* [Buildroot] [PATCH] pacakge/jq: update CPE vendor
From: Thomas Perale via buildroot @ 2026-05-29 9:45 UTC
To: buildroot
Cc: Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
The CPE "cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*" is valid for this package.
See the GHSA [1] and the associated CVE [2].
[1] https://github.com/jqlang/jq/security/advisories/GHSA-rmpv-jgvr-wpr9
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-44777
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/jq/jq.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/jq/jq.mk b/package/jq/jq.mk
index b0776021fc..19a130b694 100644
--- a/package/jq/jq.mk
+++ b/package/jq/jq.mk
@@ -9,7 +9,7 @@ JQ_SITE = https://github.com/jqlang/jq/releases/download/jq-$(JQ_VERSION)
JQ_LICENSE = MIT (code), ICU (decNumber), CC-BY-3.0 (documentation), \
BSD-2-Clause (strptime)
JQ_LICENSE_FILES = COPYING
-JQ_CPE_ID_VALID = YES
+JQ_CPE_ID_VENDOR = jqlang
JQ_INSTALL_STAGING = YES
# uses c99 specific features
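Review bot: The `+JQ_CPE_ID_VENDOR = jqlang` line replaces `JQ_CPE_ID_VALID = YES` rather than an existing vendor assignment, so the subject's "update CPE vendor" should read "add CPE vendor", and the subject prefix is misspelled as `pacakge/jq`. The commit message would also be easier to verify if it stated whether the identifier in effect before this change has any CVEs recorded against it.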
--
2.54.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH] package/hiredis: update CPE vendor
From: Thomas Perale via buildroot @ 2026-05-29 9:45 UTC
To: buildroot
Cc: Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
The CPE "cpe:2.3:a:redis:hiredis:*:*:*:*:*:*:*:*" is valid for this
package.
See the GHSA [1] and the associated CVE [2].
[1] https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-32765
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/hiredis/hiredis.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/hiredis/hiredis.mk b/package/hiredis/hiredis.mk
index f7acb2f131..33a87e7780 100644
--- a/package/hiredis/hiredis.mk
+++ b/package/hiredis/hiredis.mk
@@ -9,7 +9,7 @@ HIREDIS_VERSION = $(HIREDIS_VERSION_MAJOR).0
HIREDIS_SITE = $(call github,redis,hiredis,v$(HIREDIS_VERSION))
HIREDIS_LICENSE = BSD-3-Clause
HIREDIS_LICENSE_FILES = COPYING
-HIREDIS_CPE_ID_VENDOR = redislabs
+HIREDIS_CPE_ID_VENDOR = redis
HIREDIS_INSTALL_STAGING = YES
# The package is a dependency to ccache so ccache cannot be a dependency
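Review bot: The hunk leaves a single `HIREDIS_CPE_ID_VENDOR` assignment, now `redis` instead of `redislabs`, and the commit message cites one CVE for the new name without saying whether any entries remain under `redislabs`. Suggest adding a sentence on that, in the style of the libgit2 patch in this series ("The previous CPE hasn't been used since ...").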
--
2.54.0
* [Buildroot] [PATCH] package/redis: update CPE vendor
From: Thomas Perale via buildroot @ 2026-05-29 9:45 UTC
To: buildroot
Cc: Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
The CPE "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*" is valid for this
package.
See the GHSA [1] and the associated CVE [2].
[1] https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-25243
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/redis/redis.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/redis/redis.mk b/package/redis/redis.mk
index 6ce9933029..9db7226675 100644
--- a/package/redis/redis.mk
+++ b/package/redis/redis.mk
@@ -10,7 +10,7 @@ REDIS_LICENSE = \
AGPL-3.0 or SSPL-1.0 or RSAL-2.0 (core); \
MIT and BSD family licenses (Bundled components)
REDIS_LICENSE_FILES = LICENSE.txt
-REDIS_CPE_ID_VENDOR = redislabs
+REDIS_CPE_ID_VENDOR = redis
REDIS_SELINUX_MODULES = redis
define REDIS_USERS
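Review bot: On the `REDIS_CPE_ID_VENDOR` change from `redislabs` to `redis`, the commit message gives one advisory for the new vendor name but no statement about CVEs still recorded under the old one, which is the question raised later in the thread with cve-2021-32625. Suggest recording in the commit message how such entries were checked, or noting the old vendor name in a comment above the assignment so that it is not lost from redis.mk.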
--
2.54.0
* [Buildroot] [PATCH] package/cups-filter: update CPE vendor
From: Thomas Perale via buildroot @ 2026-05-29 9:45 UTC
To: buildroot
Cc: Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
The CPE "cpe:2.3:a:openprinting:cups-filters:*:*:*:*:*:*:*:*" is valid
for this pacakge.
See the GHSA [1] and the associated CVE [2].
[1] https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-893j-2wr2-wrh9
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-64503
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/cups-filters/cups-filters.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/cups-filters/cups-filters.mk b/package/cups-filters/cups-filters.mk
index dcfb2e9500..f2b85aa9d5 100644
--- a/package/cups-filters/cups-filters.mk
+++ b/package/cups-filters/cups-filters.mk
@@ -8,7 +8,7 @@ CUPS_FILTERS_VERSION = 1.28.17
CUPS_FILTERS_SITE = https://github.com/OpenPrinting/cups-filters/releases/download/$(CUPS_FILTERS_VERSION)
CUPS_FILTERS_LICENSE = GPL-2.0, GPL-2.0+, GPL-3.0, GPL-3.0+, LGPL-2, LGPL-2.1+, MIT, BSD-4-Clause
CUPS_FILTERS_LICENSE_FILES = COPYING
-CUPS_FILTERS_CPE_ID_VENDOR = linuxfoundation
+CUPS_FILTERS_CPE_ID_VENDOR = openprinting
# 0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
CUPS_FILTERS_IGNORE_CVES += CVE-2023-24805
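Review bot: The subject says `package/cups-filter` while the file changed is `package/cups-filters/cups-filters.mk`, so the prefix should be `package/cups-filters`. Since the context keeps `CUPS_FILTERS_IGNORE_CVES += CVE-2023-24805`, the commit message could also say whether CVEs for this package are still recorded under `linuxfoundation` after the switch to `openprinting`.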
--
2.54.0
* [Buildroot] [PATCH] package/icu: update CPE vendor
From: Thomas Perale via buildroot @ 2026-05-29 9:45 UTC
To: buildroot
Cc: Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
The CPE "cpe:2.3:a:unicode:international_components_for_unicode:*:*:*:*:*:*:*:*"
is valid for this package.
Also remove the no longer needed "ICU_CPE_ID_VERSION" subst since [1].
The previous CPE hasn't been used since 2020, while the new one got two
CVEs assigned since 2020.
[1] 5bf0db998b package/icu: bump version to 78.1
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-5222
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-21913
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/icu/icu.mk | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/package/icu/icu.mk b/package/icu/icu.mk
index 3030e0c71c..ee1ede6f2c 100644
--- a/package/icu/icu.mk
+++ b/package/icu/icu.mk
@@ -13,9 +13,8 @@ ICU_SITE = \
https://github.com/unicode-org/icu/releases/download/release-$(ICU_VERSION)
ICU_LICENSE = ICU License
ICU_LICENSE_FILES = LICENSE
-ICU_CPE_ID_VENDOR = icu-project
+ICU_CPE_ID_VENDOR = unicode
ICU_CPE_ID_PRODUCT = international_components_for_unicode
-ICU_CPE_ID_VERSION = $(subst -,.,$(ICU_VERSION))
ICU_DEPENDENCIES = host-icu
ICU_INSTALL_STAGING = YES
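Review bot: Removing `ICU_CPE_ID_VERSION = $(subst -,.,$(ICU_VERSION))` is a second logical change next to the vendor switch, and the commit message justifies it only by pointing at [1] without saying what changed in the version string. Suggest either splitting it into its own patch or adding one sentence on why the `-` to `.` substitution is no longer needed; the message also lists [2] and [3] without referring to them in the text.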
--
2.54.0
* [Buildroot] [PATCH] package/libgit2: update CPE vendor
From: Thomas Perale via buildroot @ 2026-05-29 9:45 UTC
To: buildroot
Cc: Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
The CPE "cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*" is valid for this
package.
The previous CPE hasn't been used since 2016 while the new one has 10
new CVEs assigned to it.
See the GHSA [1] and the associated CVE [2].
[1] https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
[2] https://nvd.nist.gov/vuln/detail/cve-2024-24577
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/libgit2/libgit2.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/libgit2/libgit2.mk b/package/libgit2/libgit2.mk
index 34cb67929e..02af500a65 100644
--- a/package/libgit2/libgit2.mk
+++ b/package/libgit2/libgit2.mk
@@ -15,7 +15,7 @@ LIBGIT2_LICENSE = \
BSD-2-Clause (basename_r), \
LGPL-2.1+ (libxdiff)
LIBGIT2_LICENSE_FILES = COPYING
-LIBGIT2_CPE_ID_VALID = YES
+LIBGIT2_CPE_ID_VENDOR = libgit2
LIBGIT2_INSTALL_STAGING = YES
LIBGIT2_CONF_OPTS = \
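Review bot: Because `LIBGIT2_CPE_ID_VALID = YES` is replaced here rather than an existing vendor line, the "previous CPE" that the commit message refers to is never spelled out in the patch. Suggest quoting the full previous CPE string next to the new one so the claim that it "hasn't been used since 2016" can be checked, and wording the subject as adding the vendor.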
--
2.54.0
* [Buildroot] [PATCH] package/gstreamer1: update CPE vendor
From: Thomas Perale via buildroot @ 2026-05-29 9:45 UTC
To: buildroot
Cc: Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
The CPE "cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*" is valid for
this package.
The previous vendor `gstreamer_project` has no CVE assigned to it except
"gstreamer_project:gst-rtsp-server" which targets another package.
See the CVEs [1][2] ...
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-3085
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-3086
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/gstreamer1/gstreamer1/gstreamer1.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/gstreamer1/gstreamer1/gstreamer1.mk b/package/gstreamer1/gstreamer1/gstreamer1.mk
index e9299e9e93..535272ed25 100644
--- a/package/gstreamer1/gstreamer1/gstreamer1.mk
+++ b/package/gstreamer1/gstreamer1/gstreamer1.mk
@@ -10,7 +10,7 @@ GSTREAMER1_SITE = https://gstreamer.freedesktop.org/src/gstreamer
GSTREAMER1_INSTALL_STAGING = YES
GSTREAMER1_LICENSE_FILES = COPYING
GSTREAMER1_LICENSE = LGPL-2.1+
-GSTREAMER1_CPE_ID_VENDOR = gstreamer_project
+GSTREAMER1_CPE_ID_VENDOR = gstreamer
GSTREAMER1_CPE_ID_PRODUCT = gstreamer
GSTREAMER1_CONF_OPTS = \
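Review bot: The commit message says `gstreamer_project` is still used for "gstreamer_project:gst-rtsp-server", but the hunk only touches `GSTREAMER1_CPE_ID_VENDOR` in gstreamer1.mk and the message does not say whether the package for gst-rtsp-server deliberately keeps the old vendor. Suggest stating that explicitly, and replacing the trailing "..." after "See the CVEs [1][2]" with a complete sentence.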
--
2.54.0
* Re: [Buildroot] [PATCH] pacakge/jq: update CPE vendor
From: Peter Korsgaard @ 2026-05-30 8:53 UTC
To: Thomas Perale via buildroot
Cc: Thomas Perale, Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> The CPE "cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*" is valid for this package.
> See the GHSA [1] and the associated CVE [2].
> [1] https://github.com/jqlang/jq/security/advisories/GHSA-rmpv-jgvr-wpr9
> [2] https://nvd.nist.gov/vuln/detail/CVE-2026-44777
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
NIT: You are adding the vendor, not really updating it. Committed after
fixing that (and the package typo), thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/hiredis: update CPE vendor
From: Peter Korsgaard @ 2026-05-30 8:54 UTC
To: Thomas Perale via buildroot
Cc: Thomas Perale, Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> The CPE "cpe:2.3:a:redis:hiredis:*:*:*:*:*:*:*:*" is valid for this
> package.
> See the GHSA [1] and the associated CVE [2].
> [1] https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2
> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-32765
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/redis: update CPE vendor
From: Peter Korsgaard @ 2026-05-30 8:56 UTC
To: Thomas Perale via buildroot
Cc: Thomas Perale, Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> The CPE "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*" is valid for this
> package.
> See the GHSA [1] and the associated CVE [2].
> [1] https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4
> [2] https://nvd.nist.gov/vuln/detail/CVE-2026-25243
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/cups-filter: update CPE vendor
From: Peter Korsgaard @ 2026-05-30 8:59 UTC
To: Thomas Perale via buildroot
Cc: Thomas Perale, Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> The CPE "cpe:2.3:a:openprinting:cups-filters:*:*:*:*:*:*:*:*" is valid
> for this pacakge.
s/pacakge/package/.
Committed with that fixed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/libgit2: update CPE vendor
From: Peter Korsgaard @ 2026-05-30 9:00 UTC
To: Thomas Perale via buildroot
Cc: Thomas Perale, Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> The CPE "cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*" is valid for this
> package.
> The previous CPE hasn't been used since 2016 while the new one has 10
> new CVEs assigned to it.
> See the GHSA [1] and the associated CVE [2].
> [1] https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
> [2] https://nvd.nist.gov/vuln/detail/cve-2024-24577
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/icu: update CPE vendor
From: Peter Korsgaard @ 2026-05-30 9:02 UTC
To: Thomas Perale via buildroot
Cc: Thomas Perale, Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> The CPE "cpe:2.3:a:unicode:international_components_for_unicode:*:*:*:*:*:*:*:*"
> is valid for this package.
> Also remove the no longer needed "ICU_CPE_ID_VERSION" subst since [1].
> The previous CPE hasn't been used since 2020, while the new one got two
> CVEs assigned since 2020.
> [1] 5bf0db998b package/icu: bump version to 78.1
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-5222
> [3] https://nvd.nist.gov/vuln/detail/CVE-2020-21913
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Committed, thanks.
I think we can also remove the comment about git tags in icu.mk.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/gstreamer1: update CPE vendor
From: Peter Korsgaard @ 2026-05-30 9:03 UTC
To: Thomas Perale via buildroot
Cc: Thomas Perale, Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Titouan Christophe, Olivier Schonken
>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> The CPE "cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*" is valid for
> this package.
> The previous vendor `gstreamer_project` has no CVE assigned to it except
> "gstreamer_project:gst-rtsp-server" which targets another package.
> See the CVEs [1][2] ...
> [1] https://nvd.nist.gov/vuln/detail/CVE-2026-3085
> [2] https://nvd.nist.gov/vuln/detail/CVE-2026-3086
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/redis: update CPE vendor
From: Titouan Christophe via buildroot @ 2026-05-30 10:10 UTC
To: Peter Korsgaard, Thomas Perale via buildroot
Cc: Thomas Perale, Daniel Price, Fabrice Fontaine, Angelo Compagnucci,
Danomi Manchego, Olivier Schonken
Hi Thomas, Peter and all,
On 30/05/26 10:56, Peter Korsgaard wrote:
>>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> > The CPE "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*" is valid for this
> > package.
Although, the CPE vendor "redislabs" has also been used in other CVEs;
for example this one https://nvd.nist.gov/vuln/detail/cve-2021-32625.
Not sure how to properly handle these...
Titouan
>
> > See the GHSA [1] and the associated CVE [2].
>
> > [1] https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4
> > [2] https://nvd.nist.gov/vuln/detail/CVE-2026-25243
>
> > Signed-off-by: Thomas Perale <thomas.perale@mind.be>
>
> Committed, thanks.
>
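Added example (not part of the thread and not Buildroot's own tooling): a small Python check for the question raised in the message above, namely which CVE records a package matches under the old vendor name, the new one, or both. The CVE ids and criteria strings are constructed sample data, the function names are hypothetical, and the matching is simplified to attribute equality with `*` as a wildcard (no version ranges).

```python
import re

# CPE 2.3 formatted-string attributes, in order, after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 named attributes.

    A colon preceded by a backslash is escaped and belongs to the value,
    so the string is split only on unescaped colons.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    values = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(values) != len(CPE_FIELDS):
        raise ValueError("expected 11 attributes, got %d" % len(values))
    return dict(zip(CPE_FIELDS, values))


def matches(pkg_cpe, criteria):
    """True when every attribute is equal or one side is the wildcard '*'."""
    a, b = parse_cpe23(pkg_cpe), parse_cpe23(criteria)
    return all(a[f] == b[f] or "*" in (a[f], b[f]) for f in CPE_FIELDS)


def vendor_coverage(product, old_vendor, new_vendor, records):
    """Partition CVE ids by which package CPE (old or new vendor) matches.

    records is a list of (cve_id, [criteria CPE strings]) tuples.
    """
    template = "cpe:2.3:a:%s:%s:*:*:*:*:*:*:*:*"
    old_cpe = template % (old_vendor, product)
    new_cpe = template % (new_vendor, product)
    report = {"both": [], "old_only": [], "new_only": [], "neither": []}
    for cve_id, criteria in records:
        hit_old = any(matches(old_cpe, c) for c in criteria)
        hit_new = any(matches(new_cpe, c) for c in criteria)
        if hit_old and hit_new:
            key = "both"
        elif hit_old:
            key = "old_only"
        elif hit_new:
            key = "new_only"
        else:
            key = "neither"
        report[key].append(cve_id)
    return report


# Constructed sample records: placeholder ids, made-up versions.
SAMPLE_RECORDS = [
    ("CVE-XXXX-0001", ["cpe:2.3:a:redislabs:redis:6.2.0:*:*:*:*:*:*:*"]),
    ("CVE-XXXX-0002", ["cpe:2.3:a:redis:redis:8.0.0:*:*:*:*:*:*:*"]),
    ("CVE-XXXX-0003", ["cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:*",
                       "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*"]),
    ("CVE-XXXX-0004", ["cpe:2.3:a:redis:hiredis:1.0.0:*:*:*:*:*:*:*"]),
]

if __name__ == "__main__":
    report = vendor_coverage("redis", "redislabs", "redis", SAMPLE_RECORDS)
    for bucket, ids in report.items():
        print("%-9s %s" % (bucket, ", ".join(ids) or "-"))
```

Entries that land in `old_only` are the ones a single-vendor switch would stop matching.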
* Re: [Buildroot] [PATCH] pacakge/jq: update CPE vendor
From: Thomas Perale via buildroot @ 2026-06-05 12:50 UTC
To: Thomas Perale; +Cc: buildroot
In reply to:
> The CPE "cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*" is valid for this package.
>
> See the GHSA [1] and the associated CVE [2].
>
> [1] https://github.com/jqlang/jq/security/advisories/GHSA-rmpv-jgvr-wpr9
> [2] https://nvd.nist.gov/vuln/detail/CVE-2026-44777
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> package/jq/jq.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/jq/jq.mk b/package/jq/jq.mk
> index b0776021fc..19a130b694 100644
> --- a/package/jq/jq.mk
> +++ b/package/jq/jq.mk
> @@ -9,7 +9,7 @@ JQ_SITE = https://github.com/jqlang/jq/releases/download/jq-$(JQ_VERSION)
> JQ_LICENSE = MIT (code), ICU (decNumber), CC-BY-3.0 (documentation), \
> BSD-2-Clause (strptime)
> JQ_LICENSE_FILES = COPYING
> -JQ_CPE_ID_VALID = YES
> +JQ_CPE_ID_VENDOR = jqlang
> JQ_INSTALL_STAGING = YES
>
> # uses c99 specific features
> --
> 2.54.0
>
* Re: [Buildroot] [PATCH] package/cups-filter: update CPE vendor
From: Thomas Perale via buildroot @ 2026-06-05 12:50 UTC
To: Thomas Perale; +Cc: buildroot
In reply to:
> The CPE "cpe:2.3:a:openprinting:cups-filters:*:*:*:*:*:*:*:*" is valid
> for this pacakge.
>
> See the GHSA [1] and the associated CVE [2].
>
> [1] https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-893j-2wr2-wrh9
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-64503
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> package/cups-filters/cups-filters.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/cups-filters/cups-filters.mk b/package/cups-filters/cups-filters.mk
> index dcfb2e9500..f2b85aa9d5 100644
> --- a/package/cups-filters/cups-filters.mk
> +++ b/package/cups-filters/cups-filters.mk
> @@ -8,7 +8,7 @@ CUPS_FILTERS_VERSION = 1.28.17
> CUPS_FILTERS_SITE = https://github.com/OpenPrinting/cups-filters/releases/download/$(CUPS_FILTERS_VERSION)
> CUPS_FILTERS_LICENSE = GPL-2.0, GPL-2.0+, GPL-3.0, GPL-3.0+, LGPL-2, LGPL-2.1+, MIT, BSD-4-Clause
> CUPS_FILTERS_LICENSE_FILES = COPYING
> -CUPS_FILTERS_CPE_ID_VENDOR = linuxfoundation
> +CUPS_FILTERS_CPE_ID_VENDOR = openprinting
>
> # 0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
> CUPS_FILTERS_IGNORE_CVES += CVE-2023-24805
> --
> 2.54.0
>
* Re: [Buildroot] [PATCH] package/gstreamer1: update CPE vendor
From: Thomas Perale via buildroot @ 2026-06-05 12:50 UTC
To: Thomas Perale; +Cc: buildroot
In reply to:
> The CPE "cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*" is valid for
> this package.
>
> The previous vendor `gstreamer_project` has no CVE assigned to it except
> "gstreamer_project:gst-rtsp-server" which targets another package.
>
> See the CVEs [1][2] ...
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2026-3085
> [2] https://nvd.nist.gov/vuln/detail/CVE-2026-3086
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> package/gstreamer1/gstreamer1/gstreamer1.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/gstreamer1/gstreamer1/gstreamer1.mk b/package/gstreamer1/gstreamer1/gstreamer1.mk
> index e9299e9e93..535272ed25 100644
> --- a/package/gstreamer1/gstreamer1/gstreamer1.mk
> +++ b/package/gstreamer1/gstreamer1/gstreamer1.mk
> @@ -10,7 +10,7 @@ GSTREAMER1_SITE = https://gstreamer.freedesktop.org/src/gstreamer
> GSTREAMER1_INSTALL_STAGING = YES
> GSTREAMER1_LICENSE_FILES = COPYING
> GSTREAMER1_LICENSE = LGPL-2.1+
> -GSTREAMER1_CPE_ID_VENDOR = gstreamer_project
> +GSTREAMER1_CPE_ID_VENDOR = gstreamer
> GSTREAMER1_CPE_ID_PRODUCT = gstreamer
>
> GSTREAMER1_CONF_OPTS = \
> --
> 2.54.0
>
* Re: [Buildroot] [PATCH] package/hiredis: update CPE vendor
From: Thomas Perale via buildroot @ 2026-06-05 12:50 UTC
To: Thomas Perale; +Cc: buildroot
In reply to:
> The CPE "cpe:2.3:a:redis:hiredis:*:*:*:*:*:*:*:*" is valid for this
> package.
>
> See the GHSA [1] and the associated CVE [2].
>
> [1] https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2
> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-32765
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> package/hiredis/hiredis.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/hiredis/hiredis.mk b/package/hiredis/hiredis.mk
> index f7acb2f131..33a87e7780 100644
> --- a/package/hiredis/hiredis.mk
> +++ b/package/hiredis/hiredis.mk
> @@ -9,7 +9,7 @@ HIREDIS_VERSION = $(HIREDIS_VERSION_MAJOR).0
> HIREDIS_SITE = $(call github,redis,hiredis,v$(HIREDIS_VERSION))
> HIREDIS_LICENSE = BSD-3-Clause
> HIREDIS_LICENSE_FILES = COPYING
> -HIREDIS_CPE_ID_VENDOR = redislabs
> +HIREDIS_CPE_ID_VENDOR = redis
> HIREDIS_INSTALL_STAGING = YES
>
> # The package is a dependency to ccache so ccache cannot be a dependency
> --
> 2.54.0
>
* Re: [Buildroot] [PATCH] package/icu: update CPE vendor
From: Thomas Perale via buildroot @ 2026-06-05 12:51 UTC
To: Thomas Perale; +Cc: buildroot
In reply to:
> The CPE "cpe:2.3:a:unicode:international_components_for_unicode:*:*:*:*:*:*:*:*"
> is valid for this package.
>
> Also remove the no longer needed "ICU_CPE_ID_VERSION" subst since [1].
>
> The previous CPE hasn't been used since 2020, while the new one got two
> CVEs assigned since 2020.
>
> [1] 5bf0db998b package/icu: bump version to 78.1
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-5222
> [3] https://nvd.nist.gov/vuln/detail/CVE-2020-21913
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> package/icu/icu.mk | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/package/icu/icu.mk b/package/icu/icu.mk
> index 3030e0c71c..ee1ede6f2c 100644
> --- a/package/icu/icu.mk
> +++ b/package/icu/icu.mk
> @@ -13,9 +13,8 @@ ICU_SITE = \
> https://github.com/unicode-org/icu/releases/download/release-$(ICU_VERSION)
> ICU_LICENSE = ICU License
> ICU_LICENSE_FILES = LICENSE
> -ICU_CPE_ID_VENDOR = icu-project
> +ICU_CPE_ID_VENDOR = unicode
> ICU_CPE_ID_PRODUCT = international_components_for_unicode
> -ICU_CPE_ID_VERSION = $(subst -,.,$(ICU_VERSION))
>
> ICU_DEPENDENCIES = host-icu
> ICU_INSTALL_STAGING = YES
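Review bot: removing the "ICU_CPE_ID_VERSION = $(subst -,.,$(ICU_VERSION))" line is only safe where ICU_VERSION no longer contains a "-", which the commit message ties to 5bf0db998b (bump to 78.1). Since this was applied to 2025.02.x and 2026.02.x, check that each branch carries that bump; on a branch whose ICU_VERSION is still hyphenated, the CPE version would no longer be converted to the dotted form the subst produced, so keep the subst there and change only ICU_CPE_ID_VENDOR. The message also lists [2] and [3] without citing them in the text; referencing them next to the sentence about the two CVEs would make the justification easier to check.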
> --
> 2.54.0
>
* Re: [Buildroot] [PATCH] package/libgit2: update CPE vendor
2026-05-29 9:45 ` [Buildroot] [PATCH] package/libgit2: " Thomas Perale via buildroot
2026-05-30 9:00 ` Peter Korsgaard
@ 2026-06-05 12:51 ` Thomas Perale via buildroot
1 sibling, 0 replies; 22+ messages in thread
From: Thomas Perale via buildroot @ 2026-06-05 12:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
In reply to:
> The CPE "cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*" is valid for this
> package.
>
> The previous CPE hasn't been used since 2016 while the new one has 10
> new CVEs assigned to it.
>
> See the GHSA [1] and the associated CVE [2].
>
> [1] https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
> [2] https://nvd.nist.gov/vuln/detail/cve-2024-24577
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> package/libgit2/libgit2.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/libgit2/libgit2.mk b/package/libgit2/libgit2.mk
> index 34cb67929e..02af500a65 100644
> --- a/package/libgit2/libgit2.mk
> +++ b/package/libgit2/libgit2.mk
> @@ -15,7 +15,7 @@ LIBGIT2_LICENSE = \
> BSD-2-Clause (basename_r), \
> LGPL-2.1+ (libxdiff)
> LIBGIT2_LICENSE_FILES = COPYING
> -LIBGIT2_CPE_ID_VALID = YES
> +LIBGIT2_CPE_ID_VENDOR = libgit2
> LIBGIT2_INSTALL_STAGING = YES
>
> LIBGIT2_CONF_OPTS = \
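Review bot: the commit message never names the CPE that is being abandoned when LIBGIT2_CPE_ID_VALID = YES is replaced by LIBGIT2_CPE_ID_VENDOR = libgit2, it only says the previous one "hasn't been used since 2016". Writing the old CPE string next to the new one in the message would let a reader verify that claim against NVD, and confirm that the entries filed under the old vendor, which stop matching after this change, do not cover the packaged version.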
> --
> 2.54.0
>
* Re: [Buildroot] [PATCH] package/redis: update CPE vendor
2026-05-29 9:45 ` [Buildroot] [PATCH] package/redis: " Thomas Perale via buildroot
2026-05-30 8:56 ` Peter Korsgaard
@ 2026-06-05 12:51 ` Thomas Perale via buildroot
1 sibling, 0 replies; 22+ messages in thread
From: Thomas Perale via buildroot @ 2026-06-05 12:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
In reply to:
> The CPE "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*" is valid for this
> package.
>
> See the GHSA [1] and the associated CVE [2].
>
> [1] https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4
> [2] https://nvd.nist.gov/vuln/detail/CVE-2026-25243
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> package/redis/redis.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/redis/redis.mk b/package/redis/redis.mk
> index 6ce9933029..9db7226675 100644
> --- a/package/redis/redis.mk
> +++ b/package/redis/redis.mk
> @@ -10,7 +10,7 @@ REDIS_LICENSE = \
> AGPL-3.0 or SSPL-1.0 or RSAL-2.0 (core); \
> MIT and BSD family licenses (Bundled components)
> REDIS_LICENSE_FILES = LICENSE.txt
> -REDIS_CPE_ID_VENDOR = redislabs
> +REDIS_CPE_ID_VENDOR = redis
> REDIS_SELINUX_MODULES = redis
>
> define REDIS_USERS
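Review bot: the switch on the REDIS_CPE_ID_VENDOR line from redislabs to redis is justified in the message by a single GHSA/CVE pair, with no statement about the entries still recorded under redislabs. The icu and libgit2 patches in this series say since when the old CPE has been unused; adding the same information here would show that dropping redislabs does not lose CVE matches that are still relevant to the packaged version.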
> --
> 2.54.0
>