From patchwork Sat Feb 7 10:33:43 2026 X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80604
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 01/15] imagemagick: patch CVE-2025-66628 Date: Sat, 7 Feb 2026 11:33:43 +0100 Message-ID: <20260207103359.4177243-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Feb 2026 10:34:10 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124242 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66628 Pick the patch that refers to the relevant github advisory[1] explicitly in its commit message. [1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hjr-v6g4-3fm8 Signed-off-by: Gyorgy Sarvari --- .../imagemagick/CVE-2025-66628.patch | 27 +++++++++++++++++++ .../imagemagick/imagemagick_7.1.1.bb | 1 + 2 files changed, 28 insertions(+) create mode 100644 meta-oe/recipes-support/imagemagick/imagemagick/CVE-2025-66628.patch diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2025-66628.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2025-66628.patch new file mode 100644 index 0000000000..7894d12ab6 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2025-66628.patch 
@@ -0,0 +1,27 @@ +From 3853a72088f6a72fe3d7405655d8f9cbed605e75 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Tue, 2 Dec 2025 22:49:12 +0100 +Subject: [PATCH] Added extra check to avoid an overflow on 32-bit machines + (GHSA-6hjr-v6g4-3fm8) + +CVE: CVE-2025-66628 +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/bdae0681ad1e572defe62df85834218f01e6d670] +Signed-off-by: Gyorgy Sarvari +--- + coders/tim.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/coders/tim.c b/coders/tim.c +index 4c094ac5f..fcfd9266f 100644 +--- a/coders/tim.c ++++ b/coders/tim.c +@@ -231,7 +231,8 @@ static Image *ReadTIMImage(const ImageInfo *image_info,ExceptionInfo *exception) + (void) ReadBlobLSBShort(image); + width=ReadBlobLSBShort(image); + height=ReadBlobLSBShort(image); +- image_size=2*width*height; ++ if (HeapOverflowSanityCheckGetSize(2*width,height,&image_size) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (image_size > GetBlobSize(image)) + ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); + bytes_per_line=width*2; diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb index 99632967c2..40e57b7f1d 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb 
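Review bot: `2*width` is still evaluated outside the checked helper, so the new HeapOverflowSanityCheckGetSize(2*width,height,&image_size) call only guards the multiplication by height; that is sound here because width comes from ReadBlobLSBShort() and therefore fits in 16 bits, but the reasoning deserves a sentence in the patch header, and the unchanged `bytes_per_line=width*2;` two lines below relies on the same bound. Separately, the Upstream-Status line points at commit bdae0681ad1e572defe62df85834218f01e6d670 while the From line of the embedded patch carries 3853a72088f6a72fe3d7405655d8f9cbed605e75; please confirm both identify the same GHSA-6hjr-v6g4-3fm8 fix so the traceability the cover text asks for is preserved.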
@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt file://CVE-2025-57807.patch \ file://CVE-2025-62171.patch \ file://CVE-2025-65955.patch \ + file://CVE-2025-66628.patch \ " SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb" From patchwork Sat Feb 7 10:33:44 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80609 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43465EE0ACE for ; Sat, 7 Feb 2026 10:34:11 +0000 (UTC) Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.2752.1770460443810270804 for ; Sat, 07 Feb 2026 02:34:04 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=cv+PSol6; spf=pass (domain: gmail.com, ip: 209.85.221.45, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f45.google.com with SMTP id ffacd0b85a97d-4362d4050c1so1296244f8f.2 for ; Sat, 07 Feb 2026 02:34:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770460442; x=1771065242; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=u4OYaDRBcJ4lMPOIpCnvWAS0ok/vhSuVcfQYk7Mfdpg=; b=cv+PSol67LrNdxMW2SVtoM0Y9LxcDz42fq2iaTQmoYtMaFpA6XTWIC9Y+SGZOclYQE lAWvvJqvGbPzWDkJJzAOYBCSDOeSlf+JnQxT+H4r2KFwhS/M4yLZzsFYtHxyxzU4kIHO n24CmZO0H58VQBtk/3uZ1ox+K7BD28f8aeGOZu8qUHgK9IgRCVZ9t58AXnDyyE6K3cS/ IfJmV9u5YWkCrKRVPLI0bBUrTPSzMkVykGCT3D6ITYbHSIQZfmWs6nj5fts4CeDqeufV NFT8JYRnFD6Pj9Rbk3PM95hlQdA6OveZFwvqWlQrLwfe7KzW/YmSwyPIQg6vrPYw5g8b TPEA== X-Google-DKIM-Signature: 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 02/15] libcupsfilters: patch CVE-2025-64503 Date: Sat, 7 Feb 2026 11:33:44 +0100 Message-ID: <20260207103359.4177243-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com> References: <20260207103359.4177243-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Feb 2026 10:34:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124243 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503 Pick the patch that explicitly references the CVE ID in its message. (The NVD advisory mentions only the cups-filters patch, but the developer indicated the CVE ID in the libcupsfilters patch also) Between this recipe version and the patch the project has decided to eliminate c++ from the project, and use c only. The patch however is straightforward enough that it could be backported with very small modifications. Signed-off-by: Gyorgy Sarvari --- .../cups/libcupsfilters/CVE-2025-64503.patch | 45 +++++++++++++++++++ .../cups/libcupsfilters_2.0.0.bb | 12 ++--- 2 files changed, 51 insertions(+), 6 deletions(-) create mode 100644 meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch diff --git a/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch new file mode 100644 index 0000000000..fc49c6b1f2 --- /dev/null +++ b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch
@@ -0,0 +1,45 @@ +From 7b5275f86f9011ac260409e7456bf21e05541bce Mon Sep 17 00:00:00 2001 +From: Till Kamppeter +Date: Mon, 10 Nov 2025 21:10:56 +0100 +Subject: [PATCH] Fix out-of-bounds write in cfFilterPDFToRaster() + +PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated. + +Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m + +https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372 + +Fixes CVE-2025-64503 + +CVE: CVE-2025-64503 +Upstream-Status: Backport [https://github.com/OpenPrinting/libcupsfilters/commit/fd01543f372ca3ba1f1c27bd3427110fa0094e3f] +Signed-off-by: Gyorgy Sarvari +--- + cupsfilters/pdftoraster.cxx | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/cupsfilters/pdftoraster.cxx b/cupsfilters/pdftoraster.cxx +index f51c41f..075c206 100644 +--- a/cupsfilters/pdftoraster.cxx ++++ b/cupsfilters/pdftoraster.cxx +@@ -1609,6 +1609,20 @@ out_page(pdftoraster_doc_t *doc, + doc->header.cupsPageSize[0] = l; + else + doc->header.cupsPageSize[1] = l; ++ ++ // ++ // Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt ++ // https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372 ++ // ++ if (doc->header.cupsPageSize[0] > 14400) { ++ fprintf(stderr, "ERROR: Page width is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[0]); ++ doc->header.cupsPageSize[0] = 14400; ++ } ++ if (doc->header.cupsPageSize[1] > 14400) { ++ fprintf(stderr, "ERROR: Page height is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[1]); ++ doc->header.cupsPageSize[1] = 14400; ++ } ++ + if (rotate == 90 || rotate == 270) + { + doc->header.cupsImagingBBox[0] = diff --git a/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb b/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb index 9178829611..7c4eee95c4 100644 
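Review bot: the 14400 limit is repeated four times in this hunk (two comparisons and two assignments); a single named constant for the maximum PDF page size would keep the width and height branches from drifting and make the comment self-documenting. The messages are prefixed "ERROR:" although the filter continues with the page cropped, which can mislead log consumers into treating the job as failed; "WARNING:" or a note that processing continues would be more accurate. Finally, the cover text says this backport needed small modifications against the C++ tree, but the patch header records nothing about what differs from upstream fd01543f372ca3ba1f1c27bd3427110fa0094e3f; a one-line note there would help the next rebase.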
--- a/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb +++ b/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb 
@@ -5,12 +5,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=aab2024bd2a475438a154cd1640c9684" DEPENDS = "cups fontconfig libexif dbus lcms qpdf poppler libpng jpeg tiff" -SRC_URI = " \ - https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \ - file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \ - file://0001-CVE-2024-47076.patch \ - file://CVE-2025-57812.patch \ -" +SRC_URI = "https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \ + file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \ + file://0001-CVE-2024-47076.patch \ + file://CVE-2025-57812.patch \ + file://CVE-2025-64503.patch \ + " SRC_URI[sha256sum] = "542f2bfbc58136a4743c11dc8c86cee03c9aca705612654e36ac34aa0d9aa601" inherit autotools gettext pkgconfig github-releases From patchwork Sat Feb 7 10:33:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80613 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7BAC4EE0ADC for ; Sat, 7 Feb 2026 10:34:11 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.2754.1770460444333591618 for ; Sat, 07 Feb 2026 02:34:04 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=PJn2WQ1J; spf=pass (domain: gmail.com, ip: 209.85.128.42, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-47ee07570deso12996205e9.1 for ; Sat, 07 Feb 2026 02:34:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770460443; x=1771065243; darn=lists.openembedded.org; 
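Review bot: this hunk rewrites the whole SRC_URI block (the opening `" \` line is folded into the assignment and the closing quote is re-indented) when only `+ file://CVE-2025-64503.patch \` is needed; keeping the existing layout and adding that single line reduces the change to one insertion and keeps blame history for the other entries intact.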
Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43629664632sm12077622f8f.0.2026.02.07.02.34.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 07 Feb 2026 02:34:02 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 03/15] mongodb: upgrade 4.4.29 -> 4.4.30 Date: Sat, 7 Feb 2026 11:33:45 +0100 Message-ID: <20260207103359.4177243-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com> References: <20260207103359.4177243-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Feb 2026 10:34:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124244 This is a security release to fix CVE-2025-14847: https://nvd.nist.gov/vuln/detail/CVE-2025-14847 Signed-off-by: Gyorgy Sarvari --- .../meta-python/recipes-dbs/mongodb/mongodb_git.bb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb index 5d904dd4f9..48bae85179 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb 
@@ -11,9 +11,9 @@ DEPENDS = "openssl libpcap zlib boost curl python3 \ inherit scons dos2unix siteinfo python3native systemd useradd -PV = "4.4.29" -#v4.4.29 -SRCREV = "89d6ffe6fc67b36fd47aff6425087003966588e3" +PV = "4.4.30" +#v4.4.30 +SRCREV = "1ae4c9990dbc5711f3500748f0c3f8b5d375d8c0" SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.4;protocol=https \ file://0001-Tell-scons-to-use-build-settings-from-environment-va.patch \ file://0001-Use-long-long-instead-of-int64_t.patch \ From patchwork Sat Feb 7 10:33:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80606 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1757FEE0AC9 for ; Sat, 7 Feb 2026 10:34:11 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.2674.1770460444973249853 for ; Sat, 07 Feb 2026 02:34:05 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=lIJL6jkg; spf=pass (domain: gmail.com, ip: 209.85.128.52, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-48068127f00so27354585e9.3 for ; Sat, 07 Feb 2026 02:34:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770460443; x=1771065243; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=cawXVzTaWxPhuZthNqx5H6eSXyYqlw8mRvhr0Tpd40o=; b=lIJL6jkgVjjaU/SEc/sOLVsWAt2SHStjHMMcoLSIIKoNe1QDMaCn83qlx9lesK6364 Iu6dqVUt5bI3BstWFOmzPEAsKtpSQHDOAdRWILFsdpTV5/KVFUtwlUMQS+twRkwxYJAX 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 04/15] mongodb: ignore CVE-2025-14911 Date: Sat, 7 Feb 2026 11:33:46 +0100 Message-ID: <20260207103359.4177243-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com> References: <20260207103359.4177243-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Feb 2026 10:34:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124245 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14911 The CVE is currently tracked without valid CPE. The vulnerability affects mongo-c-driver component, not mongodb. They are also stored in different repositories. Due to this, ignore this CVE. Signed-off-by: Gyorgy Sarvari --- .../meta-python/recipes-dbs/mongodb/mongodb_git.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb index 48bae85179..baa159adf8 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb 
@@ -52,6 +52,7 @@ S = "${WORKDIR}/git" CVE_STATUS[CVE-2014-8180] = "not-applicable-config: Not affecting our configuration so it can be safely ignored." CVE_STATUS[CVE-2017-2665] = "not-applicable-config: Not affecting our configuration so it can be safely ignored." +CVE_STATUS[CVE-2025-14911] = "cpe-incorrect: The vulnerability is about mongo-c-driver application, not mongodb" COMPATIBLE_HOST ?= '(x86_64|i.86|powerpc64|arm|aarch64).*-linux' From patchwork Sat Feb 7 10:33:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80607 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2B60AEE0ACD for ; Sat, 7 Feb 2026 10:34:11 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.2675.1770460445682592197 for ; Sat, 07 Feb 2026 02:34:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=mTeQbh/8; spf=pass (domain: gmail.com, ip: 209.85.128.43, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-483337aa225so392935e9.2 for ; Sat, 07 Feb 2026 02:34:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770460444; x=1771065244; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=r6HjRJ8CM1uL/KeUGC0wD1I7TB1B6bYYi/enQbhxXoo=; b=mTeQbh/8CJ+VaHQV0sOlcdQWuYRPQ3dAWm7rH2ooHhEXbuSs03iAR1bd78uAWtZ4jl 6DSieCsjpoXPFtLxfgOaTAB7rKtGh/9Pi1GLb+R3wUbWwZai4Sa9cfb2bOkHohKBzv0Z QOyEXL2ZnTkkgnhfm7rmGdlm7eLdoWXv8tCZk+Ee3eL5sprnF7vtw/cZPqMX3NigV5tF 
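Review bot: the justification string calls mongo-c-driver an "application"; it is the C driver library, and the commit message itself describes it as a separate component kept in a different repository, so wording such as "affects the mongo-c-driver library (separate repository), not mongodb" would match the reasoning given above and read correctly in cve-check reports.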
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-webserver][scarthgap][PATCH 05/15] netdata: ignore CVE-2024-32019 Date: Sat, 7 Feb 2026 11:33:47 +0100 Message-ID: <20260207103359.4177243-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com> References: <20260207103359.4177243-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Feb 2026 10:34:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124246 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32019 The vulnerability affects the ndsudo binary, part of netdata. This binary was introduced in version 1.45.0[1], and the recipe contains v1.34.1 - which is not vulnerable yet. Ignore the CVE due to this. [1]: https://github.com/netdata/netdata/commit/0c8b46cbfd05109a45ee4de27f034567569fa3fa Signed-off-by: Gyorgy Sarvari --- meta-webserver/recipes-webadmin/netdata/netdata_1.44.3.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-webserver/recipes-webadmin/netdata/netdata_1.44.3.bb b/meta-webserver/recipes-webadmin/netdata/netdata_1.44.3.bb index 700c6b2346..123da8bcf3 100644 --- a/meta-webserver/recipes-webadmin/netdata/netdata_1.44.3.bb +++ b/meta-webserver/recipes-webadmin/netdata/netdata_1.44.3.bb 
@@ -15,6 +15,8 @@ SRC_URI = "\ SRC_URI[sha256sum] = "50df30a9aaf60d550eb8e607230d982827e04194f7df3eba0e83ff7919270ad2" +CVE_STATUS[CVE-2024-32019] = "cpe-incorrect: versions <1.45.0 are not vulnerable yet" + UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/tags" UPSTREAM_CHECK_REGEX = "${BPN}/releases/tag/v(?P\d+(?:\.\d+)*)" From patchwork Sat Feb 7 10:33:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80611 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D6CAEE0AD1 for ; Sat, 7 Feb 2026 10:34:11 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.2676.1770460446835529784 for ; Sat, 07 Feb 2026 02:34:07 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=BKO7GRGR; spf=pass (domain: gmail.com, ip: 209.85.128.44, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-47edd9024b1so16778205e9.3 for ; Sat, 07 Feb 2026 02:34:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770460445; x=1771065245; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=DVc64dTlgqEmNKNF7KAQP3AnYLyalzecOq5ugW40Z70=; b=BKO7GRGRovkEfbsXU4ZKpHc79XzYAO4VoHTyGWrSXcVmkwLlAQLQH/3zp5yDz7w8Jp 61j873/uYm8UUD3P7CJDpMZIA1K8Xzj5GH9c8lsA7Gmjig4SEvog9aA1XZ8mb7eLYqQz 1Lu/Wqgkw3dIvlMQTYdJJCLkCV6boRJ9hl2Bxf3mxpUdsYJLTREgpNeDo/80kQL7jB5L uiA/ZrmUFc02meZmyz18SLsHcLB+w7ZdP4DhA5fhtdYdCxyORRI7/HQfXOsiH6C5HEx8 
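Review bot: the commit message says the recipe contains v1.34.1, but the file changed is netdata_1.44.3.bb, so the version in the message should read 1.44.3; the CVE_STATUS justification ("versions <1.45.0 are not vulnerable yet") is consistent with 1.44.3, and citing the introducing commit 0c8b46cbfd05109a45ee4de27f034567569fa3fa (already referenced as [1] above) in the status text would let the reasoning survive outside git history.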
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 06/15] nodejs: upgrade 20.18.2 -> 20.20.0
Date: Sat, 7 Feb 2026 11:33:48 +0100
Message-ID: <20260207103359.4177243-6-skandigraun@gmail.com>
In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com>
References: <20260207103359.4177243-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124247

Part of nodejs LTS release, contains many security and bug fixes. Ptests passed successfully.

Full changelog: https://github.com/nodejs/node/blob/v20.x/doc/changelogs/CHANGELOG_V20.md

Dropped patches that are included in this release.

Added 0001-Revert-stop-using-deprecated-ares_query.patch: Nodejs has changed a deprecated c-ares call to a newer version, however this newer method is not available in the c-ares shipped in meta-oe, and it failed to compile (the new call was added to c-ares in v1.28.0, but Scarthgap comes with v1.27.0). This patch reverts this failing commit completely. Based on the PR/issue discussions, the only goal was to eliminate deprecation warnings. There seems to be no logic change from this change.

License-Update:
- The license file was regenerated, to ensure it is up to date. It contains all licenses from all vendored dependencies. This resulted in adding nlohmann-json license to the file, which is MIT. There were already other MIT dependencies, so this didn't change the overall license declaration.
- base64 related license was removed, because base64 code was simplified, so it doesn't depend on this library anymore. (It was BSD-2-Clause, but there are other dependencies using this license, so the overall license didn't change)
Signed-off-by: Gyorgy Sarvari --- .../oe-npm-cache | 0 ....18.bb => nodejs-oe-cache-native_20.20.bb} | 0 ...e-running-gyp-files-for-bundled-deps.patch | 46 ----- ...ert-stop-using-deprecated-ares_query.patch | 164 ++++++++++++++++ ...4-Do-not-use-mminimal-toc-with-clang.patch | 27 ++- .../0001-src-fix-build-with-GCC-15.patch | 33 ---- .../nodejs/nodejs/182d9c05e78.patch | 182 ------------------ .../nodejs/zlib-fix-pointer-alignment.patch | 64 ------ .../{nodejs_20.18.2.bb => nodejs_20.20.0.bb} | 9 +- 9 files changed, 185 insertions(+), 340 deletions(-) rename meta-oe/recipes-devtools/nodejs/{nodejs-oe-cache-20.18 => nodejs-oe-cache-20.20}/oe-npm-cache (100%) rename meta-oe/recipes-devtools/nodejs/{nodejs-oe-cache-native_20.18.bb => nodejs-oe-cache-native_20.20.bb} (100%) delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Revert-stop-using-deprecated-ares_query.patch delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/182d9c05e78.patch delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/zlib-fix-pointer-alignment.patch rename meta-oe/recipes-devtools/nodejs/{nodejs_20.18.2.bb => nodejs_20.20.0.bb} (95%) diff --git a/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-20.18/oe-npm-cache b/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-20.20/oe-npm-cache similarity index 100% rename from meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-20.18/oe-npm-cache rename to meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-20.20/oe-npm-cache diff --git a/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_20.18.bb b/meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_20.20.bb similarity index 100% rename from meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_20.18.bb rename to meta-oe/recipes-devtools/nodejs/nodejs-oe-cache-native_20.20.bb 
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch deleted file mode 100644 index 12f6cd8b96..0000000000 --- a/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 7d94bfe53beeb2d25eb5f2ff6b1d509df7e6ab80 Mon Sep 17 00:00:00 2001 -From: Zuzana Svetlikova -Date: Thu, 27 Apr 2017 14:25:42 +0200 -Subject: [PATCH] Disable running gyp on shared deps - -Upstream-Status: Inappropriate [embedded specific] - -Probably imported from: -https://src.fedoraproject.org/rpms/nodejs/c/41af04f2a3c050fb44628e91ac65fd225b927acb?branch=22609d8c1bfeaa21fe0057645af20b3a2ccc7f53 -which is probably based on dont-run-gyp-files-for-bundled-deps.patch added in: -https://github.com/alpinelinux/aports/commit/6662eb3199902e8451fb20dce82554ad96f796bb - -We also explicitly prune some dependencies from source in the bitbake recipe: - -python prune_sources() { - import shutil - - shutil.rmtree(d.getVar('S') + '/deps/openssl') - if 'ares' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/cares') - if 'brotli' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/brotli') - if 'libuv' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/uv') - if 'nghttp2' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/nghttp2') - if 'zlib' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/zlib') -} -do_unpack[postfuncs] += "prune_sources" - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/Makefile -+++ b/Makefile -@@ -169,7 +169,7 @@ with-code-cache test-code-cache: - $(warning '$@' target is a noop) - - out/Makefile: config.gypi common.gypi node.gyp \ -- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \ -+ deps/llhttp/llhttp.gyp \ - deps/simdutf/simdutf.gyp deps/ada/ada.gyp \ - tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ - tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp 
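Review bot: the cover text says the dropped patches are included in the new release, but the file deleted in this hunk, 0001-Disable-running-gyp-files-for-bundled-deps.patch, is marked `Upstream-Status: Inappropriate [embedded specific]`, so it was never meant to be merged upstream and that explanation cannot apply to it. The commit message should say why it is safe to delete now: specifically whether the `out/Makefile:` prerequisite list in 20.20.0 still names `deps/uv/uv.gyp` and `deps/zlib/zlib.gyp`, which the `prune_sources` function quoted in the patch header removes from ${S} when the libuv and zlib PACKAGECONFIG options are enabled. If those prerequisites are still listed, make would stop on a missing target once this patch is gone, so the rationale needs to be recorded.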
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-Revert-stop-using-deprecated-ares_query.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Revert-stop-using-deprecated-ares_query.patch new file mode 100644 index 0000000000..ae4c316baf --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Revert-stop-using-deprecated-ares_query.patch 
@@ -0,0 +1,164 @@ +From f421a0f1f962acff2c71cba06c9ae2af85bd09ee Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Fri, 6 Feb 2026 21:42:56 +0100 +Subject: [PATCH] Revert "stop using deprecated ares_query" + +Nodejs has removed the usage of some deprecated c-ares calls[1], +however as a result the c-ares requirements have increased beyond +the c-ares version than what is available in Scarthgap. + +Due to this it failed to compile: +../src/cares_wrap.h:264:22: error: 'ares_query_dnsrec' was not declared in this scope + +To be able to still compile nodejs, keep using the original, deprectaed +calls. This patch reverts the below linked commit. + +[1]: https://github.com/nodejs/node/commit/22e0d17097fa419cde5fcd5d648fe70aa9fb80e2 + +Signed-off-by: Gyorgy Sarvari +--- + src/cares_wrap.cc | 24 ++++++++++++------------ + src/cares_wrap.h | 35 ++++++++++++++++------------------- + 2 files changed, 28 insertions(+), 31 deletions(-) + +diff --git a/src/cares_wrap.cc b/src/cares_wrap.cc +index 2388c604..5a8e11c7 100644 +--- a/src/cares_wrap.cc ++++ b/src/cares_wrap.cc +@@ -825,62 +825,62 @@ void ChannelWrap::EnsureServers() { + } + + int AnyTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_ANY); ++ wrap->AresQuery(name, ns_c_in, ns_t_any); + return ARES_SUCCESS; + } + + int ATraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_A); ++ wrap->AresQuery(name, ns_c_in, ns_t_a); + return ARES_SUCCESS; + } + + int AaaaTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_AAAA); ++ wrap->AresQuery(name, ns_c_in, ns_t_aaaa); + return ARES_SUCCESS; + } + + int CaaTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_CAA); ++ wrap->AresQuery(name, ns_c_in, T_CAA); + return ARES_SUCCESS; + } + + int CnameTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, 
ARES_CLASS_IN, ARES_REC_TYPE_CNAME); ++ wrap->AresQuery(name, ns_c_in, ns_t_cname); + return ARES_SUCCESS; + } + + int MxTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_MX); ++ wrap->AresQuery(name, ns_c_in, ns_t_mx); + return ARES_SUCCESS; + } + + int NsTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_NS); ++ wrap->AresQuery(name, ns_c_in, ns_t_ns); + return ARES_SUCCESS; + } + + int TxtTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_TXT); ++ wrap->AresQuery(name, ns_c_in, ns_t_txt); + return ARES_SUCCESS; + } + + int SrvTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_SRV); ++ wrap->AresQuery(name, ns_c_in, ns_t_srv); + return ARES_SUCCESS; + } + + int PtrTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_PTR); ++ wrap->AresQuery(name, ns_c_in, ns_t_ptr); + return ARES_SUCCESS; + } + + int NaptrTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_NAPTR); ++ wrap->AresQuery(name, ns_c_in, ns_t_naptr); + return ARES_SUCCESS; + } + + int SoaTraits::Send(QueryWrap* wrap, const char* name) { +- wrap->AresQuery(name, ARES_CLASS_IN, ARES_REC_TYPE_SOA); ++ wrap->AresQuery(name, ns_c_in, ns_t_soa); + return ARES_SUCCESS; + } + +diff --git a/src/cares_wrap.h b/src/cares_wrap.h +index a770d9e3..820c5d88 100644 +--- a/src/cares_wrap.h ++++ b/src/cares_wrap.h +@@ -254,20 +254,18 @@ class QueryWrap final : public AsyncWrap { + return Traits::Send(this, name); + } + +- void AresQuery(const char* name, +- ares_dns_class_t dnsclass, +- ares_dns_rec_type_t type) { ++ void AresQuery(const char* name, int dnsclass, int type) { + channel_->EnsureServers(); + TRACE_EVENT_NESTABLE_ASYNC_BEGIN1( + TRACING_CATEGORY_NODE2(dns, native), trace_name_, this, + "name", 
TRACE_STR_COPY(name)); +- ares_query_dnsrec(channel_->cares_channel(), +- name, +- dnsclass, +- type, +- Callback, +- MakeCallbackPointer(), +- nullptr); ++ ares_query( ++ channel_->cares_channel(), ++ name, ++ dnsclass, ++ type, ++ Callback, ++ MakeCallbackPointer()); + } + + void ParseError(int status) { +@@ -314,20 +312,19 @@ class QueryWrap final : public AsyncWrap { + return wrap; + } + +- static void Callback(void* arg, +- ares_status_t status, +- size_t timeouts, +- const ares_dns_record_t* dnsrec) { ++ static void Callback( ++ void* arg, ++ int status, ++ int timeouts, ++ unsigned char* answer_buf, ++ int answer_len) { + QueryWrap* wrap = FromCallbackPointer(arg); + if (wrap == nullptr) return; + + unsigned char* buf_copy = nullptr; +- size_t answer_len = 0; + if (status == ARES_SUCCESS) { +- // No need to explicitly call ares_free_string here, +- // as it is a wrapper around free, which is already +- // invoked when MallocedBuffer is destructed. +- ares_dns_write(dnsrec, &buf_copy, &answer_len); ++ buf_copy = node::Malloc(answer_len); ++ memcpy(buf_copy, answer_buf, answer_len); + } + + wrap->response_data_ = std::make_unique(); diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch index dd9c9015e2..3c78ac87ae 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch @@ -14,12 +14,21 @@ Upstream-Status: Pending --- a/common.gypi 
+++ b/common.gypi -@@ -417,7 +417,7 @@ - 'ldflags': [ '-m32' ], - }], - [ 'target_arch=="ppc64" and OS!="aix"', { -- 'cflags': [ '-m64', '-mminimal-toc' ], -+ 'cflags': [ '-m64' ], - 'ldflags': [ '-m64' ], - }], - [ 'target_arch=="s390x"', { +@@ -498,7 +498,7 @@ + 'ldflags': [ '-m32' ], + }], + [ 'host_arch=="ppc64" and OS not in "aix os400"', { +- 'cflags': [ '-m64', '-mminimal-toc' ], ++ 'cflags': [ '-m64' ], + 'ldflags': [ '-m64' ], + }], + [ 'host_arch=="s390x" and OS=="linux"', { +@@ -522,7 +522,7 @@ + 'ldflags': [ '-m32' ], + }], + [ 'target_arch=="ppc64" and OS not in "aix os400"', { +- 'cflags': [ '-m64', '-mminimal-toc' ], ++ 'cflags': [ '-m64' ], + 'ldflags': [ '-m64' ], + }], + [ 'target_arch=="s390x" and OS=="linux"', { diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch deleted file mode 100644 index 9d09f4f482..0000000000 --- a/meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From bade7a1866618b9e46358b839fe5fdf16b1db2be Mon Sep 17 00:00:00 2001 -From: tjuhaszrh -Date: Sat, 25 Jan 2025 10:34:54 +0100 -Subject: [PATCH] src: fix build with GCC 15 - -Added cstdint to worker_inspector as on more recent version of gcc -the build was failing due to changes to libstdc++ and the removal -of transitive includes. - -PR-URL: https://github.com/nodejs/node/pull/56740 -Fixes: https://github.com/nodejs/node/issues/56731 -Reviewed-By: Antoine du Hamel -Reviewed-By: Chengzhong Wu -Reviewed-By: Richard Lau -Reviewed-By: James M Snell - -Upstream-Status: Backport [https://github.com/nodejs/node/commit/bade7a1866618b9e46358b839fe5fdf16b1db2be] ---- - src/inspector/worker_inspector.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/inspector/worker_inspector.h b/src/inspector/worker_inspector.h -index d3254d5aa0ebe4..24403bb1704c40 100644 ---- a/src/inspector/worker_inspector.h -+++ b/src/inspector/worker_inspector.h -@@ -5,6 +5,7 @@ - #error("This header can only be used when inspector is enabled") - #endif - -+#include - #include - #include - #include diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/182d9c05e78.patch b/meta-oe/recipes-devtools/nodejs/nodejs/182d9c05e78.patch deleted file mode 100644 index 9b3fc566c8..0000000000 --- a/meta-oe/recipes-devtools/nodejs/nodejs/182d9c05e78.patch +++ /dev/null 
@@ -1,182 +0,0 @@ -From 182d9c05e78b1ddb1cb8242cd3628a7855a0336f Mon Sep 17 00:00:00 2001 -From: Andrey Kosyakov -Date: Thu, 17 Aug 2023 13:50:11 -0700 -Subject: [PATCH] Define UChar as char16_t - -We used to have UChar defined as uint16_t which does not go along -with STL these days if you try to have an std::basic_string<> of it, -as there are no standard std::char_traits<> specialization for uint16_t. - -This switches UChar to char16_t where practical, introducing a few -compatibility shims to keep CL size small, as (1) this would likely -have to be back-ported and (2) crdtp extensively uses uint16_t for -wide chars. - -Bug: b:296390693 -Change-Id: I66a32d8f0050915225b187de56896c26dd76163d -Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4789966 -Reviewed-by: Jaroslav Sevcik -Commit-Queue: Jaroslav Sevcik -Auto-Submit: Andrey Kosyakov -Cr-Commit-Position: refs/heads/main@{#89559} - -Upstream-Status: Backport [https://chromium-review.googlesource.com/c/v8/v8/+/4789966] -Signed-off-by: Khem Raj ---- - src/inspector/string-16.cc | 8 +++++++- - src/inspector/string-16.h | 10 ++++++++-- - src/inspector/v8-string-conversions.cc | 6 +++--- - src/inspector/v8-string-conversions.h | 6 ++++-- - .../inspector_protocol/crdtp/test_platform_v8.cc | 9 ++++++--- - 5 files changed, 28 insertions(+), 11 deletions(-) - ---- a/deps/v8/src/inspector/string-16.cc -+++ b/deps/v8/src/inspector/string-16.cc -@@ -27,7 +27,7 @@ bool isSpaceOrNewLine(UChar c) { - return isASCII(c) && c <= ' ' && (c == ' ' || (c <= 0xD && c >= 0x9)); - } - --int64_t charactersToInteger(const UChar* characters, size_t length, -+int64_t charactersToInteger(const uint16_t* characters, size_t length, - bool* ok = nullptr) { - std::vector buffer; - buffer.reserve(length + 1); -@@ -50,6 +50,8 @@ int64_t charactersToInteger(const UChar* - - String16::String16(const UChar* characters, size_t size) - : m_impl(characters, size) {} -+String16::String16(const uint16_t* characters, size_t size) -+ : 
m_impl(reinterpret_cast(characters), size) {} - - String16::String16(const UChar* characters) : m_impl(characters) {} - -@@ -241,6 +243,10 @@ String16 String16::fromUTF16LE(const UCh - #endif // V8_TARGET_BIG_ENDIAN - } - -+String16 String16::fromUTF16LE(const uint16_t* stringStart, size_t length) { -+ return fromUTF16LE(reinterpret_cast(stringStart), length); -+} -+ - std::string String16::utf8() const { - return UTF16ToUTF8(m_impl.data(), m_impl.size()); - } ---- a/deps/v8/src/inspector/string-16.h -+++ b/deps/v8/src/inspector/string-16.h -@@ -6,6 +6,7 @@ - #define V8_INSPECTOR_STRING_16_H_ - - #include -+#include - - #include - #include -@@ -17,7 +18,7 @@ - - namespace v8_inspector { - --using UChar = uint16_t; -+using UChar = char16_t; - - class String16 { - public: -@@ -27,6 +28,7 @@ class String16 { - String16(const String16&) V8_NOEXCEPT = default; - String16(String16&&) V8_NOEXCEPT = default; - String16(const UChar* characters, size_t size); -+ String16(const uint16_t* characters, size_t size); - V8_EXPORT String16(const UChar* characters); - V8_EXPORT String16(const char* characters); - String16(const char* characters, size_t size); -@@ -48,7 +50,9 @@ class String16 { - int toInteger(bool* ok = nullptr) const; - std::pair getTrimmedOffsetAndLength() const; - String16 stripWhiteSpace() const; -- const UChar* characters16() const { return m_impl.c_str(); } -+ const uint16_t* characters16() const { -+ return reinterpret_cast(m_impl.c_str()); -+ } - size_t length() const { return m_impl.length(); } - bool isEmpty() const { return !m_impl.length(); } - UChar operator[](size_t index) const { return m_impl[index]; } -@@ -78,6 +82,8 @@ class String16 { - // On Big endian architectures, byte order needs to be flipped. 
- V8_EXPORT static String16 fromUTF16LE(const UChar* stringStart, - size_t length); -+ V8_EXPORT static String16 fromUTF16LE(const uint16_t* stringStart, -+ size_t length); - - std::size_t hash() const { - if (!hash_code) { ---- a/deps/v8/src/inspector/v8-string-conversions.cc -+++ b/deps/v8/src/inspector/v8-string-conversions.cc -@@ -12,7 +12,7 @@ - - namespace v8_inspector { - namespace { --using UChar = uint16_t; -+using UChar = char16_t; - using UChar32 = uint32_t; - - bool isASCII(UChar c) { return !(c & ~0x7F); } -@@ -386,7 +386,7 @@ std::string UTF16ToUTF8(const UChar* str - - std::basic_string UTF8ToUTF16(const char* stringStart, size_t length) { - if (!stringStart || !length) return std::basic_string(); -- std::vector buffer(length); -+ std::vector buffer(length); - UChar* bufferStart = buffer.data(); - - UChar* bufferCurrent = bufferStart; -@@ -395,7 +395,7 @@ std::basic_string UTF8ToUTF16(con - reinterpret_cast(stringStart + length), - &bufferCurrent, bufferCurrent + buffer.size(), nullptr, - true) != conversionOK) -- return std::basic_string(); -+ return std::basic_string(); - size_t utf16Length = bufferCurrent - bufferStart; - return std::basic_string(bufferStart, bufferStart + utf16Length); - } ---- a/deps/v8/src/inspector/v8-string-conversions.h -+++ b/deps/v8/src/inspector/v8-string-conversions.h -@@ -5,14 +5,16 @@ - #ifndef V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ - #define V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ - -+#include -+ - #include - #include - - // Conversion routines between UT8 and UTF16, used by string-16.{h,cc}. You may - // want to use string-16.h directly rather than these. 
- namespace v8_inspector { --std::basic_string UTF8ToUTF16(const char* stringStart, size_t length); --std::string UTF16ToUTF8(const uint16_t* stringStart, size_t length); -+std::basic_string UTF8ToUTF16(const char* stringStart, size_t length); -+std::string UTF16ToUTF8(const char16_t* stringStart, size_t length); - } // namespace v8_inspector - - #endif // V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ ---- a/deps/v8/third_party/inspector_protocol/crdtp/test_platform_v8.cc -+++ b/deps/v8/third_party/inspector_protocol/crdtp/test_platform_v8.cc -@@ -11,13 +11,16 @@ - namespace v8_crdtp { - - std::string UTF16ToUTF8(span in) { -- return v8_inspector::UTF16ToUTF8(in.data(), in.size()); -+ return v8_inspector::UTF16ToUTF8(reinterpret_cast(in.data()), -+ in.size()); - } - - std::vector UTF8ToUTF16(span in) { -- std::basic_string utf16 = v8_inspector::UTF8ToUTF16( -+ std::basic_string utf16 = v8_inspector::UTF8ToUTF16( - reinterpret_cast(in.data()), in.size()); -- return std::vector(utf16.begin(), utf16.end()); -+ return std::vector( -+ reinterpret_cast(utf16.data()), -+ reinterpret_cast(utf16.data()) + utf16.size()); - } - - } // namespace v8_crdtp diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/zlib-fix-pointer-alignment.patch b/meta-oe/recipes-devtools/nodejs/nodejs/zlib-fix-pointer-alignment.patch deleted file mode 100644 index 824ff678c6..0000000000 --- a/meta-oe/recipes-devtools/nodejs/nodejs/zlib-fix-pointer-alignment.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From bbcd1f33161fd9874e8a61999d2739b177f99723 Mon Sep 17 00:00:00 2001 -From: Jeroen Hofstee -Date: Mon, 28 Apr 2025 14:21:44 +0000 -Subject: [PATCH] zlib: fix pointer alignment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The function AllocForBrotli prefixes the allocated memory with its -size, and returns a pointer to the region after it. This pointer can -however no longer be suitably aligned. Correct this by allocating -the maximum of the the size of the size_t and the max alignment. - -On Arm 32bits the size_t is 4 bytes long, but the alignment is 8 for -some NEON instructions. When Brotli is compiled with optimizations -enabled newer GCC versions will use the NEON instructions and trigger -a bus error killing node. - -see https://github.com/google/brotli/issues/1159 - -PR-URL: https://github.com/nodejs/node/pull/57727 -Reviewed-By: Shelley Vohr -Reviewed-By: Tobias Nießen -Reviewed-By: Daniel Lemire -Reviewed-By: Gerhard Stöbich - -Upstream-Status: Backport [https://github.com/nodejs/node/commit/dc035bbc9b310ff8067bc0dad22230978489c061] ---- - src/node_zlib.cc | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/node_zlib.cc b/src/node_zlib.cc -index 66370e41..a537e766 100644 ---- a/src/node_zlib.cc -+++ b/src/node_zlib.cc -@@ -493,20 +493,22 @@ class CompressionStream : public AsyncWrap, public ThreadPoolWork { - } - - static void* AllocForBrotli(void* data, size_t size) { -- size += sizeof(size_t); -+ constexpr size_t offset = std::max(sizeof(size_t), alignof(max_align_t)); -+ size += offset; - CompressionStream* ctx = static_cast(data); - char* memory = UncheckedMalloc(size); - if (UNLIKELY(memory == nullptr)) return nullptr; - *reinterpret_cast(memory) = size; - ctx->unreported_allocations_.fetch_add(size, - std::memory_order_relaxed); -- return memory + sizeof(size_t); -+ return memory + offset; - } - - static void FreeForZlib(void* data, void* pointer) { - 
if (UNLIKELY(pointer == nullptr)) return; - CompressionStream* ctx = static_cast(data); -- char* real_pointer = static_cast(pointer) - sizeof(size_t); -+ constexpr size_t offset = std::max(sizeof(size_t), alignof(max_align_t)); -+ char* real_pointer = static_cast(pointer) - offset; - size_t real_size = *reinterpret_cast(real_pointer); - ctx->unreported_allocations_.fetch_sub(real_size, - std::memory_order_relaxed); --- -2.43.0 - diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_20.20.0.bb similarity index 95% rename from meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb rename to meta-oe/recipes-devtools/nodejs/nodejs_20.20.0.bb index d757a7395c..1bc5a6e9cd 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_20.20.0.bb @@ -1,7 +1,7 @@ DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" HOMEPAGE = "http://nodejs.org" LICENSE = "MIT & ISC & BSD-2-Clause & BSD-3-Clause & Artistic-2.0 & Apache-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=c83fcdcd43ab352be6429ee1fd8827a0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ac91fab5dbaf757274d2b29888f943ef" CVE_PRODUCT = "nodejs node.js" @@ -20,14 +20,11 @@ COMPATIBLE_HOST:riscv32 = "null" COMPATIBLE_HOST:powerpc = "null" SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ - file://0001-Disable-running-gyp-files-for-bundled-deps.patch \ file://0004-v8-don-t-override-ARM-CFLAGS.patch \ file://system-c-ares.patch \ file://0001-liftoff-Correct-function-signatures.patch \ file://libatomic.patch \ - file://182d9c05e78.patch \ - file://zlib-fix-pointer-alignment.patch \ - file://0001-src-fix-build-with-GCC-15.patch \ + file://0001-Revert-stop-using-deprecated-ares_query.patch \ file://run-ptest \ " SRC_URI:append:class-target = " \ 
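Review bot: the 0001-Revert-stop-using-deprecated-ares_query.patch added to SRC_URI in this hunk carries no `Upstream-Status:` tag in its header, while the file it takes the place of in this list (0001-src-fix-build-with-GCC-15.patch) and every other patch touched by this series has one. Add `Upstream-Status: Inappropriate [oe specific]` together with one sentence saying the revert exists only because Scarthgap ships c-ares 1.27.0 and can be dropped as soon as a c-ares >= 1.28.0 providing ares_query_dnsrec is available, so the next upgrader knows when to remove it. The patch description also has a typo, "deprectaed", and "beyond the c-ares version than what is available" reads better without "than".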
@@ -36,7 +33,7 @@ SRC_URI:append:class-target = " \ SRC_URI:append:toolchain-clang:powerpc64le = " \ file://0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch \ " -SRC_URI[sha256sum] = "69bf81b70f3a95ae0763459f02860c282d7e3a47567c8afaf126cc778176a882" +SRC_URI[sha256sum] = "5294d9d2915620e819e6892fd7e545b98d650bad36dae54e6527eaac482add98" S = "${WORKDIR}/node-v${PV}"
From patchwork Sat Feb 7 10:33:49 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 80608
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][scarthgap][PATCH 07/15] proftpd: ignore CVE-2021-47865
Date: Sat, 7 Feb 2026 11:33:49 +0100
Message-ID: <20260207103359.4177243-7-skandigraun@gmail.com>
In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com>
References: <20260207103359.4177243-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124248

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865

This CVE was opened based on a 5-year-old GitHub issue[1], and has been made public recently. The CVE wasn't officially disputed (yet?), but based on the description and the given PoC the application is working as expected. The vulnerability description and the PoC basically configure proftpd to accept a maximum of x connections, and then when the user tries to open x + 1 concurrent connections, it refuses new connections over the configured limit. See also discussion in the GitHub issue. It seems that it won't be fixed, because there is nothing to fix.

[1]: https://github.com/proftpd/proftpd/issues/1298

Signed-off-by: Gyorgy Sarvari
---
 meta-networking/recipes-daemons/proftpd/proftpd_1.3.7f.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7f.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7f.bb
index 2c93393e68..2004595e6e 100644
--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7f.bb
+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7f.bb
@@ -26,6 +26,7 @@ S = "${WORKDIR}/git" inherit autotools-brokensep useradd update-rc.d systemd multilib_script CVE_STATUS[CVE-2001-0027] = "fixed-version: version 1.2.0rc3 removed affected module" +CVE_STATUS[CVE-2021-47865] = "upstream-wontfix: it is not a vulnerability but inproper configuration" EXTRA_OECONF += "--enable-largefile"
From patchwork Sat Feb 7 10:33:50 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 80610
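Review bot: in the proftpd CVE_STATUS hunk above, the new reason string has a typo, "inproper" should be "improper"; this text is copied verbatim into cve-check output, so it is worth fixing before merge. Consider also carrying the upstream issue reference from the commit message (proftpd/proftpd#1298) into the reason, so the justification for ignoring the CVE travels with the recipe rather than only with the git history.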

From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][scarthgap][PATCH 08/15] python3-aiohttp: patch CVE-2025-69225
Date: Sat, 7 Feb 2026 11:33:50 +0100
Message-ID: <20260207103359.4177243-8-skandigraun@gmail.com>
In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124249

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69225

Backport the patch that is referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari
---
 .../python3-aiohttp/CVE-2025-69225.patch | 49 +++++++++++++++++++
 .../python/python3-aiohttp_3.9.5.bb | 5 +-
 2 files changed, 52 insertions(+), 2 deletions(-)
 create mode 100644 meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch
new file mode 100644
index 0000000000..cadfe27adc
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch
@@ -0,0 +1,49 @@ +From 9ef3eb4a9f79c106b8a5518fc600412ad81dff5c Mon Sep 17 00:00:00 2001 +From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> +Date: Sat, 3 Jan 2026 00:39:41 +0000 +Subject: [PATCH] Reject non-ascii digits in Range header (#11903) + +**This is a backport of PR #11887 as merged into master +(7a067d1905e1eeb921a50010dd0004990dbb3bf0).** + +Co-authored-by: Sam Bull + +CVE: CVE-2025-69225 +Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96] +Signed-off-by: Gyorgy Sarvari +--- + aiohttp/web_request.py | 2 +- + tests/test_web_request.py | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/aiohttp/web_request.py b/aiohttp/web_request.py +index 4bc670a..d565557 100644 +--- a/aiohttp/web_request.py ++++ b/aiohttp/web_request.py +@@ -598,7 +598,7 @@ class BaseRequest(MutableMapping[str, Any], HeadersMixin): + if rng is not None: + try: + pattern = r"^bytes=(\d*)-(\d*)$" +- start, end = re.findall(pattern, rng)[0] ++ start, end = re.findall(pattern, rng, re.ASCII)[0] + except IndexError: # pattern was not found in header + raise ValueError("range not in acceptable format") + +diff --git a/tests/test_web_request.py b/tests/test_web_request.py +index c6398ac..704fc18 100644 +--- a/tests/test_web_request.py ++++ b/tests/test_web_request.py +@@ -227,6 +227,13 @@ def test_range_to_slice_tail_stop() -> None: + assert req.content[req.http_range] == payload[-500:] + + ++def test_range_non_ascii() -> None: ++ # ५ = DEVANAGARI DIGIT FIVE ++ req = make_mocked_request("GET", "/", headers=CIMultiDict([("RANGE", "bytes=4-५")])) ++ with pytest.raises(ValueError, match="range not in acceptable format"): ++ req.http_range ++ ++ + def test_non_keepalive_on_http10() -> None: + req = make_mocked_request("GET", "/", version=HttpVersion(1, 0)) + assert not req.keep_alive 
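Review bot: the new `test_range_non_ascii` puts the Devanagari digit only in the end offset (`bytes=4-५`), so the first capture group of `^bytes=(\d*)-(\d*)$` is never exercised; add a case with a non-ASCII start offset (and one with both sides non-ASCII) so a later edit to the pattern cannot regress half of the check. While this line is being touched, note that Python's `$` also matches before a trailing `\n`, so `re.fullmatch` with `\Z` would be stricter than `re.findall(pattern, rng, re.ASCII)[0]` should anything upstream of this parser ever let a newline through; not required for the backport, but cheap to do.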
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb index d3782f2d48..43482db392 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb 
@@ -7,8 +7,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41" SRC_URI[sha256sum] = "edea7d15772ceeb29db4aff55e482d4bcfb6ae160ce144f2682de02f6d693551" SRC_URI += "file://CVE-2024-52304.patch \ - file://CVE-2025-53643.patch \ -" + file://CVE-2025-53643.patch \ + file://CVE-2025-69225.patch \ + " PYPI_PACKAGE = "aiohttp" inherit python_setuptools_build_meta pypi
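Review bot: this recipe hunk removes and re-adds the unchanged `file://CVE-2025-53643.patch \` line and relocates the closing `"` only to add one patch, so three lines change where one would do; inserting just `file://CVE-2025-69225.patch \` before the existing closing quote keeps the diff minimal and `git blame` intact. The later recipe hunks in this series (CVE-2025-69226, CVE-2025-69228) already follow that single-added-line shape, so the two are also inconsistent with each other.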

From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][scarthgap][PATCH 09/15] python3-aiohttp: patch CVE-2025-69226
Date: Sat, 7 Feb 2026 11:33:51 +0100
Message-ID: <20260207103359.4177243-9-skandigraun@gmail.com>
In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124250

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69226

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
---
 .../python3-aiohttp/CVE-2025-69226.patch | 134 ++++++++++++++++++
 .../python/python3-aiohttp_3.9.5.bb | 1 +
 2 files changed, 135 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69226.patch

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69226.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69226.patch
new file mode 100644
index 0000000000..77dd89a805
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69226.patch
@@ -0,0 +1,134 @@ +From 8d718d1fb8ee7a923c0e42cf100908ecead4f564 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Sat, 3 Jan 2026 01:55:05 +0000 +Subject: [PATCH] Reject static URLs that traverse outside static root (#11888) + (#11906) + +From: Sam Bull + +(cherry picked from commit 63961fa77fa2443109f25c3d8ab94772d3878626) + +Co-authored-by: J. Nick Koston + +CVE: CVE-2025-69226 +Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e] +Signed-off-by: Gyorgy Sarvari +--- + aiohttp/web_urldispatcher.py | 17 +++++++++-------- + tests/test_urldispatch.py | 18 +++++++++++++++++- + tests/test_web_sendfile_functional.py | 2 +- + tests/test_web_urldispatcher.py | 4 ++-- + 4 files changed, 29 insertions(+), 12 deletions(-) + +diff --git a/aiohttp/web_urldispatcher.py b/aiohttp/web_urldispatcher.py +index 954291f..864f8dd 100644 +--- a/aiohttp/web_urldispatcher.py ++++ b/aiohttp/web_urldispatcher.py +@@ -7,6 +7,7 @@ import html + import inspect + import keyword + import os ++import platform + import re + import warnings + from contextlib import contextmanager +@@ -88,6 +89,7 @@ ROUTE_RE: Final[Pattern[str]] = re.compile( + ) + PATH_SEP: Final[str] = re.escape("/") + ++IS_WINDOWS: Final[bool] = platform.system() == "Windows" + + _ExpectHandler = Callable[[Request], Awaitable[Optional[StreamResponse]]] + _Resolve = Tuple[Optional["UrlMappingMatchInfo"], Set[str]] +@@ -647,7 +649,12 @@ class StaticResource(PrefixResource): + path = request.rel_url.raw_path + method = request.method + allowed_methods = set(self._routes) +- if not path.startswith(self._prefix2) and path != self._prefix: ++ # We normalise here to avoid matches that traverse below the static root. ++ # e.g. 
/static/../../../../home/user/webapp/static/ ++ norm_path = os.path.normpath(path) ++ if IS_WINDOWS: ++ norm_path = norm_path.replace("\\", "/") ++ if not norm_path.startswith(self._prefix2) and norm_path != self._prefix: + return None, set() + + if method not in allowed_methods: +@@ -663,14 +670,8 @@ class StaticResource(PrefixResource): + return iter(self._routes.values()) + + async def _handle(self, request: Request) -> StreamResponse: +- rel_url = request.match_info["filename"] + try: +- filename = Path(rel_url) +- if filename.anchor: +- # rel_url is an absolute name like +- # /static/\\machine_name\c$ or /static/D:\path +- # where the static dir is totally different +- raise HTTPForbidden() ++ filename = request.match_info["filename"] + unresolved_path = self._directory.joinpath(filename) + if self._follow_symlinks: + normalized_path = Path(os.path.normpath(unresolved_path)) +diff --git a/tests/test_urldispatch.py b/tests/test_urldispatch.py +index 4f3abb8..cec4cd0 100644 +--- a/tests/test_urldispatch.py ++++ b/tests/test_urldispatch.py +@@ -1,4 +1,5 @@ + import pathlib ++import platform + import re + from collections.abc import Container, Iterable, Mapping, MutableMapping, Sized + from urllib.parse import unquote +@@ -967,7 +968,22 @@ async def test_405_for_resource_adapter(router) -> None: + assert (None, {"HEAD", "GET"}) == ret + + +-async def test_check_allowed_method_for_found_resource(router) -> None: ++@pytest.mark.skipif(platform.system() == "Windows", reason="Different path formats") ++async def test_static_resource_outside_traversal(router: web.UrlDispatcher) -> None: ++ """Test relative path traversing outside root does not resolve.""" ++ static_file = pathlib.Path(aiohttp.__file__) ++ request_path = "/st" + "/.." 
* (len(static_file.parts) - 2) + str(static_file) ++ assert pathlib.Path(request_path).resolve() == static_file ++ ++ resource = router.add_static("/st", static_file.parent) ++ ret = await resource.resolve(make_mocked_request("GET", request_path)) ++ # Should not resolve, otherwise filesystem information may be leaked. ++ assert (None, set()) == ret ++ ++ ++async def test_check_allowed_method_for_found_resource( ++ router: web.UrlDispatcher, ++) -> None: + handler = make_handler() + resource = router.add_resource("/") + resource.add_route("GET", handler) +diff --git a/tests/test_web_sendfile_functional.py b/tests/test_web_sendfile_functional.py +index 57ac084..aa53726 100644 +--- a/tests/test_web_sendfile_functional.py ++++ b/tests/test_web_sendfile_functional.py +@@ -565,7 +565,7 @@ async def test_static_file_directory_traversal_attack(aiohttp_client) -> None: + + url_abspath = "/static/" + str(full_path.resolve()) + resp = await client.get(url_abspath) +- assert 403 == resp.status ++ assert resp.status == 404 + await resp.release() + + await client.close() +diff --git a/tests/test_web_urldispatcher.py b/tests/test_web_urldispatcher.py +index 0441890..4164677 100644 +--- a/tests/test_web_urldispatcher.py ++++ b/tests/test_web_urldispatcher.py +@@ -701,8 +701,8 @@ async def test_static_absolute_url( + here = pathlib.Path(__file__).parent + app.router.add_static("/static", here) + client = await aiohttp_client(app) +- resp = await client.get("/static/" + str(file_path.resolve())) +- assert resp.status == 403 ++ async with client.get("/static/" + str(file_path.resolve())) as resp: ++ assert resp.status == 404 + + + async def test_for_issue_5250( diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb index 43482db392..f2332065ea 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb 
@@ -9,6 +9,7 @@ SRC_URI[sha256sum] = "edea7d15772ceeb29db4aff55e482d4bcfb6ae160ce144f2682de02f6d SRC_URI += "file://CVE-2024-52304.patch \ file://CVE-2025-53643.patch \ file://CVE-2025-69225.patch \ + file://CVE-2025-69226.patch \ " PYPI_PACKAGE = "aiohttp"
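Review bot: in the `StaticResource.resolve` hunk of CVE-2025-69226.patch the new containment check runs `os.path.normpath` over `request.rel_url.raw_path`, i.e. the still percent-encoded path, so it needs to be stated (or shown by a test) that encoded dot segments such as `%2e%2e` are decoded before this comparison or rejected afterwards; the new `test_static_resource_outside_traversal` only sends the literal `/..` form. In the same file the `_handle` hunk drops the `filename.anchor` check that raised `HTTPForbidden` for absolute filenames, and the two test hunks change the expectation for `"/static/" + str(file_path.resolve())` from 403 to 404, so the 404 must now come from the part of `_handle` that lies outside this hunk; please confirm that the 3.9.5 tree contains that containment logic, because with the `anchor` check gone `self._directory.joinpath(filename)` on an absolute `filename` discards the static root entirely.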

From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][scarthgap][PATCH 10/15] python3-aiohttp: patch CVE-2025-69228
Date: Sat, 7 Feb 2026 11:33:52 +0100
Message-ID: <20260207103359.4177243-10-skandigraun@gmail.com>
In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124251

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69228

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
---
 .../python3-aiohttp/CVE-2025-69228.patch | 48 +++++++++++++++++++
 .../python/python3-aiohttp_3.9.5.bb | 1 +
 2 files changed, 49 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch
new file mode 100644
index 0000000000..9a473b1328
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch
@@ -0,0 +1,48 @@ +From dd79eafcc7ad5429bb769de5fd5c0178e6064be7 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Sat, 3 Jan 2026 02:48:45 +0000 +Subject: [PATCH] Enforce client_max_size over entire multipart form (#11889) + (#11908) + +From: Sam Bull + +(cherry picked from commit ed90718fab5d34c127a283e10385f19440df7dd0) + +CVE: CVE-2025-69228 +Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60] +Signed-off-by: Gyorgy Sarvari +--- + aiohttp/web_request.py | 2 +- + tests/test_web_functional.py | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/aiohttp/web_request.py b/aiohttp/web_request.py +index d565557..b3d6141 100644 +--- a/aiohttp/web_request.py ++++ b/aiohttp/web_request.py +@@ -712,9 +712,9 @@ class BaseRequest(MutableMapping[str, Any], HeadersMixin): + multipart = await self.multipart() + max_size = self._client_max_size + ++ size = 0 + field = await multipart.next() + while field is not None: +- size = 0 + field_ct = field.headers.get(hdrs.CONTENT_TYPE) + + if isinstance(field, BodyPartReader): +diff --git a/tests/test_web_functional.py b/tests/test_web_functional.py +index ee61537..96dcd1c 100644 +--- a/tests/test_web_functional.py ++++ b/tests/test_web_functional.py +@@ -1641,8 +1641,8 @@ async def test_app_max_client_size(aiohttp_client) -> None: + await resp.release() + + +-async def test_app_max_client_size_adjusted(aiohttp_client) -> None: +- async def handler(request): ++async def test_app_max_client_size_adjusted(aiohttp_client: AiohttpClient) -> None: ++ async def handler(request: web.Request) -> web.Response: + await request.post() + return web.Response(body=b"ok") + diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb index f2332065ea..84a9f2e668 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb 
+++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb 
@@ -10,6 +10,7 @@ SRC_URI += "file://CVE-2024-52304.patch \ file://CVE-2025-53643.patch \ file://CVE-2025-69225.patch \ file://CVE-2025-69226.patch \ + file://CVE-2025-69228.patch \ " PYPI_PACKAGE = "aiohttp"
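Review bot: the `tests/test_web_functional.py` hunk of CVE-2025-69228.patch only adds type annotations to `test_app_max_client_size_adjusted`; nothing exercises the case the subject line names, where every multipart field is individually under `client_max_size` but their sum is over it, which is exactly what moving `size = 0` out of the `while field is not None` loop changes. Add a test that posts two fields of just over half the limit each and expects the same rejection as one oversized field, so the per-request accounting cannot silently regress to per-field.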

From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][scarthgap][PATCH 11/15] python3-django: patch CVE-2025-64460
Date: Sat, 7 Feb 2026 11:33:53 +0100
Message-ID: <20260207103359.4177243-11-skandigraun@gmail.com>
In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124252

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64460

Backport the patch that explicitly references this CVE in its commit message.

Signed-off-by: Gyorgy Sarvari
---
 .../CVE-2025-64460.patch | 199 ++++++++++++++++++
 .../python/python3-django_5.0.14.bb | 1 +
 2 files changed, 200 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64460.patch

diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64460.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64460.patch
new file mode 100644
index 0000000000..c7a2928536
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-64460.patch
@@ -0,0 +1,199 @@ +From f8fd8a25e04e2b6601fc9cdb69dea41db7b4ff18 Mon Sep 17 00:00:00 2001 +From: Shai Berger +Date: Sat, 11 Oct 2025 21:42:56 +0300 +Subject: [PATCH] Fixed CVE-2025-64460 -- Corrected quadratic inner text + accumulation in XML serializer. + +Previously, `getInnerText()` recursively used `list.extend()` on strings, +which added each character from child nodes as a separate list element. +On deeply nested XML content, this caused the overall deserialization +work to grow quadratically with input size, potentially allowing +disproportionate CPU consumption for crafted XML. + +The fix separates collection of inner texts from joining them, so that +each subtree is joined only once, reducing the complexity to linear in +the size of the input. These changes also include a mitigation for a +xml.dom.minidom performance issue. + +Thanks Seokchan Yoon (https://ch4n3.kr/) for report. + +Co-authored-by: Jacob Walls +Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> + +Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main. + +CVE: CVE-2025-64460 +Upstream-Status: Backport [https://github.com/django/django/commit/0db9ea4669312f1f4973e09f4bca06ab9c1ec74b] +Signed-off-by: Gyorgy Sarvari +--- + django/core/serializers/xml_serializer.py | 39 +++++++++++++--- + docs/topics/serialization.txt | 2 + + tests/serializers/test_xml.py | 55 ++++++++++++++++++++++- + 3 files changed, 89 insertions(+), 7 deletions(-) + +diff --git a/django/core/serializers/xml_serializer.py b/django/core/serializers/xml_serializer.py +index 16b6977..b2837bc 100644 +--- a/django/core/serializers/xml_serializer.py ++++ b/django/core/serializers/xml_serializer.py +@@ -3,7 +3,8 @@ XML serializer. 
+ """ + + import json +-from xml.dom import pulldom ++from contextlib import contextmanager ++from xml.dom import minidom, pulldom + from xml.sax import handler + from xml.sax.expatreader import ExpatParser as _ExpatParser + +@@ -15,6 +16,25 @@ from django.db import DEFAULT_DB_ALIAS, models + from django.utils.xmlutils import SimplerXMLGenerator, UnserializableContentError + + ++@contextmanager ++def fast_cache_clearing(): ++ """Workaround for performance issues in minidom document checks. ++ ++ Speeds up repeated DOM operations by skipping unnecessary full traversal ++ of the DOM tree. ++ """ ++ module_helper_was_lambda = False ++ if original_fn := getattr(minidom, "_in_document", None): ++ module_helper_was_lambda = original_fn.__name__ == "" ++ if not module_helper_was_lambda: ++ minidom._in_document = lambda node: bool(node.ownerDocument) ++ try: ++ yield ++ finally: ++ if original_fn and not module_helper_was_lambda: ++ minidom._in_document = original_fn ++ ++ + class Serializer(base.Serializer): + """Serialize a QuerySet to XML.""" + +@@ -209,7 +229,8 @@ class Deserializer(base.Deserializer): + def __next__(self): + for event, node in self.event_stream: + if event == "START_ELEMENT" and node.nodeName == "object": +- self.event_stream.expandNode(node) ++ with fast_cache_clearing(): ++ self.event_stream.expandNode(node) + return self._handle_object(node) + raise StopIteration + +@@ -393,19 +414,25 @@ class Deserializer(base.Deserializer): + + def getInnerText(node): + """Get all the inner text of a DOM node (recursively).""" ++ inner_text_list = getInnerTextList(node) ++ return "".join(inner_text_list) ++ ++ ++def getInnerTextList(node): ++ """Return a list of the inner texts of a DOM node (recursively).""" + # inspired by https://mail.python.org/pipermail/xml-sig/2005-March/011022.html +- inner_text = [] ++ result = [] + for child in node.childNodes: + if ( + child.nodeType == child.TEXT_NODE + or child.nodeType == child.CDATA_SECTION_NODE + ): +- 
inner_text.append(child.data) ++ result.append(child.data) + elif child.nodeType == child.ELEMENT_NODE: +- inner_text.extend(getInnerText(child)) ++ result.extend(getInnerTextList(child)) + else: + pass +- return "".join(inner_text) ++ return result + + + # Below code based on Christian Heimes' defusedxml +diff --git a/docs/topics/serialization.txt b/docs/topics/serialization.txt +index 0bb5764..dc403ca 100644 +--- a/docs/topics/serialization.txt ++++ b/docs/topics/serialization.txt +@@ -173,6 +173,8 @@ Identifier Information + .. _jsonl: https://jsonlines.org/ + .. _PyYAML: https://pyyaml.org/ + ++.. _serialization-formats-xml: ++ + XML + --- + +diff --git a/tests/serializers/test_xml.py b/tests/serializers/test_xml.py +index c9df2f2..03462cf 100644 +--- a/tests/serializers/test_xml.py ++++ b/tests/serializers/test_xml.py +@@ -1,7 +1,10 @@ ++import gc ++import time + from xml.dom import minidom + + from django.core import serializers +-from django.core.serializers.xml_serializer import DTDForbidden ++from django.core.serializers.xml_serializer import Deserializer, DTDForbidden ++from django.db import models + from django.test import TestCase, TransactionTestCase + + from .tests import SerializersTestBase, SerializersTransactionTestBase +@@ -90,6 +93,56 @@ class XmlSerializerTestCase(SerializersTestBase, TestCase): + with self.assertRaises(DTDForbidden): + next(serializers.deserialize("xml", xml)) + ++ def test_crafted_xml_performance(self): ++ """The time to process invalid inputs is not quadratic.""" ++ ++ def build_crafted_xml(depth, leaf_text_len): ++ nested_open = "" * depth ++ nested_close = "" * depth ++ leaf = "x" * leaf_text_len ++ field_content = f"{nested_open}{leaf}{nested_close}" ++ return f""" ++ ++ ++ {field_content} ++ m ++ ++ ++ """ ++ ++ def deserialize(crafted_xml): ++ iterator = Deserializer(crafted_xml) ++ gc.collect() ++ ++ start_time = time.perf_counter() ++ result = list(iterator) ++ end_time = time.perf_counter() ++ ++ 
self.assertEqual(len(result), 1) ++ self.assertIsInstance(result[0].object, models.Model) ++ return end_time - start_time ++ ++ def assertFactor(label, params, factor=2): ++ factors = [] ++ prev_time = None ++ for depth, length in params: ++ crafted_xml = build_crafted_xml(depth, length) ++ elapsed = deserialize(crafted_xml) ++ if prev_time is not None: ++ factors.append(elapsed / prev_time) ++ prev_time = elapsed ++ ++ with self.subTest(label): ++ # Assert based on the average factor to reduce test flakiness. ++ self.assertLessEqual(sum(factors) / len(factors), factor) ++ ++ assertFactor( ++ "varying depth, varying length", ++ [(50, 2000), (100, 4000), (200, 8000), (400, 16000), (800, 32000)], ++ 2, ++ ) ++ assertFactor("constant depth, varying length", [(100, 1), (100, 1000)], 2) ++ + + class XmlSerializerTransactionTestCase( + SerializersTransactionTestBase, TransactionTestCase diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb index d176123893..c2c44b4cc7 100644 --- a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb +++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb 
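Review bot: in the `fast_cache_clearing` hunk, `module_helper_was_lambda = original_fn.__name__ == ""` compares against an empty string, which no function's `__name__` ever equals (a lambda's is `"<lambda>"`), so as rendered the re-entrancy guard never fires: a nested entry wraps the already-installed lambda again and the two `finally` blocks unwind one level each, which is harmless but not what the guard intends. This reads like angle brackets dropped in rendering, so confirm the on-disk patch says `"<lambda>"`. Two caveats deserve a sentence in the docstring: the swap of `minidom._in_document` is process-wide, so any other thread using minidom while `expandNode` runs sees the replacement; and `lambda node: bool(node.ownerDocument)` is only a safe stand-in because it errs toward clearing the id cache more often (every node that has an owner document), never less.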
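Review bot: in `test_crafted_xml_performance`, `nested_open = "" * depth` and `nested_close = "" * depth` are empty strings and the f-string returned by `build_crafted_xml` carries no element markup at all, so the input as shown has no nesting and no object for `Deserializer` to yield (a document with no root element would not even parse), which contradicts `self.assertEqual(len(result), 1)`; this again looks like tags stripped in rendering, so verify the patch file the recipe actually applies. Separately, the assertion is on averaged wall-clock ratios from `time.perf_counter()` with a threshold of 2, which will be flaky on a loaded builder or a slow target; if this suite is ever run as a ptest, widen the tolerance or skip the test there.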
@@ -4,6 +4,7 @@ inherit setuptools3 # Windows-specific DoS via NFKC normalization, not applicable to Linux CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows" +SRC_URI += "file://CVE-2025-64460.patch" SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11" RDEPENDS:${PN} += "\

From patchwork Sat Feb 7 10:33:54 2026 X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80615
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][scarthgap][PATCH 12/15] raptor2: patch CVE-2024-57822 and CVE-2024-57823 Date: Sat, 7 Feb 2026 11:33:54 +0100 Message-ID: <20260207103359.4177243-12-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com> References: <20260207103359.4177243-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Feb 2026 10:34:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124253 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-57822 https://nvd.nist.gov/vuln/detail/CVE-2024-57823 Pick the patches mentioned in the github issue[1] mentioned in the NVD advisories (both of them are covered by the same issue) [1]: https://github.com/dajobe/raptor/issues/70 Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit dc2c6a514e7744da4165effefa61ad59c27cf507) Signed-off-by: Gyorgy Sarvari --- .../raptor2/raptor2/CVE-2024-57822.patch | 44 +++++++++++++++++++ .../raptor2/raptor2/CVE-2024-57823.patch | 31 +++++++++++++ .../recipes-support/raptor2/raptor2_2.0.16.bb | 2 + 3 files changed, 77 insertions(+) create mode 100644 meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57822.patch create mode 100644 meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57823.patch diff --git a/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57822.patch b/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57822.patch new file mode 100644 index 0000000000..cb98f4250c --- /dev/null +++ b/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57822.patch 
@@ -0,0 +1,44 @@ +From 3b0ded4ae8110b6291d030af927ecd08197e668f Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Thu, 6 Feb 2025 21:12:37 -0800 +Subject: [PATCH] Fix Github issue 70 A) Integer Underflow in + raptor_uri_normalize_path() + +From: Dave Beckett + +(raptor_uri_normalize_path): Return empty buffer if path gets to 0 +length + +CVE: CVE-2024-57822 +Upstream-Status: Backport [github.com/dajobe/raptor/commit/da7a79976bd0314c23cce55d22495e7d29301c44] +Signed-off-by: Gyorgy Sarvari +--- + src/raptor_rfc2396.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/raptor_rfc2396.c b/src/raptor_rfc2396.c +index 89183d9..2f0195f 100644 +--- a/src/raptor_rfc2396.c ++++ b/src/raptor_rfc2396.c +@@ -351,6 +351,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len) + *dest++ = *s++; + *dest = '\0'; + path_len -= len; ++ if(path_len <= 0) { ++ *path_buffer = '\0'; ++ return 0; ++ } + + if(p && p < prev) { + /* We know the previous prev path component and we didn't do +@@ -390,6 +394,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len) + /* Remove /.. at the end of the path */ + *prev = '\0'; + path_len -= (s-prev); ++ if(path_len <= 0) { ++ *path_buffer = '\0'; ++ return 0; ++ } + } + + diff --git a/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57823.patch b/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57823.patch new file mode 100644 index 0000000000..79833a55cb --- /dev/null +++ b/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57823.patch 
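Review bot: in both hunks `if(path_len <= 0)` is a comparison on a `size_t` (the function is declared `raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len)` in the hunk header), so it is really `path_len == 0` and compilers warn under `-Wtype-limits`. It also runs after the subtraction: if `len` in the first hunk or `s-prev` in the second can ever exceed `path_len`, the value has already wrapped by the time the check runs and `<= 0` will not catch it; the robust form bounds before subtracting, e.g. `if(len >= path_len) { *path_buffer = '\0'; return 0; }`. Since this mirrors the upstream commit it is acceptable as a backport, but the `Upstream-Status: Backport [github.com/dajobe/raptor/commit/...]` reference should carry the `https://` scheme like the companion CVE-2024-57823.patch does.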
@@ -0,0 +1,31 @@ +From 0b028dd16eb504d3d4dcfa9c72ceb29a9e1f3915 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Fri, 7 Feb 2025 11:38:34 -0800 +Subject: [PATCH] Fix Github issue 70 B) Heap read buffer overflow in ntriples + bnode + +From: Dave Beckett + +(raptor_ntriples_parse_term_internal): Only allow looking at the last +character of a bnode ID only if bnode length >0 + +CVE: CVE-2024-57823 +Upstream-Status: Backport [https://github.com/dajobe/raptor/commit/ece2c79df43091686a538b8231cf387d84bfa60e] +Signed-off-by: Gyorgy Sarvari +--- + src/raptor_ntriples.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/raptor_ntriples.c b/src/raptor_ntriples.c +index 3276e79..ecc4247 100644 +--- a/src/raptor_ntriples.c ++++ b/src/raptor_ntriples.c +@@ -212,7 +212,7 @@ raptor_ntriples_parse_term_internal(raptor_world* world, + locator->column--; + locator->byte--; + } +- if(term_class == RAPTOR_TERM_CLASS_BNODEID && dest[-1] == '.') { ++ if(term_class == RAPTOR_TERM_CLASS_BNODEID && position > 0 && dest[-1] == '.') { + /* If bnode id ended on '.' move back one */ + dest--; + diff --git a/meta-oe/recipes-support/raptor2/raptor2_2.0.16.bb b/meta-oe/recipes-support/raptor2/raptor2_2.0.16.bb index 85012bcfb3..7a96634803 100644 --- a/meta-oe/recipes-support/raptor2/raptor2_2.0.16.bb +++ b/meta-oe/recipes-support/raptor2/raptor2_2.0.16.bb 
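Review bot: `position > 0` is what makes `dest[-1]` safe here, but the hunk only shows `locator->column--` and `locator->byte--` above it, not how `position` advances; if `position` counts bytes consumed from the input rather than bytes written to `dest`, an input that advances `position` without emitting anything leaves `dest` at the start of its buffer and `dest[-1]` still reads one byte before it. Confirm against the rest of `raptor_ntriples_parse_term_internal` that `position` tracks output length, or guard on the number of bytes written to `dest` instead, before treating this as a complete fix.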
@@ -12,6 +12,8 @@ DEPENDS = "libxml2 libxslt curl yajl" SRC_URI = " \ http://download.librdf.org/source/${BPN}-${PV}.tar.gz \ file://0001-Remove-the-access-to-entities-checked-private-symbol.patch \ + file://CVE-2024-57822.patch \ + file://CVE-2024-57823.patch \ " SRC_URI[sha256sum] = "089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680"

From patchwork Sat Feb 7 10:33:55 2026 X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80617
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][scarthgap][PATCH 13/15] python3-eventlet: switch to PEP-517 build backend Date: Sat, 7 Feb 2026 11:33:55 +0100 Message-ID: <20260207103359.4177243-13-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com> References: <20260207103359.4177243-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Feb 2026 10:34:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124254 From: alperak The project has a proper pyproject.toml which declares the hatchling.build PEP-517 backend. Fix: WARNING: python3-eventlet-0.36.1-r0 do_check_backend: QA Issue: inherits setuptools3 but has pyproject.toml with hatchling.build, use the correct class [pep517-backend] Signed-off-by: alperak 
Signed-off-by: Khem Raj (cherry picked from commit 19affc7a212d4edca4faa4119fa8e5f9e0b7daf4) This is cherry-picked into Scarthgap, because the Setuptools backend seems to be broken - it doesn't install the submodules, making import fail: root@qemux86-64:~# python3 Python 3.12.12 (main, Oct 9 2025, 11:07:00) [GCC 13.4.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import eventlet Traceback (most recent call last): File "", line 1, in File "/usr/lib/python3.12/site-packages/eventlet/__init__.py", line 6, in from eventlet import convenience File "/usr/lib/python3.12/site-packages/eventlet/convenience.py", line 4, in from eventlet import greenpool File "/usr/lib/python3.12/site-packages/eventlet/greenpool.py", line 4, in from eventlet import queue File "/usr/lib/python3.12/site-packages/eventlet/queue.py", line 48, in from eventlet.event import Event File "/usr/lib/python3.12/site-packages/eventlet/event.py", line 1, in from eventlet import hubs See also https://github.com/eventlet/eventlet/issues/1071 Signed-off-by: Gyorgy Sarvari --- .../recipes-devtools/python/python3-eventlet_0.36.1.bb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-eventlet_0.36.1.bb b/meta-python/recipes-devtools/python/python3-eventlet_0.36.1.bb index 72032c756c..170e4b3fd7 100644 --- a/meta-python/recipes-devtools/python/python3-eventlet_0.36.1.bb +++ b/meta-python/recipes-devtools/python/python3-eventlet_0.36.1.bb 
@@ -8,7 +8,9 @@ SRC_URI[sha256sum] = "d227fe76a63d9e6a6cef53beb8ad0b2dc40a5e7737c801f4b474cfae1d SRC_URI += "file://CVE-2025-58068.patch" -inherit pypi setuptools3 +inherit pypi python_hatchling + +DEPENDS += "python3-hatch-vcs-native" RDEPENDS:${PN} += " \ python3-dnspython \

From patchwork Sat Feb 7 10:33:56 2026 X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80616
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][scarthgap][PATCH 14/15] python3-tornado: mark CVE-2025-67725 patched Date: Sat, 7 Feb 2026 11:33:56 +0100 Message-ID: <20260207103359.4177243-14-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com> References: <20260207103359.4177243-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Feb 2026 10:34:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124255 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67725 According to the NVD advisory references the same commit fixes it as CVE-2025-67726. Just extend the CVE tag to make the cve-checker also see this. Signed-off-by: Gyorgy Sarvari --- .../python/python3-tornado/CVE-2025-67726.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67726.patch b/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67726.patch index 7b210aea42..01f18e3bd9 100644 --- a/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67726.patch +++ b/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67726.patch @@ -8,7 +8,7 @@ certain inputs, which could be a DoS vector. This change adapts logic from the equivalent function in the python standard library in https://github.com/python/cpython/pull/136072/files -CVE: CVE-2025-67726 +CVE: CVE-2025-67726 CVE-2025-67725 Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd] (cherry picked from commit 771472cfdaeebc0d89a9cc46e249f8891a6b29cd) 
Signed-off-by: Ankur Tyagi

From patchwork Sat Feb 7 10:33:57 2026 X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80618
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][scarthgap][PATCH 15/15] python3-virtualenv: patch CVE-2026-22702 Date: Sat, 7 Feb 2026 11:33:57 +0100 Message-ID: <20260207103359.4177243-15-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260207103359.4177243-1-skandigraun@gmail.com> References: <20260207103359.4177243-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Feb 2026 10:34:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124256 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22702 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari --- .../python3-virtualenv/CVE-2026-22702.patch | 60 +++++++++++++++++++ .../python/python3-virtualenv_20.25.3.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch diff --git a/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch b/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch new file mode 100644 index 0000000000..ef9922ab55 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch 
@@ -0,0 +1,60 @@ +From c43b7ce784de42511f80b45d741715646cc4fa44 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= +Date: Fri, 9 Jan 2026 10:19:39 -0800 +Subject: [PATCH] Merge pull request #3013 from gaborbernat/fix-sec + +CVE: CVE-2026-22702 +Upstream-Status: Backport [https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc] +Signed-off-by: Gyorgy Sarvari +--- + src/virtualenv/app_data/__init__.py | 11 +++++------ + src/virtualenv/util/lock.py | 7 +++---- + 2 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/src/virtualenv/app_data/__init__.py b/src/virtualenv/app_data/__init__.py +index 148c941..301a00f 100644 +--- a/src/virtualenv/app_data/__init__.py ++++ b/src/virtualenv/app_data/__init__.py +@@ -34,12 +34,11 @@ def make_app_data(folder, **kwargs): + if is_read_only: + return ReadOnlyAppData(folder) + +- if not os.path.isdir(folder): +- try: +- os.makedirs(folder) +- logging.debug("created app data folder %s", folder) +- except OSError as exception: +- logging.info("could not create app data folder %s due to %r", folder, exception) ++ try: ++ os.makedirs(folder, exist_ok=True) ++ logging.debug("created app data folder %s", folder) ++ except OSError as exception: ++ logging.info("could not create app data folder %s due to %r", folder, exception) + + if os.access(folder, os.W_OK): + return AppDataDiskFolder(folder) +diff --git a/src/virtualenv/util/lock.py b/src/virtualenv/util/lock.py +index b4dc66a..a28b32f 100644 +--- a/src/virtualenv/util/lock.py ++++ b/src/virtualenv/util/lock.py +@@ -15,9 +15,8 @@ from filelock import FileLock, Timeout + class _CountedFileLock(FileLock): + def __init__(self, lock_file) -> None: + parent = os.path.dirname(lock_file) +- if not os.path.isdir(parent): +- with suppress(OSError): +- os.makedirs(parent) ++ with suppress(OSError): ++ os.makedirs(parent, exist_ok=True) + + super().__init__(lock_file) + self.count = 0 +@@ -109,7 +108,7 @@ class 
ReentrantFileLock(PathLockBase): + # a lock, but that lock might then become expensive, and it's not clear where that lock should live. + # Instead here we just ignore if we fail to create the directory. + with suppress(OSError): +- os.makedirs(str(self.path)) ++ os.makedirs(str(self.path), exist_ok=True) + + try: + lock.acquire(0.0001) diff --git a/meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb b/meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb index fee5250c4d..5cb99647b3 100644 --- a/meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb +++ b/meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb @@ -6,6 +6,7 @@ HOMEPAGE = "https://github.com/pypa/virtualenv" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=0ce089158cf60a8ab6abb452b6405538" +SRC_URI += "file://CVE-2026-22702.patch" SRC_URI[sha256sum] = "7bb554bbdfeaacc3349fa614ea5bff6ac300fc7c335e9facf3a3bcfc703f45be" BBCLASSEXTEND = "native nativesdk"
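Review bot: in the `make_app_data` hunk, `logging.debug("created app data folder %s", folder)` now runs whenever `os.makedirs(folder, exist_ok=True)` returns, including when the folder already existed, so the message has become misleading; either drop it or emit it only when the directory was absent beforehand. Note also that `exist_ok=True` closes the check-then-create window but does not vet a pre-existing directory: if `folder` can live under a location other users can write to, the `os.access(folder, os.W_OK)` that follows is not a sufficient trust check, and an `os.lstat` ownership and mode check before returning `AppDataDiskFolder(folder)` would be the natural follow-up.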
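Review bot: in both `lock.py` hunks the `suppress(OSError)` around `os.makedirs(..., exist_ok=True)` also swallows the `FileExistsError` that `makedirs` raises when the path exists but is not a directory, so that case only surfaces later when `FileLock` opens the lock file, with a less obvious error; consider logging the suppressed exception at debug level, as the `make_app_data` hunk already does for its own failure.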