From patchwork Mon Apr 20 09:33:16 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86465 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D52C4F55804 for ; Mon, 20 Apr 2026 09:33:34 +0000 (UTC) Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15572.1776677606880741998 for ; Mon, 20 Apr 2026 02:33:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=Kh7p7DrO; spf=pass (domain: gmail.com, ip: 209.85.221.50, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f50.google.com with SMTP id ffacd0b85a97d-43eada6d900so2831366f8f.0 for ; Mon, 20 Apr 2026 02:33:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776677605; x=1777282405; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=nQgUYEuRuf9IFHHKNyIKspWOfhWfPTntWK3aRczPoC0=; b=Kh7p7DrOHuAcu4b0xJ71ijPF7Xm+qh2ea8M2AIa+md/ONhKImbWPqv9bsWnM6nEeFY R5qRJ207UhGZOyACesTaD8+a71o/mzT59/L0ySwC6qqbnkzWk5JqWsDmIHGZIaVJCc+J FxeNdAc1+GHIqHaWnuvpOcneMz3k8lnlezvFqAxmzxoVROiFoxPDl7NHGT9ndgW1goce /E3BLOZX+l0xrVgV6Mzpy5OvyFqXRYwXWFrtI+dK1pzuCqD0G7UAiUdMjmyd/RQlVwu0 P5xvss1puQ8nZekx+jnbMs2T4VLzdp1tA+6Jn0KWLLL9B+apAG1faBAIlsVXi/GF8e3n ZSGw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776677605; x=1777282405; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=nQgUYEuRuf9IFHHKNyIKspWOfhWfPTntWK3aRczPoC0=; b=AD2llurU4hEwsJ5CjNyrvBL/dahA49A7u7wSsH0+cud9TE9itgTb3b9zYW/hNpUlZC VtjNjyK6OTiwwHOoMTOVmlAeC+QLRr1GQgW1wJkeXytbZrg/Z2T+KhSglhc/TOZvpbmG /gpOD6nV7v7veu5uttQpEbsa6oloXCpg4xyEiPVvGj+Y0PlDFxnAq+znEgQYpJj52c+j wOpIXGQCcXgtU2p1sY3Qb17ZtDDsvL7Kk8DoGePZYJJUSRD1E5Al77H2j3w4Lwh+JHXV rvY6TtDTC7RJPhWnbSTShXl+zv3xpH5o6aFx2m8LIo6MfClMUAVJVHO1kzVzIQ23yhul pNbQ== X-Gm-Message-State: AOJu0YxkoCBTkjjyqfxdBL1Dwq+RYnlaxEnH6czqX1R/HTK8t+VEGyV/ umnP5Vi/HyFD7PNQvaczzPO3d1rcLknvGcXeSBy7nsEu0QW/LUrJgVi2B8ImGg== X-Gm-Gg: AeBDiet4hK2aAT37Dy56lgpBgoxgLd6tuiGGrYZTSPcgXMKQMIBFi0Idj//oBN8/Ono luq7msNKmjzC5bAVSrkRCJnWOBlaxDtUC1glaKhBcphtmuG96LkLTNb4i4/D+Aw+eg5h9/sNmBJ LuKsFvN+aIETQwXXnaWh7s3MUp+OJaMSJ3aZkvEQj7B0RF1CCjbiusco0+evfXo6LxBoDfDgnfy tgQBcnt46hQTmpbxC66bA90VaBkiHIxM09Phknpuu+VPTJa8cv7M4g1XfJBxNt1Sa3fs7FHvpPV KMWeMdxmfQbwkpn1KKAK29UMylpActDw0ZdUDY/h6H/SnIvwuJ0zS6PYo0tSW5WWDu8+0FMmn5k DOHQz+FVow4MHhQd026QZGtQ96IUHNGu9O62JxM4lJacXHCix14FXvxbQlNWGC0NlgfLw92PphJ /Qi2m4qDgR5QPTJ246Iy0xUn09h+Mh7d8= X-Received: by 2002:a05:6000:2212:b0:43d:68dc:9ca6 with SMTP id ffacd0b85a97d-43fe3dc7b4bmr19566145f8f.18.1776677604841; Mon, 20 Apr 2026 02:33:24 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43fe4e4eec9sm26577488f8f.34.2026.04.20.02.33.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 02:33:24 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][PATCH 1/8] ngtcp2: upgrade 1.22.0 -> 1.22.1 Date: Mon, 20 Apr 2026 11:33:16 +0200 Message-ID: <20260420093323.357053-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 09:33:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126487 Contains fix for CVE-2026-40170 (which is tracked without version by NVD, so also mark explicitly as patched). Changelog: https://github.com/ngtcp2/ngtcp2/releases/tag/v1.22.1 Signed-off-by: Gyorgy Sarvari --- .../ngtcp2/{ngtcp2_1.22.0.bb => ngtcp2_1.22.1.bb} | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) rename meta-networking/recipes-protocols/ngtcp2/{ngtcp2_1.22.0.bb => ngtcp2_1.22.1.bb} (84%) diff --git a/meta-networking/recipes-protocols/ngtcp2/ngtcp2_1.22.0.bb b/meta-networking/recipes-protocols/ngtcp2/ngtcp2_1.22.1.bb similarity index 84% rename from meta-networking/recipes-protocols/ngtcp2/ngtcp2_1.22.0.bb rename to meta-networking/recipes-protocols/ngtcp2/ngtcp2_1.22.1.bb index f7c0ee0d4f..acff7b548b 100644 --- a/meta-networking/recipes-protocols/ngtcp2/ngtcp2_1.22.0.bb +++ b/meta-networking/recipes-protocols/ngtcp2/ngtcp2_1.22.1.bb @@ -4,8 +4,8 @@ BUGTRACKER = "https://github.com/ngtcp2/ngtcp2/issues" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=de0966c8ff4f62661a3da92967a75434" -SRC_URI = "gitsm://github.com/ngtcp2/ngtcp2;protocol=https;branch=main;tag=v${PV};name=ngtcp2" -SRCREV = "2a441e8540d192b0707989b146ce80efcae5f0d6" +SRC_URI = "gitsm://github.com/ngtcp2/ngtcp2;protocol=https;branch=release-1.22;tag=v${PV}" +SRCREV = "716e64b05f4a3709dfc0b0522cf9fd4456d055e5" DEPENDS = "brotli libev nghttp3" @@ -18,3 +18,5 @@ PACKAGECONFIG[shared] = "-DENABLE_SHARED_LIB=ON, -DENABLE_SHARED_LIB=OFF" PACKAGECONFIG[build-lib-only] = "-DENABLE_LIB_ONLY=ON, -DENABLE_LIB_ONLY=OFF" PACKAGECONFIG[openssl] = "-DENABLE_OPENSSL=ON, -DENABLE_OPENSSL=OFF, openssl" PACKAGECONFIG[gnutls] = "-DENABLE_GNUTLS=ON, -DENABLE_GNUTLS=OFF, gnutls" + +CVE_STATUS[CVE-2026-40170] = "fixed-version: fixed in 1.22.1" From patchwork Mon Apr 20 09:33:17 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86463 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B0ACDF55802 for ; Mon, 