From patchwork Mon Apr 13 18:02:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 85928 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1E3BF34C6B for ; Mon, 13 Apr 2026 18:02:35 +0000 (UTC) Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.278778.1776103350711184863 for ; Mon, 13 Apr 2026 11:02:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=Cm4KSpbz; spf=pass (domain: gmail.com, ip: 209.85.221.43, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f43.google.com with SMTP id ffacd0b85a97d-43d73352cf2so1266255f8f.1 for ; Mon, 13 Apr 2026 11:02:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776103349; x=1776708149; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=gfquxUGVr1Yq42jr5evwA2E4LJMxPVY3hcUa16KIdGs=; b=Cm4KSpbzATAwAYeG48h/ivy1hVcU5khD0ofKd6kmbzyvGh0y5NKXt4rndU6ytxQ4Lb 4gS3gqrLwptL7zQ235bTuTBE0FCBARbFnpRs7LtHZyIrWsecvo8Da9lEMjYFXC9cJ6CG /byORYd2c2+wW5lX8qfxHq7GdE27f/4gwGa2u1nwjfLLUAyLKp2oigWOT4bcLs3RNyWf 2VOblsQ7Q//39VuXnyJof18GxnJiUViaGEwVxsyA07TPZPJQKS3QoE1G2OuCzyhNw8Lz vuLaYUtIfU01TxHO0Kdzh1Rp8nqQBguJnLxp/uFerQ5BZmMPf3gZPHCQ2wLe94sXWQYI kW0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776103349; x=1776708149; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gfquxUGVr1Yq42jr5evwA2E4LJMxPVY3hcUa16KIdGs=; b=Ul3zlpcwh0OiAgRvXgMwsRNGcCYARFZPDazqklNF30wNy4F2TDfHjSPm4U5lSfjg8U g+lFZV/2DoVzZT/uYKxxwhyUANJ4IcxFumWfVtsn1CTzADlDi6usKQWcCzMBdk/tgycx F+eKke+7M5PlJrPwv2GkWgdk4YCXooqpSLapE+ZBzrB6hgWix87Sk8PRKOxWO8l6pQm8 SaJqsKO0uNPNWX9TXJWbxvEu5tSamLSPRUTqr3ztojZRhg43+9Pf7IzA0mIdfgHnqP3L iY1rCpihGTNgoHFcDxbQ6B8Or4xZVU825UGPJ3eAWQld+ZR9jEvRs5TScpSDXS898iYS dpNQ== X-Gm-Message-State: AOJu0Yw+xDq1TFV/rPMSvJHeZ1QE+wA9uUXRAXebyrzXg7URpQyasvD2 J1ENUJXJdxe4L4Jp/ig6CZc4BhI8jyQHHyKyKmjNwwPmXZw4FRcsBwx6aBbDeQ== X-Gm-Gg: AeBDieu0tEo97rAMKA7miI5XJCtb/gl/QBQGtuoUViQB+1Hle59fHdIUGiA7tcG1We3 fT3EnuadbaUWCC/Ec48+KEqr57SBTdlz8HRaZC3IjFycrHVxcFAuBs/BckOJW3GHSsyuh1yhacL XnCSD7iHHUXLsS9uEsPkkm28hxb1x9WH8q/9akr7x/g4cIX7lkO8vR7ENuApHSXwV0lshoGoqpp bs6ETHtcmNx1Und9ly882kw9AYqdgONB4OcuJQQp3BmANUwfo90e3DSf5dt0+4u68izEk1HwefV kiEu/kXB/rSystIevBkPstrC79zGkKaiN8dyG5DoIiQEOpqQBuw/vZYK3QAfDkliMC4MOZRssry H/1PiTihhh0/wjWpF46nw9lDKGcWFGuHwImmcHDFCsLRbjybIVO4afoVEtiQJtA0TPW5u2PzxpH KwRBZg2v3FXgtZzKzvEZQIOhElWknbMA4= X-Received: by 2002:a05:6000:24c2:b0:43b:3d80:b0b9 with SMTP id ffacd0b85a97d-43d64291cf9mr20677066f8f.12.1776103348523; Mon, 13 Apr 2026 11:02:28 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43d762decf6sm20841686f8f.8.2026.04.13.11.02.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 11:02:27 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][PATCH 1/6] corosync: patch CVE-2026-35091 Date: Mon, 13 Apr 2026 20:02:20 +0200 Message-ID: <20260413180227.755337-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 18:02:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126281 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091 Pick the patch that mentions the CVE ID explicitly (it was identified by Debian also as the fix[1]) [1]: https://security-tracker.debian.org/tracker/CVE-2026-35091 Signed-off-by: Gyorgy Sarvari --- .../corosync/corosync/CVE-2026-35091.patch | 47 +++++++++++++++++++ .../corosync/corosync_3.1.10.