From patchwork Mon Apr 27 21:51:17 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 87028 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D99A2FF8864 for ; Mon, 27 Apr 2026 21:51:34 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7212.1777326690521047065 for ; Mon, 27 Apr 2026 14:51:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=QHH/lMK+; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20260427215127772e8b1bc300020706-tzxrzn@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20260427215127772e8b1bc300020706 for ; Mon, 27 Apr 2026 23:51:27 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=HANnLk3pKqW23Mgi1qbCtQgqUCV4g34Wll+QJKr5hyY=; b=QHH/lMK+7+hq3fjdq40bcy8LbSRmbiwwZG/w8/NIa7iKM0ssvdyUdmEuTT9zgaGi1PJD27 /hcV5UcpRZdk7RCtANSSeHYm1EvpJxdz/f+23FduBVN6ds15+OkVJM7Q9RPzljjL1GLapj5P hAqmYbUFaNmBMOxqWrEN4/hD8oLGHDeGEae4iqqylXOBbnN1M1kpUabwmLgpcmptGGU4VbuI OdfNnbKq2mYZWloyPnhr5dwl8cKq4bALQVw9jqZyodU8mrgMzRPqEljHJkLFQtq+FrZ+XSU1 kW/Hg/PL5oGpm8+/sDN1fofkezY/9JzxjaVrVVLubcBrGUCgOOEukfyQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 1/4] coreutils: set CVE_PRODUCT Date: Mon, 27 Apr 2026 23:51:17 +0200 Message-ID: <20260427215120.199335-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 27 Apr 2026 21:51:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236031 From: Peter Marko This removes rust uutils coreutils CVEs from reports. Comparing sbom-cve-check shows that only CVE-2026-35338..CVE-2026-35381 are removed and all of them contained reference to uutils. Signed-off-by: Peter Marko --- meta/recipes-core/coreutils/coreutils_9.10.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-core/coreutils/coreutils_9.10.bb b/meta/recipes-core/coreutils/coreutils_9.10.bb index 984c5b5292..8109244f44 100644 --- a/meta/recipes-core/coreutils/coreutils_9.10.bb +++ b/meta/recipes-core/coreutils/coreutils_9.10.bb @@ -19,6 +19,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ " SRC_URI[sha256sum] = "16535a9adf0b10037364e2d612aad3d9f4eca3a344949ced74d12faf4bd51d25" +CVE_PRODUCT = "gnu:coreutils" + # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842 # CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue." From patchwork Mon Apr 27 21:51:18 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 87029 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AE4B3FF8864 for ; Mon, 27 Apr 2026 21:51:54 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.7310.1777326705063825424 for ; Mon, 27 Apr 2026 14:51:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=QWMBKoRx; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-2026042721514364b2bd55dd00020712-agyhnu@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 2026042721514364b2bd55dd00020712 for ; Mon, 27 Apr 2026 23:51:43 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=AWKQZ9ZNW4Zuyjkn1glHa8B0RlD+nGBayspIL5fHubU=; b=QWMBKoRxynoeFgGIp7OMhf4Ev2ZTABM+gd/grgW7rjHoThIcOjAi5xFLanHwXawlqIb/RN 6vzkAOGKm5GXTNot3voSepyPWcIEcus2ClMLV7eSWVf7ZR8+Zt3PXTO7PvvnT028rCByUxdX xlE1+hmMGAre44sRNN/uh1RPrVouQL1cSAO2eojXfU3FsZOTPetmgsFCV18tbG1y/Thns+V6 9frBI158ZjJVd3kbDQJEPStV1jQwIKNDjksQ7NpS6bdjQYMCL2/u/BQH01Zt8ytMWlsvK7Cf hF8xVHQ9LBEnyP3+tfAEEnOmPHwVef976HRmLoEmlwnWUTbyVZgq2oIg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 2/4] cups: upgrade 2.4.16 -> 2.4.19 Date: Mon, 27 Apr 2026 23:51:18 +0200 Message-ID: <20260427215120.199335-2-peter.marko@siemens.com> In-Reply-To: <20260427215120.199335-1-peter.marko@siemens.com> References: <20260427215120.199335-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 27 Apr 2026 21:51:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236032 From: Peter Marko Release notes: * https://github.com/OpenPrinting/cups/releases/tag/v2.4.19 * CUPS 2.4.19 fixes a regression in