20 Apr 2026 09:33:34 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15573.1776677607545246619 for ; Mon, 20 Apr 2026 02:33:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=PWCvNJhI; spf=pass (domain: gmail.com, ip: 209.85.128.42, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-488d2079582so32796645e9.2 for ; Mon, 20 Apr 2026 02:33:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776677606; x=1777282406; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Q2q0Teh2VFw0LnVYc9T+opIhA7hDqQCUg0IsSd9+54g=; b=PWCvNJhIIXCAbU8xuSOd7QSshUDT7RBOrjchX4u2gZAzCB3N6Wf92K86aknhQToynO +hpEb5Z4DLIpxWf4q5AbwvDSDTMknXN82vjyw/smA3jyT/82eF8GqluvZKvw86aUWZaH vZIjw6BofAUanbtPJxH3YyO9VFe8eGjrzuy/7OFla9kCOHhdjZn+Xpcbwna9p1HtSpjR A7fydaJHokeoqBqK0r64xxeePu+mWBuz0xs0aDnF+nTctw4537uQ2XN8mgPMbIYCmtPc Q+3+n1wfpNHw2IOp7/Q6IFwn5aRzWoWS5JH3+/QFPrkZgLw4VnS7IQVBNl6RYbpxRKAq d51w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776677606; x=1777282406; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=Q2q0Teh2VFw0LnVYc9T+opIhA7hDqQCUg0IsSd9+54g=; b=FCWYMLksv6m+dMb/Kw0h3aXM/9pMfsRlTKonsOy1u6W6PIgnEEnlNX4Zr6f+LkZFU8 aO3On/oyzntv2M3uphUV177Pn6y14PsMwXHTHTPkhti41nkgjHwTXSFdAsHAB2nOuvwp /GV/G7ly3oQYyxNJ5DYGZVDBTnP1hlFxvo/3GF7c1CGfltGXEk2gUwZYurwBASP5qxdp 2PbYqmoRsye8MjpqSMZ54Vvj1qTKJOl6NULbpqBbOhCoFNcy65jKLQspyandkfX1NiJO qSMMvrQzrGqxiRw/31rATXVbF85rlbxXyTxb/crszxfeaFscNujCYrj8C9jJVSgV30xd tP/w== X-Gm-Message-State: AOJu0Yx2x8YbnJIQ5q9e1dGJwCaM/+IQzVgA/M1n98lV7mFj4RXruW0f khU6DFpmXYlkW2SHcQd+doXSnVZ5kj5We3ju9QW9YhvzPpRDCbFNQv8/EgR4MQ== X-Gm-Gg: AeBDiesdHPTbSJkEBKSQ9/nF5RtCyxpJpYMQbUUswMCN/C9M19fFwYTnKJdFZTNhWDL qva9pDIKJGnAz82fE04E7HnBX1Vvsv36tfckYeAv+9NdlPwK7whfhBxwanx3KWc1SOnp16qWoNd xq1i1GgSSAmQ7jyNU0MePN3uFiaKwixThGH25gfX4+zlRBTLF3DZMnBpMI+WNzmWtGa31P6S/Pk gvn5TtZR782whzfQh9KKPeqZ274lby6fTbJMdImAU0gaW5bEfwYjdYTyRuuYSISSZXkk1m18o3s MEi8axIP8kEKl09TAemndfIlAe8T1yNyuFDpLAuY1cW8Pbe2QYKRCkQrZRcI0ZGiGL6uNuBf80i AUWpH4PMbjLmpExvYcD6C46SA57HGdLUlz4eahh7b89kYACbVhwc0Ohm7ZRB7eWSRID95F5/NVc n7pQj5wLPyqndQs4JywhO5SczBwz/QbFo= X-Received: by 2002:a05:600c:a416:b0:488:90ac:8f71 with SMTP id 5b1f17b1804b1-488fb73a9fcmr146543575e9.5.1776677605528; Mon, 20 Apr 2026 02:33:25 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43fe4e4eec9sm26577488f8f.34.2026.04.20.02.33.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 02:33:25 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 2/8] openjpeg: patch CVE-2026-6192 Date: Mon, 20 Apr 2026 11:33:17 +0200 Message-ID: <20260420093323.357053-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260420093323.357053-1-skandigraun@gmail.com> References: <20260420093323.357053-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 09:33:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126488 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6192 Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari --- .../openjpeg/openjpeg/CVE-2026-6192.patch | 35 +++++++++++++++++++ .../openjpeg/openjpeg_2.5.4.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch new file mode 100644 index 0000000000..49be9bd0a6 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch @@ -0,0 +1,35 @@ +From 776b00ff792a3c54b65f3bd92dbe7476a5a54106 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 5 Apr 2026 13:25:27 +0200 +Subject: [PATCH] opj_pi_initialise_encode() (write code path): avoid potential + integer overflow leading to insufficient memory allocation + +Fixes #1619 + +CVE: CVE-2026-6192 +Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/839936aa33eb8899bbbd80fda02796bb65068951] +Signed-off-by: Gyorgy Sarvari +--- + src/lib/openjp2/pi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c +index 15ac3314..4abb87af 100644 +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -1694,9 +1694,12 @@ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, + l_current_pi = l_pi; + + /* memory allocation for include*/ +- l_current_pi->include_size = l_tcp->numlayers * l_step_l; +- l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, +- sizeof(OPJ_INT16)); ++ l_current_pi->include = NULL; ++ if (l_step_l <= UINT_MAX / l_tcp->numlayers) { ++ l_current_pi->include_size = l_tcp->numlayers * l_step_l; ++ l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, ++ sizeof(OPJ_INT16)); ++ } + if (!l_current_pi->include) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb index 33dc48b2ea..968b7a0a5c 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb @@ -8,6 +8,7 @@ DEPENDS = "libpng tiff lcms zlib" SRC_URI = "git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0001-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ file://CVE-2023-39327.patch \ + file://CVE-2026-6192.patch \ " SRCREV = "6c4a29b00211eb0430fa0e5e890f1ce5c80f409f" From patchwork Mon Apr 20 09:33:18 