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch diff --git a/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch new file mode 100644 index 0000000000..8afa5d6841 --- /dev/null +++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch @@ -0,0 +1,47 @@ +From b9cb461121c8721c94a94309eb345a3c2f9ee9b4 Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Thu, 2 Apr 2026 09:00:39 +0200 +Subject: [PATCH] totemsrp: Return error if sanity check fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Previously, the check_memb_commit_token_sanity function correctly +checked the minimum message length. However, if the message was too +short, it incorrectly returned a success code (0) instead of the +expected failure code (-1). + +This commit ensures the appropriate error code is returned when the +message length sanity check fails. + +Fixes: CVE-2026-35091 + +Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) +Signed-off-by: Jan Friesse +Also-proposed-by: nicholasyang +Reviewed-by: Christine Caulfield + +CVE: CVE-2026-35091 +Upstream-Status: Backport [https://github.com/corosync/corosync/commit/a16614accfdb3481264d7281843fadf439d9ab1b] +Signed-off-by: Gyorgy Sarvari +--- + exec/totemsrp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 35bf971..94d6c21 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity( + log_printf (instance->totemsrp_log_level_security, + "Received memb_commit_token message is too short... ignoring."); + +- return (0); ++ return (-1); + } + +- addr_entries= mct_msg->addr_entries; ++ addr_entries = mct_msg->addr_entries; + if (endian_conversion_needed) { + addr_entries = swab32(addr_entries); + } diff --git a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb index 07d9333ec8..7ccccefed5 100644 --- a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb +++ b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb @@ -9,6 +9,7 @@ inherit autotools pkgconfig systemd github-releases SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ file://corosync.conf \ + file://CVE-2026-35091.patch \ " SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" From patchwork Mon Apr 13 18:02:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 85932 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 222A4F531C0 for ; Mon, 13 Apr 2026 18:02:38 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.278779.1776103351330935725 for ; Mon, 13 Apr 2026 11:02:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=QSn2h7uJ; spf=pass (domain: gmail.com, ip: 209.85.128.52, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-4852b81c73aso45035995e9.3 for ; Mon, 13 Apr 2026 11:02:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776103349; x=1776708149; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=nYPuPUpN6Y4UXSvwJq742vxQBWSNjm3kQvZiRSr9/a8=; b=QSn2h7uJViiDLl8heX5t0ykXqRcKrdKSwupIOupz/q4b7FKsS3ROHdBeYOaOxytEiH UNDMxppMEx8dhxLthVtJyahmUz0URxNJmr3ZQTEZgnBfuAd6me/DNHfI/Y5ACx0YapTZ U/rlyshg/xXQO3w2eXVHK4GAG1Y4PFEzsfpfNjsVqTuHbV+aAn2Yu969i3kcs6K2tRKP cxLE2yKVHjvUFV3/6hhHY86OTY6HUxSeiQIXijLhWSjKmJQMJsX25Nd5Ai2Fd95pBTE5 n96/Oog7bsnRKWJ+c+mgZsrkLQ6V8+rf1hKADFYQhyPoZckATIAN8fMe1j92UZ/9ulG9 1kVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776103349; x=1776708149; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=nYPuPUpN6Y4UXSvwJq742vxQBWSNjm3kQvZiRSr9/a8=; b=aYbcxIQOxRJY2TYDvuF5izFiz83qt8bGxfF+sMY25/K0y5HwUnb/VQEejkuJl4G7o0 /Tlasr90/QSRs5IlXNZO1moJC/CmnAqsyxDQefwNOh6TsdPNFHXYef3KlRxNUNaMS0xL 57SMgFxC4YVHqQ+JTK29YR4j//He524wYgysqrK0wPxCQoZko7GcBQLGli5oO9vM9gpJ 3qbE4GwntI0nX23JEoBK9lrtAVQjCfSIHSWZuYA51Zs5mx8Rzg/Ies8mEcqNRuNQLrUF 44wHu5S/38VE6b2iS+OIlnn/KNY6chWBagMgSztLXFolM8BqX+WvZNtwdRWbRM2zGtze a+HA== X-Gm-Message-State: AOJu0Yyfy82VV4GEe2IqLo1SBcktmOlvsBzrFcPR/M8YcmkXp+WGo6My cUMQxaBJDxeCc+KEZMduyxq0tHmlIdVstV5HkAySqG72cl368I/KWPNO2yqPcA== X-Gm-Gg: AeBDievIXhjPATXCdlPzyJb4LNbg07c+un7/IgqFB1I0RlK+ihX78JjeSaKP8+sGz9R IE0aliyA1PJmVXnZlgMxUrc5/WyUJ9JbvvOyR98WLI5gSprDazoM7pNFHDYket/DPhREQFDIaGS Q588vRBA2rprv4TBtWn+Wg/T3N4F0TV2JSCpJoPuNprW/TxAu6nxgIOH+3EXSfnCeEwvzlg8qTA JsIsHa3zbcS3AS+yiYmI2x6Ke2cEXQ5M9fdBySjN2thTA4X6a5y1Ho/Rl8y9smVuVx93uduHmkj Vv5XhjtHGIrHM/heyrIw5G7m5pqRAQhwNLh2esp5tDnkA4P4HFaEU1EhgcbpOAaSQIy7nCFDQYt C4vnDhRcC5It5bOqbt2aild9n/Xl0Aub8Yn9AHGtd1OQxdsDVX64533asR/T19CRrPgnieNxIo4 EI5+5z3D289fUKermW/xHJ02Ftfnb5vow= X-Received: by 2002:a05:6000:2583:b0:43d:7d24:b506 with SMTP id ffacd0b85a97d-43d7d24b82bmr3910100f8f.38.1776103349340; Mon, 13 Apr 2026 11:02:29 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43d762decf6sm20841686f8f.8.2026.04.13.11.02.