shared printing from non-local accounts (Issue #1557) * https://github.com/OpenPrinting/cups/releases/tag/v2.4.18 * The new release 2.4.18 contains a hotfix after the CVE-2026-27447 fix: * Fixed cupsd crash if user does not exist (Issue #1555) * https://github.com/OpenPrinting/cups/releases/tag/v2.4.17 * The new release 2.4.17 contains the following security fixes: * CVE-2026-27447: The scheduler treated local user and group names as case- insensitive. * CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS directory. * CVE-2026-34980: The scheduler did not filter control characters from option values. * CVE-2026-34979: The scheduler did not always allocate enough memory for a job's options string. * CVE-2026-34990: The scheduler incorrectly allowed local certificates over the loopback interface. * CVE-2026-39314: Fixed the range check for job password strings. * CVE-2026-39316: Fixed a printer subscription bug in the scheduler. * CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends. Signed-off-by: Peter Marko --- meta/recipes-extended/cups/{cups_2.4.16.bb => cups_2.4.19.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-extended/cups/{cups_2.4.16.bb => cups_2.4.19.bb} (51%) diff --git a/meta/recipes-extended/cups/cups_2.4.16.bb b/meta/recipes-extended/cups/cups_2.4.19.bb similarity index 51% rename from meta/recipes-extended/cups/cups_2.4.16.bb rename to meta/recipes-extended/cups/cups_2.4.19.bb index 6c08e49728..c4885b60bc 100644 --- a/meta/recipes-extended/cups/cups_2.4.16.bb +++ b/meta/recipes-extended/cups/cups_2.4.19.bb @@ -2,4 +2,4 @@ require cups.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI[sha256sum] = "0339587204b4f9428dd0592eb301dec0bf9ea6ea8dce5d9690d56be585aba92d" +SRC_URI[sha256sum] = "820984b12a67f98705785aae2dd1347fe0ac097828001d4583ff64574aed6389" From patchwork Mon Apr 27 21:51:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 87030 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE934FF8870 for ; Mon, 27 Apr 2026 21:51:54 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.7311.1777326711151909281 for ; Mon, 27 Apr 2026 14:51:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=J3ZBgYmU; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20260427215149b532a654ac00020774-yf6xqp@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20260427215149b532a654ac00020774 for ; Mon, 27 Apr 2026 23:51:49 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=esKSzHrMB3woUXmeGNOSOEvG4xM9AyOUc+2nzcWhqB0=; b=J3ZBgYmU+6GMiwnsFZ472RakXabq4zcCqWppYR+pSUwqFrhE3ZIGaW7iklkb51QxBMj9mW 2Ix4MrMK/K12bvN3moVUwt9xacNMsFOyxw3RFjNP3kGwUPqLekcsXhEaLns31UXYODMI/8Dr tD9MhVJ/D8aOeJZeGJbrwv6zPk0wXhM/h0gKM4LRvvGHu+5qna3QD48UhSgl6BrarWRny8G0 2PuyzYl2w2LKgi0M7cEMT8DWEIuhqmdojvdMcQth5xqKjoYDnzDP+k6h0g1OxXNfGPc9+Q3f Ek2DWHkmk1Z3EGAZhPNNGHMQUWnAdjvj2Z3jmnRqSchfCRUUSgIT5Hjw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 3/4] libsoup: set status for CVE-2026-2436 Date: Mon, 27 Apr 2026 23:51:19 +0200 Message-ID: <20260427215120.199335-3-peter.marko@siemens.com> In-Reply-To: <20260427215120.199335-1-peter.marko@siemens.com> References: <20260427215120.199335-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 27 Apr 2026 21:51:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236033 From: Peter Marko Commit fixing this CVE is [2] (per [1]). That was backported to 3.6.6 as [3]. [1] https://security-tracker.debian.org/tracker/CVE-2026-2436 [2] https://gitlab.gnome.org/GNOME/libsoup/-/commit/e9b681a5b23f8259a5e29c5351a5284ae5cd1189 [3] https://gitlab.gnome.org/GNOME/libsoup/-/commit/31052a2327c81fe3b7a3d4a66d8a7c9c1aaa47ca Signed-off-by: Peter Marko --- meta/recipes-support/libsoup/libsoup_3.6.6.