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86464 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9609DF557FE for ; Mon, 20 Apr 2026 09:33:34 +0000 (UTC) Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com [209.85.221.46]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.15999.1776677608257631929 for ; Mon, 20 Apr 2026 02:33:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=WDYtnw6/; spf=pass (domain: gmail.com, ip: 209.85.221.46, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f46.google.com with SMTP id ffacd0b85a97d-43fe3e22e33so1859990f8f.0 for ; Mon, 20 Apr 2026 02:33:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776677606; x=1777282406; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=4N2xlaeLp2/CMKm1isWlWPF6H1MIDOwPC80NytbQfSI=; b=WDYtnw6/c/CUP1XVm++t3SkoPn3vVJMJoFfcFbH6sM4GSq9ogazr2Vjos/vmvDFYFe VvauaHSfln/9HpNORrDkMrIh0uuS+HBsh3uTpyN6MEC476idVnripXU3l1lxfCc4K9x7 CAshjWfDaqyGkggI9WKdWv5N+UVwiOT44+Guh7amF79bjmXZsMseaQrmss2vH0a/2QSs KLgpsOYmC2wApQp645peSLbB+mejvFVPIckysdG0mtZe+l+x9L4ydwiBgNNYV4UKZzZW G5xFIKeAIpckakJZ7cvnN9Af+ZFdr3s0GD0UN0haSkPsGwOX8/8gB+jHrONh+cUm/kZb Hc7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776677606; x=1777282406; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=4N2xlaeLp2/CMKm1isWlWPF6H1MIDOwPC80NytbQfSI=; b=YOI65yQ9A6eIHkk2gZnnd7Qnfi94PIe8CZZhPXK6+IgcyeV+u2TeDMteYBHnityuOm lO7zJF5wN/sanaNoK5UvETJF3GeXzjp2ycFcspPmJiDNRR/KFSTdRIR9qZrIXfb27ugP psw/GXa6a2xggEZxM8+lLbbBDluQCxUO7YFfrpmtdP6nkCCHRknj3IPkkCfgywNt5PeS NpG8txDW1hntFUJVHYP1s8hULLMNbRvijUF/eZ0v0S6qRvDMyPTws1BZ8qmkbSyXoiyu Jz5LIGNUUdoq9I/wOAjTbHlAD+JsXZYUg6CJ0yE/7BmpXY1jdJM4d+s3CRqw+OSSdSSV P3hA== X-Gm-Message-State: AOJu0YxLF6omwHXxIZtZmVAANziSMj6qy2n1/sJpIaywgeyvE3AY+QaH TJ7WjxFrEjN6JvSWcrLWTvmco2qJg7Fy0wXh+APAH/GrDppMZbO+nLAOI7/qKg== X-Gm-Gg: AeBDietEPP/ET1Url+Xy7z2Fv4htztMdRoqEsKtzSx+YyQIAqdwcUPDItvw2gOyKNgT V2peJNz1pJ+VWmSPBnCHM9uzcRnd1HOagpKKftIYbfKldrVn+XSoLJ0jaW3CnKcMDOOITF3umTP rzINLe4Bqyv50kiep2B5653/gs5k5WpnR/OvaAEUwvGOHpeUWLRcZvoOzLRld7FGfmAF93lRuKS u47eq1fztHgyIbBJ/i+AsZQIRb6kI6KQBfo5ULgR4rfgHau2uyHWewGMVj3fVDSRlyXbpAyC1V0 7xcdgxEaLepGV5r/Kf8nFCBy7Cv3mMqxZzdwCNHKPZQWLDs6fcpK9OQyWEeviRlhpNwKnsFxZbP RKnxnp25ZgoC4EFIRICc0wA5B2BTNGBcSwT1RoI2sPfnv5BWU4XQANCsYn9jOAAYKWfIuBHudiF dCa1Gln9DI6m1d4J1z8ZH/sVjbvRTZFGc= X-Received: by 2002:a05:6000:25c7:b0:43d:77a8:3bb5 with SMTP id ffacd0b85a97d-43fe3e1134amr17790589f8f.37.1776677606392; Mon, 20 Apr 2026 02:33:26 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43fe4e4eec9sm26577488f8f.34.2026.04.20.02.33.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 02:33:25 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 3/8] protobuf, python3-protobuf: ignore CVE-2026-6409 Date: Mon, 20 Apr 2026 11:33:18 +0200 Message-ID: <20260420093323.357053-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260420093323.357053-1-skandigraun@gmail.com> References: <20260420093323.357053-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 09:33:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126489 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6409 The vulnerability impacts only the PHP library component, not the cpp/python one. Ignore this CVE due to this. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-devtools/protobuf/protobuf_6.33.6.bb | 1 + meta-python/recipes-devtools/python/python3-protobuf_6.33.6.bb | 1 + 2 files changed, 2 insertions(+) diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_6.33.6.bb b/meta-oe/recipes-devtools/protobuf/protobuf_6.33.6.bb index 4af48b0b99..880dd82b1d 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_6.33.6.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_6.33.6.bb @@ -29,6 +29,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d\.\d+\.\d+)" CVE_PRODUCT = "google:protobuf protobuf:protobuf google-protobuf protobuf-cpp" CVE_STATUS[CVE-2026-0994] = "cpe-incorrect: the vulnerability affects only python3-protobuf recipe" +CVE_STATUS[CVE-2026-6409] = "cpe-incorrect: the vulnerability affects only the php library" inherit cmake pkgconfig ptest diff --git a/meta-python/recipes-devtools/python/python3-protobuf_6.33.6.bb b/meta-python/recipes-devtools/python/python3-protobuf_6.33.6.bb index bbc713442b..0595ec2a47 100644 --- a/meta-python/recipes-devtools/python/python3-protobuf_6.33.6.bb +++ b/meta-python/recipes-devtools/python/python3-protobuf_6.33.6.bb @@ -14,6 +14,7 @@ SRC_URI[sha256sum] = "a6768d25248312c297558af96a9f9c929e8c4cee0659cb07e780731095 CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python" CVE_STATUS[CVE-2026-0994] = "fixed-version: it is fixed in 6.33.5" +CVE_STATUS[CVE-2026-6409] = "cpe-incorrect: the vulnerability affects only the php library" # http://errors.yoctoproject.org/Errors/Details/184715/ # Can't find required