careful in
+processing RADIUS responses.
+
+Remove a pending RADIUS request from the internal list only when having
+fully accepted a matching RADIUS response, i.e., after one of the
+registered handlers has confirmed that the authenticator is valid and
+processing of the response has succeeded.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2025-24912
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius_client.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
+index 2a7f36170..7909b29a7 100644
+--- a/src/radius/radius_client.c
++++ b/src/radius/radius_client.c
+@@ -922,13 +922,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		       roundtrip / 100, roundtrip % 100);
+ 	rconf->round_trip_time = roundtrip;
+ 
+-	/* Remove ACKed RADIUS packet from retransmit list */
+-	if (prev_req)
+-		prev_req->next = req->next;
+-	else
+-		radius->msgs = req->next;
+-	radius->num_msgs--;
+-
+ 	for (i = 0; i < num_handlers; i++) {
+ 		RadiusRxResult res;
+ 		res = handlers[i].handler(msg, req->msg, req->shared_secret,
+@@ -939,6 +932,13 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 			radius_msg_free(msg);
+ 			/* fall through */
+ 		case RADIUS_RX_QUEUED:
++			/* Remove ACKed RADIUS packet from retransmit list */
++			if (prev_req)
++				prev_req->next = req->next;
++			else
++				radius->msgs = req->next;
++			radius->num_msgs--;
++
+ 			radius_client_msg_free(req);
+ 			return;
+ 		case RADIUS_RX_INVALID_AUTHENTICATOR:
+@@ -960,7 +960,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		       msg_type, hdr->code, hdr->identifier,
+ 		       invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
+ 		       "");
+-	radius_client_msg_free(req);
+ 
+  fail:
+ 	radius_msg_free(msg);
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
new file mode 100644
index 0000000000..f3cecd6d5f
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
@@ -0,0 +1,70 @@
+From 339a334551ca911187cc870f4f97ef08e11db109 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Wed, 5 Feb 2025 19:23:39 +0200
+Subject: [PATCH] RADIUS: Fix pending request dropping
+
+A recent change to this moved the place where the processed RADIUS
+request was removed from the pending list to happen after the message
+handler had been called. This did not take into account possibility of
+the handler adding a new pending request in the list and the prev_req
+pointer not necessarily pointing to the correct entry anymore. As such,
+some of the pending requests could have been lost and that would result
+in not being able to process responses to those requests and also, to a
+memory leak.
+
+Fix this by determining prev_req at the point when the pending request
+is being removed, i.e., after the handler function has already added a
+new entry.
+
+Fixes: 726432d7622c ("RADIUS: Drop pending request only when accepting the response")
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+
+CVE: CVE-2025-24912
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius_client.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
+index 7909b29a7..d4faa7936 100644
+--- a/src/radius/radius_client.c
++++ b/src/radius/radius_client.c
+@@ -824,7 +824,7 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 	struct radius_hdr *hdr;
+ 	struct radius_rx_handler *handlers;
+ 	size_t num_handlers, i;
+-	struct radius_msg_list *req, *prev_req;
++	struct radius_msg_list *req, *prev_req, *r;
+ 	struct os_reltime now;
+ 	struct hostapd_radius_server *rconf;
+ 	int invalid_authenticator = 0;
+@@ -887,7 +887,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		break;
+ 	}
+ 
+-	prev_req = NULL;
+ 	req = radius->msgs;
+ 	while (req) {
+ 		/* TODO: also match by src addr:port of the packet when using
+@@ -899,7 +898,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		    hdr->identifier)
+ 			break;
+ 
+-		prev_req = req;
+ 		req = req->next;
+ 	}
+ 
+@@ -933,6 +931,12 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 			/* fall through */
+ 		case RADIUS_RX_QUEUED:
+ 			/* Remove ACKed RADIUS packet from retransmit list */
++			prev_req = NULL;
++			for (r = radius->msgs; r; r = r->next) {
++				if (r == req)
++					break;
++				prev_req = r;
++			}
+ 			if (prev_req)
+ 				prev_req->next = req->next;
+ 			else
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
index fbbbebc450..50ac901cba 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -43,6 +43,8 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
            file://CVE-2022-37660-0003.patch \
            file://CVE-2022-37660-0004.patch \
            file://CVE-2022-37660-0005.patch \
+           file://CVE-2025-24912-01.patch \
+           file://CVE-2025-24912-02.patch \
            "
 SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
 