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-support/libsoup/libsoup_3.6.6.bb b/meta/recipes-support/libsoup/libsoup_3.6.6.bb index 9bc3f2f86f..206daa091f 100644 --- a/meta/recipes-support/libsoup/libsoup_3.6.6.bb +++ b/meta/recipes-support/libsoup/libsoup_3.6.6.bb @@ -62,4 +62,5 @@ BBCLASSEXTEND = "native nativesdk" CVE_STATUS[CVE-2026-1467] = "fixed-version: fixed in 3.6.6" CVE_STATUS[CVE-2026-1536] = "fixed-version: fixed in 3.6.6" CVE_STATUS[CVE-2026-1801] = "fixed-version: fixed in 3.6.6" +CVE_STATUS[CVE-2026-2436] = "fixed-version: fixed in 3.6.6" CVE_STATUS[CVE-2026-2443] = "fixed-version: fixed in 3.6.6" From patchwork Mon Apr 27 21:51:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 87031 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B3CF1FF8864 for ; Mon, 27 Apr 2026 21:52:04 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7221.1777326716898058894 for ; Mon, 27 Apr 2026 14:51:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=LoNPcnl2; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-2026042721515513499d931700020736-4un688@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2026042721515513499d931700020736 for ; Mon, 27 Apr 2026 23:51:55 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=fuq8C3mW9J2wJS21ksvGsVHS+/ow/vhWC2w/+zEO2uU=; b=LoNPcnl28J8VmMMMzXqrcl39kdgBHcEbAkSw6/SgnXFevb7gF4aJpaxSIizaCq2GKev3iF otXiQndD7KCkDgkmVgQNOH4cO6ipguqqk71S/Ly0DuAshX8QyQxFA+1NVHFSZN0TWp/Vm75T 9w7Ux4vO8n1KhdjNVnb7e6m9ooYIrX8GDG954KmisnG897HK1C1HABn2lIBIqF5iElERMEOK p9A6kSnABsEWdQYwZnDZLsNY9xfFPdTGWQBHvN09ORe7a8JqbgDkyllKxWqZHrKrzqkYJRX+ zuRYc7ckIVljf92lCIWgPj6OtV7pPOHBEPMCZDgiQV2VbPHbL0+u/PLw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 4/4] libsoup: patch CVE-2026-5119 Date: Mon, 27 Apr 2026 23:51:20 +0200 Message-ID: <20260427215120.199335-4-peter.marko@siemens.com> In-Reply-To: <20260427215120.199335-1-peter.marko@siemens.com> References: <20260427215120.199335-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 27 Apr 2026 21:52:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236034 From: Peter Marko Pick commit which closed [1]. [1] https://gitlab.gnome.org/GNOME/libsoup/-/work_items/502#note_cb3be24d375814549d21c03821672ed6749df36a Signed-off-by: Peter Marko --- .../libsoup/libsoup/CVE-2026-5119.patch | 122 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.6.6.bb | 1 + 2 files changed, 123 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2026-5119.patch diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2026-5119.patch b/meta/recipes-support/libsoup/libsoup/CVE-2026-5119.patch new file mode 100644 index 0000000000..f5e3f91b00 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2026-5119.patch @@ -0,0 +1,122 @@ +From b0626fff8538e3dd4a52f148d91c8348d51d64d1 Mon Sep 17 00:00:00 2001 +From: Carlos Garcia Campos +Date: Fri, 27 Feb 2026 12:03:25 +0100 +Subject: [PATCH] cookies: do not send cookies to a HTTP proxy for a HTTPS + request + +Closes #502 + +CVE: CVE-2026-5119 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/b0626fff8538e3dd4a52f148d91c8348d51d64d1] +Signed-off-by: Peter Marko + +--- + libsoup/cookies/soup-cookie-jar.c | 24 +++++++++++----- + tests/proxy-test.c | 47 +++++++++++++++++++++++++++++++ + 2 files changed, 64 insertions(+), 7 deletions(-) + +diff --git a/libsoup/cookies/soup-cookie-jar.c b/libsoup/cookies/soup-cookie-jar.c +index 7e200f8f..6a996ffe 100644 +--- a/libsoup/cookies/soup-cookie-jar.c ++++ b/libsoup/cookies/soup-cookie-jar.c +@@ -885,18 +885,28 @@ process_set_cookie_header (SoupMessage *msg, gpointer user_data) + g_slist_free (new_cookies); + } + ++static gboolean ++allow_cookies_for_request (SoupMessage *msg) ++{ ++ /* Do not send cookies to a HTTP proxy for a HTTPS request */ ++ return soup_message_get_method (msg) != SOUP_METHOD_CONNECT || !soup_connection_is_tunnelled (soup_message_get_connection (msg)); ++} ++ + static void + msg_starting_cb (SoupMessage *msg, gpointer feature) + { + SoupCookieJar *jar = SOUP_COOKIE_JAR (feature); +- GSList *cookies; ++ GSList *cookies = NULL; ++ ++ if (allow_cookies_for_request (msg)) { ++ cookies = soup_cookie_jar_get_cookie_list_with_same_site_info (jar, soup_message_get_uri (msg), ++ soup_message_get_first_party (msg), ++ soup_message_get_site_for_cookies (msg), ++ TRUE, ++ SOUP_METHOD_IS_SAFE (soup_message_get_method (msg)), ++ soup_message_get_is_top_level_navigation (msg)); ++ } + +- cookies = soup_cookie_jar_get_cookie_list_with_same_site_info (jar, soup_message_get_uri (msg), +- soup_message_get_first_party (msg), +- soup_message_get_site_for_cookies (msg), +- TRUE, +- SOUP_METHOD_IS_SAFE (soup_message_get_method (msg)), +- soup_message_get_is_top_level_navigation (msg)); + if (cookies != NULL) { + char *cookie_header = soup_cookies_to_cookie_header (cookies); + soup_message_headers_replace_common (soup_message_get_request_headers (msg), SOUP_HEADER_COOKIE, cookie_header, SOUP_HEADER_VALUE_TRUSTED); +diff --git a/tests/proxy-test.c b/tests/proxy-test.c +index 68c97aca..945de2cc 100644 +--- a/tests/proxy-test.c ++++ b/tests/proxy-test.c +@@ -406,6 +406,52 @@ do_proxy_connect_error_test (gconstpointer data) + soup_test_session_abort_unref (session); + } + ++static void ++connect_message_wrote_headers_cb (SoupMessage *msg, guint *counter) ++{ ++ SoupMessageHeaders *hdrs; ++ ++ *counter += 1; ++ ++ hdrs = soup_message_get_request_headers (msg); ++ if (soup_message_get_method (msg) == SOUP_METHOD_CONNECT) ++ g_assert_null (soup_message_headers_get_one (hdrs, "Cookie")); ++ else ++ g_assert_nonnull (soup_message_headers_get_one (hdrs, "Cookie")); ++} ++ ++static void ++request_queued_cb (SoupSession *session, SoupMessage *msg, guint *counter) ++{ ++ g_signal_connect (msg, "wrote-headers", G_CALLBACK (connect_message_wrote_headers_cb), counter); ++} ++ ++static void ++do_proxy_secure_cookies_test (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupCookieJar *jar; ++ guint counter = 0; ++ ++ SOUP_TEST_SKIP_IF_NO_APACHE; ++ SOUP_TEST_SKIP_IF_NO_TLS; ++ ++ session = soup_test_session_new ("proxy-resolver", proxy_resolvers[SIMPLE_PROXY], NULL); ++ g_signal_connect (session, "request-queued", G_CALLBACK (request_queued_cb), &counter); ++ ++ soup_session_add_feature_by_type (session, SOUP_TYPE_COOKIE_JAR); ++ jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR)); ++ ++ msg = soup_message_new (SOUP_METHOD_GET, HTTPS_SERVER); ++ soup_cookie_jar_set_cookie (jar, soup_message_get_uri (msg), "user=password; secure"); ++ soup_test_session_send_message (session, msg); ++ soup_test_assert_message_status (msg, SOUP_STATUS_OK); ++ g_assert_cmpuint (counter, ==, 2); ++ ++ soup_test_session_abort_unref (session); ++} ++ + int + main (int argc, char **argv) + { +@@ -438,6 +484,7 @@ main (int argc, char **argv) + g_test_add_func ("/proxy/auth-redirect", do_proxy_auth_redirect_test); + g_test_add_func ("/proxy/auth-cache", do_proxy_auth_cache_test); + g_test_add_data_func ("/proxy/connect-error", base_https_uri, do_proxy_connect_error_test); ++ g_test_add_func ("/proxy/secure-cookies", do_proxy_secure_cookies_test); + + ret = g_test_run (); + diff --git a/meta/recipes-support/libsoup/libsoup_3.6.6.bb b/meta/recipes-support/libsoup/libsoup_3.6.6.bb index 206daa091f..b36976a2be 100644 --- a/meta/recipes-support/libsoup/libsoup_3.6.6.bb +++ b/meta/recipes-support/libsoup/libsoup_3.6.6.bb @@ -18,6 +18,7 @@ SRC_URI += "file://CVE-2025-32049-1.patch \ file://CVE-2025-32049-3.patch \ file://CVE-2025-32049-4.patch \ file://CVE-2026-1539.patch \ + file://CVE-2026-5119.patch \ " PROVIDES = "libsoup-3.0"