file: ../src/google/protobuf/descriptor.proto From patchwork Mon Apr 20 09:33:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86460 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 820C6F557FB for ; Mon, 20 Apr 2026 09:33:34 +0000 (UTC) Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15574.1776677608983443282 for ; Mon, 20 Apr 2026 02:33:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=WJwoKPIl; spf=pass (domain: gmail.com, ip: 209.85.221.50, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f50.google.com with SMTP id ffacd0b85a97d-43d70c30767so2135756f8f.0 for ; Mon, 20 Apr 2026 02:33:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776677607; x=1777282407; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=MfDaKm3Erg4yDWaYdRMkMdMUST6KAYYFoWJQV2cT9go=; b=WJwoKPIl/AmpPcMyYF4hq8f29l2qG0OG7l2z4SClIS1E34C3UrM1lx1ZTQRBbIcrHG CUPoo1q40vUDiR+hr4CQG5Usoioa5MTxYTbuKLfkI3bU/AJ9Kz/KlQP0fv44OFcyFf5A HmM3gXgurqPU1v9dk/ZYYDK5lARl2EgLtDruTIMoAVAHVi0Y/jz/3HxJEn3PGeSLJHQQ x23NvQAjnC+GoAUw2TY3d2zoIcgF35aXFAv7vJUMGfAVvCBSKuyTJXUwagllCIpEam4l Yk39jjsTHnJb6ynB4QH/n6kf947MNVRXB1vf+/AU5K2oAFcj2O7KTgDdEsBSgI8lTyHi NebA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776677607; x=1777282407; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=MfDaKm3Erg4yDWaYdRMkMdMUST6KAYYFoWJQV2cT9go=; b=GFKddXZWaLwbSS9T59qb4qxe/NdXk5uJiZv+nrA5G364y7LeHWTQQT50tV7QhnQFId nbgH6B55aRptTB2eVRqAaizIXvnDDtOQU+e78M2XBvyOH6Ou1MybrDMzFtfPt9T5z3QP Vqb3PUAg8yvUzAGptW1olyIBu/gNJFuPBREUzGtCsesaEn2LsnwAwMojk0dxcpzW2iq7 mTNbEFxYDiMT0KUVbKPvDGYiQ6CSNGCS1QAuLGOvOraXQOG7crwI35hXRxYlNAsL1z1I aaPhzjvohpVWbOm1+F+t7tlQCE7NiXjKub5pvnJ2OWHn3v394jmtMctGKJzNn2o2iU3y KM2Q== X-Gm-Message-State: AOJu0YyIQP4MixoJxq5fZ62UzgUUIzMT5+9gbE5wIDfPmXWwkJtb437B eszUL0KTHTBNvU4QwAfHCZ2xxDGVbGc8pujlAT0Puw1YhJyiXMm71j5deDby7A== X-Gm-Gg: AeBDievIcpKIZv2gf5SD8Gs7oyLLMjZCQ9ahFcKWFWyP6dthMpeuNTupV0uFhEv7u0z mGWTEBys0MTL9oQSWf5veQ3G4dRCkebeWJdkw3QFQm1/iojR2MeZXpoNa4sGWoy5OfOB6GCZVfw mQLeaeAi3VBp5HfgvAIwXdqUO9OCGIG4KmiXYaD5tGe+08Ye95DGtdeBd6NuY8JmHqZgFhk/BBj CgRaYj8hgJLd9aK5DsoWAGzTSGmw67+ZWxNQ9XkW0PYX4qct2hyyc612kQ+0CgHk4xDosUp/d7T AdYF6zolufl7nOf3OHt+bmeHtCo2PW+p3AX+MPcMXHOKyvF9H0xxEkhMQQvNnb5fxXFfxryVZRm +mWLxly7oaEeWWQ7E40Z7ATgHGvl9lDzCd7Hrf62BWKtKAPYbAkiBT6YH4VLIFafea563aOtEur L0oX3zxZJOXr+cUQ8+/lx14Xh4Uc4vct8= X-Received: by 2002:a5d:6f14:0:b0:43d:7086:b03 with SMTP id ffacd0b85a97d-43fe4032b76mr16197692f8f.1.1776677607168; Mon, 20 Apr 2026 02:33:27 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43fe4e4eec9sm26577488f8f.34.2026.04.20.02.33.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 02:33:26 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][PATCH 4/8] python3-grpcio: ignore CVE-2026-33186 Date: Mon, 20 Apr 2026 11:33:19 +0200 Message-ID: <20260420093323.357053-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260420093323.357053-1-skandigraun@gmail.com> References: <20260420093323.357053-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 09:33:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126490 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33186 The vulnerability only affects the Go implememtation of the library, not the Python one. Ignore this CVE due to this. Signed-off-by: Gyorgy Sarvari --- meta-python/recipes-devtools/python/python3-grpcio_1.78.0.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-python/recipes-devtools/python/python3-grpcio_1.78.0.bb b/meta-python/recipes-devtools/python/python3-grpcio_1.78.0.bb index 6ac6a72d25..d9ec337427 100644 --- a/meta-python/recipes-devtools/python/python3-grpcio_1.78.0.bb +++ b/meta-python/recipes-devtools/python/python3-grpcio_1.78.0.bb @@ -50,3 +50,4 @@ BBCLASSEXTEND = "native nativesdk" CCACHE_DISABLE = "1" CVE_PRODUCT += "grpc:grpc" +CVE_STATUS[CVE-2026-33186] = "cpe-incorrect: the vulnerabilty affects only the go implementation" From patchwork Mon Apr 20 09:33:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86461 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6E591F557FC for ; Mon, 20 Apr 2026 09:33:34 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15576.1776677609915746814 for ; Mon, 20 Apr 2026 02:33:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=p4wFiRC5; spf=pass (domain: gmail.com, ip: 209.85.128.48, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-488c2690057so27404795e9.0 for ; Mon, 20 Apr 2026 02:33:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776677608; x=1777282408; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=BF2J7ismD70kKVx5e6IErCQNi+RPzQ0hiNSuRSR84fo=; b=p4wFiRC5Sxq1ahzzNQ3r6tdHiFjezqWz/Ojqsa0Zc4Hl3wQn0dAI9ztLnGhl5lEns1 cbVp+nFMa1GXM12fXw9oGi9aObmROuXxXNRfjpz1pTmcKNE76SN7rxAlADbOeSLUYHB3 2QSRV+1oYgmCgAIawCkTWFmE6eZ3qrVvSjhOXTi3cAmFeoCqsd0WLBVA1cshjAeW6h7V 