From patchwork Mon Nov  3 20:59:11 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 73566
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A2F81CCFA04
	for <webhook@archiver.kernel.org>; Mon,  3 Nov 2025 20:59:37 +0000 (UTC)
Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com
 [209.85.216.47])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.2246.1762203574352588448
 for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:34 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=1lFNQYUT;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.47,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f47.google.com with SMTP id
 98e67ed59e1d1-34029cd0cbdso4570006a91.3
        for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762203574;
 x=1762808374; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=GGvCKDoNBy3QOXCjC11M38+pZzutqdle4zV/UT4oXrw=;
        b=1lFNQYUTbp53y1D4NOGfGCwj3ErqDKASXL0sWYHxu7jF/DRE5YI6p5WEIkAHEV3niW
         EqNLvG0XFHhF1n/hs0AsRvgX/4VHJhfQBxFq+QWBNdksifhreSu4MW8BSRN44tMiSDcY
         yp+ACrOR1Y+RGHGPPJHM5eu74LWuzd0P/FhXJwHeCn3RYGYIuUEnDGybnQoGuDhVJOrY
         xS39zfwr/NMk5xt/2rKIDCBiOjsSi+yTsMvc5K3+plwtpM4GO/e2N4tREi0MhderGUeM
         Lg21wQUzmCIr+fMfYC+nkm2HNc7aLkDghMDI2C8J6oLRiFSiEvw4b1NkGoofog4ipdin
         uIDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1762203574; x=1762808374;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=GGvCKDoNBy3QOXCjC11M38+pZzutqdle4zV/UT4oXrw=;
        b=E5EWWb/SUY9VqkEmT+GCCJ8D5zWz/U/+feYRbDzZuRx5NqNxfvzzV6eUE/bzVXbxlW
         Ld954tyACqb6Cbz87lL2xnjBZd6FO4TS9pdl38gs87DKhgZsWRbQYd0pDW2COUz7xlAB
         u5cThJUwus68EWKrOQ53xrnWN5zOtmUZTY1o00Wy5iIvDmvKHGmrpqzkByKbMJBsO9eR
         I6HG0XXZJ7HMFp95IQFcBtXRlFxsuAIGZHXNL2drQC8uFyVkyftZFGptGVH9mZyIelr+
         Ava4Q3J4IGz+cqeRSvF5Bb5339X38yBzGGO03YXKNIPRDY8YNWJ6MwDvd9op2Xp+TRnc
         5/Eg==
X-Gm-Message-State: AOJu0YyM+vQ8L6gB6uXHgmLt9NpDfuh6h4ZPe1AfbUk7O6kBn5Einlbf
	puSuieD6cZVfS8/mqPQi/u1hYFAWC9onFY7nH32aaBcOwQUCpRLllGhKMAaUj4/SmqA+XNk5NGC
	f/hQZVxQ=
X-Gm-Gg: ASbGncumNquOIYmMVnemmk+D9FOAacoq+v4IF/kv4I2nvQzqPabYnxPCeSCT2biCWPG
	War9958eb3EHsTepGBG5s9879bGCHfi0NWN7ekA8KP9Yvcxmbqjhq0gDJXqvcw79L+19rAyfHVT
	IfxCHQqvAEJXwoZbJpmQubGrfVLDSqEdnSI1xok9wE4+WTI+bbO4f6Elkqk5D4kr7Fz2MWWyGRd
	wq0XINcrabEr8aKPGBhxU2oArmYkYZNHDqM+DD4GKQngoBTYS5DJmZT0nTl7SPac/O9dTpZliMZ
	ZX1zg4oj6eRUx1vxU1n134BTCSgOBxGfGsQXRSOqj/Q9YG/yFr1bfLcXA5VU4v7/FSm1PlsNzpj
	K56fWexfYCT60VXT9Cv5PYJRAs/OqcBpKgK7YExR2xkycfsgWtRUtrKkKYlVLJSA8Okw=
X-Google-Smtp-Source: 
 AGHT+IHqGlLVzpD4OoUOECQFTTAsOvFBCChmFmDQCQNgWKGPsP8XDwrDlf5/X2vVK+LuZQqSd+FVLQ==
X-Received: by 2002:a17:90b:258c:b0:341:6164:c27d with SMTP id
 98e67ed59e1d1-3416164d3d3mr2178373a91.3.1762203573641;
        Mon, 03 Nov 2025 12:59:33 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:6a2d:a521:f4d2:20a3])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-3415b02891asm2024911a91.9.2025.11.03.12.59.33
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 03 Nov 2025 12:59:33 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 4/8] binutils: patch CVE-2025-11412
Date: Mon,  3 Nov 2025 12:59:11 -0800
Message-ID: 
 <9130f3471f4814979cfdfa66ca118929f240cb30.1762203396.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1762203396.git.steve@sakoman.com>
References: <cover.1762203396.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 03 Nov 2025 20:59:37 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225700

From: Peter Marko <peter.marko@siemens.com>

Pick commit per NVD CVE report.

(From OE-Core rev: 6b94ff6c584a31d2b1e06d1e1dc19392d759b4b7)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.38.inc                |  1 +
 .../binutils/binutils/CVE-2025-11412.patch    | 35 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index ade69881a1..39f2827f78 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -84,5 +84,6 @@ SRC_URI = "\
      file://0045-CVE-2025-11083.patch \
      file://0046-CVE-2025-11081.patch \
      file://0047-CVE-2025-8225.patch \
+     file://CVE-2025-11412.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
new file mode 100644
index 0000000000..19a630b863
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
@@ -0,0 +1,35 @@
+From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 25 Sep 2025 08:22:24 +0930
+Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry
+
+Limit addends on vtentry relocs, otherwise ld might attempt to
+allocate a stupidly large array.  This also fixes the expression
+overflow leading to pr33452.  A vtable of 33M entries on a 64-bit
+host is surely large enough, especially considering that VTINHERIT
+and VTENTRY relocations are to support -fvtable-gc that disappeared
+from gcc over 20 years ago.
+
+	PR ld/33452
+	* elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
+
+CVE: CVE-2025-11412
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 54f0d6e957e..0a0456177c2 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -14407,7 +14407,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec,
+   const struct elf_backend_data *bed = get_elf_backend_data (abfd);
+   unsigned int log_file_align = bed->s->log_file_align;
+ 
+-  if (!h)
++  if (!h || addend > 1u << 28)
+     {
+       /* xgettext:c-format */
+       _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),