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 11:02:28 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][PATCH 2/6] corosync: patch CVE-2026-35092 Date: Mon, 13 Apr 2026 20:02:21 +0200 Message-ID: <20260413180227.755337-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413180227.755337-1-skandigraun@gmail.com> References: <20260413180227.755337-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 18:02:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126282 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092 Pick the patch that mentions the CVE ID explicitly (the same commit was identified by Debian also[1]) [1]: https://security-tracker.debian.org/tracker/CVE-2026-35092 Signed-off-by: Gyorgy Sarvari --- .../corosync/corosync/CVE-2026-35092.patch | 57 +++++++++++++++++++ .../corosync/corosync_3.1.10.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch diff --git a/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch new file mode 100644 index 0000000000..8182647840 --- /dev/null +++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch @@ -0,0 +1,57 @@ +From 8f8a4747a0223b8897deda9a40a8a099c61fa80f Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Thu, 2 Apr 2026 09:44:06 +0200 +Subject: [PATCH] totemsrp: Fix integer overflow in memb_join_sanity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit addresses an integer overflow (wraparound) vulnerability +in the check_memb_join_sanity function. + +Previously, the 32-bit unsigned network values proc_list_entries and +failed_list_entries were added together before being promoted to +size_t. This allowed the addition to wrap around in 32-bit arithmetic +(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len +calculation that was incorrectly small. + +The solution is to cast the list entries to size_t and verify that +neither exceeds the maximum allowed value before the addition occurs. + +Fixes: CVE-2026-35092 + +Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) +Signed-off-by: Jan Friesse +Also-proposed-by: nicholasyang +Reviewed-by: Christine Caulfield + +CVE: CVE-2026-35092 +Upstream-Status: Backport [https://github.com/corosync/corosync/commit/4082294f5094a7591e4e00658c5a605f05d644f1] +Signed-off-by: Gyorgy Sarvari +--- + exec/totemsrp.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 94d6c21..6845cec 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity( + failed_list_entries = swab32(failed_list_entries); + } + +- required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr)); ++ if (proc_list_entries > PROCESSOR_COUNT_MAX || ++ failed_list_entries > PROCESSOR_COUNT_MAX) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received memb_join message list_entries exceeds the maximum " ++ "allowed value... ignoring."); ++ ++ return (-1); ++ } ++ ++ required_len = sizeof(struct memb_join) + ++ (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr)); + if (msg_len < required_len) { + log_printf (instance->totemsrp_log_level_security, + "Received memb_join message is too short... ignoring."); diff --git a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb index 7ccccefed5..77dea16e98 100644 --- a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb +++ b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb @@ -10,6 +10,7 @@ inherit autotools pkgconfig systemd github-releases SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ file://corosync.conf \ file://CVE-2026-35091.patch \ + file://CVE-2026-35092.patch \ " SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" From patchwork Mon Apr 13 18:02:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 85931 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D14E4F34C7D for ; Mon, 13 Apr 2026 18:02:35 +0000 (UTC) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.279318.1776103351798665532 for ; Mon, 13 Apr 2026 11:02:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=WzieEcxp; spf=pass (domain: gmail.com, ip: 209.85.128.51, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-488971db0fdso46841065e9.0 for ; Mon, 13 Apr 2026 11:02:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776103350; x=1776708150; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=p1NtRZWv2V60lVoqqkrvRHf7gEgarcsweskfDJGuLeM=; b=WzieEcxpDV1+KbIrxyd0Wp6KgTehtgOtYEsyQBhhywOiUO4U8BMPk39PJbkuFOwShP MGd2qHWcvxqABrz9M6/hEHZlgBmabTMgtPz3Ro4bNUdzdKKaAlgE+8Q8HZ4vSWuBzt8i c7UcdNsGQC9ZNT2p1T7MYBA8+qHK7q0lA2pertFl6yM6K+/l4BL5VMmUYPgQ8MT5IcQn CN69NCe+v1S7GRVcDAp89sM80NwU2UdHe8FIHZENq2S/Xlz4nqmjgd4A3e9U1+R0SNmz LVsvsyzLZvq+VIDzBZ5JRUCI/G9mJ+3UDY1rsa3P2DIs7hb7rQ0E/Ce8mw/iuoyd7D15 Fh+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776103350; x=1776708150; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=p1NtRZWv2V60lVoqqkrvRHf7gEgarcsweskfDJGuLeM=; b=Y6IwixlezD5q8gv1jIwCnEr/nCdvBVkftXXgJkxDdUQkjUKm6/DEskWB3JfVUex5ud 5VewuN6A9rVZ1LbyoXINrFGYDnE/3OqFKz8pOhoIj14t6IedXtkGv7E414uZfwXMAB9G VFKGk7PN/lKuN+nQrvqajtu25RO9L3xODdfgtg0hCT+xW7N2fSG//PunrprNr9C1tyzb qZa+/AN70AFVmBrwfI61RSx/uVK0dBGmw5lkhrCHhF6XQ8o9RqVnq/qCtHN+P5LFy4vk xcQGN6MYTsEmxXE7tkmy6A0xTHWiaj9bqzp106F2Wr/WtsKz97Olc6FLo/iWj6dkEOLe N4+Q== X-Gm-Message-State: AOJu0Yxdw0fdo2DJo+ObHwJ1L/t1JnEESmaBsLAmDSTK03QrA+FqDVKd HF8SSgLGQ2tSsf8w6XNJuuB8gxUVkoMcZNOJSz3gE1UXmPgxJrThbACFparcfA== X-Gm-Gg: AeBDiet9fT7I4gqjduUuhSgkZSicUxyCFs7uEqk2WTKi2HcYZhyHJ4tmnoieWrw+6I7 efWYByyTPVWUka6cs4xdXH1u9KWxCVunM95ASBVetyBqGc9cd5ACgF1HM61r4NAZnV8CfnZS1uM O21npy6XzlSq62u6MZ342XCtJrf1QoPdqxoHRjCYDhCqr1RdcRKsP/PBkdxzhza2PyyDyDpvLGl GBqEYlB8gpTJaovbVYeWyxLCCwYQwm9di8XKser1lDEN7Y7afYiOO6I1rjXQONfiHx0VK6rMLNv OT8oDbDbItQ3wFH9YHbksYpgqVPm1miaFM3s3IyVou3b7emY2bRBP2BLN0i2LCVHbW/EcTziQoZ haPh3eLHiX68w0yI70urvPLC5nC5vnZsxtUlAz/3dZoClNkHOSZsjXPFtfXIkQtlFG6KDan37K7 g7r9QGFncTfcUf7tCUU3aCG1j/vGR2d34= X-Received: by 2002:a05:600c:4e16:b0:488:966f:70a7 with SMTP id 5b1f17b1804b1-488d67bbc7emr218203035e9.2.1776103350122; Mon, 13 Apr 2026 11:02:30 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43d762decf6sm20841686f8f.8.2026.04.13.11.02.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 11:02:29 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][PATCH 3/6] ez-ipupdate: add CVE tag to CVE-fixing patch Date: Mon, 13 Apr 2026 20:02:22 +0200 Message-ID: <20260413180227.755337-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413180227.755337-1-skandigraun@gmail.com> References: <20260413180227.755337-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 18:02:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126283 An already existing patch fixes a CVE (CVE-2004-0980), but it since the patch didn't have the CVE tag, the cve checker did not pick it up. Rectify this ommission. CVE details: https://nvd.nist.gov/vuln/detail/CVE-2004-0980 The same patch is used by Gentoo to mitigate this issue. Gentoo CVE advisory: https://security.gentoo.org/glsa/200411-20 Linked Gentoo bug, containing this patch: https://bugs.gentoo.org/69658 Signed-off-by: Gyorgy Sarvari --- .../recipes-connectivity/ez-ipupdate/files/wformat.patch | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/meta-networking/recipes-connectivity/ez-ipupdate/files/wformat.patch b/meta-networking/recipes-connectivity/ez-ipupdate/files/wformat.patch index 3b791559d5..7463e3c535 100644 --- a/meta-networking/recipes-connectivity/ez-ipupdate/files/wformat.patch +++ b/meta-networking/recipes-connectivity/ez-ipupdate/files/wformat.patch @@ -1,4 +1,9 @@ -Upstream-Status: Pending + +This patch is used by Gentoo to mitigate CVE-2004-0980: +https://bugs.gentoo.org/69658 + +CVE: CVE-2004-0980 +Upstream-Status: Inactive-Upstream [last commit: 2002] Index: ez-ipupdate-3.0.11b7/ez-ipupdate.c =================================================================== From patchwork Mon Apr 13 18:02:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 85929 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 96FFEF3ED5C for ; Mon, 13 Apr 2026 18:02:36 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.279320.1776103352673018427 for ; Mon, 13 Apr 2026 11:02:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=bR0ihJgk; spf=pass (domain: gmail.com, ip: 209.85.128.52, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-488b0046078so46843655e9.1 for ; Mon, 13 Apr 2026 11:02:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776103351; x=1776708151; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=zpGaIny5CWEpkWfQ6eCVNZDRNUdZgk9XEw5rJsw9q+s=; b=bR0ihJgkY3O/Kr1CSvN3Fir6D6jmF0WqJMc59qdQ1g0v05wZgJ1D2HTsTJIIoTy5T6 a56ltRo572HEB2tKT0IZwbG53eMCDNGlEbPLzGOt7I/QAJmZK9zgWnge3WIN7Uz0KS2O AegTwJnCW1l7S6m08/ZoZBEla87wH/i4FqDNkL5hrXRbP4v1oAugYKU6h/vYj7H6HUMX PAYC7dOW5Z1V25TxiA+kOS3Zwey3YIy7DaBMWIg7/ruCIcjEsDH282ArWKs0aFnnnE74 6PXockvPVjjiZoiOBQ1ciYkJHAR6xF42S00cAaVJf6HNahWBogZNc0cf4fAUKjkVsk3x N/ig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776103351; x=1776708151; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=zpGaIny5CWEpkWfQ6eCVNZDRNUdZgk9XEw5rJsw9q+s=; b=E6jfeQnXd1tYAQfILDFNBbp0kFXgmm6rB26SBRAO0P1Af9uFiZHq0sUxVDJUKGMQdp ICiORuGUC6fmuJxa6UPRhFKLvd25mZ8v+LCgk8RV4D1p0k8FItNIZYH76o+e8lEztY9P NyAUskRh3Thh0nFSXSZkYSM8FXevTbYKlayr+6F92Zf4n0OZzWM+X7KK+GorRXfYIUaC fuyBCw2hY7oG5//CaWM9er2/z+wituHr3uXdbN6zQyQmM7fRsV3pP0hpuPC4EYsKu0UA Io0xlLdcU1LAIwqsTe/n9YvkV60KQsFBi3SaZozMoNof8wZBNOdKGjqW/e2/NNUn9Ryq WPYw== X-Gm-Message-State: AOJu0YwuMwko4+2iLcdor2sjU+Qk9wkbyN2qF4SnzPzekfS1+JWmxvSi piH8HyXEHJPfEUwd2jKhynhZn2pQb8QUd4eYBMILk/39voJKk+8bMiIqJTg+TQ== X-Gm-Gg: AeBDievymD+qj+xwoBUzcBNhSfrhx3yxQ5WtMnOeSDfnMZ/IEPgFE5VkXTQF3ic/16A wHFfOXSI6KZ3lIlwDk80ojqx/VDRnzV+DPrY9MsLFQTMTvJTeew94uW1lUr2VNhETwO8VAZSMQo zn7pHueSNIut8zrO27x1u9zT/ZKX3vN/utS2MuffiSeMwCoI73YXSsZ/XjCagWGA5KfjcCeAIbR b0eeKifwiJ37VbMK9IY3n5eFCIuVDyzHt45gqOql74uHmHv51dzgjEf/26OhiIvpyAZjlsjPc92 VH+sndRlO3qOCL6cPlGXLUTUs4U3aKafVxE6rNJn36VXYjlD105f3Nek+VKvw8mcizBJht/rexy tzGmyrIq2OmV0zOeE0waWzdflSDLq0rvHFi16spwp17aYdNmXutLRxlY4pxqIfRILW3m31H9OsN nxN2GEk9+FX6odxfdh7zQr2jRLuoE+pYji9YYc71J6Yw== X-Received: by 2002:a05:600c:3b24:b0:480:2521:4d92 with SMTP id 5b1f17b1804b1-488d687adb3mr206412455e9.24.1776103350863; Mon, 13 Apr 2026 11:02:30 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43d762decf6sm20841686f8f.8.2026.04.13.11.02.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 11:02:30 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 4/6] flatpak: upgrade 1.17.3 -> 1.17.6 Date: Mon, 13 Apr 2026 20:02:23 +0200 Message-ID: <20260413180227.755337-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413180227.755337-1-skandigraun@gmail.com> References: <20260413180227.755337-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 18:02:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126284 Contains fixes for CVE-2026-34078 and CVE-2026-34079 Add explicit CVE_STATUS tags for these CVEs, because they are tracked without version info by NVD at this time. Changelog: 17.6: Bug fixes: - Fix the remaining regression for Chromium based browsers by not leaking file descriptors down to wrapped