[Buildroot] [PATCH 1/1] package/containerd: security bump to v2.0.7

[Buildroot] [PATCH 1/1] package/containerd: security bump to v2.0.7

[Thomas Perale via buildroot]

For more information on the version bump, see:
  - https://github.com/containerd/containerd/releases/tag/v2.0.7
  - https://github.com/containerd/containerd/releases/tag/v2.0.6
  - https://github.com/containerd/containerd/releases/tag/v2.0.5
  - https://github.com/containerd/containerd/releases/tag/v2.0.4
  - https://github.com/containerd/containerd/releases/tag/v2.0.3

Fixes the following vulnerabilities:

- CVE-2024-25621:
    Versions 2.0.0-beta.0 through 2.0.6 have an overly broad default
    permission vulnerability. Directory paths `/var/lib/containerd`,
    `/run/containerd/io.containerd.grpc.v1.cri` and
    `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all
    created with incorrect permissions.

    https://www.cve.org/CVERecord?id=CVE-2024-25621

- CVE-2024-40635:
    A bug was found in containerd prior to versions 2.0.4 where
    containers launched with a User set as a `UID:GID` larger than the
    maximum 32-bit signed integer can cause an overflow condition where
    the container ultimately runs as root (UID 0). This could cause
    unexpected behavior for environments that require containers to run
    as a non-root user.

    https://www.cve.org/CVERecord?id=CVE-2024-40635

- CVE-2025-47291:
    A bug was found in the containerd's CRI implementation where
    containerd, starting in version 2.0.1 and prior to version 2.0.5,
    doesn't put usernamespaced containers under the Kubernetes' cgroup
    hierarchy, therefore some Kubernetes limits are not honored. This
    may cause a denial of service of the Kubernetes node.

    https://www.cve.org/CVERecord?id=CVE-2025-47291

- CVE-2025-64329:
    Versions 2.0.0-beta.0 through 2.0.6 contain a bug in the CRI Attach
    implementation where a user can exhaust memory on the host due to
    goroutine leaks.

    https://www.cve.org/CVERecord?id=CVE-2025-64329

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 package/containerd/containerd.hash | 2 +-
 package/containerd/containerd.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash
index 4ec78897d9..0916c603bb 100644
--- a/package/containerd/containerd.hash
+++ b/package/containerd/containerd.hash
@@ -1,3 +1,3 @@
 # Computed locally
-sha256  472747a7a6b360a0864bab0ee00a8a6f51da5795171e6a60ab17aa80cbd850a2  containerd-2.0.2-go2.tar.gz
+sha256  2bbf9fedcf4ab31736fcb3ce224ef22610a87da9d53bbd8f6d205710fd849831  containerd-2.0.7-go2.tar.gz
 sha256  4bbe3b885e8cd1907ab4cf9a41e862e74e24b5422297a4f2fe524e6a30ada2b4  LICENSE
diff --git a/package/containerd/containerd.mk b/package/containerd/containerd.mk
index 2ef70ab5d7..a334f0fdac 100644
--- a/package/containerd/containerd.mk
+++ b/package/containerd/containerd.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CONTAINERD_VERSION = 2.0.2
+CONTAINERD_VERSION = 2.0.7
 CONTAINERD_SITE = $(call github,containerd,containerd,v$(CONTAINERD_VERSION))
 CONTAINERD_LICENSE = Apache-2.0
 CONTAINERD_LICENSE_FILES = LICENSE
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH] package/wireshark: security bump to v4.4.13

[Thomas Perale via buildroot]

For more information on the version bump, see:
  - https://www.wireshark.org/docs/relnotes/wireshark-4.4.13.html
  - https://www.wireshark.org/docs/relnotes/wireshark-4.4.12.html
  - https://www.wireshark.org/docs/relnotes/wireshark-4.4.11.html
  - https://www.wireshark.org/docs/relnotes/wireshark-4.4.10.html

Fixes the following vulnerabilities:

- CVE-2025-11626:
    MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to
    4.2.13 allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2025-11626

- CVE-2025-13499:
    Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows
    denial of service

    https://www.cve.org/CVERecord?id=CVE-2025-13499

- CVE-2025-13946:
    MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0
    to 4.4.11 allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2025-13946

- CVE-2026-0959:
    IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and
    4.4.0 to 4.4.12 allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2026-0959

- CVE-2026-0960:
    HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2
    allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2026-0960

- CVE-2026-0961:
    BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12
    allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2026-0961

- CVE-2026-0962:
    SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and
    4.4.0 to 4.4.12 allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2026-0962