From patchwork Mon Nov  3 20:59:12 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 73563
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 955C3CCFA03
	for <webhook@archiver.kernel.org>; Mon,  3 Nov 2025 20:59:37 +0000 (UTC)
Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com
 [209.85.210.173])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.2247.1762203576661307495
 for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:36 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=dI0Jg1UU;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.173,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f173.google.com with SMTP id
 d2e1a72fcca58-7930132f59aso6891515b3a.0
        for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762203576;
 x=1762808376; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=cuXNNoOnf/N4PPPt3nT3XdSn8s9ATKupZLau7hbXZOI=;
        b=dI0Jg1UUNcNE7AIoc74r6K9S43BFack0DyFagaeWjO1CPGguDGa8bfWfqiTLVQrmf6
         6Bj2/hVtyQXMcpnhcGER0W1Is76ljhdONqotRlT58WtoI/QKO+vOmb6lFcmOaJMk3N0v
         W+2K/LLJDiKjqTaf8+dSCyU0162DhOFbQj/yb2uayujxobYHiaHYG1rIttXu+zg61TJ9
         uuBiN7+hW6h/lMhaJdvesBtY98VPME/jwAooOBpBzmg8cIMUfk4zR4RcLa52TNtqZnIt
         6ixz8Dh5+Wf2T1Fobu3Bp3rBWGRlSlrVAnyb6dv7c7kgQIybIoI0kn0rZVx30FliDCPy
         wNHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1762203576; x=1762808376;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=cuXNNoOnf/N4PPPt3nT3XdSn8s9ATKupZLau7hbXZOI=;
        b=NT/OB2eHj+2+kHcNK79Ebdf7NZeMvvUYWr7ibb9p14Op10xEuCZ1va7uU/cGLYn1Jx
         8uOFQTfk9gQIoPbHGS/sWwVymeIwNxQBfXh0q7dp5/3ICbGaPwLFsypAIRvSxqT34rMh
         XZawJq3Bq4RkWuFaJIIOnSgSqzPS01kKj95mWIjpvzX5FG2tbQTgVynAn36H1A9ZmqtM
         kbdb1s3X2+sqxEd6wMtnJG/V7OKE7jgO3cIlTW4TPuSCbh78dIFG7E2MxQkQkYpll1h6
         aCO/afQFR8B6iUNeosWFnDIzjAcrNYWbxfpU2Sm83KmbQTY0LR7ObgafYtfrYIADufnJ
         WGRw==
X-Gm-Message-State: AOJu0YwVjpWhlf/lYN97St+sgwEBYMi2UhNvm0QzO33+d2TifmgjuhbH
	MzLRT1h65hhK0V1lIkjVEPYuQtav5zkzbYqkpzTIatL3qmv57BT8Qa1khIbDbJ3o6L0N0JxUQks
	dztLsnvI=
X-Gm-Gg: ASbGncuqZ+8vX2mvAX6AVXbN8YPju/6ybwf84nCK76IAQdf0v6acuASFMLrU28QWCl9
	P57pP4tqQkSE0zCnns4SANYrHBww4PDIAdaJQUGc5y0X3Hm3ovaSJhygKB9i0wEpNGAQYDBJptG
	/VTPt9Vhff3gCwZfH0311iQk26gjl36NIpeAgIZf9aAgQ7D2F8tRUiWtF2K1NqLyc04oAp/Cwqd
	sZ/snF+tXTB/gZFKWmTSA2cL6szPMtfvPOhYC9I/0L/I4adiux0dPM6l3bwUa6yLgLUg+MS1R0e
	MZxEoRXZ1ic6B92o/acI3PsJkKPFD2/ARnIpVL+xLc6GRHi9vLsN4ZxOBtKusietwqzLmMfct1B
	jMXYwMfFB2ETs1HCd/6+2mLEDyEawNrJTdiDTB/MmIsPvg0nZlOgcFDKDdta50zqxIPcCWOp8Xq
	mwsMTz9TpqlFpi
X-Google-Smtp-Source: 
 AGHT+IFCAfsTsQfJFmWpqDo3qsb8pCrwwdbN/59NZEumdWcJIY+zV+/uoqBoftvnfCdezg3C82PMJQ==
X-Received: by 2002:a05:6a20:a10c:b0:341:4171:b5ae with SMTP id
 adf61e73a8af0-348cce0aa9emr17587081637.52.1762203575925;
        Mon, 03 Nov 2025 12:59:35 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:6a2d:a521:f4d2:20a3])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-3415b02891asm2024911a91.9.2025.11.03.12.59.34
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 03 Nov 2025 12:59:35 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 5/8] binutils: patch CVE-2025-11413
Date: Mon,  3 Nov 2025 12:59:12 -0800
Message-ID: 
 <8d1a830c713a299f67fc512ed8bc0be21be4b9f0.1762203396.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1762203396.git.steve@sakoman.com>
References: <cover.1762203396.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 03 Nov 2025 20:59:37 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225701

From: Peter Marko <peter.marko@siemens.com>

Pick commit per NVD CVE report.

Note that there were two patches for this, first [1] and then [2].
The second patch moved the original patch to different location.
Cherry-pick of second patch is successful leaving out the code removing
the code from first location, so the patch attached here is not
identical to the upstream commit but is identical to applying both and
merging them to a single patch.

[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=1108620d7a521f1c85d2f629031ce0fbae14e331
[2] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0

(From OE-Core rev: 98df728e6136d04af0f4922b7ffbeffb704de395)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.38.inc                |  1 +
 .../binutils/binutils/CVE-2025-11413.patch    | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 39f2827f78..d5ad3c0ecb 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -85,5 +85,6 @@ SRC_URI = "\
      file://0046-CVE-2025-11081.patch \
      file://0047-CVE-2025-8225.patch \
      file://CVE-2025-11412.patch \
+     file://CVE-2025-11413.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
new file mode 100644
index 0000000000..bfd1be7787
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
@@ -0,0 +1,38 @@
+From 72efdf166aa0ed72ecc69fc2349af6591a7a19c0 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 25 Sep 2025 10:41:32 +0930
+Subject: [PATCH] Re: elf: Disallow the empty global symbol name
+
+sparc64-linux-gnu  +FAIL: selective2
+sparc64-linux-gnu  +FAIL: selective3
+
+	PR ld/33456
+	* elflink.c (elf_link_add_object_symbols): Move new check later
+	to give the backend add_symbol_hook a chance to remove symbols
+	with empty names.
+
+CVE: CVE-2025-11413
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elflink.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 0a0456177c2..5c8b822e36a 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -4931,6 +4931,13 @@ elf_link_add_object_symbols (bfd *abfd, struct bfd_link_info *info)
+ 	    continue;
+ 	}
+ 
++      if (name[0] == '\0')
++	{
++	  _bfd_error_handler (_("%pB: corrupt symbol table"), abfd);
++	  bfd_set_error (bfd_error_bad_value);
++	  goto error_free_vers;
++	}
++
+       /* Sanity check that all possibilities were handled.  */
+       if (sec == NULL)
+ 	abort ();

From patchwork Mon Nov  3 20:59:13 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 73568
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id AAB98CCFA04
	for <webhook@archiver.kernel.org>; Mon,  3 Nov 2025 20:59:47 +0000 (UTC)
Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com
 [209.85.210.181])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.2250.1762203578607190744
 for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:38 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=e67P7U97;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.181,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f181.google.com with SMTP id
 d2e1a72fcca58-7aab061e7cbso2067862b3a.1
        for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762203578;
 x=1762808378; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=de7N/XhamQM8wU5w8codXLSzfpje8MKOLouEZgGinRs=;
        b=e67P7U97zQjWqysVGOE1KB7o+idXJvtgmzbFZRZzuzIuAnbu1RAsYEE8A5PpjcQoQY
         4nFhnbarqdrvBwujl2TD/dAvAjpqwYnjp32JNamR9/DwnztsYTQcUMK1RChKMYOLqbLs
         H0JMnTQ/m3UfUQLcNXBYBHQo99sxijYCopQ4/foN8SYu2z6S3S94hMRuw6TmXabyoMWl
         HdmqnpXqLCbom0k8h0MQsVFOuN1iDD+rTFfinAJ455Qgu9X3/f8NLeA/FYhuh2tmOIs/
         19cXAqtJSU1N6VYYVyWTQDrX7OjX/TLxLb81T14MBe6/stk2vB1sU3oLhnkMIuvOuRG8
         0Xmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1762203578; x=1762808378;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=de7N/XhamQM8wU5w8codXLSzfpje8MKOLouEZgGinRs=;
        b=PWtZzhu6Crg9iph1ZpJ/Nf5iOloIkkhlaLPBWLCKQKUfKDhMDPa3LlfxStifED915G
         bs8MWN6xiJL4AcPzep4sKoiuj50ZimI24EqTPCyoTDWuiMNNvbXYxd2ltm1hmUZr00Hs
         8VerKiNs8/wawdMmvsaAn2IQxOQLX/+SCM0lQ0errmU1sEoMf05L+fKpJaWNjXEEl4h5
         M1rf9GSuaXG+kfqjhcYdtJIf2jfg0oEnhjzdLxRTHSw6g6K7oolL3OEG7MM7c4yZBmwc
         xprLAV+D+zpZYkk+MiGLUxdOy+78oE5BXaKmfk++xGuagAmoC8G03NvfJWfNtaF3bXUQ
         JTRA==
X-Gm-Message-State: AOJu0YyG+yJyjXU7XHCduzvajXaPccNIvyCe5PtJ8HUa5wcJ0d3C8x6K
	ugSHjL5/ObjF9+3/1xlEM9tyLEntmJ86GcyF6UgRLo37P1Ont/GRi26vH7uzuKc+MWx21eAXcED
	p7jC1CEo=
X-Gm-Gg: ASbGnct3LW5jsqj3+RWfbFkpuofsesc+5nTC504HpNdxT8fjqJKR++Cusx5FGMyKeo6
	ConXg9GrpHgRnSb43x9E+6yAPCCkZoHjHRgjnIs1fcFSkc+q0DCSjT1MmUxF9Vf5MGVwb8Wb6cz
	wjQ5InxaXZDInA8P/0quabc7poRm5mT0tLiTQATtqCoLigXEeF25XMyYr9+tbAByGikRLVwQpbT
	q/O17fUQOUmGHhtR9rO0VB9m4LZCp9zW11UehdVJBLpeT03p4vWVq8E+GrkiGvZGIAE1vItKLg1
	+LkwCInyYogQdLHHTIibnh+ogfREF4Kt5y9Fa8rzTj8N+aDXczW05zAQ6BD4Xnh4MCR30mQFLGo
	00u2TmUOEAaCC7rwfFPEAziylDxbZXe4XU/DgBSQuCkSWjdTuZggB/Gz8mF/AaSYp8G7qI8qpZF
	tuuw==
X-Google-Smtp-Source: 
 AGHT+IGVO75BUuCr44ZLOAR3xLri9q/C598Ghz+elnEtPmjk2fAcZQutU2WglGXnelzlULeaeew2ig==
X-Received: by 2002:a05:6a20:430d:b0:343:55a9:3ebf with SMTP id
 adf61e73a8af0-348ca763736mr18504922637.16.1762203577791;
        Mon, 03 Nov 2025 12:59:37 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:6a2d:a521:f4d2:20a3])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-3415b02891asm2024911a91.9.2025.11.03.12.59.36
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 03 Nov 2025 12:59:37 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 6/8] go: fix CVE-2024-24783
Date: Mon,  3 Nov 2025 12:59:13 -0800
Message-ID: 
 <b7d89fae22b317199b8f72978712075078a17005.1762203396.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1762203396.git.steve@sakoman.com>
References: <cover.1762203396.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 03 Nov 2025 20:59:47 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225702