command - Fix a regression when installing extra-data without a runtime, which is the case for openh264 - Fix the remaining regression for Epiphany by ignoring unusable sandbox-expose paths for sub-sandboxes in the portal - Fix the installed tests by allowing to add a new ref to an existing temporary ostree repo - Avoid closing fds 0/1/2 when they are used as a bad argument to flatpak-run, and reduce duplication in handling file descriptor arguments Enhancements: - Disable auto-pin in flatpak-repair to preserve the pin state across re-installs - Small improvements for the tests 17.5: Bug fixes: - Fix regressions caused by the sandbox escape security fix, which impact some browsers, browser-based apps and Steam (#6577, #6569, #6576, #6574) Enhancements: - Expand test coverage of flatpak-run features used by flatpak-portal (#6573) 17.4: Security fixes: - Fix a complete sandbox escape which leads to host file access and code execution in the host context (CVE-2026-34078) - Prevent arbitrary file deletion on the host filesystem (CVE-2026-34079) - Prevent arbitrary read-access to files in the system-helper context (GHSA-2fxp-43j9-pwvc) - Prevent orphaning cross-user pull operations (GHSA-89xm-3m96-w3jg) Enhancements: - Enable ntsync unconditionally - Automatic branch following for extensions to ensure that "no-autodownload" extensions stay functional after an update that requires a new branch - Translation updates: eo, kk, sr, zh_CN Bug fixes: - Prevent CPR sequence from showing up in the terminal - Fix a crash for apps/runtimes with multiarch permission - Fixes for Coverity warnings - Add test-preinstall.sh to the test matrix source - Fix a test message to refer to "systemd-localed" instead of "located" Signed-off-by: Gyorgy Sarvari --- .../flatpak/{flatpak_1.17.3.bb => flatpak_1.17.6.bb} | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) rename meta-oe/recipes-extended/flatpak/{flatpak_1.17.3.bb => flatpak_1.17.6.bb} (93%) diff --git a/meta-oe/recipes-extended/flatpak/flatpak_1.17.3.bb b/meta-oe/recipes-extended/flatpak/flatpak_1.17.6.bb similarity index 93% rename from meta-oe/recipes-extended/flatpak/flatpak_1.17.3.bb rename to meta-oe/recipes-extended/flatpak/flatpak_1.17.6.bb index cd461e2632..1512b7239f 100644 --- a/meta-oe/recipes-extended/flatpak/flatpak_1.17.3.bb +++ b/meta-oe/recipes-extended/flatpak/flatpak_1.17.6.bb @@ -8,7 +8,7 @@ SRC_URI = " \ file://0001-flatpak-pc-add-pc_sysrootdir.patch \ " -SRCREV = "13b26a94a3bd6fec309a16982a3a80d83776d7ac" +SRCREV = "9b21874f1a175a9b7c79175a221fa043e202ca73" inherit meson pkgconfig gettext systemd gtk-doc gobject-introspection python3native mime features_check useradd @@ -76,3 +76,6 @@ USERADD_PACKAGES = "${PN}" USERADD_PARAM:${PN} = "--system --no-create-home --user-group --shell /sbin/nologin flatpak" FILES:${PN} += "${libdir} ${datadir}" + +CVE_STATUS[CVE-2026-34078] = "fixed-version: fixed in v1.17.4" +CVE_STATUS[CVE-2026-34079] = "fixed-version: fixed in v1.17.4" From patchwork Mon Apr 13 18:02:24 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 85930 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CBF11F45A1C for ; Mon, 13 Apr 2026 18:02:36 +0000 (UTC) Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.278780.1776103353429457981 for ; Mon, 13 Apr 2026 11:02:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=UsDuwolt; spf=pass (domain: gmail.com, ip: 209.85.221.41, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-43cfe71e5d3so3520732f8f.0 for ; Mon, 13 Apr 2026 11:02:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776103352; x=1776708152; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=oNswvFMWqVoH6MgHczXagHVD3px8lhIbrCY0+IQMHTU=; b=UsDuwoltdnEcxnfiL5FlBShbHGJ9PGFb7GvS3s7Eo3QOq7XBj70T1PIRnVQoQNAfUl