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 package/wireshark/wireshark.hash | 6 +++---
 package/wireshark/wireshark.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/wireshark/wireshark.hash b/package/wireshark/wireshark.hash
index 88eb7ef494..87d5781eed 100644
--- a/package/wireshark/wireshark.hash
+++ b/package/wireshark/wireshark.hash
@@ -1,6 +1,6 @@
-# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-4.4.9.txt
-sha1  dc91c68b03b389645fa6dade92960863d74bca1d  wireshark-4.4.9.tar.xz
-sha256  60551dc787f41e87aeaa1e9c33304f9008037e3baf9fa11aef9c2d584cc0b54b  wireshark-4.4.9.tar.xz
+# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-4.4.13.txt
+sha1  2e85bc1231775283d3e1593ce700566e0dc4efb9  wireshark-4.4.13.tar.xz
+sha256  cdaaf455954b45990651ba334ddcc691ee446fcfb332e78d27b0a8451f22dc0f  wireshark-4.4.13.tar.xz
 
 # Locally calculated
 sha256  edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6  COPYING
diff --git a/package/wireshark/wireshark.mk b/package/wireshark/wireshark.mk
index 9ccd8f9a9e..196ac63271 100644
--- a/package/wireshark/wireshark.mk
+++ b/package/wireshark/wireshark.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WIRESHARK_VERSION = 4.4.9
+WIRESHARK_VERSION = 4.4.13
 WIRESHARK_SOURCE = wireshark-$(WIRESHARK_VERSION).tar.xz
 WIRESHARK_SITE = https://www.wireshark.org/download/src/all-versions
 WIRESHARK_LICENSE = wireshark license
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/wireshark: security bump to v4.4.13

[Thomas Perale via buildroot]

The wireshark bump is a resend by mistake nothing has changed from the previous
iteration. It has been removed from patchwork.

In reply of:
> For more information on the version bump, see:
>   - https://www.wireshark.org/docs/relnotes/wireshark-4.4.13.html
>   - https://www.wireshark.org/docs/relnotes/wireshark-4.4.12.html
>   - https://www.wireshark.org/docs/relnotes/wireshark-4.4.11.html
>   - https://www.wireshark.org/docs/relnotes/wireshark-4.4.10.html
> 
> Fixes the following vulnerabilities:
> 
> - CVE-2025-11626:
>     MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to
>     4.2.13 allows denial of service
> 
>     https://www.cve.org/CVERecord?id=CVE-2025-11626
> 
> - CVE-2025-13499:
>     Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows
>     denial of service
> 
>     https://www.cve.org/CVERecord?id=CVE-2025-13499
> 
> - CVE-2025-13946:
>     MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0
>     to 4.4.11 allows denial of service
> 
>     https://www.cve.org/CVERecord?id=CVE-2025-13946
> 
> - CVE-2026-0959:
>     IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and
>     4.4.0 to 4.4.12 allows denial of service
> 
>     https://www.cve.org/CVERecord?id=CVE-2026-0959
> 
> - CVE-2026-0960:
>     HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2
>     allows denial of service
> 
>     https://www.cve.org/CVERecord?id=CVE-2026-0960
> 
> - CVE-2026-0961:
>     BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12
>     allows denial of service
> 
>     https://www.cve.org/CVERecord?id=CVE-2026-0961
> 
> - CVE-2026-0962:
>     SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and
>     4.4.0 to 4.4.12 allows denial of service
> 
>     https://www.cve.org/CVERecord?id=CVE-2026-0962
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

> ---
>  package/wireshark/wireshark.hash | 6 +++---
>  package/wireshark/wireshark.mk   | 2 +-
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/package/wireshark/wireshark.hash b/package/wireshark/wireshark.hash
> index 88eb7ef494..87d5781eed 100644
> --- a/package/wireshark/wireshark.hash
> +++ b/package/wireshark/wireshark.hash
> @@ -1,6 +1,6 @@
> -# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-4.4.9.txt
> -sha1  dc91c68b03b389645fa6dade92960863d74bca1d  wireshark-4.4.9.tar.xz
> -sha256  60551dc787f41e87aeaa1e9c33304f9008037e3baf9fa11aef9c2d584cc0b54b  wireshark-4.4.9.tar.xz
> +# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-4.4.13.txt
> +sha1  2e85bc1231775283d3e1593ce700566e0dc4efb9  wireshark-4.4.13.tar.xz
> +sha256  cdaaf455954b45990651ba334ddcc691ee446fcfb332e78d27b0a8451f22dc0f  wireshark-4.4.13.tar.xz
>  
>  # Locally calculated
>  sha256  edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6  COPYING
> diff --git a/package/wireshark/wireshark.mk b/package/wireshark/wireshark.mk
> index 9ccd8f9a9e..196ac63271 100644
> --- a/package/wireshark/wireshark.mk
> +++ b/package/wireshark/wireshark.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -WIRESHARK_VERSION = 4.4.9
> +WIRESHARK_VERSION = 4.4.13
>  WIRESHARK_SOURCE = wireshark-$(WIRESHARK_VERSION).tar.xz
>  WIRESHARK_SITE = https://www.wireshark.org/download/src/all-versions
>  WIRESHARK_LICENSE = wireshark license
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/containerd: security bump to v2.0.7

