From patchwork Sat Mar 7 22:52:18 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 82778
X-Patchwork-Delegate: yoann.congal@smile.fr
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 01/11] gdk-pixbuf: Fix CVE-2025-6199 Date: Sat, 7 Mar 2026 23:52:18 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Mar 2026 22:52:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232626 From: Shaik Moin Backport the fix for CVE-2025-6199 Add below patch to fix CVE-2025-6199.patch Reference: In Ubuntu and debian, fixed patch is given -> [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32] Signed-off-by: Shaik Moin [YC: Link to Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2025-6199 ] Signed-off-by: Yoann Congal --- .../gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch | 36 +++++++++++++++++++ .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch new file mode 100644 index 00000000000..1952e3ceaf5 --- /dev/null +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch 
@@ -0,0 +1,36 @@ +From 140200be0b4d5355aab76a6fd474e17d117045ca Mon Sep 17 00:00:00 2001 +From: lumi +Date: Sat, 7 Jun 2025 22:27:06 +0200 +Subject: [PATCH] lzw: Fix reporting of bytes written in decoder + +When the LZW decoder encounters an invalid code, it stops +processing the image and returns the whole buffer size. +It should return the amount of bytes written, instead. + +Fixes #257 + +CVE: CVE-2025-6199 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32] + +Signed-off-by: Shaik Moin +--- + gdk-pixbuf/lzw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c +index 15293560b..4f3dd8beb 100644 +--- a/gdk-pixbuf/lzw.c ++++ b/gdk-pixbuf/lzw.c +@@ -208,7 +208,7 @@ lzw_decoder_feed (LZWDecoder *self, + /* Invalid code received - just stop here */ + if (self->code >= self->code_table_size) { + self->last_code = self->eoi_code; +- return output_length; ++ return n_written; + } + + /* Convert codeword into indexes */ +-- +2.34.1 + diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb index ff1c7a1fb2c..7c58fe1e1d6 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb 
@@ -21,6 +21,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ file://fatal-loader.patch \ file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ file://CVE-2025-7345.patch \ + file://CVE-2025-6199.patch \ " SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7" From patchwork Sat Mar 7 22:52:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82780 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D3ACF5511A for ; Sat, 7 Mar 2026 22:53:06 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19038.1772923977009531313 for ; Sat, 07 Mar 2026 14:52:57 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=Z73TH7A3; spf=pass (domain: smile.fr, ip: 209.85.128.43, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-4853510b4f3so2233445e9.0 for ; Sat, 07 Mar 2026 14:52:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1772923975; x=1773528775; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=asSZSFR5s9lAOWJohLIOefjCUAGvqS41IV/qtzwmtB0=; b=Z73TH7A3vVCLvLoiDNfIbPfKoGI6bBo4hOzopGa9j0vHfJViNa9UDJBV7f58K/vj9f RzgY5h4NO/0822q4+k971QlbWu4lfJnMThpJen1MJMLyQ9eysSG4nQBkA9J8qHK3wegt InGRZDnk+JPsnYcOslDmivaVZ3eZ2tyBOemw4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772923975; 
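Review bot: the one-line change in lzw_decoder_feed (`return output_length;` becomes `return n_written;` in the invalid-code branch) is carried with no statement of impact or testing; the OE commit message only says "Backport the fix". The old return value told the caller the whole output buffer had been filled when only n_written bytes had been, so please say that in the commit message and note how the backport was checked against 2.42.12.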
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 02/11] ffmpeg: set status for CVE-2025-10256 Date: Sat, 7 Mar 2026 23:52:19 +0100 Message-ID: <26da85be0717c00201e1ae1c1bdb67963a03ed92.1772923420.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Mar 2026 22:53:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232627 From: Peter Marko Per [1] is patch for this CVE [2]. This is equivalent of [3] which is included in n6.1.3. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-10256 [2] https://github.com/FFmpeg/FFmpeg/commit/a25462482c02c004d685a8fcf2fa63955aaa0931 [3] https://github.com/FFmpeg/FFmpeg/commit/00b5af29a4203a31574c11b3df892d78d5d862ec Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb index eb64b5c8d59..080241d34f9 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb 
@@ -48,7 +48,7 @@ CVE_STATUS[CVE-2023-39018] = "cpe-incorrect: This issue belongs to ffmpeg-cli-wr CVE_STATUS[CVE-2025-1373] = "fixed-version: Vulnerable code not present in any release" CVE_STATUS_GROUPS += "CVE_STATUS_FIXED_61x" -CVE_STATUS_FIXED_61x = "CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2023-50009 CVE-2023-50010 CVE-2024-31578 CVE-2024-31582 CVE-2024-31585 CVE-2025-1594" +CVE_STATUS_FIXED_61x = "CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2023-50009 CVE-2023-50010 CVE-2024-31578 CVE-2024-31582 CVE-2024-31585 CVE-2025-1594 CVE-2025-10256" CVE_STATUS_FIXED_61x[status] = "cpe-incorrect:these CVEs are fixed in 6.1.x" CVE_STATUS[CVE-2025-25468] = "cpe-incorrect:vulnerability was introduced in v8.0" From patchwork Sat Mar 7 22:52:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82782 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B2C60F5511F for ; Sat, 7 Mar 2026 22:53:06 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19039.1772923979283487155 for ; Sat, 07 Mar 2026 14:52:59 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=gLnilCPj; spf=pass (domain: smile.fr, ip: 209.85.128.42, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-4852e9ca034so6959875e9.2 for ; Sat, 07 Mar 2026 14:52:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1772923977; x=1773528777; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to 
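Review bot: the CVE-2025-10256 entry appended to CVE_STATUS_FIXED_61x inherits the group text "cpe-incorrect:these CVEs are fixed in 6.1.x", which records neither the release named in the commit message (n6.1.3) nor the equivalent commit [3]. Consider a comment above the assignment that lists each CVE with its fixing commit, so the claim can be audited from the recipe without going back to the mailing list.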
[2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48527681e3fsm133287175e9.6.2026.03.07.14.52.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 07 Mar 2026 14:52:56 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 03/11] ffmpeg: set status for CVE-2025-12343 Date: Sat, 7 Mar 2026 23:52:20 +0100 Message-ID: <4cc6f4302483d227c2e26223da43b8811165febf.1772923420.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Mar 2026 22:53:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232628 From: Peter Marko Per [1] is patch for this CVE [2]. This is equivalent of [3] which is included in n6.1.3. [1] https://security-tracker.debian.org/tracker/CVE-2025-12343 [2] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/b8d5f65b9e89d893f27cf00799dbc15fc0ca2f8e [3] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/6250ed77a6fb5bb089e533e30985d197e8323dcf Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb index 080241d34f9..849835c8493 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb 
@@ -48,7 +48,7 @@ CVE_STATUS[CVE-2023-39018] = "cpe-incorrect: This issue belongs to ffmpeg-cli-wr CVE_STATUS[CVE-2025-1373] = "fixed-version: Vulnerable code not present in any release" CVE_STATUS_GROUPS += "CVE_STATUS_FIXED_61x" -CVE_STATUS_FIXED_61x = "CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2023-50009 CVE-2023-50010 CVE-2024-31578 CVE-2024-31582 CVE-2024-31585 CVE-2025-1594 CVE-2025-10256" +CVE_STATUS_FIXED_61x = "CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2023-50009 CVE-2023-50010 CVE-2024-31578 CVE-2024-31582 CVE-2024-31585 CVE-2025-1594 CVE-2025-10256 CVE-2025-12343" CVE_STATUS_FIXED_61x[status] = "cpe-incorrect:these CVEs are fixed in 6.1.x" CVE_STATUS[CVE-2025-25468] = "cpe-incorrect:vulnerability was introduced in v8.0" From patchwork Sat Mar 7 22:52:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82784 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A54C1F55118 for ; Sat, 7 Mar 2026 22:53:06 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19042.1772923981676060655 for ; Sat, 07 Mar 2026 14:53:01 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=WFBJI2GO; spf=pass (domain: smile.fr, ip: 209.85.128.45, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-48529c325f0so10434895e9.0 for ; Sat, 07 Mar 2026 14:53:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1772923980; x=1773528780; darn=lists.openembedded.org; 
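Review bot: CVE_STATUS_FIXED_61x is one space-separated string, so adding CVE-2025-12343 rewrites the same line that 02/11 just changed, and this patch only applies on top of it (the base blob is `080241d34f9`, the result of 02/11). Splitting the value over continuation lines, one CVE per line, would turn each future addition into an independent one-line diff and make the list reviewable.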
(2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48527681e3fsm133287175e9.6.2026.03.07.14.52.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 07 Mar 2026 14:52:59 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 04/11] zlib: Fix CVE-2026-27171 Date: Sat, 7 Mar 2026 23:52:21 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Mar 2026 22:53:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232629 From: Hugo SIMELIERE Pick patch from [1] also mentioned in [2] [1] https://github.com/madler/zlib/issues/904 [2] https://security-tracker.debian.org/tracker/CVE-2026-27171 Signed-off-by: Bruno VERNAY Signed-off-by: Hugo SIMELIERE Signed-off-by: Yoann Congal --- .../zlib/zlib/CVE-2026-27171.patch | 63 +++++++++++++++++++ meta/recipes-core/zlib/zlib_1.3.1.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-core/zlib/zlib/CVE-2026-27171.patch diff --git a/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch new file mode 100644 index 00000000000..e6a8a3eac5f --- /dev/null +++ b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch 
@@ -0,0 +1,63 @@ +From f234bdf5c0f94b681312452fcd5e36968221fa04 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sun, 21 Dec 2025 18:17:56 -0800 +Subject: [PATCH] Check for negative lengths in crc32_combine functions. + +Though zlib.h says that len2 must be non-negative, this avoids the +possibility of an accidental infinite loop. + +Upstream-Status: Backport [https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77] +CVE: CVE-2026-27171 + +Signed-off-by: Hugo SIMELIERE +--- + crc32.c | 4 ++++ + zlib.h | 4 ++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/crc32.c b/crc32.c +index 6c38f5c..33d8c79 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -1019,6 +1019,8 @@ unsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf, + + /* ========================================================================= */ + uLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) { ++ if (len2 < 0) ++ return 0; + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +@@ -1032,6 +1034,8 @@ uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) { + + /* ========================================================================= */ + uLong ZEXPORT crc32_combine_gen64(z_off64_t len2) { ++ if (len2 < 0) ++ return 0; + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +diff --git a/zlib.h b/zlib.h +index 8d4b932..8c7f8ac 100644 +--- a/zlib.h ++++ b/zlib.h +@@ -1758,14 +1758,14 @@ ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2); + seq1 and seq2 with lengths len1 and len2, CRC-32 check values were + calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32 + check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and +- len2. len2 must be non-negative. ++ len2. len2 must be non-negative, otherwise zero is returned. 
+ */ + + /* + ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2); + + Return the operator corresponding to length len2, to be used with +- crc32_combine_op(). len2 must be non-negative. ++ crc32_combine_op(). len2 must be non-negative, otherwise zero is returned. + */ + + ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op); +-- +2.43.0 + diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb index 4992f834637..e42578fd7e0 100644 --- a/meta/recipes-core/zlib/zlib_1.3.1.bb +++ b/meta/recipes-core/zlib/zlib_1.3.1.bb 
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6 SRC_URI = "https://zlib.net/${BP}.tar.gz \ file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \ file://run-ptest \ + file://CVE-2026-27171.patch \ " UPSTREAM_CHECK_URI = "http://zlib.net/" From patchwork Sat Mar 7 22:52:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82783 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EF105F55121 for ; Sat, 7 Mar 2026 22:53:06 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19043.1772923983490477848 for ; Sat, 07 Mar 2026 14:53:03 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=VS3n8sCv; spf=pass (domain: smile.fr, ip: 209.85.128.45, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-4852ff06541so6738675e9.2 for ; Sat, 07 Mar 2026 14:53:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1772923982; x=1773528782; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=4NH6mxgGf9EEHqAN0rBySdwQBtUgRzUaJ6bJfwrt6Cg=; b=VS3n8sCvrGtS6lI3q0JaVUE8Z/vdou27TDL4a8B5N/BNmn+8mUDCcrCDiGviXuatEl urOeavertph/csC9RkEcq+VU+sL5GovwkpwBn7R04ouzcBQ2ZYiG7/xYXLBL0uGu9KkF cnSrmvblDJaLUyWoCx/gGvVuPlm+iyqzBI1PE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772923982; x=1773528782; 
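Review bot: in crc32.c the new `if (len2 < 0) return 0;` guards in crc32_combine64() and crc32_combine_gen64() report the rejected input with zero, which is also a valid CRC-32 value, so a caller cannot tell a refused negative length from a real result; the zlib.h hunk only documents that behaviour. As a backport this should stay identical to upstream, but the OE commit message could state that the guard closes the infinite-loop case described upstream and that callers still have to validate len2 themselves.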
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 05/11] harfbuzz: Fix CVE-2026-22693 Date: Sat, 7 Mar 2026 23:52:22 +0100 Message-ID: <568094a54f7a0aa6ad059d3085b1fecf5875871a.1772923420.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Mar 2026 22:53:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232630 From: Hugo SIMELIERE Pick patch mentioned in NVD report [1] [1] https://nvd.nist.gov/vuln/detail/CVE-2026-22693 Signed-off-by: Bruno VERNAY Signed-off-by: Hugo SIMELIERE Signed-off-by: Yoann Congal --- .../harfbuzz/files/CVE-2026-22693.patch | 33 +++++++++++++++++++ .../harfbuzz/harfbuzz_8.3.0.bb | 4 ++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch diff --git a/meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch b/meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch new file mode 100644 index 00000000000..c57859a7b35 --- /dev/null +++ b/meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch 
@@ -0,0 +1,33 @@ +From 95d38abd1293cae1f2aa700a3949288fd2c9a4c4 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod +Date: Fri, 9 Jan 2026 04:54:42 -0700 +Subject: [PATCH] [cmap] malloc fail test (#5710) + +Fixes https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww + +Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae] +CVE: CVE-2026-22693 + +Signed-off-by: Hugo SIMELIERE +--- + src/hb-ot-cmap-table.hh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/hb-ot-cmap-table.hh b/src/hb-ot-cmap-table.hh +index e2e258185..2f7d72700 100644 +--- a/src/hb-ot-cmap-table.hh ++++ b/src/hb-ot-cmap-table.hh +@@ -1534,6 +1534,10 @@ struct SubtableUnicodesCache { + { + SubtableUnicodesCache* cache = + (SubtableUnicodesCache*) hb_malloc (sizeof(SubtableUnicodesCache)); ++ ++ if (unlikely (!cache)) ++ return nullptr; ++ + new (cache) SubtableUnicodesCache (source_table); + return cache; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_8.3.0.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_8.3.0.bb index d733342682b..440ca1043d1 100644 --- a/meta/recipes-graphics/harfbuzz/harfbuzz_8.3.0.bb +++ b/meta/recipes-graphics/harfbuzz/harfbuzz_8.3.0.bb 
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b98429b8e8e3c2a67cfef01e99e4893d \ file://src/hb-ucd.cc;beginline=1;endline=15;md5=29d4dcb6410429195df67efe3382d8bc \ " -SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BPN}-${PV}.tar.xz" +SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BPN}-${PV}.tar.xz \ + file://CVE-2026-22693.patch \ + " SRC_URI[sha256sum] = "109501eaeb8bde3eadb25fab4164e993fbace29c3d775bcaa1c1e58e2f15f847" DEPENDS += "glib-2.0-native" From patchwork Sat Mar 7 22:52:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82781 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 955F5F5511B for ; Sat, 7 Mar 2026 22:53:06 +0000 (UTC) Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19045.1772923985746283372 for ; Sat, 07 Mar 2026 14:53:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=WroXqqfX; spf=pass (domain: smile.fr, ip: 209.85.221.53, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-439c4a93841so3226780f8f.1 for ; Sat, 07 Mar 2026 14:53:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1772923984; x=1773528784; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=oU1tD4w1Vhm4cMCVBytBOY6COwEo02HSqRuRiI8pGsI=; b=WroXqqfXMV38bs5JfdN4t6ED6fGLCRaQqpvGMAW3SWWewEFuVHfhYXZ0hH0oMejiGx a1KR9TkprO4xZG+nsqWi78JtjN68pGwkdnSCFG6d9Xd03HTi4nK8y2gfrId/07xJsjso 
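Review bot: the new null return after hb_malloc in hb-ot-cmap-table.hh (`if (unlikely (!cache)) return nullptr;`) is only safe if every caller in 8.3.0 handles a null cache, and neither the hunk nor the commit message shows that. The upstream commit is dated January 2026 while the recipe is 8.3.0, so please confirm the callers in this older tree check the returned pointer and say so in the commit message.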
Af6PQ3sGQHwCj2J1QfnknHNIAXOP+xVJuFOgM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772923984; x=1773528784; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=oU1tD4w1Vhm4cMCVBytBOY6COwEo02HSqRuRiI8pGsI=; b=XqA2+lRF/RyKhPyvqDemI+1ZGdV4pr+yFay2Q+v9vfi2gesq7prpVdLJJWLPeHj2PU CAhA9ehCJvXRfUF2z553S1+nqGW0EGJQY202LxfDF2EjZnl9jE1qSVxRllPLTnhOM3MO rXZsMxu4UY1qCmd9yaFQfURC2Ibn+jbL9AsbMnzSOFRM4PbeG3LrZhSW+S+VcYDjNYRo tKQfNPDqI5XdRNZq6FXDoSRWym3loc62sjyL35Ewj5lXJxrfrDLxz3UagIHgWvyV5qW0 m5uBDkdcDeSIGrnoCATSEusWI04pupg95asSewQDDzk6pmXzRqOzds2Eo/jBhyzwkFZX H75Q== X-Gm-Message-State: AOJu0YyGJ8ZSCsDLDrU6bnCT3GCkTcy6xEBHrrFdc7y89rufFGOBNB8I tH/DU/Z760cwVJHjBz5ECYYPbs46/n5BhkPz06r6yJvRFLkoW905MLOEivcBjPSWEKrF6ap/p0j yuk8N X-Gm-Gg: ATEYQzzeDj9+ptqTzXAQ+/F3U1LxGmwXoVJ3+cl/QgnsbF3RqCPOX+tiajrE3Eym2eC Mb5uj9fZb5nCaWTc+UImixSyVFg01ls/LWblH4bmanHco/dkvmiVGDLHdK66tU10CNibPXQtpXT MlO+MSLchAh4BoLqwhD9UV94Bzgeke2zZ1P46kGOXnFXlDtqt37xTXGCvyXAZDqsrCgbQAYHE71 g98MNurFbbdJ6au0ZhP7m5v/avfIZvPqHb+40f/kSEwZ7qdH7qjpiE9w3K7TsEbiZ7B5Ptu3vvi tW0pAU8JDI02mOVG9enCjSyTQ52Ozp3IDvBV+oyrrC9tvetr5fgXMzn7YfNptzKaSNE2qLHOMxd niJh1+w5XIQYHCl5s/B8/ZpP0GtsGgSdtY1eNT8qWvbKWA0bqCM3QlsMv+oaqbrfYm2+2/xNKFn vpm8sk+0e//kn+a78MVZe9L8Zo6BH0k0yzrBEZGHYBJjjCmSjbH+oddnvfTBpJIct0JaQWjqUom C6ufG5aBVRTrHOUKx16DJIatbk= X-Received: by 2002:a05:600c:1e2a:b0:471:700:f281 with SMTP id 5b1f17b1804b1-4852695d227mr104476065e9.25.1772923983707; Sat, 07 Mar 2026 14:53:03 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48527681e3fsm133287175e9.6.2026.03.07.14.53.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 07 Mar 2026 14:53:03 -0800 (PST) 
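Review bot: In the src/hb-ot-cmap-table.hh hunk carried by the new CVE-2026-22693.patch, the added "if (unlikely (!cache)) return nullptr;" makes the function that allocates SubtableUnicodesCache return a null pointer where it previously always ran placement new on the hb_malloc result, and the hunk shows no caller. Please confirm, and say in the commit message, that every caller of this function in the 8.3.0 tree checks for nullptr; if one does not, the backport only moves the null dereference from the constructor to the caller. The nested patch header does carry the expected Upstream-Status, CVE and Signed-off-by tags.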
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 06/11] openssl: upgrade 3.2.6 -> 3.5.5
Date: Sat, 7 Mar 2026 23:52:23 +0100
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232631

From: Peter Marko

Openssl 3.2 has reached EOL.

Some projects would like to use an LTS version due to criticality and exposure of this component, so upgrade to 3.5 branch.

Copy recipe from oe-core master fd3b1efb6f7ffb5505ff7eb95cae222e1db9f776 which is the last revision before disabling TLS 1/1.1 by default. Single change is replacing UNPACKDIR by WORKDIR (one occurrence).

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 .../openssl/files/environment.d-openssl.sh | 9 ++-
 ...ke-history-reporting-when-test-fails.patch | 32 ++++----
 ...1-Configure-do-not-tweak-mips-cflags.patch | 4 +-
 ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
 .../0001-extend-check_cwm-test-timeout.patch | 32 ++++++++
 .../openssl/openssl/CVE-2024-41996.patch | 44 -----------
 .../openssl/openssl/CVE-2025-15468.patch | 39 ----------
 .../openssl/openssl/CVE-2025-69419.patch | 61 ---------------
 .../{openssl_3.2.6.bb => openssl_3.5.5.bb} | 75 ++++++++++++-------
 9 files changed, 119 insertions(+), 203 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => openssl_3.5.5.bb} (76%)
diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh index d72edcb5edf..77747c1fdaf 100644 --- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh +++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh @@ -1,14 +1,15 @@ -export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf" +export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/openssl.cnf" export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/" export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3" +export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES" # Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools -# CAFILE/CAPATH is auto-deteced when source buildtools +# CAFILE/CAPATH is auto-detected when source buildtools if [ -z "${SSL_CERT_FILE:-}" ]; then if [ -n "${CAFILE:-}" ];then export SSL_CERT_FILE="$CAFILE" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then - export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt" + export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt" fi fi @@ -16,7 +17,7 @@ if [ -z "${SSL_CERT_DIR:-}" ]; then if [ -n "${CAPATH:-}" ];then export SSL_CERT_DIR="$CAPATH" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then - export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs" + export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs" fi fi diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch index b05d7abf7cb..a74c79303f6 100644 
--- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch @@ -6,18 +6,17 @@ Subject: [PATCH] Added handshake history reporting when test fails Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481] Signed-off-by: William Lyu -Signed-off-by: Siddharth Doshi --- - test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++---------- + test/helpers/handshake.c | 136 ++++++++++++++++++++++++++++++--------- test/helpers/handshake.h | 70 +++++++++++++++++++- test/ssl_test.c | 44 +++++++++++++ - 3 files changed, 217 insertions(+), 34 deletions(-) + 3 files changed, 217 insertions(+), 33 deletions(-) diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c -index e0422469e4..ae2ad59dd4 100644 +index f611b3a..5703b48 100644 --- a/test/helpers/handshake.c +++ b/test/helpers/handshake.c -@@ -24,6 +24,102 @@ +@@ -25,6 +25,102 @@ #include #endif @@ -120,7 +119,7 @@ index e0422469e4..ae2ad59dd4 100644 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) { HANDSHAKE_RESULT *ret; -@@ -725,15 +821,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client, +@@ -724,15 +820,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client, SSL_set_post_handshake_auth(client, 1); } @@ -136,7 +135,7 @@ index e0422469e4..ae2ad59dd4 100644 /* An SSL object and associated read-write buffers. */ typedef struct peer_st { SSL *ssl; -@@ -1080,17 +1167,6 @@ static void do_shutdown_step(PEER *peer) +@@ -1077,16 +1164,6 @@ static void do_shutdown_step(PEER *peer) } } 
@@ -149,12 +148,11 @@ index e0422469e4..ae2ad59dd4 100644 - SHUTDOWN, - CONNECTION_DONE -} connect_phase_t; -- - static int renegotiate_op(const SSL_TEST_CTX *test_ctx) { switch (test_ctx->handshake_mode) { -@@ -1168,19 +1244,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, +@@ -1164,19 +1241,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, } } @@ -174,7 +172,7 @@ index e0422469e4..ae2ad59dd4 100644 /* * Determine the handshake outcome. * last_status: the status of the peer to have acted last. -@@ -1545,6 +1608,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( +@@ -1541,6 +1605,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( start = time(NULL); @@ -185,8 +183,8 @@ index e0422469e4..ae2ad59dd4 100644 /* * Half-duplex handshake loop. * Client and server speak to each other synchronously in the same process. -@@ -1566,6 +1633,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( - 0 /* server went last */); +@@ -1562,6 +1630,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( + 0 /* server went last */); } + save_loop_history(&(ret->history), @@ -197,7 +195,7 @@ index e0422469e4..ae2ad59dd4 100644 case HANDSHAKE_SUCCESS: client_turn_count = 0; diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h -index 78b03f9f4b..b9967c2623 100644 +index 78b03f9..b9967c2 100644 --- a/test/helpers/handshake.h +++ b/test/helpers/handshake.h @@ -1,5 +1,5 @@ @@ -293,16 +291,16 @@ index 78b03f9f4b..b9967c2623 100644 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void); 
@@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, - CTX_DATA *server2_ctx_data, - CTX_DATA *client_ctx_data); + CTX_DATA *server2_ctx_data, + CTX_DATA *client_ctx_data); +const char *handshake_connect_phase_name(connect_phase_t phase); +const char *handshake_status_name(handshake_status_t handshake_status); +const char *handshake_peer_status_name(peer_status_t peer_status); + - #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */ + #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */ diff --git a/test/ssl_test.c b/test/ssl_test.c -index ea608518f9..9d6b093c81 100644 +index ea60851..9d6b093 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL; diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch index 3f6ab97795a..cf5ff356ee7 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -17,10 +17,10 @@ Signed-off-by: Tim Orling 1 file changed, 10 deletions(-) diff --git a/Configure b/Configure -index 4569952..adf019b 100755 +index fff97bd..5ee54c1 100755 --- a/Configure +++ b/Configure -@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) +@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) push @{$config{shared_ldflag}}, "-mno-cygwin"; } diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch index ce2acb24629..dadc034c913 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch 
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch @@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'. Signed-off-by: Khem Raj --- - Configurations/unix-Makefile.tmpl | 12 +++++++++++- + Configurations/unix-Makefile.tmpl | 16 +++++++++++++++- crypto/build.info | 2 +- - 2 files changed, 12 insertions(+), 2 deletions(-) + 2 files changed, 16 insertions(+), 2 deletions(-) -Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl -=================================================================== ---- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl -+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl -@@ -481,13 +481,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl +index 09303c4..011bda1 100644 +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h +# *_Q variables are used for one thing only: to build up buildinf.h CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g; ++ $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g; $cppflags2 =~ s|([\\"])|\\$1|g; ++ $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g; $lib_cppflags =~ s|([\\"])|\\$1|g; ++ $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g; join(' ', $lib_cppflags || (), $cppflags2 || (), $cppflags1 || ()) -} @@ -54,6 +57,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl + s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; + s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; + s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g; ++ s|-isystem/[^ ]+/usr/include ||g; + } + join(' ', @{$config{CFLAGS}}) -} + 
@@ -63,10 +67,10 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl PERLASM_SCHEME= {- $target{perlasm_scheme} -} # For x86 assembler: Set PROCESSOR to 386 if you want to support -Index: openssl-3.0.4/crypto/build.info -=================================================================== ---- openssl-3.0.4.orig/crypto/build.info -+++ openssl-3.0.4/crypto/build.info +diff --git a/crypto/build.info b/crypto/build.info +index aee5c46..95c9577 100644 +--- a/crypto/build.info ++++ b/crypto/build.info @@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF DEPEND[info.o]=buildinf.h diff --git a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch new file mode 100644 index 00000000000..f6eb28069ac --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch 
@@ -0,0 +1,32 @@ +From c7000672296f4c367341aa3415f26c4d9f5e4749 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Thu, 23 Oct 2025 11:24:36 +0200 +Subject: [PATCH] extend check_cwm test timeout + +The default, 3s long test timeout isn't always enough for this +particular test in case there is a high load on the host machine +(assuming it is running in qemu). Extend the default timeout to 6s +for the check_cwm test to avoid timeouts. + +Upstream-Status: Inappropriate [upstream issue: https://github.com/openssl/openssl/issues/28983] +Signed-off-by: Gyorgy Sarvari +--- + test/radix/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/test/radix/main.c b/test/radix/main.c +index 4a1e886a71..39f8c61ef9 100644 +--- a/test/radix/main.c ++++ b/test/radix/main.c +@@ -25,6 +25,11 @@ static int test_script(int idx) + int testresult; + TERP_CONFIG cfg = { 0 }; + ++ // check_cwm test sometimes times out, the default 3000ms is ++ // not enough if the test execution starves for CPU ++ if (!strncmp("check_cwm", script_info->name, strlen("check_cwm"))) ++ cfg.max_execution_time = ossl_ms2time(6000); ++ + if (!TEST_true(bindings_process_init(0, 0))) + return 0; + diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch deleted file mode 100644 index dc18e0bef19..00000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 5 Aug 2024 17:54:14 +0200 -Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known - safe-prime groups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The partial validation is fully sufficient to check the key validity. - -Thanks to Szilárd Pfeiffer for reporting the issue. - -Reviewed-by: Neil Horman -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/25088) - -CVE: CVE-2024-41996 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98] -Signed-off-by: Peter Marko ---- - providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c -index 82c3093b12..ebdce76710 100644 ---- a/providers/implementations/keymgmt/dh_kmgmt.c -+++ b/providers/implementations/keymgmt/dh_kmgmt.c -@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype) - if (pub_key == NULL) - return 0; - -- /* The partial test is only valid for named group's with q = (p - 1) / 2 */ -- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK -- && ossl_dh_is_named_safe_prime_group(dh)) -+ /* -+ * The partial test is only valid for named group's with q = (p - 1) / 2 -+ * but for that case it is also fully sufficient to check the key validity. -+ */ -+ if (ossl_dh_is_named_safe_prime_group(dh)) - return ossl_dh_check_pub_key_partial(dh, pub_key, &res); - - return DH_check_pub_key_ex(dh, pub_key); diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch deleted file mode 100644 index dcd862bedf6..00000000000 
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 1f08e54bad32843044fe8a675948d65e3b4ece65 Mon Sep 17 00:00:00 2001 -From: Daniel Kubec -Date: Fri, 9 Jan 2026 14:33:24 +0100 -Subject: [PATCH] ossl_quic_get_cipher_by_char(): Add a NULL guard before - dereferencing SSL_CIPHER -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes CVE-2025-15468 - -Reviewed-by: Saša Nedvědický -Reviewed-by: Tomas Mraz -MergeDate: Mon Jan 26 19:36:04 2026 -(cherry picked from commit 293b55de0c434a99d0e744d0521170ca280606a9) - -CVE: CVE-2025-15468 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/1f08e54bad32843044fe8a675948d65e3b4ece65] -Signed-off-by: Hitendra Prajapati ---- - ssl/quic/quic_impl.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c -index 98b6a0a..4abde64 100644 ---- a/ssl/quic/quic_impl.c -+++ b/ssl/quic/quic_impl.c -@@ -3646,6 +3646,8 @@ const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p) - { - const SSL_CIPHER *ciph = ssl3_get_cipher_by_char(p); - -+ if (ciph == NULL) -+ return NULL; - if ((ciph->algorithm2 & SSL_QUIC) == 0) - return NULL; - --- -2.50.1 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch deleted file mode 100644 index dcfdba82acb..00000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 41be0f216404f14457bbf3b9cc488dba60b49296 Mon Sep 17 00:00:00 2001 -From: Norbert Pocs -Date: Thu, 11 Dec 2025 12:49:00 +0100 -Subject: [PATCH] Check return code of UTF8_putc - -Signed-off-by: Norbert Pocs - -Reviewed-by: Nikola Pajkovsky -Reviewed-by: Viktor Dukhovni -(Merged from https://github.com/openssl/openssl/pull/29376) - -CVE: CVE-2025-69419 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296] -Signed-off-by: Hitendra Prajapati ---- - crypto/asn1/a_strex.c | 6 ++++-- - crypto/pkcs12/p12_utl.c | 11 +++++++++-- - 2 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c -index f64e352..7d76700 100644 ---- a/crypto/asn1/a_strex.c -+++ b/crypto/asn1/a_strex.c -@@ -204,8 +204,10 @@ static int do_buf(unsigned char *buf, int buflen, - orflags = CHARTYPE_LAST_ESC_2253; - if (type & BUF_TYPE_CONVUTF8) { - unsigned char utfbuf[6]; -- int utflen; -- utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c); -+ int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c); -+ -+ if (utflen < 0) -+ return -1; /* error happened with UTF8 */ - for (i = 0; i < utflen; i++) { - /* - * We don't need to worry about setting orflags correctly -diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c -index a96623f..b109dab 100644 ---- a/crypto/pkcs12/p12_utl.c -+++ b/crypto/pkcs12/p12_utl.c -@@ -206,8 +206,15 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen) - /* re-run the loop emitting UTF-8 string */ - for (asclen = 0, i = 0; i < unilen; ) { - j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i); -- if (j == 4) i += 4; -- else i += 2; -+ /* when UTF8_putc fails */ -+ if (j < 0) { -+ OPENSSL_free(asctmp); -+ return NULL; -+ } -+ if (j == 4) -+ i += 4; -+ else -+ i += 2; - asclen += j; - } - --- -2.50.1 - 
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb similarity index 76% rename from meta/recipes-connectivity/openssl/openssl_3.2.6.bb rename to meta/recipes-connectivity/openssl/openssl_3.5.5.bb index 074ab121316..1321adda92a 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb @@ -7,21 +7,19 @@ SECTION = "libs/network" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04" -SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz \ +SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://run-ptest \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ file://0001-Added-handshake-history-reporting-when-test-fails.patch \ - file://CVE-2024-41996.patch \ - file://CVE-2025-15468.patch \ - file://CVE-2025-69419.patch \ + file://0001-extend-check_cwm-test-timeout.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "89681a9ddaa9ed7cf25ea8ef61338db805200bae47d00510490623547380c148" +SRC_URI[sha256sum] = "b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89" inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" 
@@ -34,10 +32,13 @@ PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,crypt PACKAGECONFIG[no-tls1] = "no-tls1" PACKAGECONFIG[no-tls1_1] = "no-tls1_1" PACKAGECONFIG[manpages] = "" +PACKAGECONFIG[fips] = "enable-fips" B = "${WORKDIR}/build" do_configure[cleandirs] = "${B}" +EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests', d)}" + #| ./libcrypto.so: undefined reference to `getcontext' #| ./libcrypto.so: undefined reference to `setcontext' #| ./libcrypto.so: undefined reference to `makecontext' @@ -46,12 +47,15 @@ EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm" # adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions # (native versions can be built with newer glibc, but then relocated onto a system with older glibc) -EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom" -EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom" +EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom" +EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom" # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. -CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" -CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" +EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"' +EXTRA_OEMAKE:append:task-compile:class-nativesdk = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"' + +#| threads_pthread.c:(.text+0x372): undefined reference to `__atomic_is_lock_free' +EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic" # This allows disabling deprecated or undesirable crypto algorithms. # The default is to trust upstream choices. 
@@ -138,21 +142,26 @@ do_configure () { ;; esac - useprefix=${prefix} - if [ "x$useprefix" = "x" ]; then - useprefix=/ - fi # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)" test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!" HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target perl ${B}/configdata.pm --dump } +do_compile:append () { + # The test suite binaries are large and we don't need the debugging in them + if test -d ${B}/test; then + find ${B}/test -type f -executable -exec ${STRIP} {} \; + fi +} + do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \ + ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)} oe_multilib_header openssl/opensslconf.h oe_multilib_header openssl/configuration.h 
@@ -170,21 +179,30 @@ do_install () { ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf + + # Generate fipsmodule.cnf in pkg_postinst_ontarget + if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then + rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf + fi } do_install:append:class-native () { create_wrapper ${D}${bindir}/openssl \ - OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \ - SSL_CERT_DIR=${libdir}/ssl-3/certs \ - SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \ - OPENSSL_ENGINES=${libdir}/engines-3 \ - OPENSSL_MODULES=${libdir}/ossl-modules + OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \ + SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \ + SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \ + OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \ + OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-modules} + + # Setting ENGINESDIR and MODULESDIR to invalid paths prevents host contamination, + # but also breaks the generated libcrypto.pc file. Post-Fix it manually here. + sed -i 's|^enginesdir=\($.libdir.\)/.*|enginesdir=\1/engines-3|' ${D}${libdir}/pkgconfig/libcrypto.pc + sed -i 's|^modulesdir=\($.libdir.\)/.*|modulesdir=\1/ossl-modules|' ${D}${libdir}/pkgconfig/libcrypto.pc } do_install:append:class-nativesdk () { mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh - sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh } PTEST_BUILD_HOST_FILES += "configdata.pm" 
@@ -228,12 +246,18 @@ do_install_ptest() { ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers } +pkg_postinst_ontarget:${PN}-ossl-module-fips () { + if test -f ${libdir}/ossl-modules/fips.so; then + ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so + fi +} + # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto # package RRECOMMENDS on this package. This will enable the configuration # file to be installed for both the openssl-bin package and the libcrypto # package since the openssl-bin package depends on the libcrypto package. -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy" +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips" FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" FILES:libssl = "${libdir}/libssl${SOLIBS}" @@ -245,6 +269,7 @@ FILES:${PN}-engines = "${libdir}/engines-3" FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3" FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash" FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so" +FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so" FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/" FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" 
@@ -256,9 +281,9 @@ RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines RDEPENDS:${PN}-bin += "openssl-conf" +# The test suite is installed stripped +INSANE_SKIP:${PN} = "already-stripped" + BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT = "openssl:openssl" - -CVE_VERSION_SUFFIX = "alphabetical" -
From patchwork Sat Mar 7 22:52:24 2026 X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82785 X-Patchwork-Delegate: yoann.congal@smile.fr
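Review bot: In the openssl_3.5.5.bb hunk at @@ -7,21 +7,19 @@, SRC_URI moves from the https://github.com/openssl/openssl/releases/download/ URL to http://www.openssl.org/source/openssl-${PV}.tar.gz, which is plain HTTP, and the commit message does not mention the change. SRC_URI[sha256sum] is updated in the same hunk, so a modified tarball would still fail the checksum, but the fetch loses transport protection for no stated reason. Please keep the https release URL or switch this one to https://, or explain in the commit message why the downgrade is wanted on a stable branch.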
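Review bot: The three deleted-file hunks (CVE-2024-41996.patch, CVE-2025-15468.patch, CVE-2025-69419.patch) drop backported security fixes, and the commit message never states that 3.5.5 already contains them. Please add one line per CVE to the commit message saying the fix is included in the new version, so the removal can be checked against upstream and CVE tracking for scarthgap does not depend on the reader inferring it.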
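Review bot: In the openssl_3.5.5.bb hunk at @@ -46,12 +47,15 @@, the new EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic" passes a linker option through EXTRA_OECONF, while the comment kept in do_configure (context of the @@ -138,21 +142,26 @@ hunk) warns not to set compiler/linker flags in EXTRA_OECONF because they fully replace the environment variables set by bitbake. Please either add the library through the environment variables or extend that comment to say why -l options are exempt, so the two do not contradict each other.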
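Review bot: In the openssl_3.5.5.bb hunk at @@ -228,12 +246,18 @@, pkg_postinst_ontarget:${PN}-ossl-module-fips runs ${bindir}/openssl fipsinstall, but none of the visible hunks adds an RDEPENDS from ${PN}-ossl-module-fips on the package that ships ${bindir}/openssl, so the postinst can run on a target where the binary is absent. Please add the runtime dependency or guard the call on the binary being present. The commit message should also say that the upgrade introduces a new fips PACKAGECONFIG and a new ${PN}-ossl-module-fips package on the stable branch.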
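Review bot: In the last openssl_3.5.5.bb hunk (@@ -256,9 +281,9 @@), INSANE_SKIP is assigned on ${PN} with "=", although its comment and the do_compile:append added in the @@ -138,21 +142,26 @@ hunk say it is the test suite under ${B}/test that gets stripped. If those binaries are packaged in ${PN}-ptest, the skip belongs on INSANE_SKIP:${PN}-ptest (and with "+=") so the already-stripped check stays active for the main package. The same hunk removes CVE_VERSION_SUFFIX = "alphabetical" without a word in the commit message; please state why it is no longer needed for the 3.5 series.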
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/11] scripts/install-buildtools: Update to 5.0.16 Date: Sat, 7 Mar 2026 23:52:24 +0100 Message-ID: <7ed3e45b5da52c6017b5e93175f14c2cd17e1070.1772923420.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Mar 2026 22:53:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232632 From: Yoann Congal Update to the 5.0.16 release of the 5.0 series for buildtools Signed-off-by: Yoann Congal --- scripts/install-buildtools | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install-buildtools b/scripts/install-buildtools index c874494f4ab..d95d5839c93 100755 --- a/scripts/install-buildtools +++ b/scripts/install-buildtools 
@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout) DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools') DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto' -DEFAULT_RELEASE = 'yocto-5.0.15' -DEFAULT_INSTALLER_VERSION = '5.0.15' +DEFAULT_RELEASE = 'yocto-5.0.16' +DEFAULT_INSTALLER_VERSION = '5.0.16' DEFAULT_BUILDDATE = '202110XX' # Python version sanity check From patchwork Sat Mar 7 22:52:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82788 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EE16CF55123 for ; Sat, 7 Mar 2026 22:53:16 +0000 (UTC) Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.19030.1772923989939773477 for ; Sat, 07 Mar 2026 14:53:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=Z3RTgmIR; spf=pass (domain: smile.fr, ip: 209.85.128.46, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-4852ff06541so6739015e9.2 for ; Sat, 07 Mar 2026 14:53:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1772923988; x=1773528788; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PJgCLMawk6y1hfFBEYE0RxI5K6lFpC4N7Cc055o7MGU=; b=Z3RTgmIRTwEmHRy8d7unuPFscJbRMnL1uB83+M6kJBQTbsn87o3SZzTfen2t44lVJF qgN2KtsCWgUWfCScSQm3PcwlX7blHfOIETEKQ5VOkq1IkXEobmMyqmmJls2fvb/sVBdw p4Ht7+yW6KQcqWfYrIMTTpqn9QCKSF8w/Mf2E= 
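Review bot: `DEFAULT_RELEASE` and `DEFAULT_INSTALLER_VERSION` repeat the same version in two literals that have to be bumped together by hand; deriving one from the other (for example `DEFAULT_RELEASE = 'yocto-' + DEFAULT_INSTALLER_VERSION`) would rule out a half-applied bump that pairs a release directory with a non-matching installer name under `DEFAULT_BASE_URL`. The untouched context line `DEFAULT_BUILDDATE = '202110XX'` also looks stale next to a 5.0.16 default and could use a comment saying when it is actually used.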
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 08/11] uboot-config: Fix devtool modify Date: Sat, 7 Mar 2026 23:52:25 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Mar 2026 22:53:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232633 
From: Tom Hochstein Fix a problem with `devtool modify` as suggested by Marcus Flyckt on the mailing list: ``` I encountered an issue with `do_config` when using `devtool modify` on `u-boot-imx`. ``` [...] | cp: cannot stat '[...]/u-boot-imx/2024.04/build/imx8mp_wl400s_defconfig/.config': No such file or directory | WARNING: exit code 1 from a shell command. ERROR: Task ([...]/sources/poky/../meta-freescale/recipes-bsp/u-boot/u-boot-imx_2024.04.bb:do_configure) failed with exit code '1' NOTE: Tasks Summary: Attempted 963 tasks of which 962 didn't need to be rerun and 1 failed. Summary: 1 task failed: [...]/sources/poky/../meta-freescale/recipes-bsp/u-boot/u-boot-imx_2024.04.bb:do_configure Summary: There was 1 ERROR message, returning a non-zero exit code ``` The issue seems to originate from the following lines in `workspace/appends/u-boot-imx_2024.04.bbappend`: ``` do_configure:append() { if [ ${@oe.types.boolean(d.getVar("KCONFIG_CONFIG_ENABLE_MENUCONFIG"))} = True ]; then cp ${KCONFIG_CONFIG_ROOTDIR}/.config ${S}/.config.baseline ln -sfT ${KCONFIG_CONFIG_ROOTDIR}/.config ${S}/.config.new fi } ``` For some reason `KCONFIG_CONFIG_ROOTDIR` does not point to the correct directory. It gets its value in `uboot-config.bbclass`: ``` if len(ubootconfig) == 1: d.setVar('KCONFIG_CONFIG_ROOTDIR', os.path.join(d.getVar("B"), d.getVar("UBOOT_MACHINE").strip())) ``` So the main issue is that B gets expanded in this expression, and then later B gets changed by `externalsrc.bbclass`. `d.getVar("B", False)` does not solve the issue, however the proposed change does. ``` - https://lists.yoctoproject.org/g/yocto/topic/109254298#msg64152] Fixes [YOCTO #15603] Suggested-by: Marcus Flyckt Signed-off-by: Tom Hochstein Signed-off-by: Richard Purdie (cherry picked from commit 57b21065a25100c31515b32fd7c77bde3355d684) Signed-off-by: Yoann Congal --- meta/classes-recipe/uboot-config.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/meta/classes-recipe/uboot-config.bbclass b/meta/classes-recipe/uboot-config.bbclass index f360050042e..b235b954d4d 100644 --- a/meta/classes-recipe/uboot-config.bbclass +++ b/meta/classes-recipe/uboot-config.bbclass 
@@ -149,7 +149,7 @@ python () { # Ensure the uboot specific menuconfig settings do not leak into other recipes if 'u-boot' in recipename: if len(ubootconfig) == 1: - d.setVar('KCONFIG_CONFIG_ROOTDIR', os.path.join(d.getVar("B"), d.getVar("UBOOT_MACHINE").strip())) + d.setVar('KCONFIG_CONFIG_ROOTDIR', os.path.join("${B}", d.getVar("UBOOT_MACHINE").strip())) else: # Disable menuconfig for multiple configs d.setVar('KCONFIG_CONFIG_ENABLE_MENUCONFIG', "false") From patchwork Sat Mar 7 22:52:26 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82789 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EEDBFF55124 for ; Sat, 7 Mar 2026 22:53:16 +0000 (UTC) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19046.1772923991411922768 for ; Sat, 07 Mar 2026 14:53:11 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=OPhlPHpq; spf=pass (domain: smile.fr, ip: 209.85.128.51, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-48534237460so3103385e9.3 for ; Sat, 07 Mar 2026 14:53:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1772923990; x=1773528790; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=hr+ocRH4edyFsjlxf5iMqDHJFUSMtSMGbAQynXpMxvY=; b=OPhlPHpqFNIvuNhNVV62+7wfZXEXhKRDtFIvL3rVMWVbIFPKWm0sAp46vyXV7EYEOY oL2MznXCbM1jINRO8sTVmbM9n6TgDhSw/RxInZQGMkPtk5W63xiYVVNFO9xIGveQS4vJ 
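Review bot: The changed `d.setVar('KCONFIG_CONFIG_ROOTDIR', ...)` line in the `len(ubootconfig) == 1` branch needs a code comment explaining that `"${B}"` is deliberately left as an unexpanded reference so that a later change of `B` (the commit message names `externalsrc.bbclass`) is picked up. Without it, the literal string inside `os.path.join()` reads like a mistake and invites a cleanup back to `d.getVar("B")`. Note also that `d.getVar("UBOOT_MACHINE").strip()` on the same line is still expanded at anonymous-python time; if that variable can be overridden later in the same way, it would need the same deferred treatment.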
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 09/11] README: Add scarthgap subject-prefix to git-send-email suggestion Date: Sat, 7 Mar 2026 23:52:26 +0100 Message-ID: <45852c240a708ef49fe9dec1b3a385385c5bb4ec.1772923420.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Mar 2026 22:53:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232634 From: Yoann Congal That might help new users send correct first stable patches. Signed-off-by: Yoann Congal --- README.OE-Core.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.OE-Core.md b/README.OE-Core.md index 687c58e410c..e85092ad825 100644 --- a/README.OE-Core.md +++ b/README.OE-Core.md 
@@ -22,7 +22,7 @@ for full details on how to submit changes. As a quick guide, patches should be sent to openembedded-core@lists.openembedded.org The git command to do that would be: - git send-email -M -1 --to openembedded-core@lists.openembedded.org + git send-email -M -1 --to openembedded-core@lists.openembedded.org --subject-prefix='scarthgap][PATCH' Mailing list: From patchwork Sat Mar 7 22:52:27 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82787 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 200A2F55126 for ; Sat, 7 Mar 2026 22:53:17 +0000 (UTC) Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19047.1772923992742376332 for ; Sat, 07 Mar 2026 14:53:13 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=rdedFA5t; spf=pass (domain: smile.fr, ip: 209.85.221.43, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f43.google.com with SMTP id ffacd0b85a97d-439b73f4ab4so7080231f8f.1 for ; Sat, 07 Mar 2026 14:53:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1772923991; x=1773528791; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=lrXin+/BxoEdBjBVSUTfE+iM5flf4TUK2XcBa2YBdIg=; b=rdedFA5tIT896fen2mC48LTfmGpdSzIM6cyEANY6faR8UUQXMKl0r/lKo88+cHkPVX N3IqP5L9Rg0naVbtR902//R4C3wfZc3GU7shInmoOu7uO8awFPkXaDKRrDQupPnT4Sbb mWD+EThPmQPKr5Z4oPSbcTM+xMmFX4V8QrNHQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
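Review bot: The added `--subject-prefix='scarthgap][PATCH'` only produces a well-formed subject because git wraps the prefix in one pair of brackets, which is not obvious to the new contributors this line is aimed at. A short note beside the command showing the resulting subject (`[scarthgap][PATCH] ...`) would stop readers from "correcting" the unbalanced brackets. The value is branch-specific, so the README should also say it must be adjusted when this text is carried to another stable branch.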
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 10/11] create-pull-request: Keep commit hash to be pulled in cover email Date: Sat, 7 Mar 2026 23:52:27 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Mar 2026 22:53:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232635 From: Paul Barker The cover email mangling in create-pull-request was cutting off the actual commit hash to be pulled, making it difficult to verify that the changes a maintainer merges exactly match those intended by the pull request author. The extra lines we want to include are, for example from a recent whinlatter stable branch PR: for you to fetch changes up to 6c4c6d39ea3202d756acc13f8ce81b114a468541: cups: upgrade from 2.4.14 to 2.4.15 (2025-12-29 09:49:31 -0800) Signed-off-by: Paul Barker Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit c78f5ae4a5ba3675b78cc226feb7b9fbbfd8da19) Signed-off-by: Yoann Congal --- scripts/create-pull-request | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/create-pull-request b/scripts/create-pull-request index 885105fab3d..5c4414ecd5f 100755 --- a/scripts/create-pull-request +++ b/scripts/create-pull-request 
@@ -219,7 +219,7 @@ fi # The cover letter already has a diffstat, remove it from the pull-msg # before inserting it. -sed -n "0,\#$REMOTE_URL# p" "$PM" | sed -i "/BLURB HERE/ r /dev/stdin" "$CL" +sed -n "0,\#^----------------------------------------------------------------# p" "$PM" | sed -i "/BLURB HERE/ r /dev/stdin" "$CL" rm "$PM" # If this is an RFC, make that clear in the cover letter From patchwork Sat Mar 7 22:52:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82786 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE155F55120 for ; Sat, 7 Mar 2026 22:53:16 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19048.1772923994328943035 for ; Sat, 07 Mar 2026 14:53:14 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=052N/1HI; spf=pass (domain: smile.fr, ip: 209.85.128.43, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-4852afd42ceso12566085e9.2 for ; Sat, 07 Mar 2026 14:53:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1772923992; x=1773528792; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=vNa+29cKciESwiLw+mq5rHlFNA9JDur0LvP/qhMyxlY=; b=052N/1HI2Fg+Tqo223CI55G0HHT13I2UOs5dOPXcArfAH9up+1eCin6BIkAZbKwLc2 +/VAlT39zWoRExCK8hQaZheTpOotMOUrrY7FFNOa5ZkJVJPIlF7heDRzdKLm029sDm3b 1u9//Am3qb79WOjbPrt6oHDNLZ8bAw4NRuC50= X-Google-DKIM-Signature: v=1; a=rsa-sha256; 
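Review bot: The new range end in the `sed -n "0,\#^----...# p" "$PM"` line depends on `"$PM"` containing that exact run of dashes at the start of a line. If the separator is absent or shorter, the `0,/re/` range never closes and the whole pull message, diffstat included, is read into the cover letter, which contradicts the comment directly above. A guard such as `grep -q` for the separator before the pipeline, failing with a clear error, would make that case visible. The comment should also be extended to say that the "fetch changes up to <hash>" lines are kept on purpose, since maintainers rely on that hash to verify what they merge.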
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/11] busybox: Fixes CVE-2025-60876 Date: Sat, 7 Mar 2026 23:52:28 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 07 Mar 2026 22:53:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232636 From: Livin Sunny This addresses CVE-2025-60876[1], which allows malicious URLs to inject HTTP headers. It has been accepted by Debian[2] and is tracked here [4]. The upstream fix has been submitted [3] and is pending merge. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-60876 [2] https://bugs.debian.org/1120795 [3] https://lists.busybox.net/pipermail/busybox/2025-November/091840.html [4] https://security-tracker.debian.org/tracker/CVE-2025-60876 Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html] Signed-off-by: Livin Sunny Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit f12af98df8f627c6d1836d27be48bac542a4f00e) Signed-off-by: Yoann Congal --- .../busybox/busybox/CVE-2025-60876.patch | 42 +++++++++++++++++++ meta/recipes-core/busybox/busybox_1.36.1.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-60876.patch diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch b/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch new file mode 100644 index 00000000000..1cf29680e01 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch 
@@ -0,0 +1,42 @@ +From: Radoslav Kolev +Date: Fri, 21 Nov 2025 11:21:18 +0200 +Subject: wget: don't allow control characters or spaces in the URL +Bug-Debian: https://bugs.debian.org/1120795 + +Fixes CVE-2025-60876 malicious URL can be used to inject +HTTP headers in the request. + +Signed-off-by: Radoslav Kolev +Reviewed-by: Emmanuel Deloget + +Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html] + +CVE: CVE-2025-60876 + +Signed-off-by: Livin Sunny +--- + networking/wget.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/networking/wget.c b/networking/wget.c +index ec3767793..fa555427b 100644 +--- a/networking/wget.c ++++ b/networking/wget.c +@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h) + { + char *url, *p, *sp; + ++ /* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */ ++ /* otherwise a malicious URL can be used to inject HTTP headers in the request */ ++ const unsigned char *u = (void *) src_url; ++ while (*u) { ++ if (*u <= ' ') ++ bb_simple_error_msg_and_die("Unencoded control character found in the URL!"); ++ u++; ++ } ++ + free(h->allocated); + h->allocated = url = xstrdup(src_url); + +-- +2.47.3 diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb index d3f259d45b4..d870e2ee10c 100644 --- a/meta/recipes-core/busybox/busybox_1.36.1.bb +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb @@ -61,6 +61,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2023-39810.patch \ file://CVE-2025-46394-01.patch \ file://CVE-2025-46394-02.patch \ + file://CVE-2025-60876.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg " # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
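Review bot: In the loop added to `parse_url()`, `if (*u <= ' ')` rejects bytes 0x01 through 0x20, which covers the CR and LF that header injection needs, but it lets DEL (0x7f) through even though the patch subject promises "control characters". Either extend the test (`*u <= ' ' || *u == 0x7f`) or narrow the wording of the subject and comment to match what is enforced. The error string also reports "Unencoded control character" when the offending byte is a plain space, which will mislead a user whose URL simply contains an unescaped blank; naming both cases in the message would help. Because the fix is still only "Submitted" upstream, the recipe should be rechecked against the final merged version once it lands.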