3kVx4/eCwe6dKLea4mJPA7pJvFQ2kAO3k8Mr5nSjdPSI2k912bkTPD/M3AD+WNgXr+ka vje8z981S5SCOjmYwkEBdir5fZPOQ9N6hHGEQZC5glAzm/pcdE8SPs4rbuq9Hehs2oaK 1D8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776677608; x=1777282408; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=BF2J7ismD70kKVx5e6IErCQNi+RPzQ0hiNSuRSR84fo=; b=NDyxNbMjaBYPNfwoUX5pWbM2GGPSJvCUzMGm6uMKs1MWZmTsNHmqape6EXnEyWy5+R QNSooDXjZX+y368oryD4dlo7qqTXxDFjUxsz8hLKzFZXHlHI6EMxbcVhTPGqYETLzoCz /rvtgTMuc/uCToqsLUrbTwVIWdWBoGwiHjrPOATRKhXRC2JQmgHIz874H2TTIiVxbFKq KXZo6vx5dB5Qa44XF8z23yEPZaZr5eeXD0ReM+4aCT/YxpE5KNnwrSZZ2R4FcHkcAhLx Qc3BCeh9wpWYROAln0cJTVufYqoQf4E9Sr8fFcDMk+biDZLYRHxH49HGeomtll4gI9uM qNdA== X-Gm-Message-State: AOJu0YyPdAIkTxfjDclHIslFFmbSOMjMPdNI7qpG+0I9nC+GSd9XiB+w xwjrCnTot4fECiC+voQapmlD6qsblyCFxdO4/5xBPHurE87jehs3m1y+1yERZQ== X-Gm-Gg: AeBDieuFEMAy4jsjJMBmyWugEvvDPfdFGRAOrUalFZ2Gn0Cu4d5XBy1sxpJydUm20Jv 1O7yfRmCKbUEUFp22EauOmIkcOmjR2qgCwq9PRyf1eOKI7tP+TgReWFUeI4WQS7QVKPwC0I4d3V f9AOINCsgXTE2EUo5OOAl0Y9nU9N7MfB+JIwQ6WyiTnMqaMGwWtMDOQqMDSrv4S+lyXjOpvcV+i Mx5Lk23n/ZKDUlHlP5SI7/MmzdJo/+DlYXW2IJ//U4DvzwMYExTEJ/tq4Ps5Q3Zebes+Ft3ZtQR KQoiqiDyNaT7/AQ9K47qXe+QEfTciDY4PTwnu30Ru3wokvH/oiK7Ikzrc2ZlhjZKHPXzoeK+BEj aMyEvH56yjEGIXXoX+VP+mB1BTlr7q2v4QUGGVJAAUK0F+PI9Cm1/iI3MIoK7BxL7rU9uQ18lx2 MwIPm9kz/ccuCrqPsgPGgYBrRNzbbKMJo= X-Received: by 2002:a5d:5889:0:b0:43b:93af:e124 with SMTP id ffacd0b85a97d-43fe3e0968cmr19988206f8f.26.1776677608078; Mon, 20 Apr 2026 02:33:28 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43fe4e4eec9sm26577488f8f.34.2026.04.20.02.33.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 02:33:27 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][PATCH 5/8] python3-pillow: upgrade 12.1.1 -> 12.2.0 Date: Mon, 20 Apr 2026 11:33:20 +0200 Message-ID: <20260420093323.357053-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260420093323.357053-1-skandigraun@gmail.com> References: <20260420093323.357053-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 09:33:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126491 Contains fix for CVE-2026-40192 License-update: Copyright holder's name is spelled out fully instead of using abbreviation. Changelog: https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html Signed-off-by: Gyorgy Sarvari --- .../{python3-pillow_12.1.1.bb => python3-pillow_12.2.0.bb} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename meta-python/recipes-devtools/python/{python3-pillow_12.1.1.bb => python3-pillow_12.2.0.bb} (86%) diff --git a/meta-python/recipes-devtools/python/python3-pillow_12.1.1.bb b/meta-python/recipes-devtools/python/python3-pillow_12.2.0.bb similarity index 86% rename from meta-python/recipes-devtools/python/python3-pillow_12.1.1.bb rename to meta-python/recipes-devtools/python/python3-pillow_12.2.0.bb index 2b3660fc56..f3fcb2d3c1 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_12.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_12.2.0.bb @@ -3,12 +3,12 @@ Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and \ Contributors." HOMEPAGE = "https://pillow.readthedocs.io" LICENSE = "MIT-CMU" -LIC_FILES_CHKSUM = "file://LICENSE;md5=a1b708da743e3fc0e5c35e92daac0bf8" +LIC_FILES_CHKSUM = "file://LICENSE;md5=a6f0ac3777cfc96ded1b825e32ae7c99" -SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=12.1.x;protocol=https;tag=${PV} \ +SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https;tag=${PV} \ file://0001-support-cross-compiling.patch \ " -SRCREV = "5158d98c807e719c5938aa3886913ef0ea6814e9" +SRCREV = "3c41c095064200a02672d89cc5ff629eaf4b0d4f" inherit python_setuptools_build_meta ptest-python-pytest From patchwork Mon Apr 20 09:33:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86462 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 596E2F557FA for ; Mon, 20 Apr 2026 09:33:34 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.16001.1776677610536490900 for ; Mon, 20 Apr 2026 02:33:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=iVVRbMr9; spf=pass (domain: gmail.com, ip: 209.85.128.42, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-4891c00e7aeso6417855e9.2 for ; Mon, 20 Apr 2026 02:33:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776677609; x=1777282409; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=eRZc7ncDLgeA9v/MGJfU+RC6smWWWCog7MF0OBIIEyg=; b=iVVRbMr9BF5yzBJSih93wFbPf6RaH9GdEDJPW0oingfyjOvjItd42eHzGyC7wYhYsM 7nGpjxHK49ohhhhYUmg4p52ZbznGRxmI/VEQjWVpZORqutRUVC0ELw+bZoFTS4NOG5tr vXz1SxBKHlQF8lWkUhDtLKPQG7DBlwgB9ta/VLuIk6JsVODg7SHzD90MFUx90ndzIiCm Knrs/YKau+0IlpYVmSpnKVbSFk3fkHP2xfpBti0DczW0+CJeiOgmyiEfKA0wGYahbdJ7 9SwNQlPRnLUCDRiXzMqd3/w/cTx778TqA5+0LXDPg4mdVHNeRdbziCTne4mOtUCk+qR6 fEWg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776677609; x=1777282409; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=eRZc7ncDLgeA9v/MGJfU+RC6smWWWCog7MF0OBIIEyg=; b=GXUFhBHT5BjvrWvzekwgKz+12DMqswqwWbtrlV8XbgzE88a3fSrJaoZhEMakCFTDWd 