[Julien Olivain via buildroot]

On 25/02/2026 10:48, Thomas Perale via buildroot wrote:
> For more information on the version bump, see:
>   - https://github.com/containerd/containerd/releases/tag/v2.0.7
>   - https://github.com/containerd/containerd/releases/tag/v2.0.6
>   - https://github.com/containerd/containerd/releases/tag/v2.0.5
>   - https://github.com/containerd/containerd/releases/tag/v2.0.4
>   - https://github.com/containerd/containerd/releases/tag/v2.0.3
[...]
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/containerd: security bump to v2.0.7

[Thomas Perale via buildroot]

In reply of:
> For more information on the version bump, see:
>   - https://github.com/containerd/containerd/releases/tag/v2.0.7
>   - https://github.com/containerd/containerd/releases/tag/v2.0.6
>   - https://github.com/containerd/containerd/releases/tag/v2.0.5
>   - https://github.com/containerd/containerd/releases/tag/v2.0.4
>   - https://github.com/containerd/containerd/releases/tag/v2.0.3
> 
> Fixes the following vulnerabilities:
> 
> - CVE-2024-25621:
>     Versions 2.0.0-beta.0 through 2.0.6 have an overly broad default
>     permission vulnerability. Directory paths `/var/lib/containerd`,
>     `/run/containerd/io.containerd.grpc.v1.cri` and
>     `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all
>     created with incorrect permissions.
> 
>     https://www.cve.org/CVERecord?id=CVE-2024-25621
> 
> - CVE-2024-40635:
>     A bug was found in containerd prior to versions 2.0.4 where
>     containers launched with a User set as a `UID:GID` larger than the
>     maximum 32-bit signed integer can cause an overflow condition where
>     the container ultimately runs as root (UID 0). This could cause
>     unexpected behavior for environments that require containers to run
>     as a non-root user.
> 
>     https://www.cve.org/CVERecord?id=CVE-2024-40635
> 
> - CVE-2025-47291:
>     A bug was found in the containerd's CRI implementation where
>     containerd, starting in version 2.0.1 and prior to version 2.0.5,
>     doesn't put usernamespaced containers under the Kubernetes' cgroup
>     hierarchy, therefore some Kubernetes limits are not honored. This
>     may cause a denial of service of the Kubernetes node.
> 
>     https://www.cve.org/CVERecord?id=CVE-2025-47291
> 
> - CVE-2025-64329:
>     Versions 2.0.0-beta.0 through 2.0.6 contain a bug in the CRI Attach
>     implementation where a user can exhaust memory on the host due to
>     goroutine leaks.
> 
>     https://www.cve.org/CVERecord?id=CVE-2025-64329
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x & 2025.11.x. Thanks

> ---
>  package/containerd/containerd.hash | 2 +-
>  package/containerd/containerd.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash
> index 4ec78897d9..0916c603bb 100644
> --- a/package/containerd/containerd.hash
> +++ b/package/containerd/containerd.hash
> @@ -1,3 +1,3 @@
>  # Computed locally
> -sha256  472747a7a6b360a0864bab0ee00a8a6f51da5795171e6a60ab17aa80cbd850a2  containerd-2.0.2-go2.tar.gz
> +sha256  2bbf9fedcf4ab31736fcb3ce224ef22610a87da9d53bbd8f6d205710fd849831  containerd-2.0.7-go2.tar.gz
>  sha256  4bbe3b885e8cd1907ab4cf9a41e862e74e24b5422297a4f2fe524e6a30ada2b4  LICENSE
> diff --git a/package/containerd/containerd.mk b/package/containerd/containerd.mk
> index 2ef70ab5d7..a334f0fdac 100644
> --- a/package/containerd/containerd.mk
> +++ b/package/containerd/containerd.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -CONTAINERD_VERSION = 2.0.2
> +CONTAINERD_VERSION = 2.0.7
>  CONTAINERD_SITE = $(call github,containerd,containerd,v$(CONTAINERD_VERSION))
>  CONTAINERD_LICENSE = Apache-2.0
>  CONTAINERD_LICENSE_FILES = LICENSE
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot