From patchwork Tue Feb 24 19:04:44 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 81828
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-webserver][whinlatter][PATCH 1/8] nginx: patch CVE-2026-1642
Date: Tue, 24 Feb 2026 20:04:44 +0100
Message-ID: <20260224190451.1596179-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124589

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-1642

Note: this is only for v1.29.1. v1.28.x recipe contains this fix already.

Pick the commit that was identified by the reporter on the oss-sec mailing list[1]

[1]: https://www.openwall.com/lists/oss-security/2026/02/05/1

Signed-off-by: Gyorgy Sarvari
--- .../nginx/files/CVE-2026-1642.patch | 46 +++++++++++++++++++ .../recipes-httpd/nginx/nginx_1.29.1.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch new file mode 100644 index 0000000000..0f20d1c157 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
@@ -0,0 +1,46 @@ +From 12bb8081dcfdecc38fbff9283f8d8c66dc3d29ae Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Thu, 29 Jan 2026 13:27:32 +0400 +Subject: [PATCH] Upstream: detect premature plain text response from SSL + backend. + +When connecting to a backend, the connection write event is triggered +first in most cases. However if a response arrives quickly enough, both +read and write events can be triggered together within the same event loop +iteration. In this case the read event handler is called first and the +write event handler is called after it. + +SSL initialization for backend connections happens only in the write event +handler since SSL handshake starts with sending Client Hello. Previously, +if a backend sent a quick plain text response, it could be parsed by the +read event handler prior to starting SSL handshake on the connection. +The change adds protection against parsing such responses on SSL-enabled +connections. + +CVE: CVE-2026-1642 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a59f5f099a89dc8eaebd48077292313f9f7e33e3] +Signed-off-by: Gyorgy Sarvari +--- + src/http/ngx_http_upstream.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index de0f92a..69dda96 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -2507,6 +2507,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) + return; + } + ++#if (NGX_HTTP_SSL) ++ if (u->ssl && c->ssl == NULL) { ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, ++ "upstream prematurely sent response"); ++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); ++ return; ++ } ++#endif ++ + u->state->bytes_received += n; + + u->buffer.last += n; diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb index c08c8539c4..0282388817 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb 
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb 
@@ -8,3 +8,4 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3dc49537b08b14c8b66ad247bb4c4593" SRC_URI[sha256sum] = "c589f7e7ed801ddbd904afbf3de26ae24eb0cce27c7717a2e94df7fb12d6ad27" +SRC_URI += "file://CVE-2026-1642.patch"
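Review bot: The nginx commit message should name the new error-log string, "upstream prematurely sent response", which the `u->ssl && c->ssl == NULL` branch added to ngx_http_upstream_process_header() in CVE-2026-1642.patch writes at NGX_LOG_ERR before calling ngx_http_upstream_next() with NGX_HTTP_UPSTREAM_FT_ERROR. After this update that line is the only visible sign that a backend answered in plain text before the SSL handshake on an SSL-enabled upstream, so one sentence saying so would let integrators alert on it instead of reading it as an ordinary upstream failure.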
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 2/8] openjpeg: patch CVE-2023-39327
Date: Tue, 24 Feb 2026 20:04:45 +0100
Message-ID: <20260224190451.1596179-2-skandigraun@gmail.com>
In-Reply-To: <20260224190451.1596179-1-skandigraun@gmail.com>
References: <20260224190451.1596179-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124590

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39327

Take the patch that is used by OpenSUSE to mitigate this vulnerability. Upstream seems to be unresponsive to this issue.

Signed-off-by: Gyorgy Sarvari
--- .../openjpeg/openjpeg/CVE-2023-39327.patch | 50 +++++++++++++++++++ .../openjpeg/openjpeg_2.5.4.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch new file mode 100644 index 0000000000..05e504a18e --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch
@@ -0,0 +1,50 @@ +From a3504b2484cf7443c547037511c40f59aff8ae5a Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 23 Feb 2026 17:22:18 +0100 +Subject: [PATCH] CVE-2023-39327 + +This patch fixes CVE-2023-39327. + +This patch comes from OpenSuse: +https://build.opensuse.org/projects/openSUSE:Factory/packages/openjpeg2/files/openjpeg2-cve-2023-39327-limit-iterations.patch + +Upstream seems to unresponsive to this vulnerability. + +Upstream-Status: Inactive-Upstream [inactive, when it comes to CVEs] + +Signed-off-by: Gyorgy Sarvari +--- + src/lib/openjp2/t2.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c +index 4e8cf601..ad39cd74 100644 +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -441,6 +441,8 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, + * and no l_img_comp->resno_decoded are computed + */ + OPJ_BOOL* first_pass_failed = NULL; ++ OPJ_UINT32 l_packet_count = 0; ++ OPJ_UINT32 l_max_packets = 100000; + + if (l_current_pi->poc.prg == OPJ_PROG_UNKNOWN) { + /* TODO ADE : add an error */ +@@ -457,6 +459,17 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, + + while (opj_pi_next(l_current_pi)) { + OPJ_BOOL skip_packet = OPJ_FALSE; ++ ++ /* CVE-2023-39327: Check for excessive packet iterations */ ++ if (++l_packet_count > l_max_packets) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "Excessive packet iterations detected (>%u). Possible malformed stream.\n", ++ l_max_packets); ++ opj_pi_destroy(l_pi, l_nb_pocs); ++ opj_free(first_pass_failed); ++ return OPJ_FALSE; ++ } ++ + JAS_FPRINTF(stderr, + "packet offset=00000166 prg=%d cmptno=%02d rlvlno=%02d prcno=%03d lyrno=%02d\n\n", + l_current_pi->poc.prg1, l_current_pi->compno, l_current_pi->resno, diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb index 23f46c45cd..971cdb2ff9 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb 
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb 
@@ -7,6 +7,7 @@ DEPENDS = "libpng tiff lcms zlib" SRC_URI = "git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0001-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ + file://CVE-2023-39327.patch \ " SRCREV = "6c4a29b00211eb0430fa0e5e890f1ce5c80f409f"
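Review bot: `l_max_packets = 100000` in the opj_t2_decode_packets() hunk of CVE-2023-39327.patch is an unexplained hard-coded ceiling, so a well-formed codestream for which the `while (opj_pi_next(l_current_pi))` loop iterates more than 100000 times now fails with "Excessive packet iterations detected" and OPJ_FALSE. Please record in the patch header how the value was chosen and that larger valid images are rejected, or derive the bound from the tile's own parameters. A named constant with a comment would also make the limit easier to find when a decode regression is reported.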
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 3/8] postgresql: upgrade 17.7 -> 17.8
Date: Tue, 24 Feb 2026 20:04:46 +0100
Message-ID: <20260224190451.1596179-3-skandigraun@gmail.com>
In-Reply-To: <20260224190451.1596179-1-skandigraun@gmail.com>
References: <20260224190451.1596179-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124591

From: Ankur Tyagi

License-Update: Update license year to 2026

Refreshed patches for version 17.8

Includes fix for CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006

Release Notes: https://www.postgresql.org/docs/release/17.8/

Signed-off-by: Ankur Tyagi
Signed-off-by: Gyorgy Sarvari
--- .../postgresql/files/0001-tcl.m4-Recognize-tclsh9.patch | 2 +- .../postgresql/files/0002-Improve-reproducibility.patch | 9 +++------ ...configure.ac-bypass-autoconf-2.69-version-check.patch | 6 +++--- .../files/0004-config_info.c-not-expose-build-info.patch | 4 ++-- .../0005-postgresql-fix-ptest-failure-of-sysviews.patch | 5 +---- .../recipes-dbs/postgresql/files/not-check-libperl.patch | 6 +++--- .../{postgresql_17.7.bb => postgresql_17.8.bb} | 4 ++-- 7 files changed, 15 insertions(+), 21 deletions(-) rename meta-oe/recipes-dbs/postgresql/{postgresql_17.7.bb => postgresql_17.8.bb} (76%) diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-tcl.m4-Recognize-tclsh9.patch b/meta-oe/recipes-dbs/postgresql/files/0001-tcl.m4-Recognize-tclsh9.patch index 89a509087f..445a6d4910 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-tcl.m4-Recognize-tclsh9.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-tcl.m4-Recognize-tclsh9.patch
@@ -1,4 +1,4 @@ -From f0d8240dbf594e6dfab31fd7d70ce340ac365a65 Mon Sep 17 00:00:00 2001 +From ab23817b4f4a02de21f63800adc30d6236c15c8b Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Sun, 3 Nov 2024 15:50:50 -0800 Subject: [PATCH] tcl.m4: Recognize tclsh9 diff --git a/meta-oe/recipes-dbs/postgresql/files/0002-Improve-reproducibility.patch b/meta-oe/recipes-dbs/postgresql/files/0002-Improve-reproducibility.patch index b3e87cbc46..e0605347e3 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0002-Improve-reproducibility.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0002-Improve-reproducibility.patch @@ -1,7 +1,7 @@ -From 084cc44215c1d5e6d33bc3d2e1d24da4fc98bdcd Mon Sep 17 00:00:00 2001 +From 736c190e0c8a1c5ce3dc84292d066292e969d81e Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Mon, 28 Dec 2020 16:38:21 +0800 -Subject: [PATCH 2/5] Improve reproducibility, +Subject: [PATCH] Improve reproducibility, Remove build patch from binaries which pg_config do not record var-CC, var-CFLAGS, and configure @@ -23,7 +23,7 @@ Signed-off-by: Changqing Li 1 file changed, 3 deletions(-) diff --git a/src/common/Makefile b/src/common/Makefile -index 113029b..58842a6 100644 +index 3d83299..e14cda6 100644 --- a/src/common/Makefile +++ b/src/common/Makefile @@ -31,9 +31,6 @@ include $(top_builddir)/src/Makefile.global @@ -36,6 +36,3 @@ index 113029b..58842a6 100644 override CPPFLAGS += -DVAL_CFLAGS_SL="\"$(CFLAGS_SL)\"" override CPPFLAGS += -DVAL_LDFLAGS="\"$(STD_LDFLAGS)\"" override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\"" --- -2.25.1 - diff --git a/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch index ce19bacc47..b91228aedd 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch 
@@ -1,4 +1,4 @@ -From 30b1b37d309f67ba6d58f2197bd917107bc7d56c Mon Sep 17 00:00:00 2001 +From 29289c6f5b665ed9943bb7701a542fcdf64c4a22 Mon Sep 17 00:00:00 2001 From: Yi Fan Yu Date: Fri, 5 Feb 2021 17:15:42 -0500 Subject: [PATCH] configure.ac: bypass autoconf 2.69 version check @@ -13,12 +13,12 @@ Signed-off-by: Yi Fan Yu 1 file changed, 4 deletions(-) diff --git a/configure.ac b/configure.ac -index 642dbde..af37179 100644 +index 856b091..646394c 100644 --- a/configure.ac +++ b/configure.ac @@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros - AC_INIT([PostgreSQL], [17.7], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) + AC_INIT([PostgreSQL], [17.8], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required. -Untested combinations of 'autoconf' and PostgreSQL versions are not diff --git a/meta-oe/recipes-dbs/postgresql/files/0004-config_info.c-not-expose-build-info.patch b/meta-oe/recipes-dbs/postgresql/files/0004-config_info.c-not-expose-build-info.patch index d94f028036..1514c223c1 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0004-config_info.c-not-expose-build-info.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0004-config_info.c-not-expose-build-info.patch @@ -1,4 +1,4 @@ -From 62733bdc9346651637d9e5ac7cbf8d7311ef5d97 Mon Sep 17 00:00:00 2001 +From e4b32033827ed73c95e6e6aa26dd45e828ffc18b Mon Sep 17 00:00:00 2001 From: Mingli Yu Date: Mon, 1 Aug 2022 15:44:38 +0800 Subject: [PATCH] config_info.c: not expose build info @@ -14,7 +14,7 @@ Signed-off-by: Mingli Yu 2 files changed, 2 insertions(+), 70 deletions(-) diff --git a/configure.ac b/configure.ac -index f0fa973..8ccd8bc 100644 +index 646394c..f5a5590 100644 --- a/configure.ac +++ b/configure.ac @@ -23,7 +23,7 @@ AC_COPYRIGHT([Copyright (c) 1996-2024, PostgreSQL Global Development Group]) 
diff --git a/meta-oe/recipes-dbs/postgresql/files/0005-postgresql-fix-ptest-failure-of-sysviews.patch b/meta-oe/recipes-dbs/postgresql/files/0005-postgresql-fix-ptest-failure-of-sysviews.patch index 8219fc80e9..753cd1bb97 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0005-postgresql-fix-ptest-failure-of-sysviews.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0005-postgresql-fix-ptest-failure-of-sysviews.patch @@ -1,4 +1,4 @@ -From d1fb37569b5a8c21968f69164e8bc6e4bb0185eb Mon Sep 17 00:00:00 2001 +From 220b65291734b81a3c232877cf5fced20fe773e3 Mon Sep 17 00:00:00 2001 From: Manoj Saun Date: Wed, 22 Mar 2023 08:07:26 +0000 Subject: [PATCH] postgresql: fix ptest failure of sysviews @@ -44,6 +44,3 @@ index b047fb5..d1e3999 100644 -- We expect no cursors in this test; see also portals.sql select count(*) = 0 as ok from pg_cursors; --- -2.34.1 - diff --git a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch index a2f0500a8c..1142ff4878 100644 --- a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch +++ b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch @@ -1,4 +1,4 @@ -From 1a9416bae71aa935797add3fa11407732ad010c0 Mon Sep 17 00:00:00 2001 +From 29e76cad362c7154920aa49aa0137e1773c4d3ec Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Tue, 27 Nov 2018 13:25:15 +0800 Subject: [PATCH] not check libperl under cross compiling @@ -20,10 +20,10 @@ Signed-off-by: Changqing Li 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index f398184..493d5cd 100644 +index ce0966f..856b091 100644 --- a/configure.ac +++ b/configure.ac -@@ -2336,7 +2336,7 @@ Use --without-tcl to disable building PL/Tcl.]) +@@ -2340,7 +2340,7 @@ Use --without-tcl to disable building PL/Tcl.]) fi # check for 
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_17.7.bb b/meta-oe/recipes-dbs/postgresql/postgresql_17.8.bb similarity index 76% rename from meta-oe/recipes-dbs/postgresql/postgresql_17.7.bb rename to meta-oe/recipes-dbs/postgresql/postgresql_17.8.bb index 81b096194c..ad1e9704cc 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_17.7.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_17.8.bb @@ -1,6 +1,6 @@ require postgresql.inc -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=08b6032a749e67f6e3de84ea8e466933" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=55760ee57ce4e51e4b57f0801ff032dd" SRC_URI += "\ file://not-check-libperl.patch \ 
@@ -12,6 +12,6 @@ SRC_URI += "\ file://0001-tcl.m4-Recognize-tclsh9.patch \ " -SRC_URI[sha256sum] = "ef9e343302eccd33112f1b2f0247be493cb5768313adeb558b02de8797a2e9b5" +SRC_URI[sha256sum] = "a88d195dd93730452d0cfa1a11896720d6d1ba084bc2be7d7fc557fa4e4158a0" CVE_STATUS[CVE-2017-8806] = "not-applicable-config: Doesn't apply to our configuration of postgresql so we can safely ignore it."
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 4/8] protobuf: ignore CVE-2026-0994
Date: Tue, 24 Feb 2026 20:04:47 +0100
Message-ID: <20260224190451.1596179-4-skandigraun@gmail.com>
In-Reply-To: <20260224190451.1596179-1-skandigraun@gmail.com>
References: <20260224190451.1596179-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124592

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994

The vulnerability impacts only the python bindings of protobuf, which is in a separate recipe (python3-protobuf, where it is patched).

Ignore this CVE in this recipe due to this.

Signed-off-by: Gyorgy Sarvari
--- meta-oe/recipes-devtools/protobuf/protobuf_6.31.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_6.31.1.bb b/meta-oe/recipes-devtools/protobuf/protobuf_6.31.1.bb index 37b26b610d..4356ebeecf 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_6.31.1.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_6.31.1.bb
@@ -26,6 +26,8 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d\.\d+\.\d+)" CVE_PRODUCT = "google:protobuf protobuf:protobuf google-protobuf protobuf-cpp" +CVE_STATUS[CVE-2026-0994] = "cpe-incorrect: the vulnerability affects only python3-protobuf recipe" + inherit cmake pkgconfig ptest PACKAGECONFIG ??= "" From patchwork Tue Feb 24 19:04:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 81835 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0F01F4BB83 for ; Tue, 24 Feb 2026 19:05:05 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.28137.1771959897279436173 for ; Tue, 24 Feb 2026 11:04:57 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=m3iBhks2; spf=pass (domain: gmail.com, ip: 209.85.128.42, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-48069a48629so60101345e9.0 for ; Tue, 24 Feb 2026 11:04:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1771959896; x=1772564696; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=T8HpiKGBJcUVoV/SeO8noKMt/M5xY1d6EHZteU5E9iw=; b=m3iBhks25pH8lFgY6dZCXhq775biS4mu5XVZBn9aXICHGFBxOaALU7axdr5et+iTan dbNGPbD3x+XpXwPRxCW+zRvtB8nGjkauvsJtDVQqeZOfwEC/cA6TpbbtHHLtKZx5sTp0 QikJZIlrAjWx/XNHpknEW8vOMfqhZ4e/ILH9faa1OO1wY7NgtOR4/6oRA4br2g5HhOgT uIvCBtdw9qxFxBchZ9lmbWcGkbe9kp68tdUkOMU+yYN7N9yVQ8l8PGr/qypL/NVsYU3m 3KC/j8arR1LjNmspovbKxUQ3bZt79sU0byX9jkk706rtvprPodAFpELuNDAeN4BhiNG3 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 5/8] libjxl: upgrade 0.11.1 -> 0.11.2 Date: Tue, 24 Feb 2026 20:04:48 +0100 Message-ID: <20260224190451.1596179-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260224190451.1596179-1-skandigraun@gmail.com> References: <20260224190451.1596179-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 24 Feb 2026 19:05:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124593 From: Ankur Tyagi - fix tile dimension in low memory rendering pipeline (CVE-2025-12474) - fix number of channels for gray-to-gray color transform (CVE-2026-1837) - djxl: reject decoding JXL files if "packed" representation size overflows size_t https://github.com/libjxl/libjxl/releases/tag/v0.11.2 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari --- .../libjxl/{libjxl_0.11.1.bb => libjxl_0.11.2.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-oe/recipes-multimedia/libjxl/{libjxl_0.11.1.bb => libjxl_0.11.2.bb} (96%) diff --git a/meta-oe/recipes-multimedia/libjxl/libjxl_0.11.1.bb b/meta-oe/recipes-multimedia/libjxl/libjxl_0.11.2.bb similarity index 96% rename from meta-oe/recipes-multimedia/libjxl/libjxl_0.11.1.bb rename to meta-oe/recipes-multimedia/libjxl/libjxl_0.11.2.bb index ad5b5d169b..1157f07d84 100644 --- a/meta-oe/recipes-multimedia/libjxl/libjxl_0.11.1.bb +++ b/meta-oe/recipes-multimedia/libjxl/libjxl_0.11.2.bb 
@@ -8,11 +8,11 @@ inherit cmake pkgconfig mime DEPENDS = "highway brotli" -SRC_URI = "gitsm://github.com/libjxl/libjxl.git;protocol=https;nobranch=1 \ +SRC_URI = "gitsm://github.com/libjxl/libjxl.git;protocol=https;nobranch=1;tag=v${PV} \ file://0001-cmake-Do-not-use-mrelax-all-with-clang-on-RISCV64.patch \ " -SRCREV = "794a5dcf0d54f9f0b20d288a12e87afb91d20dfc" +SRCREV = "332feb17d17311c748445f7ee75c4fb55cc38530" EXTRA_OECMAKE = " \ -DCMAKE_BUILD_TYPE=Release \ From patchwork Tue Feb 24 19:04:49 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 81831 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BEB77F4BB82 for ; Tue, 24 Feb 2026 19:05:05 +0000 (UTC) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.28138.1771959897764885236 for ; Tue, 24 Feb 2026 11:04:58 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=LFf+ocUP; spf=pass (domain: gmail.com, ip: 209.85.128.47, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-4837584120eso41116355e9.1 for ; Tue, 24 Feb 2026 11:04:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1771959896; x=1772564696; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ydCDIDHnyhPJIpJtD8Xdxi8SMCd+lw1zqfUxtCknUt8=; b=LFf+ocUPqkUD+WBStHDSUPRBKsX2yrewX34Hs/LDCYO/3WSIeooGDpztpkTrAMpVGk l4FAcemq7LCLqfs7doSSp41BSpMFxmAU8OfJPiyxBn3QDchRptLSmMVQqqEfJWHvGFo4 
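Review bot: the SRC_URI line in the libjxl hunk gains ;tag=v${PV} in addition to the SRCREV bump, and the commit message only lists the upstream changes, so this change to the fetch is undocumented. Please say in the message that the tag parameter is intentional, and confirm that 332feb17d17311c748445f7ee75c4fb55cc38530 is the commit the v0.11.2 tag points to, since the hunk alone cannot show that the two agree.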
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][whinlatter][PATCH 6/8] gnome-shell: ignore CVE-2021-3982 Date: Tue, 24 Feb 2026 20:04:49 +0100 Message-ID: <20260224190451.1596179-6-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260224190451.1596179-1-skandigraun@gmail.com> References: <20260224190451.1596179-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 24 Feb 2026 19:05:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124594 Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3982 The vulnerability is about a privilege escalation, in case the host distribution sets CAP_SYS_NICE capability on the gnome-shell binary. OE distros don't do that, and due to this this recipe is not affected by this issue. The CVE is ignored. Signed-off-by: Gyorgy Sarvari --- meta-gnome/recipes-gnome/gnome-shell/gnome-shell_48.3.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_48.3.bb b/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_48.3.bb index 33ba5eaa39..428717566d 100644 --- a/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_48.3.bb +++ b/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_48.3.bb 
@@ -91,3 +91,4 @@ PACKAGES =+ "${PN}-tools ${PN}-gsettings" FILES:${PN}-tools = "${bindir}/*-tool" RDEPENDS:${PN}-tools = "python3-core" +CVE_STATUS[CVE-2021-3982] = "not-applicable-config: OE doesn't set CAP_SYS_NICE capability" From patchwork Tue Feb 24 19:04:50 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 81833 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B60DDF4BB80 for ; Tue, 24 Feb 2026 19:05:05 +0000 (UTC) Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.28139.1771959898494550980 for ; Tue, 24 Feb 2026 11:04:58 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=DWtzGJeF; spf=pass (domain: gmail.com, ip: 209.85.128.41, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-4837907f535so52790205e9.3 for ; Tue, 24 Feb 2026 11:04:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1771959897; x=1772564697; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=BcpNwamY0aYUD774U7ILtCJap41jYlb9ONMHQrpFu8w=; b=DWtzGJeFMsJMXj4OIp0E49TSl8xhHRqmb/Ff3F0AXUKNYTBuh8C8t+NPVo/WdyHeCV fSz+/Rgn+9Bafhc9VA8nSJdQJJHYc6MRvU6gnM2xavgYE1YsrI8yuVT8cL9ov+bkWJcf PoIg9vjKt5sBlnsEJPFQ0My0k1mgh9RfQN9MyASZXLNEMr0Flr2CIMfHHKw1a9cB5NTE 4O8ArUKCzN+a5z2k3cG7bV7qrS6dbNANU2xz22y5p91jF8VTvag5oeYZS7PhxXO+2cEZ RlIkg+j07iCg0S9Df6h5v/DA3fLCJE0h1bjOk8U4polMUqMRGwCXdEqkXcTdR+CqluzN zGxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
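Review bot: the added CVE_STATUS[CVE-2021-3982] line in gnome-shell_48.3.bb records an assumption about the image rather than something the recipe enforces. Nothing in the hunk prevents a distro or bbappend from setting CAP_SYS_NICE on the gnome-shell binary, and in that case the CVE report would still show the issue as not applicable. Suggest making the reason say exactly what is assumed, for example "not-applicable-config: OE does not set the CAP_SYS_NICE file capability on the gnome-shell binary", so anyone who adds the capability downstream knows to revisit it. A blank line between RDEPENDS:${PN}-tools and the new line would also keep the CVE annotation visually separate from the packaging variables.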
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][whinlatter][PATCH 7/8] gimp: ignore already fixed CVEs Date: Tue, 24 Feb 2026 20:04:50 +0100 Message-ID: <20260224190451.1596179-7-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260224190451.1596179-1-skandigraun@gmail.com> References: <20260224190451.1596179-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 24 Feb 2026 19:05:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124595 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0797 https://nvd.nist.gov/vuln/detail/CVE-2026-2044 https://nvd.nist.gov/vuln/detail/CVE-2026-2045 https://nvd.nist.gov/vuln/detail/CVE-2026-2047 https://nvd.nist.gov/vuln/detail/CVE-2026-2048 All these CVEs are already fixed in the recipe version, however NVD tracks them currently without CPE info. Ignore them. Relevant upstream commits: CVE-2026-0797: https://gitlab.gnome.org/GNOME/gimp/-/commit/ca449c745d58daa3f4b1ed4c2030d35d401a009d Note that the commit referenced by NVD is incorrect. This commit was identified from the relevant upstream Gitlab issue: https://gitlab.gnome.org/GNOME/gimp/-/issues/15555 CVE-2026-2044: https://gitlab.gnome.org/GNOME/gimp/-/commit/3b5f9ec2b4c03cf4a51a5414f2793844c26747e5 CVE-2026-2045: https://gitlab.gnome.org/GNOME/gimp/-/commit/bb896f67942557658b3fbfc67a1c073775c002c7 CVE-2026-2047: https://gitlab.gnome.org/GNOME/gimp/-/commit/5873e16f80cf4152d25a4c86b08553008a331e90 CVE-2026-2048: https://gitlab.gnome.org/GNOME/gimp/-/commit/fa69ac5ec5692f675de5c50a6df758f7d3e45117 --- meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb index 860fb5d26b..5cbb94055a 100644 
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb 
@@ -135,4 +135,7 @@ RDEPENDS:${PN} = "mypaint-brushes-1.0 glib-networking python3-pygobject" CVE_STATUS[CVE-2007-3741] = "not-applicable-platform: This only applies for Mandriva Linux" CVE_STATUS[CVE-2025-8672] = "not-applicable-config: the vulnerability only affects MacOS" -CVE_STATUS[CVE-2025-15059] = "fixed-version: The issue is fixed since v3.0.8" + +CVE_STATUS_GROUPS += "CVE_STATUS_FIXED_ALREADY" +CVE_STATUS_FIXED_ALREADY[status] = "fixed-version: The issue is fixed since v3.0.8" +CVE_STATUS_FIXED_ALREADY = "CVE-2025-15059 CVE-2026-0797 CVE-2026-2044 CVE-2026-2045 CVE-2026-2047 CVE-2026-2048" From patchwork Tue Feb 24 19:04:51 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 81829 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A6268F4BB7A for ; Tue, 24 Feb 2026 19:05:05 +0000 (UTC) Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.28250.1771959899107367625 for ; Tue, 24 Feb 2026 11:04:59 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=bC730COf; spf=pass (domain: gmail.com, ip: 209.85.221.51, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-4327790c4e9so4468013f8f.2 for ; Tue, 24 Feb 2026 11:04:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1771959897; x=1772564697; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=0mZybY8ejKUJzuWmzbVMLFYqsVlFSkCmeDmW32np0/A=; 
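Review bot: the shared text in CVE_STATUS_FIXED_ALREADY[status], "The issue is fixed since v3.0.8", was written for CVE-2025-15059 and is now applied to five more CVEs, while the commit message only claims they are fixed in the recipe version, not that 3.0.8 is the release that first carried each fix. If any of the listed upstream commits landed in an earlier release, the text is wrong for that CVE; wording such as "fixed-version: fixed in or before v3.0.8" would hold for all six. A recipe comment beside the group noting that NVD references the wrong commit for CVE-2026-0797, as the message explains, would help whoever re-checks these on the next upgrade. The commit message as shown here also has no Signed-off-by line, unlike the other patches in the series.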
cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Feb 2026 11:04:57 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-multimedia][whinlatter][PATCH 8/8] minidlna: ignore CVE-2024-51442 Date: Tue, 24 Feb 2026 20:04:51 +0100 Message-ID: <20260224190451.1596179-8-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260224190451.1596179-1-skandigraun@gmail.com> References: <20260224190451.1596179-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 24 Feb 2026 19:05:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124596 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-51442 The description of the vulnerability says "attacker [...] execute arbitrary OS commands via a specially crafted minidlna.conf configuration file". There is no official fix for this CVE, and upstream seems to be inactive for the past 3 years. The reason for ignoring this CVE is that the referenced minidlna.conf file is in the /etc folder, and the file is not world-writable. Which means that this vulnerability can be exploited only when someone is root - but if the attacker is already root, they don't need to resort to minidlna config-file modifications to execute any command they want. Signed-off-by: Gyorgy Sarvari --- meta-multimedia/recipes-multimedia/minidlna/minidlna.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc b/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc index cb2a1865e8..0dd297098c 100644 --- a/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc +++ b/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc 
@@ -43,3 +43,4 @@ SYSTEMD_SERVICE:${PN} = "minidlna.service" INITSCRIPT_NAME = "minidlna" INITSCRIPT_PARAMS = "defaults 90" +CVE_STATUS[CVE-2024-51442] = "not-applicable-config: vulnerability requires root access"
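Review bot: the reason on the added CVE_STATUS[CVE-2024-51442] line, "vulnerability requires root access", states the conclusion but not the condition it depends on, which per the commit message is that minidlna.conf lives in /etc and is not world-writable. Nothing in the hunk sets or checks that file mode, and because the entry is in minidlna.inc it applies to every recipe version that includes the file. Suggest putting the precondition in the reason, for example "not-applicable-config: minidlna.conf is installed in /etc and writable only by root", so a later change to the file's ownership or permissions prompts a re-check.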