U/nds7H9VZjC1SxrE4NMdS6fl29H+nkQbBgrKEG0M1H9vsgpdR7PEehYpEUbQuszTey6 7eLdg4qqUlM8ofWKHB5GLFQNPpAbVD2QH/a9YGNgcpVnKn7TcjIp9EI0aHz2PIbL4GHK 8TIsPaDzm5Jvt1QKUNJARl2eHkqo8FkyOfgPszf7gUon5oS9galj3i1wOoGkav+vkLII nvsn5PWf8rER314Ok/z6F2nvsNKxX1QAhkAraE2TZhE3rFv+EW8Q1iIZ1dlAZzrc/wM9 NRMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776103352; x=1776708152; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=oNswvFMWqVoH6MgHczXagHVD3px8lhIbrCY0+IQMHTU=; b=bQ0fXcIBzgAR7AUjxFYlBxkPhiZZKtkEL3W3m7Z3jaxKqddyRxpFItx1VjKrnmV3yS 6HA7obhqhipf7Z2eGMueDrUdZdhSX8d/Masd5AcVM7JmqQCR2qg49V9G+zl2POnHjT6Z DaF/AUfc3EM2diLtUBXyl2nb3YITJsapmlNWF5FlMJXkZkOSUzJlNDLe+Wb9aWkwebdZ lcts2YZ545EON3kaMKi1FiB0dm5phvKwen0dUeHtdJ6VqEswCa2Rf0NZ3ZLKUWoFKmwc pQ3S28SLHlZp6uHaIynrsWL8O2s06Kn/MoYJySY+OsxqCYgbgoe9CbcRLid4Eu79vAgw hAaQ== X-Gm-Message-State: AOJu0Yzvhbg62/XvOLsJcVct+P3SJuRJj4+TI6LpaB4o86KHVf6w08cg FydOe5zF0NwY6tFbvt1o84corWOPM4xFI+f8abmS9as0oQyqV0y1aoyeQblGYA== X-Gm-Gg: AeBDieuGx3TneWrM9Be+Zr/DsXTls4MbcOaRAr4dB+gO5teztZ/sHsXPPVMvDtsAh71 ctPeDoOOoC6M3pNMS6V6th3iMhRrdknfgmcX0KrvotvLOP1WMNSA43VzLq2Ksot0YSswvPx8OEz WmFHB/stFsac26/LTQL94Zyvur+TrXIh34gWXNjZOIZcABOXe3CJx88710aS6jL71YT5sU6XDLN av8dRG1YEcDRwtjYWHWx9ykGm7ZbQhMX5XWSXe1cq5FiWibV9u9duiLi8/0qsVl06vO7+/uVeI0 7ANs+1n0Tt0vOgo6APIvAiUwmfjFA5jXn1oU6AEAJuJFndvjvDFMfFIC9ftShllHBr4fpbqyHbs AakHCqgFsucCVwssmnQ7HZ4dORenoF7C4ZuamzSHSgxMAxeX/AsesxoRcCuoDE09zxHG7gbD5I4 NMKiwG/sxUeQGeUKKzoYYM8qz7/9+jduizRGu0s52d3g== X-Received: by 2002:a05:6000:238a:b0:43d:7883:87c2 with SMTP id ffacd0b85a97d-43d788389b2mr6678046f8f.39.1776103351656; Mon, 13 Apr 2026 11:02:31 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43d762decf6sm20841686f8f.8.2026.04.13.11.02.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 11:02:31 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 5/6] libraw: mark fixed CVEs patched Date: Mon, 13 Apr 2026 20:02:24 +0200 Message-ID: <20260413180227.755337-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413180227.755337-1-skandigraun@gmail.com> References: <20260413180227.755337-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 18:02:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126285 These CVEs have been fixed already in the current version, however NVD tracks them with incorrect version information. Commits that fix them: CVE-2026-20884: https://github.com/LibRaw/LibRaw/commit/aa4458eb511daeae90676c1ce5c587106e4aaec1 CVE-2026-24450: https://github.com/LibRaw/LibRaw/commit/c911c9b9edffa5fab99f828d0fee6dd2d0f6105f These commits were identified from the changelog of this version[1], which mentions the Talos ID of the vulnerabilities (and the Talos ID is mentioned in the NVD reports[2][3]). [1]: https://github.com/LibRaw/LibRaw/releases/tag/0.22.1 [2]: https://nvd.nist.gov/vuln/detail/CVE-2026-24450 [3]: https://nvd.nist.gov/vuln/detail/CVE-2026-20884 Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/libraw/libraw_0.22.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-support/libraw/libraw_0.22.1.bb b/meta-oe/recipes-support/libraw/libraw_0.22.1.bb index bd0a4c0b03..2e11a7f1f9 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.22.1.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.22.1.bb @@ -11,3 +11,5 @@ DEPENDS = "jpeg jasper lcms" CVE_STATUS[CVE-2026-5318] = "fixed-version: fixed since 0.22.1" CVE_STATUS[CVE-2026-5342] = "fixed-version: fixed since 0.22.1" +CVE_STATUS[CVE-2026-20884] = "fixed-version: fixed since 0.22.1" +CVE_STATUS[CVE-2026-24450] = "fixed-version: fixed since 0.22.1" From patchwork Mon Apr 13 18:02:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 85927 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C2E4EF34C7E for ; Mon, 13 Apr 2026 18:02:35 +0000 (UTC) Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.279322.1776103354106132759 for ; Mon, 13 Apr 2026 11:02:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=CjfFV7sA; spf=pass (domain: gmail.com, ip: 209.85.128.46, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-48897fd88ebso50924365e9.2 for ; Mon, 13 Apr 2026 11:02:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776103352; x=1776708152; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=/am54Lv5Pyv+kDwO6PtkIN25z3E7LiSfWfsu5C8gMT8=; b=CjfFV7sAWcWIhEEFci0QaEgPHs1rxCrhllOHhA85pIBBtaGJtAmfsrI3p+tZrYt/pK eJditqmKCAsyuTFpRJBn/PM3BQjkpg+8be4oeRBovSQkXC5Pb1gX99saodE/D2TAzQLA janxSe1kaDNMf29ScyDS2TXgWWTWO8o0gPhmS7Lq40Uz4Hm9HR7x9CuWCnBigozvhqaE K0WRStMH+vHxkwNn0zSRwZbp6SZxt2YsUBRjo9KFtXV3R9JXLnh24PodOzrIjKlQR0rK +xjhcPAmpPhZnCq1iWCNxjmmDEKn8iINtQCllM24AJKVMV6jeRHKbU+FBRj1PbpfqSvq HEtQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776103352; x=1776708152; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=/am54Lv5Pyv+kDwO6PtkIN25z3E7LiSfWfsu5C8gMT8=; b=MOn/Gejy1oRFcBIhtUAp2V83lF5JFnJdZ2XSBRju75tavk8F/nqqSWDmQSczc8PL+3 srorJw8UNzTnGUC6+7sDSSygaBSGCSeICly/0g2jnzlEgRZGDSeJdkr/+UKESFrXfgBK eM31aCRbW0UEjLSk8MBuqwd9xyuE36XZi+LboeY8l2Uvic1WL4JPv3iwGzV/OktlcviN 51ldgIAwyUwx07gkOk92QvnDDy+gzKms7V3zWCwDvBdj+WB4CnR018pxxdzBoubvNuEQ 06xBLyT1dRxE7cLy4OBPQP7VW5HBt7keDZkQDGv7WxhyHo9WAwsfLKbL+oXAkk2tUlgr ABKw== X-Gm-Message-State: AOJu0Yx56fgTgLe+sy/8DUHpiJv60GEmSNknyUsoo4FHYdf3yqjeby9G jWuvnQQ3lKAq4uq62XBVuaTwr6aNI7+DbcYYdDMuHXsnjUA6BYZGp1uR22Gi/w== X-Gm-Gg: AeBDievTa7FGRMdRdX+goPBE+crhdWP6NKjpwS1uyq6DVr4p1lvO0NE1CxVu7I/3Aqy JyhPsXVwyGXZ7cmDHy4eBFpdWuHVoUAdat894LRL+P0ZNfo+qR7/v2kg6hScoROQdWuu4UtzWSS 5+zW6/e9DE/ECVH3ga+GOMSzn8ZBvluMxcAC4iydPkFFULnvhfnu/6iu6N0U37kYQrJZqwyMxPr cN3B81hIffrQK/Kjgq9eiO+DL8qmHdpy0NEiLeSX+UNrGwtAw+Q7iJZzZRADscpnZq6koZSsGtq ayyy96sUgItkvcTVPiJqHlGSbRDmbgFEE93S9qPrCLSqzmnit1okHUjut1gceykJjjG267DwIGB leI+ZAZyjNT6lz6F87kuQ2c03ssnj2rzr3A4BC59N9Bk7CZGsd5HRHwXeBo1ftoVYFtquMgISHj qXd8nYc2p5U9mZf4+hJft/hVfiNdU9XCo= X-Received: by 2002:a05:600c:4709:b0:488:caed:5ccf with SMTP id 5b1f17b1804b1-488d68af17bmr162824295e9.16.1776103352355; Mon, 13 Apr 2026 11:02:32 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43d762decf6sm20841686f8f.8.2026.04.13.11.02.31 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 11:02:31 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 6/6] minio: ignore irrelevant CVEs Date: Mon, 13 Apr 2026 20:02:25 +0200 Message-ID: <20260413180227.755337-6-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413180227.755337-1-skandigraun@gmail.com> References: <20260413180227.755337-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 18:02:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126286 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33419 https://nvd.nist.gov/vuln/detail/CVE-2026-34204 These CVEs were filed against minio server, but this recipe is for minio client tools, which is a related, but different project. Ignore these CVEs. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-extended/minio/minio_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-extended/minio/minio_git.bb b/meta-oe/recipes-extended/minio/minio_git.bb index 511dd4d869..d08b5e754d 100644 --- a/meta-oe/recipes-extended/minio/minio_git.bb +++ b/meta-oe/recipes-extended/minio/minio_git.bb @@ -169,4 +169,4 @@ CVE_STATUS_GROUPS += "CVE_STATUS_WRONG_CPE" CVE_STATUS_WRONG_CPE[status] = "cpe-incorrect: The vulnerability is in minio server, not in minio client-tools" CVE_STATUS_WRONG_CPE = "CVE-2018-1000538 CVE-2020-11012 CVE-2021-21287 CVE-2021-21362 \ CVE-2021-21390 CVE-2021-43858 CVE-2022-35919 CVE-2023-28433 \ - CVE-2023-28434 CVE-2024-36107" + CVE-2023-28434 CVE-2024-36107 CVE-2026-33419 CVE-2026-34204"