94eXvpBLBid4FfXOCNvNdyEKt/R5auVKdvepeozdwN8y7zXScNgdEcUgZNadv2KHjtc4 GereSLwzO05CADzkFaEYSBJ1e5e2DrYfrIjRl+w7HVRGtyroyoF8Et56Rr0f7TfES+mq nWj2tugIi2ShwJQKVBVHNotKKmwVmrzJosw+MalfAjnwewJ0qhSXijKgtHgxhublDlgr 3sNfQ/nGy3fg4whnFNlonJ4ToGWFWzviJYTWOfZ7nfiZsivDX0YTSYPpy7Fd9UigzSe4 83lg== X-Gm-Message-State: AOJu0YzAc+w67VC8cqP+IFd4JeYLkjCNyfWCNGZGFQIRE7gfuSDHnaG0 yWj1hqdy9eGUut6MahnvT/eqVmOvES7c2AZuzja9dFEsvha2xB0TebQrPBs3ug== X-Gm-Gg: AeBDietjEPJewYV5hKxuqmejW3iR30yf5t2KnuiXodnXyFTr4AAARs5jpVFX5HiRqPe aCMHLQjaOr6Fl4R0r6Rtid0mFYZhqLSPwaVoqGwzwYTtyhTepSY+WEjzqzY2nT3CvQWocRs1qh1 ybPBQ9/IpqtB+y1fyRAsPfWWajM3AyS+j9e1Cvr+stuLyE9dvA8g2ez//TZjOtSTnF3DAEYVqZt +bVnAY/Zht9f0bbicCSfybmLGWb0yGxMaGt+xRVR/96glxxoLGjwl5Qtbwa8aFBvgPQua6pcfi2 jS73r1uFDj3b4mmkCSg/ZgQWpumW1WTBjLFV2x+P5rQtst1WHjtcXtX20Ll3kEg5QK5ppkP4Tvd fRKmgZvL3EvwLiUplYm5Bwo8ZzyBAtnlr3XnwUdjS8XlEu9OUDkEzAaYQaFcSpoD4Wj7A0L/hjc dUJL58EqVykaHHJM8+JeTa8LFWgf/f7ko= X-Received: by 2002:a05:600c:4707:b0:488:bfc3:efc with SMTP id 5b1f17b1804b1-488fb6e8eb5mr179920335e9.0.1776677608781; Mon, 20 Apr 2026 02:33:28 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43fe4e4eec9sm26577488f8f.34.2026.04.20.02.33.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 02:33:28 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][PATCH 6/8] wolfssl: mark fixed CVEs as patched Date: Mon, 20 Apr 2026 11:33:21 +0200 Message-ID: <20260420093323.357053-6-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260420093323.357053-1-skandigraun@gmail.com> References: <20260420093323.357053-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 09:33:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126492 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-5188 https://nvd.nist.gov/vuln/detail/CVE-2026-5392 https://nvd.nist.gov/vuln/detail/CVE-2026-5393 https://nvd.nist.gov/vuln/detail/CVE-2026-5447 https://nvd.nist.gov/vuln/detail/CVE-2026-5448 https://nvd.nist.gov/vuln/detail/CVE-2026-5460 https://nvd.nist.gov/vuln/detail/CVE-2026-5466 https://nvd.nist.gov/vuln/detail/CVE-2026-5479 https://nvd.nist.gov/vuln/detail/CVE-2026-5500 All of these CVEs are fixed in the current recipe version, however NVD tracks them without version. Each NVD advisory references the corresponding fix, and each of them are contained in 5.9.1. Mark all of them as patched explicitly. Signed-off-by: Gyorgy Sarvari --- .../recipes-connectivity/wolfssl/wolfssl_5.9.1.bb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.9.1.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.9.1.bb index 22ab04a02c..2978ff1cc1 100644 --- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.9.1.bb +++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.9.1.bb @@ -51,10 +51,19 @@ CVE_STATUS[CVE-2026-0819] = "fixed-version: fixed in 5.9.0" CVE_STATUS[CVE-2026-2646] = "fixed-version: fixed in 5.9.0" CVE_STATUS[CVE-2026-3503] = "fixed-version: fixed in 5.9.0" CVE_STATUS[CVE-2026-3548] = "fixed-version: fixed in 5.9.0" +CVE_STATUS[CVE-2026-5188] = "fixed-version: fixed in 5.9.1" CVE_STATUS[CVE-2026-5194] = "fixed-version: fixed in 5.9.1" CVE_STATUS[CVE-2026-5263] = "fixed-version: fixed in 5.9.1" CVE_STATUS[CVE-2026-5264] = "fixed-version: fixed in 5.9.1" +CVE_STATUS[CVE-2026-5392] = "fixed-version: fixed in 5.9.1" +CVE_STATUS[CVE-2026-5393] = "fixed-version: fixed in 5.9.1" CVE_STATUS[CVE-2026-5446] = "fixed-version: fixed in 5.9.1" +CVE_STATUS[CVE-2026-5447] = "fixed-version: fixed in 5.9.1" +CVE_STATUS[CVE-2026-5448] = "fixed-version: fixed in 5.9.1" +CVE_STATUS[CVE-2026-5460] = "fixed-version: fixed in 5.9.1" +CVE_STATUS[CVE-2026-5466] = "fixed-version: fixed in 5.9.1" +CVE_STATUS[CVE-2026-5479] = "fixed-version: fixed in 5.9.1" +CVE_STATUS[CVE-2026-5500] = "fixed-version: fixed in 5.9.1" CVE_STATUS[CVE-2026-5503] = "fixed-version: fixed in 5.9.1" CVE_STATUS[CVE-2026-5504] = "fixed-version: fixed in 5.9.1" CVE_STATUS[CVE-2026-5507] = "fixed-version: fixed in 5.9.1" From patchwork Mon Apr 20 09:33:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86459 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4BC6FF557F8 for ; Mon, 20 Apr 2026 09:33:34 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.16002.1776677611453219885 for ; Mon, 20 Apr 2026 02:33:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=WYRaFlRI; spf=pass (domain: gmail.com, ip: 209.85.128.42, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-488ad135063so22048485e9.0 for ; Mon, 20 Apr 2026 02:33:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776677610; x=1777282410; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=vXy8eHAkbTOPDQWNkxSRCYMfHGiZy7oFyN/TADXh4oM=; b=WYRaFlRIJ9YI9PiVR7C0ibqtdtQsD9QwvSC3YDrJX42sDtX/dA96BjhAC3RkFTZVG3 