From patchwork Wed Apr 29 19:36:41 2026
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 87178
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 1/7] libgcrypt: upgrade 1.12.1 -> 1.12.2
Date: Wed, 29 Apr 2026 21:36:41 +0200
Message-ID: <20260429193647.3090502-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236131

Solves CVE-2026-41989 and CVE-2026-41990.

Release notes: [1]

Refreshed patches.

[1] https://lists.gnu.org/archive/html/info-gnu/2026-04/msg00007.html

Signed-off-by: Peter Marko
--- .../files/0001-tests-Fix-link-errors-for-t-thread-local.patch | 2 +- ...tests-Makefile.am-fix-undefined-reference-to-pthread.patch | 4 ++-- .../libgcrypt/{libgcrypt_1.12.1.bb => libgcrypt_1.12.2.bb} | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) rename meta/recipes-support/libgcrypt/{libgcrypt_1.12.1.bb => libgcrypt_1.12.2.bb} (95%) diff --git a/meta/recipes-support/libgcrypt/files/0001-tests-Fix-link-errors-for-t-thread-local.patch b/meta/recipes-support/libgcrypt/files/0001-tests-Fix-link-errors-for-t-thread-local.patch index 8dc2fe328c..19a925c2c6 100644 --- a/meta/recipes-support/libgcrypt/files/0001-tests-Fix-link-errors-for-t-thread-local.patch +++ b/meta/recipes-support/libgcrypt/files/0001-tests-Fix-link-errors-for-t-thread-local.patch @@ -24,7 +24,7 @@ diff --git a/tests/Makefile.am b/tests/Makefile.am index 4800135..f0f7adb 100644 --- a/tests/Makefile.am 
+++ b/tests/Makefile.am -@@ -98,7 +98,7 @@ testapi_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@ +@@ -102,7 +102,7 @@ testapi_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@ t_lock_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) @LDADD_FOR_TESTS_KLUDGE@ t_lock_CFLAGS = $(GPG_ERROR_MT_CFLAGS) -lpthread t_thread_local_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) @LDADD_FOR_TESTS_KLUDGE@ diff --git a/meta/recipes-support/libgcrypt/files/0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch b/meta/recipes-support/libgcrypt/files/0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch index bbd48ebeee..090948c3c5 100644 --- a/meta/recipes-support/libgcrypt/files/0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch +++ b/meta/recipes-support/libgcrypt/files/0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch @@ -17,7 +17,7 @@ diff --git a/tests/Makefile.am b/tests/Makefile.am index 93daf3c..4800135 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am -@@ -96,7 +96,7 @@ t_mpi_bit_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@ +@@ -100,7 +100,7 @@ t_mpi_bit_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@ t_secmem_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@ testapi_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@ t_lock_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) @LDADD_FOR_TESTS_KLUDGE@ @@ -26,7 +26,7 @@ index 93daf3c..4800135 100644 t_thread_local_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) @LDADD_FOR_TESTS_KLUDGE@ t_thread_local_CFLAGS = $(GPG_ERROR_MT_CFLAGS) testdrv_LDADD = $(LDADD_FOR_TESTS_KLUDGE) -@@ -117,7 +117,7 @@ else +@@ -122,7 +122,7 @@ else xtestsuite_libs = ../src/.libs/libgcrypt.so* xtestsuite_driver = testdrv t_kdf_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) @LDADD_FOR_TESTS_KLUDGE@ 
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.12.1.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.12.2.bb similarity index 95% rename from meta/recipes-support/libgcrypt/libgcrypt_1.12.1.bb rename to meta/recipes-support/libgcrypt/libgcrypt_1.12.2.bb index b3c0d050b7..1eb6c472a3 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.12.1.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.12.2.bb 
@@ -26,7 +26,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ file://no-bench-slope.patch \ file://run-ptest \ " -SRC_URI[sha256sum] = "7df5c08d952ba33f9b6bdabdb06a61a78b2cf62d2122c2d1d03a91a79832aa3c" +SRC_URI[sha256sum] = "7ce33c2492221a0436f96a8500215e9f3e3dcb5fd26a757cd415e7a843babd5e" BINCONFIG = "${bindir}/libgcrypt-config"

From patchwork Wed Apr 29 19:36:42 2026
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 87179
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 2/7] libpng: upgrade 1.6.56 -> 1.6.58
Date: Wed, 29 Apr 2026 21:36:42 +0200
Message-ID: <20260429193647.3090502-2-peter.marko@siemens.com>
In-Reply-To: <20260429193647.3090502-1-peter.marko@siemens.com>
References: <20260429193647.3090502-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236132

Solves CVE-2026-34757 (in 1.6.57, as described in CVE description).
Solves also regression of CVE-2026-33416 (in 1.56.58).
Explicit CVE_STATUS is needed to remove it from open CVE list.

Signed-off-by: Peter Marko
--- .../libpng/{libpng_1.6.56.bb => libpng_1.6.58.bb} | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) rename meta/recipes-multimedia/libpng/{libpng_1.6.56.bb => libpng_1.6.58.bb} (95%) diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.56.bb b/meta/recipes-multimedia/libpng/libpng_1.6.58.bb similarity index 95% rename from meta/recipes-multimedia/libpng/libpng_1.6.56.bb rename to meta/recipes-multimedia/libpng/libpng_1.6.58.bb index 7ede0a6c8b..630b489d00 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.56.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.58.bb 
@@ -14,7 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \ file://run-ptest \ " -SRC_URI[sha256sum] = "f7d8bf1601b7804f583a254ab343a6549ca6cf27d255c302c47af2d9d36a6f18" +SRC_URI[sha256sum] = "28eb403f51f0f7405249132cecfe82ea5c0ef97f1b32c5a65828814ae0d34775" MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/" 
@@ -70,3 +70,5 @@ do_install_ptest() { } BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2026-34757] = "fixed-version: fixed since 1.6.57"

From patchwork Wed Apr 29 19:36:43 2026
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 87180
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 3/7] libmicrohttpd: set status for CVE-2025-59777 and CVE-2025-62689
Date: Wed, 29 Apr 2026 21:36:43 +0200
Message-ID: <20260429193647.3090502-3-peter.marko@siemens.com>
In-Reply-To: <20260429193647.3090502-1-peter.marko@siemens.com>
References: <20260429193647.3090502-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236133

This was fixed in the same commit included in 1.0.3 per [1] and [2].
The CVEs have dates instead of version in CPE.

[1] https://security-tracker.debian.org/tracker/CVE-2025-59777
[2] https://security-tracker.debian.org/tracker/CVE-2025-62689

Signed-off-by: Peter Marko
--- meta/recipes-support/libmicrohttpd/libmicrohttpd_1.0.5.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/libmicrohttpd/libmicrohttpd_1.0.5.bb b/meta/recipes-support/libmicrohttpd/libmicrohttpd_1.0.5.bb index cca3496a19..935fbfcf89 100644 --- a/meta/recipes-support/libmicrohttpd/libmicrohttpd_1.0.5.bb +++ b/meta/recipes-support/libmicrohttpd/libmicrohttpd_1.0.5.bb 
@@ -25,3 +25,6 @@ do_compile:append() { } BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2025-59777] = "fixed-version: fixed since 1.0.3" +CVE_STATUS[CVE-2025-62689] = "fixed-version: fixed since 1.0.3"

From patchwork Wed Apr 29 19:36:44 2026
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 87181
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 4/7] libsdl2: set status for CVE-2026-35444
Date: Wed, 29 Apr 2026 21:36:44 +0200
Message-ID: <20260429193647.3090502-4-peter.marko@siemens.com>
In-Reply-To: <20260429193647.3090502-1-peter.marko@siemens.com>
References: <20260429193647.3090502-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236134

This CVE is for SDL_IMAGE, not SDL.
Mapping in sbom-cve-check tool seems to be wrong at [1].
It maps both SDL and SDL_IMAGE to the same CPE.

[1] https://github.com/bootlin/sbom-cve-check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1608

Signed-off-by: Peter Marko
--- meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb index 834cf096b9..2b583448ef 100644 --- a/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb +++ b/meta/recipes-graphics/libsdl2/libsdl2_2.32.10.bb 
@@ -85,3 +85,5 @@ CFLAGS:append:class-native = " -DNO_SHARED_MEMORY" FILES:${PN} += "${datadir}/licenses/SDL2/LICENSE.txt" BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2026-35444] = "cpe-incorrect: this CVE is for sdl_image"

From patchwork Wed Apr 29 19:36:45 2026
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 87182
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 5/7] python3-lxml: upgrade 6.0.4 -> 6.1.0
Date: Wed, 29 Apr 2026 21:36:45 +0200
Message-ID: <20260429193647.3090502-5-peter.marko@siemens.com>
In-Reply-To: <20260429193647.3090502-1-peter.marko@siemens.com>
References: <20260429193647.3090502-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236135

Solves CVE-2026-41066.

Release notes: [1]

[1] https://lxml.de/6.1/changes-6.1.0.html

Signed-off-by: Peter Marko
--- .../python/{python3-lxml_6.0.4.bb => python3-lxml_6.1.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/python/{python3-lxml_6.0.4.bb => python3-lxml_6.1.0.bb} (95%) diff --git a/meta/recipes-devtools/python/python3-lxml_6.0.4.bb b/meta/recipes-devtools/python/python3-lxml_6.1.0.bb similarity index 95% rename from meta/recipes-devtools/python/python3-lxml_6.0.4.bb rename to meta/recipes-devtools/python/python3-lxml_6.1.0.bb index 1257534c0f..b7bbf5c3d6 100644 --- a/meta/recipes-devtools/python/python3-lxml_6.0.4.bb +++ b/meta/recipes-devtools/python/python3-lxml_6.1.0.bb 
@@ -18,7 +18,7 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \ DEPENDS += "libxml2 libxslt" -SRC_URI[sha256sum] = "4137516be2a90775f99d8ef80ec0283f8d78b5d8bd4630ff20163b72e7e9abf2" +SRC_URI[sha256sum] = "bfd57d8008c4965709a919c3e9a98f76c2c7cb319086b3d26858250620023b13" SRC_URI += "${PYPI_SRC_URI}" inherit pkgconfig pypi setuptools3

From patchwork Wed Apr 29 19:36:46 2026
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 87183
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 6/7] libcap: set status for CVE-2026-4878
Date: Wed, 29 Apr 2026 21:36:46 +0200
Message-ID: <20260429193647.3090502-6-peter.marko@siemens.com>
In-Reply-To: <20260429193647.3090502-1-peter.marko@siemens.com>
References: <20260429193647.3090502-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236136

This is a version-less RedHat CVE, so needs explicit status.

Fix reference: [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-4878

Signed-off-by: Peter Marko
--- meta/recipes-support/libcap/libcap_2.78.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-support/libcap/libcap_2.78.bb b/meta/recipes-support/libcap/libcap_2.78.bb index 449260f7dc..782ad02665 100644 --- a/meta/recipes-support/libcap/libcap_2.78.bb +++ b/meta/recipes-support/libcap/libcap_2.78.bb 
@@ -70,3 +70,5 @@ LICENSE:${PN} = "(BSD-3-Clause | GPL-2.0-only)${@bb.utils.contains('PACKAGECONFI LICENSE:${PN}-dev = "(BSD-3-Clause | GPL-2.0-only)" BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2026-4878] = "fixed-version: fixed since 2.78"

From patchwork Wed Apr 29 19:36:47 2026
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 87184
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 7/7] libarchive: set status for CVE-2026-4426
Date: Wed, 29 Apr 2026 21:36:47 +0200
Message-ID: <20260429193647.3090502-7-peter.marko@siemens.com>
In-Reply-To: <20260429193647.3090502-1-peter.marko@siemens.com>
References: <20260429193647.3090502-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236137

This is a version-less RedHat CVE so needs explicit status.

Fix reference: PR/commit listed in [1] backported as [2].

[1] https://security-tracker.debian.org/tracker/CVE-2026-4426
[2] https://github.com/libarchive/libarchive/commit/ec1bc43156b84e12ff363f39005533e6f7067297

Signed-off-by: Peter Marko
--- meta/recipes-extended/libarchive/libarchive_3.8.7.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-extended/libarchive/libarchive_3.8.7.bb b/meta/recipes-extended/libarchive/libarchive_3.8.7.bb index a65afb7b22..577362ef8b 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.8.7.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.8.7.bb @@ -89,4 +89,5 @@ do_install_ptest() { RDEPENDS:${PN}-ptest += "bsdtar bsdcpio" +CVE_STATUS[CVE-2026-4426] = "fixed-version: fixed since 3.8.7" CVE_STATUS[CVE-2026-5121] = "fixed-version: fixed since 3.8.7"
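
Review bot: The new SRC_URI[sha256sum] value in libgcrypt_1.12.2.bb (hunk @@ -26,7 +26,7 @@ of [PATCH 1/7]) is the only integrity anchor for the 1.12.2 tarball, and the commit message does not say how it was obtained. Please note in the message that the value was checked against upstream's published signature or checksum for the release rather than computed from whatever the mirror served, since this upgrade is the carrier for two CVE fixes.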
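
Review bot: The CVE_STATUS entry added at the end of libpng_1.6.58.bb (hunk @@ -70,3 +70,5 @@ of [PATCH 2/7]) covers only CVE-2026-34757, while the commit message also names a regression of CVE-2026-33416 and leaves open which of the two "it" refers to in "Explicit CVE_STATUS is needed". Please confirm that CVE-2026-33416 is closed by the version bump alone and needs no entry of its own, and correct "1.56.58" in the message, which does not match the 1.6.58 in the subject and the recipe file name.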
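
Review bot: The reason string in CVE_STATUS[CVE-2026-35444] = "cpe-incorrect: this CVE is for sdl_image" (libsdl2_2.32.10.bb, hunk @@ -85,3 +85,5 @@ of [PATCH 4/7]) does not record what the commit message explains, namely that the mismatch comes from the sbom-cve-check product mapping at [1], which maps SDL and SDL_IMAGE to the same CPE. A status set in the recipe stays in place after the tool mapping is corrected, so please add a comment above the entry that points at that mapping (and at an upstream report, if one has been filed) so the override can be reviewed and dropped later.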
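
Review bot: CVE_STATUS[CVE-2026-4426] = "fixed-version: fixed since 3.8.7" in libarchive_3.8.7.bb (hunk @@ -89,4 +89,5 @@ of [PATCH 7/7]) carries no pointer to its evidence, and the commit message describes the fix as a backport ([2]) without stating which release first contains it. Because the CVE is version-less and scanners cannot check the claim themselves, please add the commit reference ec1bc43156b84e12ff363f39005533e6f7067297 as a comment above the entry, or state in the message that this commit is part of the 3.8.7 release.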