From: Hitendra Prajapati <hprajapati@mvista.com>

Upstream-Status: Backport https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.21/CVE-2024-24783.patch           | 83 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index aab8e85c22..465f24e108 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -68,6 +68,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
            file://CVE-2025-47907-pre-0002.patch \
            file://CVE-2025-47907.patch \
            file://CVE-2025-47906.patch \
+           file://CVE-2024-24783.patch \
            "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch
new file mode 100644
index 0000000000..952258be20
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch
@@ -0,0 +1,83 @@
+From be5b52bea674190ef7de272664be6c7ae93ec5a0 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 18 Jan 2024 12:51:13 -0800
+Subject: [PATCH] [release-branch.go1.21] crypto/x509: make sure pub key is
+ non-nil before interface conversion
+
+alreadyInChain assumes all keys fit a interface which contains the
+Equal method (which they do), but this ignores that certificates may
+have a nil key when PublicKeyAlgorithm is UnknownPublicKeyAlgorithm. In
+this case alreadyInChain panics.
+
+Check that the key is non-nil as part of considerCandidate (we are never
+going to build a chain containing UnknownPublicKeyAlgorithm anyway).
+
+For #65390
+Fixes #65392
+Fixes CVE-2024-24783
+
+Change-Id: Ibdccc0a487e3368b6812be35daad2512220243f3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2137282
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173774
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Carlos Amedee <amedee@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569238
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+CVE: CVE-2024-24783
+Upstream-Status: Backport [https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/crypto/x509/verify.go      |  3 +++
+ src/crypto/x509/verify_test.go | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
+index 9ef1146..3e95808 100644
+--- a/src/crypto/x509/verify.go
++++ b/src/crypto/x509/verify.go
+@@ -819,6 +819,9 @@ func (c *Certificate) buildChains(cache map[*Certificate][][]*Certificate, curre
+ 	)
+ 
+ 	considerCandidate := func(certType int, candidate *Certificate) {
++		if candidate.PublicKey == nil {
++			return
++		}
+ 		for _, cert := range currentChain {
+ 			if cert.Equal(candidate) {
+ 				return
+diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
+index 9954a67..9da39ca 100644
+--- a/src/crypto/x509/verify_test.go
++++ b/src/crypto/x509/verify_test.go
+@@ -1968,3 +1968,22 @@ func TestSystemRootsErrorUnwrap(t *testing.T) {
+ 		t.Error("errors.Is failed, wanted success")
+ 	}
+ }
++
++func TestVerifyNilPubKey(t *testing.T) {
++	c := &Certificate{
++		RawIssuer:      []byte{1, 2, 3},
++		AuthorityKeyId: []byte{1, 2, 3},
++	}
++	opts := &VerifyOptions{}
++	opts.Roots = NewCertPool()
++	r := &Certificate{
++		RawSubject:   []byte{1, 2, 3},
++		SubjectKeyId: []byte{1, 2, 3},
++	}
++	opts.Roots.AddCert(r)
++
++	_, err := c.buildChains(nil, []*Certificate{r}, nil, opts)
++	if _, ok := err.(UnknownAuthorityError); !ok {
++		t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{})
++	}
++}
+-- 
+2.50.1
+