AYRFkLRfV6OKj7/eyQtkKkD+FhA/neD34AZcuSvJ879AmMLsd2ICOfWENZs5taoQRFFf guD5XEhIUvxl3a0uWvMIAE1pnAMZu74SKdIX+0Y78dvGiZ+Lnf1A6uqMFR4tYHuYwki+ grPjLukqTRo8HB+ES6fpEEjHEeFAs6NaPij1lxyFyugX92UAQ8KBlTBKLbLSvV5b8tVu VzHS1hKKE0TUvWMiEZg5AhL8dwX8aHXULEP6voSqUjnDMJP/NBG78+k/VBrXu6r3YMi2 rcnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776677610; x=1777282410; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=vXy8eHAkbTOPDQWNkxSRCYMfHGiZy7oFyN/TADXh4oM=; b=SYKcgi118R+Qq1hevROcIbUhb8aU2sxt+/89FTjoX0Qi11VtmkdD4HYL2rFKl5tWDt X0SW2X58JVLRrvN1kJMSJheDCS4PBhD0/NWgxQGM2yfG2ofN8/3TuWoR0ClOz7IvnLiU 3gRJ2i9TVU9kg0+k00KJSwimpYqRxjQfQZ6UGc5BUiTS5azvjWAcBGaBtVTgpGyInINQ dZ/uoroLz5jqfJlY8BrrrEl93mCQEXA4jkPmn3OEifd7N8zRewhOHOJsMRQXeadTKXS5 mBN3lMHeaSza5Pf8pUTdgCQ7HAtP9Am7U/vpFgRTTFY2QTp6DGYqDbpZUuk/7igIEzZy kHxQ== X-Gm-Message-State: AOJu0Yx0p6ddkGo72jPyZygJD+cmHBi7VmxVJCIXYjehwJErAOy5sUSv B61RzvfmfPp+5urZeyl7lOwbcAsDvGlMBVp1ac0rkLILtleMQLcx1GM9eUL7Ag== X-Gm-Gg: AeBDievrHmcq9OnVl+8TPKIRPoNq2Spniqjta/Z3tSwJidLCSH1tBeWgf7H176hQ3cE wyDMvMsTCwB1RxRZUGCxQSy1OuapoxvvYgxvx8BQ8JXCPD7QC0TlcvLO0+mjSMsx03EpJgJk+Qh MKgSnYFMRnJt5cjJS6cYoT8rgrymPgPHD8jGu/d2AWYPLTlujpe6zC4ZtmQsRzPhZZFH42BBE0f PcHgnreHk0S5krqiykeAALttJ9bEtfJqJ6bhZzPklBO0VuROb6LEKMhls5iF4K3gRtpijCTTWPP DZG3dwUl72rBZuqTzkR6mVJ2IrGYyFOfGaWIhdb+KarAVvlr8/grwAOXoTbHSaWQr3aqaQYxFQT BHQXbiscTV7+Vna94Xofz3wE3YcfFcdTeazVrK97HigQjw/I8ZZ2zlUlWkWb1FDENaZ/ljFdm8j K4HV/lePxclzuZE5GMeitf8GoV8EksIf4= X-Received: by 2002:a05:600c:8a08:b0:488:a82f:bb9b with SMTP id 5b1f17b1804b1-488ff369a1cmr111135255e9.30.1776677609638; Mon, 20 Apr 2026 02:33:29 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43fe4e4eec9sm26577488f8f.34.2026.04.20.02.33.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 02:33:29 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 7/8] xdg-desktop-portal: upgrade 1.20.3 -> 1.20.4 Date: Mon, 20 Apr 2026 11:33:22 +0200 Message-ID: <20260420093323.357053-7-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260420093323.357053-1-skandigraun@gmail.com> References: <20260420093323.357053-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 09:33:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126493 Fixes CVE-2026-40354: https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4 Also mark the CVE explicitly patched, as it is tracked without version info at this time. The project now has a dependency on libglnx, which by default it tries to download from the internet during configuring. To avoid that error, this dependency is added to the SRC_URI. Signed-off-by: Gyorgy Sarvari --- ...portal_1.20.3.bb => xdg-desktop-portal_1.20.4.bb} | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) rename meta-oe/recipes-support/xdg-desktop-portal/{xdg-desktop-portal_1.20.3.bb => xdg-desktop-portal_1.20.4.bb} (71%) diff --git a/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.3.bb b/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.4.bb similarity index 71% rename from meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.3.bb rename to meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.4.bb index e0aca558fd..be3c2be069 100644 --- a/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.3.bb +++ b/meta-oe/recipes-support/xdg-desktop-portal/xdg-desktop-portal_1.20.4.bb @@ -27,11 +27,17 @@ RDEPENDS:${PN} = "bubblewrap rtkit ${PORTAL_BACKENDS} fuse3-utils" inherit meson pkgconfig python3native features_check SRC_URI = " \ - git://github.com/flatpak/xdg-desktop-portal.git;protocol=https;branch=xdg-desktop-portal-1.20 \ + git://github.com/flatpak/xdg-desktop-portal.git;protocol=https;branch=xdg-desktop-portal-1.20;name=main;tag=${PV} \ + git://gitlab.gnome.org/GNOME/libglnx.git;protocol=https;branch=master;name=libglnx;destsuffix=${BB_GIT_DEFAULT_DESTSUFFIX}/subprojects/libglnx \ file://0001-meson.build-add-a-hack-for-crosscompile.patch \ " -SRCREV = "23a76c392170dbbd26230f85ef56c3a57e52b857" +SRCREV_main = "f5aec228c9eb0c9a70eadd6424d92c0ca8a78247" + +# this revision comes from subprojects/libglnx.wrap file of the main source repo +SRCREV_libglnx = "ccea836b799256420788c463a638ded0636b1632" + +SRCREV_FORMAT = "main" FILES:${PN} += "${libdir}/systemd ${datadir}/dbus-1" @@ -47,3 +53,5 @@ do_write_config:append() { bwrap = '${bindir}/bwrap' EOF } + +CVE_STATUS[CVE-2026-40354] = "fixed-version: fixed in 1.20.4" From patchwork Mon Apr 20 09:33:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86458 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 454F7F557F7 for ; Mon, 20 Apr 2026 09:33:34 +0000 (UTC) Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15579.1776677612702440979 for ; Mon, 20 Apr 2026 02:33:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=VrDXLvbC; spf=pass (domain: gmail.com, ip: 