From patchwork Mon Nov  3 20:59:14 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 73570
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B7529CCF9F8
	for <webhook@archiver.kernel.org>; Mon,  3 Nov 2025 20:59:47 +0000 (UTC)
Received: from mail-pg1-f169.google.com (mail-pg1-f169.google.com
 [209.85.215.169])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.2251.1762203579846927597
 for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:39 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=h4RGKS/b;
 spf=softfail (domain: sakoman.com, ip: 209.85.215.169,
 mailfrom: steve@sakoman.com)
Received: by mail-pg1-f169.google.com with SMTP id
 41be03b00d2f7-b9ef786babcso743009a12.1
        for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762203579;
 x=1762808379; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=1QoNwecra9WX63w380qJnJM/RNRjimOYN7ObQ76YVCI=;
        b=h4RGKS/bCLTj3PCn7QFd8o8x99nEH7qlkUFWPZ/V3XYZmLgn1xntFqpfWykLKrGoxY
         fL//7aSdUpgOwEqJ9G9uxu9XUXvzoqGe0iF7TGv+smYiie9gnjJFo/GvnceByWR4LCbr
         IaIt44irQYGdZz4tnAdLuzMKRm7NylFnnB/emDmApPkD81y8qT3I6is1O+aJT4AjsiT3
         JVhiZ0hyDK+l8yLhf99Rb33r3ii3brGabMtf9nB0qoChrwO+SxBUzbzydzoK9LhdzvYu
         eXVNR52MwtKD8vuyvi9RYtjkBTGvFEby3EcTEHf0eJBaWgq6z3dPkoY6FgK+r8x33MGg
         luJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1762203579; x=1762808379;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=1QoNwecra9WX63w380qJnJM/RNRjimOYN7ObQ76YVCI=;
        b=n/gP7s0VZJCiTNjHeIO28ZuFp5iDORA8JylVXppdgnGq51zX5FJqROBH0fvhKtMrtz
         lzybLJdLDI8QPn1XgbBXGcSocO/h5xqawS5GIFzQfOH4Gu6WawDWG6vs6uRh7pQHGRm3
         gFFLNSpOqL3EL8TeXg3/7GIVqWIA+JnDmMvFrPLY/uXRpbAncveTKoH84UGN+lWcRzAJ
         cFdcDRx2CxD2e1tHta2R9b7++zznS5Wb8Bzbu3lytEvOIdejiHLRtwlm3edEn1YwFDhG
         DHtJO39H46JGqB4i9NOVi4qUx5qw088J3YPj+EdF0PMKTtyY0qOKQZo5pc28+RunwXGa
         lMkg==
X-Gm-Message-State: AOJu0Yxf3vYVMFIldHnmgPY0B3ym3elAJffEI/CP7joo02JYBx3p7YEN
	EjV0VZIWVGOPYSMloUWa2NE1TT+PCyVZcF8ufB3vQ7xComB/gKQPR+jCJ+nFPE0bkMvA49EjsXt
	lFqYv7eg=
X-Gm-Gg: ASbGnctS01ELQj3AzppllK5gnL3pwGcoWgCKLJP3DtMBJDQ/KlXo5MMStUm9vlRZYpA
	kyY0EB4Tbj9wQtQLod8vwelaXMo7eca7qF6oZMryr2N0E96OY2lzNpz7Wjsn7CXGepa5GzvVLt/
	hhxhTi6bXMt5zq8lNBmMXhC0ZbnpraWWbwWUzEefX8MJJyf9sAB8Bt/SbFdmRAlLzfVZW3+r4Tz
	ekwAwbKN/TYasdmtrd9B/hm204mHful8BH7HiEXmYtzIh40kt47uvRIp/km9i3tsPjk95U6vKCF
	DVv9YmxFUZ92PgQmLgfsI1rpu9yZL83l4lIXaAo5MhvWthgE2QTY2XWpSBdHFzTnp1J2YzKml/A
	meXyYbqfIvKZGfpkQlQFefnB6U/vguyYu8mG9+Ibou9/BQ7dDQxDhd23n6skI5gieFezIkAkEUq
	MzS5iwuPt/6XWT
X-Google-Smtp-Source: 
 AGHT+IFI/wm1c1PofR6MZdxy3H5knbYMrMMOCJ1/K1nlDrSA7ypRxpzGYsdc8qwJGZZvFFcgzGpI3g==
X-Received: by 2002:a17:903:41cb:b0:295:9c48:96c0 with SMTP id
 d9443c01a7336-2959c489ae2mr85874515ad.5.1762203579120;
        Mon, 03 Nov 2025 12:59:39 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:6a2d:a521:f4d2:20a3])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-3415b02891asm2024911a91.9.2025.11.03.12.59.38
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 03 Nov 2025 12:59:38 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 7/8] bind: upgrade 9.18.33 -> 9.18.41
Date: Mon,  3 Nov 2025 12:59:14 -0800
Message-ID: 
 <deca51264991a2f6c6e450f8fa8b4a233280b700.1762203396.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1762203396.git.steve@sakoman.com>
References: <cover.1762203396.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 03 Nov 2025 20:59:47 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225703

From: Praveen Kumar <praveen.kumar@windriver.com>

This upgrade fixes
CVE-2025-8677,CVE-2025-40778 and CVE-2025-40780.

Changelog
==========
https://downloads.isc.org/isc/bind9/9.18.41/doc/arm/html/changelog.html

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../bind/{bind_9.18.33.bb => bind_9.18.41.bb}                   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind_9.18.33.bb => bind_9.18.41.bb} (97%)

diff --git a/meta/recipes-connectivity/bind/bind_9.18.33.bb b/meta/recipes-connectivity/bind/bind_9.18.41.bb
similarity index 97%
rename from meta/recipes-connectivity/bind/bind_9.18.33.bb
rename to meta/recipes-connectivity/bind/bind_9.18.41.bb
index ceea149699..0e557163d5 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.33.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.41.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "fb373fac5ebbc41c645160afd5a9fb451918f6c0e69ab1d9474154e2b515de40"
+SRC_URI[sha256sum] = "6ddc1d981511c4da0b203b0513af131e5d15e5f1c261145736fe1f35dd1fe79d"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2

From patchwork Mon Nov  3 20:59:15 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 73569
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id AAB58CCFA03
	for <webhook@archiver.kernel.org>; Mon,  3 Nov 2025 20:59:47 +0000 (UTC)
Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com
 [209.85.214.180])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.2252.1762203581805910393
 for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:41 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=Q5gv6+Jj;
 spf=softfail (domain: sakoman.com, ip: 209.85.214.180,
 mailfrom: steve@sakoman.com)
Received: by mail-pl1-f180.google.com with SMTP id
 d9443c01a7336-295df6ad56cso8832995ad.3
        for <openembedded-core@lists.openembedded.org>;
 Mon, 03 Nov 2025 12:59:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762203581;
 x=1762808381; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=mHM+X2r5IhHYUn+yN2XwHFIZ5PEZtQ/bTkqL64aMuzw=;
        b=Q5gv6+JjG1W2vqsr06z2XRAgJyWhDyqvKLA1AnIMXA5gQyvTwpFfpcaYSAuc46fyVp
         aeyVsoYPccrAVjViQXE1DX5+lqZpg0us54fNXylv5q8V4dPMWNMXY7EJkICo3KiFw55y
         J533+X+jXTh8aX9e0QRv+M7sUfvO05D9xVefvzAgHxLPsOMhcoIQGgbVVzE6wNeKxqJE
         pNfD3xK9eevE44GdzVNuJvcR/UeRnNKIy2gxpbIJPMGP4LKrxhYnfH7XWb7vDsxXJwUF
         F+41uxfyVIXgkXXXHLn/uONhTrRNWU12Up0qUYOgzI4SJmix6OiGqCn2SH+2Cng7oJE9
         51dw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1762203581; x=1762808381;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=mHM+X2r5IhHYUn+yN2XwHFIZ5PEZtQ/bTkqL64aMuzw=;
        b=V0AP1tE9hi8CfDZ44p7oXdPI82JEF60rOQP3twXE7RdlW7NVdg2sfHRExNj372uVvn
         HrhpRMCNNrlntpeB3bJ6nsQUNfefDitgTFcShwylUIWiHeOnKUXHOKgq+KA2BLrWOLAS
         //furVfpnu4ChqMOtUNcfQebIvCueppR04VTPBV60yCAuuAl14rBl4pupBwsRL+vSTv1
         oCg0ZmmqxXvLeYX+GNUWiGkTwL3KRrjlv094I9cBdLF2wiCsj1CXz1Xx0DYnmMH1QGWL
         axEfvsyG8uHSWPgIgcaQNMDmN8Pj2QTwvWOsQqsghv6nvn6NX07oG/mS5EcI3r+TLb2V
         QOrQ==
X-Gm-Message-State: AOJu0YxcubpnlUXB2Py2ZEsoX0Dfhm6zGASffV7NJE993jeqpSNwW7hu
	ziE+j3k1weOLa79qkMlWvoPqcflQGMHuLWAKjYTWHpg+/GTjtAzgSPnfdVXbb/2LbuH+1HRVvly
	lq+Q2Hjg=
X-Gm-Gg: ASbGncv3d5uZA2i0fqWFkU8gCnk/88BmDWlED0PzG1NwJGc8Pvp03ZCafXMAmHBShgH
	crX46UUjUTS7irJhCVgBiekur1Y/bJA9pNWlMg12ujKcfAWckHCI7aN6CZQJLIwLiZECGGMGfxd
	glIoOlYJMRyy+oFByy8OdY0Py3/mJad7qvyHJvPDWQ53vJdSqt9ibZxceeqq+KccjjhJJn6nYS3
	waGE1EtHDo3VyhOlm7x4h2+LOTMfMU/TmskRsf82p2reL2RHyADsW5LrLvC3y8XXSZyra/V8cZa
	EhZ06jOADzDEq9U4VU41vQbAi94U3zd4buBCJJrQnae39L1aC7CfYqeVU/LVAVB++v64A98YEzw
	0zx3Sok7YT20GlGNiDt4fQp8x22KA7EM2CCTkVaKAwXgQiw9v+kqQctwF5FN4o3f7Lzmywlibpq
	7bZQ==
X-Google-Smtp-Source: 
 AGHT+IGdjfNZwEH3bNNgDJs9t0QHZ0aRUs7ORyET388nVweTuL4rgH4rmyQIuyzB2HoZ3itka/Oo6w==
X-Received: by 2002:a17:902:cece:b0:295:5668:2f26 with SMTP id
 d9443c01a7336-295566831admr140127455ad.46.1762203580902;
        Mon, 03 Nov 2025 12:59:40 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:6a2d:a521:f4d2:20a3])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-3415b02891asm2024911a91.9.2025.11.03.12.59.40
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 03 Nov 2025 12:59:40 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 8/8] Don't use ftp.gnome.org
Date: Mon,  3 Nov 2025 12:59:15 -0800
Message-ID: 
 <1e1993b72f2b6109ce3d0ef950553b74b2b37b27.1762203396.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1762203396.git.steve@sakoman.com>
References: <cover.1762203396.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 03 Nov 2025 20:59:47 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/225704

From: Jason Schonberg <schonm@gmail.com>

http://ftp.gnome.org/pub/gnome redirects to https://download.gnome.org

 bitbake.conf defines ${GNOME_MIRROR} to be https://download.gnome.org/sources/

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/python/python3-pygobject_3.42.0.bb | 2 +-
 meta/recipes-devtools/vala/vala.inc                      | 2 +-
 meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb                 | 2 +-
 meta/recipes-gnome/libgudev/libgudev_237.bb              | 2 +-
 meta/recipes-support/libxslt/libxslt_1.1.35.bb           | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/recipes-devtools/python/python3-pygobject_3.42.0.bb b/meta/recipes-devtools/python/python3-pygobject_3.42.0.bb
index 360996dbb7..7798148094 100644
--- a/meta/recipes-devtools/python/python3-pygobject_3.42.0.bb
+++ b/meta/recipes-devtools/python/python3-pygobject_3.42.0.bb
@@ -15,7 +15,7 @@ DEPENDS += "python3 glib-2.0"
 SRCNAME="pygobject"
 
 SRC_URI = " \
-    http://ftp.gnome.org/pub/GNOME/sources/${SRCNAME}/${@gnome_verdir("${PV}")}/${SRCNAME}-${PV}.tar.xz \
+    ${GNOME_MIRROR}/${SRCNAME}/${@gnome_verdir("${PV}")}/${SRCNAME}-${PV}.tar.xz \
     file://0001-Do-not-build-tests.patch \
 "
 SRC_URI[sha256sum] = "9b12616e32cfc792f9dc841d9c472a41a35b85ba67d3a6eb427e307a6fe4367b"
diff --git a/meta/recipes-devtools/vala/vala.inc b/meta/recipes-devtools/vala/vala.inc
index 87d8fedc3f..3e5194e688 100644
--- a/meta/recipes-devtools/vala/vala.inc
+++ b/meta/recipes-devtools/vala/vala.inc
@@ -18,7 +18,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
 
 SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 
-SRC_URI = "http://ftp.gnome.org/pub/GNOME/sources/${BPN}/${SHRT_VER}/${BP}.tar.xz"
+SRC_URI = "${GNOME_MIRROR}/${BPN}/${SHRT_VER}/${BP}.tar.xz"
 inherit autotools pkgconfig upstream-version-is-even
 
 FILES:${PN} += "${datadir}/${BPN}-${SHRT_VER}/vapi ${libdir}/${BPN}-${SHRT_VER}/"
diff --git a/meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb b/meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb
index 3e974c91e5..e6c8e43923 100644
--- a/meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb
+++ b/meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb
@@ -2,7 +2,7 @@ require gtk+3.inc
 
 MAJ_VER = "${@oe.utils.trim_version("${PV}", 2)}"
 
-SRC_URI = "http://ftp.gnome.org/pub/gnome/sources/gtk+/${MAJ_VER}/gtk+-${PV}.tar.xz \
+SRC_URI = "${GNOME_MIRROR}/gtk+/${MAJ_VER}/gtk+-${PV}.tar.xz \
            file://0002-Do-not-try-to-initialize-GL-without-libGL.patch \
            file://0003-Add-disable-opengl-configure-option.patch \
            file://link_fribidi.patch \
diff --git a/meta/recipes-gnome/libgudev/libgudev_237.bb b/meta/recipes-gnome/libgudev/libgudev_237.bb
index 9ce43ce34b..4b4121980c 100644
--- a/meta/recipes-gnome/libgudev/libgudev_237.bb
+++ b/meta/recipes-gnome/libgudev/libgudev_237.bb
@@ -22,7 +22,7 @@ GIR_MESON_DISABLE_FLAG = 'disabled'
 
 GTKDOC_MESON_OPTION = "gtk_doc"
 
-UPSTREAM_CHECK_URI = "http://ftp.gnome.org/pub/GNOME/sources/libgudev/"
+UPSTREAM_CHECK_URI = "${GNOME_MIRROR}/libgudev/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>(\d+))"
 
 # This isn't a GNOME-style version do gnome_verdir fails. Just return the
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
index f1532a05c1..fc1fafbf19 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
 SECTION = "libs"
 DEPENDS = "libxml2"
 
-SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
+SRC_URI = "${GNOME_MIRROR}/libxslt/1.1/libxslt-${PV}.tar.xz \
            file://CVE-2024-55549.patch \
            file://CVE-2025-24855.patch \
            file://CVE-2023-40403-001.patch \