209.85.128.46, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-488a8ca4aadso38595375e9.3 for ; Mon, 20 Apr 2026 02:33:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776677611; x=1777282411; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=aBmsKEoAuaOLxqeDzv+upI1fxj9mAepjkXxqyIFeza0=; b=VrDXLvbCcCUJJftd6T/u5mKsojUs4KwnqaeGMyb+S3uRxLSizKhYHYUFuiP7tvT9JV Vspdhcy0ZcbmDpCyckY6PL6ibXJpnULGYf7K+30zMHmNCVrmXbwq/iUQDFV7VrjdGzq7 KNv1VQ9bRGAvZAYRNwQJyri3i+G6uY/HK6jPJs0Dr89xwFJdMWubWhe75nyYHmcM8vmF QE2Ll6IjOkha9Ad97Qdji8GDgRUxkpikg4pjs5wknjiWdvmhc3Kdd7cRQ6NYwVm33Kzf M9LKGwZgc9KUJRDpZNlm/XRVeVpUdBRSuJCTgvtY2eVKSayURyftM0ZG0AWofFsauUCh h1AQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776677611; x=1777282411; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=aBmsKEoAuaOLxqeDzv+upI1fxj9mAepjkXxqyIFeza0=; b=gRJg16a3OUM8o1NfJcU6Danl9kA25OSWcr44d335zjeLfIGZamxKU5kktwx15WM0g1 e8sEyNk22p+0PZZZGBG5GYdEfqRrw5fsHw/tQL/kqAcbDeIU4KXdnB21zyvxa2adavWg x28OOce/y1qQs1rIBgLBgj4PEENfD4AZ2rhuLocPIrkgr5rQa14N/Ia6CcVgFqwoy2Ur ywLn2C42PQ3vq77IA3/tAgCETdpEaf6Y5ajQZqEn8ITIIfbyMvZSNRRL3cs/SnXOLP05 j0u88dxNndpx94j7yjMqZW9Ix+JgMSnmfagP/lukhUgGtHKs4MRWz3WaTlMTSIdQl6fc XDlg== X-Gm-Message-State: AOJu0Yzu/xzIYYywHiQsxbYgtI/uc4LvB+HhAaotf/gvUvaJMFddra2K GK1NrBx9sus0OKIK7oHFRvfxemNUFgqrNAHRiD7KYh310CpnL2DQsXO5R2VWEg== X-Gm-Gg: AeBDietCJAaoe6XtZjZhVLyWqEbG5fvRgetCaxk38ZX1RzHUib6d1KCrl7z5GTCgJU7 3+RGg80XYwQKkcqfg4J6BMw/Efovvt3zKgk2LdeFhPE8LbsUCoapiwvnY65WxCZBuoKQbsuZQr4 tPSs4sceWu8Ay2CrgzqS+QKzT2D7DFC9VVmr3I5J/S1EMt8Lowzb4P0GVjCgJo6GjdmnDtgVhzZ gztgW+NHB+uln0NPGAzcFLNiC00RN6pVBets/lz6jDJRBAklt/SluozSeebZ9fJoBwstMMvEGnF zxHgTOFA6/NZ8xI5M4GhySp9Te+XsxJtf8w4lNeFBewcZwyXghq+E856G/lmuJEfTfn15E7BtYe nosb18JmdyHUpe6gqDxexfsOAW13lI4fbayBiFXNoUDGNurr8TagkATaBDwsC48ETrAGTyZ3qAm XcXMXcujV6rrcFAJCFvsgOjWE1A5m8TW5BSWA8f2Tnrg== X-Received: by 2002:a05:600c:4746:b0:488:9439:881a with SMTP id 5b1f17b1804b1-488fb738412mr166061835e9.2.1776677610792; Mon, 20 Apr 2026 02:33:30 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43fe4e4eec9sm26577488f8f.34.2026.04.20.02.33.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 02:33:30 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 8/8] xrdp: upgrade 0.10.5 -> 0.10.6 Date: Mon, 20 Apr 2026 11:33:23 +0200 Message-ID: <20260420093323.357053-8-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260420093323.357053-1-skandigraun@gmail.com> References: <20260420093323.357053-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 09:33:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126494 Mark fixed CVEs explicitly patched,because NVD tracks them without version info. Changelog: Security fixes: CVE-2026-32105 CVE-2026-32107 CVE-2026-32623 CVE-2026-32624 CVE-2026-33145 CVE-2026-33516 CVE-2026-33689 CVE-2026-35512 New features: Support for xorgxrdp bug fixes Bug fixes: Honour pass_shell_as_env setting only if user sets a shell We no longer try to create a NULL authentication file when using VNC over UDS Problems with the Brazilian ABNT2 keyboard mapping have been corrected A 'file exists' error when installing xrdp over an existing installation has been addressed Signed-off-by: Gyorgy Sarvari --- .../xrdp/{xrdp_0.10.5.bb => xrdp_0.10.6.bb} | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) rename meta-oe/recipes-support/xrdp/{xrdp_0.10.5.bb => xrdp_0.10.6.bb} (89%) diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.10.5.bb b/meta-oe/recipes-support/xrdp/xrdp_0.10.6.bb similarity index 89% rename from meta-oe/recipes-support/xrdp/xrdp_0.10.5.bb rename to meta-oe/recipes-support/xrdp/xrdp_0.10.6.bb index 8d7c5807f2..152b37cb37 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.10.5.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.10.6.bb @@ -17,7 +17,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://0001-arch-Define-NO_NEED_ALIGN-on-ppc64.patch \ file://0001-mark-count-with-unused-attribute.patch \ " -SRC_URI[sha256sum] = "9abc96d164de4b1c40e2f3f537d0593d052a640cf3388978c133715ea69fb123" +SRC_URI[sha256sum] = "dfc21d5d603b642cf583987b36706b685bf05fd3aaaaacefb8f57c5f4a448677" UPSTREAM_CHECK_URI = "https://github.com/neutrinolabs/xrdp/releases" UPSTREAM_CHECK_REGEX = "releases/tag/v(?P\d+(\.\d+)+)" @@ -127,3 +127,12 @@ pkg_postinst:${PN}() { fi fi } + +CVE_STATUS[CVE-2026-32105] = "fixed-version: fixed in 0.10.6" +CVE_STATUS[CVE-2026-32107] = "fixed-version: fixed in 0.10.6" +CVE_STATUS[CVE-2026-32623] = "fixed-version: fixed in 0.10.6" +CVE_STATUS[CVE-2026-32624] = "fixed-version: fixed in 0.10.6" +CVE_STATUS[CVE-2026-33145] = "fixed-version: fixed in 0.10.6" +CVE_STATUS[CVE-2026-33516] = "fixed-version: fixed in 0.10.6" +CVE_STATUS[CVE-2026-33689] = "fixed-version: fixed in 0.10.6" +CVE_STATUS[CVE-2026-35512] = "fixed-version: fixed in 0.10.6"