public inbox for openembedded-core@lists.openembedded.org
* [OE-core][whinlatter 00/15] Patch review
@ 2026-01-20 11:23 Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 01/15] util-linux: patch CVE-2025-14104 Yoann Congal
                   ` (15 more replies)
  0 siblings, 16 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for whinlatter and have comments back by
end of day Thursday, January 22.

This whinlatter patch review request is aimed at getting kirkstone
4.0.33 built on Monday:
* Ensuring fixes in kirkstone have their equivalent in more recent
  stable branches.
* pseudo upgrade to fix 16117 – AB-INT: do_package: Error executing a python function in exec_func_python() autogenerated
  https://bugzilla.yoctoproject.org/show_bug.cgi?id=16117
* ffmpeg patches to fix 16000 – AB-INT: ffmpeg build failing
  https://bugzilla.yoctoproject.org/show_bug.cgi?id=16000

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3092


The following changes since commit dd10706cfafb5574b7cf316fca2300d166ef71b0:

  build-appliance-image: Update to whinlatter head revisions (2026-01-12 10:58:53 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/whinlatter-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/whinlatter-nut

for you to fetch changes up to e7891f39ae90d1c23bfcb59af0064591513a671d:

  libarchive: upgrade 3.8.4 -> 3.8.5 (2026-01-19 23:29:16 +0100)

----------------------------------------------------------------

Alexander Kanavin (3):
  libpng: upgrade 1.6.52 -> 1.6.53
  ffmpeg: add a (possible) build race fix
  ffmpeg: fix a build race, hopefully for real this time

Paul Barker (1):
  selftest: devtool: Set PATH when running pseudo

Peter Marko (9):
  util-linux: patch CVE-2025-14104
  gnupg: patch CVE-2025-68973
  curl: patch CVE-2025-13034
  curl: patch CVE-2025-14017
  curl: patch CVE-2025-14524
  curl: patch CVE-2025-14819
  curl: patch CVE-2025-15079
  curl: patch CVE-2025-15224
  libarchive: upgrade 3.8.4 -> 3.8.5

Richard Purdie (2):
  pseudo: Update to pull in openat2 and efault return code changes
  pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation'

 meta/lib/oeqa/selftest/cases/devtool.py       |   5 +-
 meta/recipes-core/util-linux/util-linux.inc   |   2 +
 .../util-linux/CVE-2025-14104-01.patch        |  33 +++++
 .../util-linux/CVE-2025-14104-02.patch        |  28 +++++
 meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
 ...ibarchive_3.8.4.bb => libarchive_3.8.5.bb} |   2 +-
 ...k-Consolidate-pattern-rules-for-comp.patch | 106 ++++++++++++++++
 ...s-Fix-double-build-by-disabling-.d-f.patch |  78 ++++++++++++
 ...ak-ensure-target-directories-are-cre.patch |  43 +++++++
 meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb  |   6 +-
 .../{libpng_1.6.52.bb => libpng_1.6.53.bb}    |   2 +-
 .../curl/curl/CVE-2025-13034.patch            |  37 ++++++
 .../curl/curl/CVE-2025-14017.patch            | 116 ++++++++++++++++++
 .../curl/curl/CVE-2025-14524.patch            |  40 ++++++
 .../curl/curl/CVE-2025-14819.patch            |  73 +++++++++++
 .../curl/curl/CVE-2025-15079.patch            |  32 +++++
 .../curl/curl/CVE-2025-15224.patch            |  31 +++++
 meta/recipes-support/curl/curl_8.17.0.bb      |   6 +
 .../gnupg/gnupg/CVE-2025-68973.patch          | 108 ++++++++++++++++
 meta/recipes-support/gnupg/gnupg_2.5.11.bb    |   1 +
 20 files changed, 745 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
 rename meta/recipes-extended/libarchive/{libarchive_3.8.4.bb => libarchive_3.8.5.bb} (96%)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-ffbuild-commonmak-Consolidate-pattern-rules-for-comp.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-fftools-resources-Fix-double-build-by-disabling-.d-f.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0002-ffbuild-common.mak-ensure-target-directories-are-cre.patch
 rename meta/recipes-multimedia/libpng/{libpng_1.6.52.bb => libpng_1.6.53.bb} (97%)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-13034.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14017.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14819.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15079.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15224.patch
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch




* [OE-core][whinlatter 01/15] util-linux: patch CVE-2025-14104
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 02/15] gnupg: patch CVE-2025-68973 Yoann Congal
                   ` (14 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patches per [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-14104

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-core/util-linux/util-linux.inc   |  2 ++
 .../util-linux/CVE-2025-14104-01.patch        | 33 +++++++++++++++++++
 .../util-linux/CVE-2025-14104-02.patch        | 28 ++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch

diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index e7a3c5be9f..3135bbb7c6 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -21,6 +21,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
            file://0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch \
            file://0001-tests-helpers-test_sigstate.c-explicitly-reset-SIGIN.patch \
            file://0001-include-mount-api-utils-avoid-using-sys-mount.h.patch \
+           file://CVE-2025-14104-01.patch \
+           file://CVE-2025-14104-02.patch \
            "
 
 SRC_URI[sha256sum] = "be9ad9a276f4305ab7dd2f5225c8be1ff54352f565ff4dede9628c1aaa7dec57"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
new file mode 100644
index 0000000000..23677345c9
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
@@ -0,0 +1,33 @@
+From aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Date: Sat, 24 May 2025 03:16:09 +0100
+Subject: [PATCH] Update setpwnam.c
+
+CVE: CVE-2025-14104
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/aaa9e718c88d6916b003da7ebcfe38a3c88df8e6]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ login-utils/setpwnam.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1abde..95e470b5a 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -126,10 +126,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		}
+ 
+ 		/* Is this the username we were sent to change? */
+-		if (!found && linebuf[namelen] == ':' &&
+-		    !strncmp(linebuf, pwd->pw_name, namelen)) {
+-			/* Yes! So go forth in the name of the Lord and
+-			 * change it!  */
++		if (!found &&
++		    strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
++		    strlen(linebuf) > namelen &&
++		    linebuf[namelen] == ':') {
++			/* Yes! But this time let’s not walk past the end of the buffer
++			 * in the name of the Lord, SUID, or anything else. */
+ 			if (putpwent(pwd, fp) < 0)
+ 				goto fail;
+ 			found = 1;
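Review bot: The patch header for CVE-2025-14104-01.patch says only "Update setpwnam.c", so nothing in the file records what is fixed; add a line under the subject stating that the old condition read linebuf[namelen] before strncmp() had established that the line is at least namelen bytes long. In the new condition, strlen(linebuf) > namelen is already implied once strncmp() over namelen bytes returns 0 and linebuf[namelen] == ':' holds, so it is redundant but harmless; the evaluation order is what matters, and it assumes linebuf is NUL-terminated, which these lines do not show. The replacement comment also brings a non-ASCII apostrophe (let’s) into a C file.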
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
new file mode 100644
index 0000000000..9d21db2743
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
@@ -0,0 +1,28 @@
+From 9a36d77012c4c771f8d51eba46b6e62c29bf572a Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Date: Mon, 26 May 2025 10:06:02 +0100
+Subject: [PATCH] Update bufflen
+
+Update buflen
+
+CVE: CVE-2025-14104
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/9a36d77012c4c771f8d51eba46b6e62c29bf572a]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ login-utils/setpwnam.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 95e470b5a..7778e98f7 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		goto fail;
+ 
+ 	namelen = strlen(pwd->pw_name);
+-
++	if (namelen > buflen)
++		buflen += namelen;
+ 	linebuf = malloc(buflen);
+ 	if (!linebuf)
+ 		goto fail;
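Review bot: The guard "if (namelen > buflen)" leaves buflen unchanged when namelen == buflen, so a name exactly as long as the buffer gets no room for the ':' or a terminator; ">=" (or sizing the buffer to namelen plus the rest of the record) would close that boundary. As written, that case is safe only because of the strncmp()-first ordering from CVE-2025-14104-01.patch, so the two patches should be documented as a pair that must both be applied. "buflen += namelen" is also unchecked for wrap-around, and the type of buflen is not visible in these lines.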



* [OE-core][whinlatter 02/15] gnupg: patch CVE-2025-68973
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 01/15] util-linux: patch CVE-2025-14104 Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53 Yoann Congal
                   ` (13 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch from 2.4 branch per [1].
2.5 branch already reworked this and patch from that didn't apply.

[1] https://security-tracker.debian.org/tracker/CVE-2025-68973

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../gnupg/gnupg/CVE-2025-68973.patch          | 108 ++++++++++++++++++
 meta/recipes-support/gnupg/gnupg_2.5.11.bb    |   1 +
 2 files changed, 109 insertions(+)
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch

diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch b/meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch
new file mode 100644
index 0000000000..1d5225361b
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch
@@ -0,0 +1,108 @@
+From 4ecc5122f20e10c17172ed72f4fa46c784b5fb48 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 23 Oct 2025 11:36:04 +0200
+Subject: [PATCH] gpg: Fix possible memory corruption in the armor parser.
+
+* g10/armor.c (armor_filter): Fix faulty double increment.
+
+* common/iobuf.c (underflow_target): Assert that the filter
+implementations behave well.
+--
+
+This fixes a bug in a code path which can only be reached with special
+crafted input data and would then error out at an upper layer due to
+corrupt input (every second byte in the buffer is unitialized
+garbage).  No fuzzing has yet hit this case and we don't have a test
+case for this code path.  However memory corruption can never be
+tolerated as it always has the protential for remode code execution.
+
+Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a
+Fixes-commit: c27c7416d5148865a513e007fb6f0a34993a6073
+which fixed
+Fixes-commit: 7d0efec7cf5ae110c99511abc32587ff0c45b14f
+Backported-from-master: 115d138ba599328005c5321c0ef9f00355838ca9
+
+The bug was introduced on 1999-01-07 by me:
+* armor.c: Rewrote large parts.
+which I fixed on 1999-03-02 but missed to fix the other case:
+* armor.c (armor_filter): Fixed armor bypassing.
+
+Below is base64+gzipped test data which can be used with valgrind to
+show access to uninitalized memory in write(2) in the unpatched code.
+
+--8<---------------cut here---------------start------------->8---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+--8<---------------cut here---------------end--------------->8---
+
+CVE: CVE-2025-68973
+Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/4ecc5122f20e10c17172ed72f4fa46c784b5fb48]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ common/iobuf.c | 8 +++++++-
+ g10/armor.c    | 4 ++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/common/iobuf.c b/common/iobuf.c
+index 748e6935d..2497713c1 100644
+--- a/common/iobuf.c
++++ b/common/iobuf.c
+@@ -2041,6 +2041,8 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+ 	rc = 0;
+       else
+       {
++        size_t tmplen;
++
+ 	/* If no buffered data and drain buffer has been setup, and drain
+ 	 * buffer is largish, read data directly to drain buffer. */
+ 	if (a->d.len == 0
+@@ -2053,8 +2055,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+ 	      log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes, to external drain)\n",
+ 			 a->no, a->subno, (ulong)len);
+ 
+-	    rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
++            tmplen = len;  /* Used to check for bugs in the filter.  */
++            rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
+ 			    a->e_d.buf, &len);
++            log_assert (len <= tmplen);
+ 	    a->e_d.used = len;
+ 	    len = 0;
+ 	  }
+@@ -2064,8 +2068,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+ 	      log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes)\n",
+ 			 a->no, a->subno, (ulong)len);
+ 
++            tmplen = len;  /* Used to check for bugs in the filter.  */
+ 	    rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
+ 			    &a->d.buf[a->d.len], &len);
++            log_assert (len <= tmplen);
+ 	  }
+       }
+       a->d.len += len;
+diff --git a/g10/armor.c b/g10/armor.c
+index 81af15339..f8cfa86db 100644
+--- a/g10/armor.c
++++ b/g10/armor.c
+@@ -1312,8 +1312,8 @@ armor_filter( void *opaque, int control,
+ 	n = 0;
+ 	if( afx->buffer_len ) {
+             /* Copy the data from AFX->BUFFER to BUF.  */
+-	    for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
+-		buf[n++] = afx->buffer[afx->buffer_pos++];
++            for(; n < size && afx->buffer_pos < afx->buffer_len;)
++                buf[n++] = afx->buffer[afx->buffer_pos++];
+ 	    if( afx->buffer_pos >= afx->buffer_len )
+ 		afx->buffer_len = 0;
+ 	}
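Review bot: The patch header does not say that this is the 2.4-branch commit applied to the 2.5.11 recipe; that is only in the OE commit message, so add a line next to Upstream-Status recording it and that the 2.5-branch rework did not apply. In the first common/iobuf.c sub-hunk the "rc = a->filter (" line is removed and re-added only to change its indentation, which adds churn to a security backport. The log_assert (len <= tmplen) checks sit before "a->e_d.used = len" and "a->d.len += len", so a filter that reports more than it was given now aborts instead of advancing the buffer length; the header itself says there is no test case for this path, so nothing in the series exercises either change.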
diff --git a/meta/recipes-support/gnupg/gnupg_2.5.11.bb b/meta/recipes-support/gnupg/gnupg_2.5.11.bb
index 9cc063f837..753eea6276 100644
--- a/meta/recipes-support/gnupg/gnupg_2.5.11.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.5.11.bb
@@ -19,6 +19,7 @@ UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/"
 SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0002-use-pkgconfig-instead-of-npth-config.patch \
            file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
+           file://CVE-2025-68973.patch \
            "
 SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
                                 file://relocate.patch"



* [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 01/15] util-linux: patch CVE-2025-14104 Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 02/15] gnupg: patch CVE-2025-68973 Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-21 12:38   ` Paul Barker
  2026-01-20 11:23 ` [OE-core][whinlatter 04/15] pseudo: Update to pull in openat2 and efault return code changes Yoann Congal
                   ` (12 subsequent siblings)
  15 siblings, 1 reply; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex@linutronix.de>

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../libpng/{libpng_1.6.52.bb => libpng_1.6.53.bb}               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-multimedia/libpng/{libpng_1.6.52.bb => libpng_1.6.53.bb} (97%)

diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.52.bb b/meta/recipes-multimedia/libpng/libpng_1.6.53.bb
similarity index 97%
rename from meta/recipes-multimedia/libpng/libpng_1.6.52.bb
rename to meta/recipes-multimedia/libpng/libpng_1.6.53.bb
index fba6e77b1c..956cd243b1 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.52.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.53.bb
@@ -14,7 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
            file://run-ptest \
 "
 
-SRC_URI[sha256sum] = "36bd726228ec93a3b6c22fdb49e94a67b16f2fe9b39b78b7cb65772966661ccc"
+SRC_URI[sha256sum] = "1d3fb8ccc2932d04aa3663e22ef5ef490244370f4e568d7850165068778d98d4"
 
 MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"
 
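Review bot: The only change is SRC_URI[sha256sum], and the commit message has no body, so the reason a stable branch takes 1.6.53 is not recorded; add a line saying what the release fixes (CVE identifiers, or that it is bug-fix only) so the upgrade can be judged for a stable branch.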



* [OE-core][whinlatter 04/15] pseudo: Update to pull in openat2 and efault return code changes
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (2 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53 Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 05/15] pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation' Yoann Congal
                   ` (11 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Pulls in the following fixes:

 * makewrappers: Enable a new efault option
 * ports/linux/openat2: Add dummy wrapper
 * test-syscall: Add a syscall test
 * ports/linux/pseudo_wrappers: Avoid openat2 usage via syscall

which should fix issues with the tar CVE fix on CentOS/Alma/Rocky 9 distros
that uses openat2 as well as the efault issue breaking rust based uutils.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 51f1388dd1679a28ec3ca468cf16aa0ea32bccf9)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index c18318bd53..a1a00d1a95 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
     file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
 
-SRCREV = "d1db9c219abf92f15303486a409292237f1fc790"
+SRCREV = "9ce8c09980af23ebd4ebf072010469882d0459a6"
 PV = "1.9.2+git"
 
 # largefile and 64bit time_t support adds these macros via compiler flags globally
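Review bot: The new SRCREV (9ce8c09980af23ebd4ebf072010469882d0459a6) is the revision that 05/15 describes as "causing hangs in builds", so any bisect on whinlatter that stops between 04 and 05 gets a hanging pseudo. Consider squashing the two bumps into one commit that goes straight to the fixed revision, keeping both cherry-pick references in the message.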



* [OE-core][whinlatter 05/15] pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation'
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (3 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 04/15] pseudo: Update to pull in openat2 and efault return code changes Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 06/15] ffmpeg: add a (possible) build race fix Yoann Congal
                   ` (10 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

The pseudo update was causing hangs in builds, pull in the fix.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8acdbefd0a148c8b7713f46066ae8489984c5d2d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index a1a00d1a95..19b0d29b71 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
     file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
 
-SRCREV = "9ce8c09980af23ebd4ebf072010469882d0459a6"
+SRCREV = "125b020dd2bc46baa37a80784704e382732357b4"
 PV = "1.9.2+git"
 
 # largefile and 64bit time_t support adds these macros via compiler flags globally



* [OE-core][whinlatter 06/15] ffmpeg: add a (possible) build race fix
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (4 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 05/15] pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation' Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 07/15] ffmpeg: fix a build race, hopefully for real this time Yoann Congal
                   ` (9 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex@linutronix.de>

There's been an intermittent build fail that looks like a race:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=16000

While I can't say for sure if this is fixing the issue,
there's no harm in adding a backport that rearranges the
faulty code, and someone can then try to add a real fix on top
of it. Or the race goes away and we're good.

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9dbd2141b52b24421927d64cd74ec43f6085c4f2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 ...s-Fix-double-build-by-disabling-.d-f.patch | 78 +++++++++++++++++++
 meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb  |  4 +-
 2 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-fftools-resources-Fix-double-build-by-disabling-.d-f.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-fftools-resources-Fix-double-build-by-disabling-.d-f.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-fftools-resources-Fix-double-build-by-disabling-.d-f.patch
new file mode 100644
index 0000000000..20009c1022
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-fftools-resources-Fix-double-build-by-disabling-.d-f.patch
@@ -0,0 +1,78 @@
+From a789ffae9de93eb70c355a81f9dd2ebf5d6b17a7 Mon Sep 17 00:00:00 2001
+From: softworkz <softworkz@hotmail.com>
+Date: Mon, 23 Jun 2025 14:56:19 +0200
+Subject: [PATCH] fftools/resources: Fix double-build by disabling .d file
+ generation
+
+Signed-off-by: softworkz <softworkz@hotmail.com>
+
+Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/f52d9dd8693bc4628520258f18f89b4a3bf85533]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ ffbuild/common.mak         |  6 ++----
+ fftools/Makefile           |  1 +
+ fftools/resources/Makefile | 12 +++++++++---
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/ffbuild/common.mak b/ffbuild/common.mak
+index ddf4892..81e8a46 100644
+--- a/ffbuild/common.mak
++++ b/ffbuild/common.mak
+@@ -229,11 +229,9 @@ SKIPHEADERS += $(ARCH_HEADERS:%=$(ARCH)/%) $(SKIPHEADERS-)
+ SKIPHEADERS := $(SKIPHEADERS:%=$(SUBDIR)%)
+ HOBJS        = $(filter-out $(SKIPHEADERS:.h=.h.o),$(ALLHEADERS:.h=.h.o))
+ PTXOBJS      = $(filter %.ptx.o,$(OBJS))
+-RESOURCEOBJS = $(filter %.css.o %.html.o,$(OBJS))
+ $(HOBJS):     CCFLAGS += $(CFLAGS_HEADERS)
+ checkheaders: $(HOBJS)
+-.SECONDARY:   $(HOBJS:.o=.c) $(PTXOBJS:.o=.c) $(PTXOBJS:.o=.gz) $(PTXOBJS:.o=) $(RESOURCEOBJS:.o=.c) $(RESOURCEOBJS:%.css.o=%.css.min) $(RESOURCEOBJS:%.css.o=%.css.min.gz) $(RESOURCEOBJS:%.html.o=%.html.gz) $(RESOURCEOBJS:.o=)
+-
++.SECONDARY:   $(HOBJS:.o=.c) $(PTXOBJS:.o=.c) $(PTXOBJS:.o=.gz) $(PTXOBJS:.o=)
+ alltools: $(TOOLS)
+ 
+ $(HOSTOBJS): %.o: %.c
+@@ -252,7 +250,7 @@ $(TOOLOBJS): | tools
+ 
+ OUTDIRS := $(OUTDIRS) $(dir $(OBJS) $(HOBJS) $(HOSTOBJS) $(SHLIBOBJS) $(STLIBOBJS) $(TESTOBJS))
+ 
+-CLEANSUFFIXES     = *.d *.gcda *.gcno *.h.c *.ho *.map *.o *.objs *.pc *.ptx *.ptx.gz *.ptx.c *.ver *.version *.html.gz *.html.c *.css.gz *.css.c  *$(DEFAULT_X86ASMD).asm *~ *.ilk *.pdb
++CLEANSUFFIXES     = *.d *.gcda *.gcno *.h.c *.ho *.map *.o *.objs *.pc *.ptx *.ptx.gz *.ptx.c *.ver *.version *.html.gz *.html.c *.css.min.gz *.css.min *.css.c  *$(DEFAULT_X86ASMD).asm *~ *.ilk *.pdb
+ LIBSUFFIXES       = *.a *.lib *.so *.so.* *.dylib *.dll *.def *.dll.a
+ 
+ define RULES
+diff --git a/fftools/Makefile b/fftools/Makefile
+index b3c08ae..bdb44fc 100644
+--- a/fftools/Makefile
++++ b/fftools/Makefile
+@@ -36,6 +36,7 @@ OBJS-ffmpeg +=                  \
+     fftools/textformat/tw_buffer.o    \
+     fftools/textformat/tw_stdout.o    \
+     $(OBJS-resman)                    \
++    $(RESOBJS)                        \
+ 
+ OBJS-ffprobe +=                       \
+     fftools/textformat/avtextformat.o \
+diff --git a/fftools/resources/Makefile b/fftools/resources/Makefile
+index 8579a52..3c93648 100644
+--- a/fftools/resources/Makefile
++++ b/fftools/resources/Makefile
+@@ -4,10 +4,16 @@ clean::
+ vpath %.html $(SRC_PATH)
+ vpath %.css  $(SRC_PATH)
+ 
+-# Uncomment to prevent deletion during build
+-#.PRECIOUS: %.css.c %.css.min %.css.gz %.css.min.gz %.html.gz %.html.c
+-
+ OBJS-resman +=                     \
+     fftools/resources/resman.o     \
++
++
++RESOBJS +=                         \
+     fftools/resources/graph.html.o \
+     fftools/resources/graph.css.o  \
++
++
++$(RESOBJS): CCDEP       =
++$(RESOBJS): CC_DEPFLAGS =
++
++.SECONDARY: $(RESOBJS:.o=.gz) $(RESOBJS:.o=.c) $(RESOBJS:%.css.o=%.css.min) $(RESOBJS:%.css.o=%.css.min.gz) $(RESOBJS:%.html.o=%.html.gz) $(RESOBJS:.o=)
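Review bot: The patch header carries only the subject, with no explanation of why .d file generation leads to the double build, and the OE commit message says it is not certain this fixes the race; add the bug link (bugzilla 16000) and a sentence on the mechanism to the header. In fftools/resources/Makefile, "$(RESOBJS): CCDEP =" and "$(RESOBJS): CC_DEPFLAGS =" switch off dependency tracking for graph.html.o and graph.css.o, so their rebuilds now depend entirely on the pattern-rule chain and on the .SECONDARY list added at the end of the file.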
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb
index ecaced7690..5e8d7bde55 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb
@@ -22,7 +22,9 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
                     file://COPYING.LGPLv3;md5=e6a600fd5e1d9cbde2d983680233ad02 \
                     "
 
-SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz"
+SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
+           file://0001-fftools-resources-Fix-double-build-by-disabling-.d-f.patch \
+           "
 
 SRC_URI[sha256sum] = "b2751fccb6cc4c77708113cd78b561059b6fa904b24162fa0be2d60273d27b8e"
 



* [OE-core][whinlatter 07/15] ffmpeg: fix a build race, hopefully for real this time
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (5 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 06/15] ffmpeg: add a (possible) build race fix Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 08/15] selftest: devtool: Set PATH when running pseudo Yoann Congal
                   ` (8 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex@linutronix.de>

This should address [YOCTO #16000].

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 86396b85b4e8f6748885710e50428271cd3493a8)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 ...k-Consolidate-pattern-rules-for-comp.patch | 106 ++++++++++++++++++
 ...ak-ensure-target-directories-are-cre.patch |  43 +++++++
 meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb  |   2 +
 3 files changed, 151 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-ffbuild-commonmak-Consolidate-pattern-rules-for-comp.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0002-ffbuild-common.mak-ensure-target-directories-are-cre.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-ffbuild-commonmak-Consolidate-pattern-rules-for-comp.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-ffbuild-commonmak-Consolidate-pattern-rules-for-comp.patch
new file mode 100644
index 0000000000..6af9254d95
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-ffbuild-commonmak-Consolidate-pattern-rules-for-comp.patch
@@ -0,0 +1,106 @@
+From 95f1f05409fceb8b3615fa618554667a238f99a5 Mon Sep 17 00:00:00 2001
+From: softworkz <softworkz@hotmail.com>
+Date: Tue, 27 May 2025 23:24:20 +0200
+Subject: [PATCH] ffbuild/commonmak: Consolidate pattern rules for compression
+
+This commit simplifies and consolidates all the rules around
+ptx and resource file compression.
+
+Signed-off-by: softworkz <softworkz@hotmail.com>
+
+Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/a125f5db03b86c03fffb9598bd6e2026ba2c7a97]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ ffbuild/common.mak | 43 +++++++++++++++++--------------------------
+ 1 file changed, 17 insertions(+), 26 deletions(-)
+
+diff --git a/ffbuild/common.mak b/ffbuild/common.mak
+index 81e8a46..0a60d01 100644
+--- a/ffbuild/common.mak
++++ b/ffbuild/common.mak
+@@ -115,6 +115,12 @@ COMPILE_LASX = $(call COMPILE,CC,LASXFLAGS)
+ $(BIN2CEXE): ffbuild/bin2c_host.o
+ 	$(HOSTLD) $(HOSTLDFLAGS) $(HOSTLD_O) $^ $(HOSTEXTRALIBS)
+ 
++RUN_BIN2C = $(BIN2C) $(patsubst $(SRC_PATH)/%,$(SRC_LINK)/%,$<) $@ $(subst .,_,$(basename $(notdir $@)))
++RUN_GZIP  = $(M)gzip -nc9 $(patsubst $(SRC_PATH)/%,$(SRC_LINK)/%,$<) >$@
++RUN_MINIFY = $(M)sed 's!/\\*.*\\*/!!g' $< | tr '\n' ' ' | tr -s ' ' | sed 's/^ //; s/ $$//' > $@
++%.gz: TAG = GZIP
++%.min: TAG = MINIFY
++
+ %.metal.air: %.metal
+ 	$(METALCC) $< -o $@
+ 
+@@ -122,61 +128,46 @@ $(BIN2CEXE): ffbuild/bin2c_host.o
+ 	$(METALLIB) --split-module-without-linking $< -o $@
+ 
+ %.metallib.c: %.metallib $(BIN2CEXE)
+-	$(BIN2C) $< $@ $(subst .,_,$(basename $(notdir $@)))
++	$(RUN_BIN2C)
+ 
+ %.ptx: %.cu $(SRC_PATH)/compat/cuda/cuda_runtime.h
+ 	$(COMPILE_NVCC)
+ 
+ ifdef CONFIG_PTX_COMPRESSION
+-%.ptx.gz: TAG = GZIP
+ %.ptx.gz: %.ptx
+-	$(M)gzip -nc9 $(patsubst $(SRC_PATH)/%,$(SRC_LINK)/%,$<) >$@
++	$(RUN_GZIP)
+ 
+ %.ptx.c: %.ptx.gz $(BIN2CEXE)
+-	$(BIN2C) $(patsubst $(SRC_PATH)/%,$(SRC_LINK)/%,$<) $@ $(subst .,_,$(basename $(notdir $@)))
++	$(RUN_BIN2C)
+ else
+ %.ptx.c: %.ptx $(BIN2CEXE)
+-	$(BIN2C) $(patsubst $(SRC_PATH)/%,$(SRC_LINK)/%,$<) $@ $(subst .,_,$(basename $(notdir $@)))
++	$(RUN_BIN2C)
+ endif
+ 
+-# 1) Preprocess CSS to a minified version
+-%.css.min: TAG = SED
+ %.css.min: %.css
+-	$(M)sed 's!/\\*.*\\*/!!g' $< \
+-	| tr '\n' ' ' \
+-	| tr -s ' ' \
+-	| sed 's/^ //; s/ $$//' \
+-	> $@
++	$(RUN_MINIFY)
+ 
+ ifdef CONFIG_RESOURCE_COMPRESSION
+ 
+-# 2) Gzip the minified CSS
+-%.css.min.gz: TAG = GZIP
+ %.css.min.gz: %.css.min
+-	$(M)gzip -nc9 $< > $@
++	$(RUN_GZIP)
+ 
+-# 3) Convert the gzipped CSS to a .c array
+ %.css.c: %.css.min.gz $(BIN2CEXE)
+-	$(BIN2C) $< $@ $(subst .,_,$(basename $(notdir $@)))
++	$(RUN_BIN2C)
+ 
+-# 4) Gzip the HTML file (no minification needed)
+-%.html.gz: TAG = GZIP
+ %.html.gz: %.html
+-	$(M)gzip -nc9 $< > $@
++	$(RUN_GZIP)
+ 
+-# 5) Convert the gzipped HTML to a .c array
+ %.html.c: %.html.gz $(BIN2CEXE)
+-	$(BIN2C) $< $@ $(subst .,_,$(basename $(notdir $@)))
++	$(RUN_BIN2C)
+ 
+ else   # NO COMPRESSION
+ 
+-# 2) Convert the minified CSS to a .c array
+ %.css.c: %.css.min $(BIN2CEXE)
+-	$(BIN2C) $< $@ $(subst .,_,$(basename $(notdir $@)))
++	$(RUN_BIN2C)
+ 
+-# 3) Convert the plain HTML to a .c array
+ %.html.c: %.html $(BIN2CEXE)
+-	$(BIN2C) $< $@ $(subst .,_,$(basename $(notdir $@)))
++	$(RUN_BIN2C)
+ endif
+ 
+ clean::
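
Review bot: the consolidation is not behaviour-neutral for the
%.metallib.c, %.css.c, %.html.c, %.css.min.gz and %.html.gz rules. They
used to pass $< straight to $(BIN2C) or gzip; through RUN_BIN2C and
RUN_GZIP they now get the $(patsubst $(SRC_PATH)/%,$(SRC_LINK)/%,$<)
rewrite that only the ptx rules had before, and %.css.min changes its TAG
from SED to MINIFY. The patch header describes all of this as
simplification only. Since 0002 applies on top of this patch (its index
line starts from this patch's 0a60d01), a line next to Upstream-Status
saying that the two patches belong together would help whoever upgrades
ffmpeg next.
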
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0002-ffbuild-common.mak-ensure-target-directories-are-cre.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0002-ffbuild-common.mak-ensure-target-directories-are-cre.patch
new file mode 100644
index 0000000000..a27e30f710
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0002-ffbuild-common.mak-ensure-target-directories-are-cre.patch
@@ -0,0 +1,43 @@
+From 6cd4855ea3dd62e6eb36c0796f8cd7bd4aaae05c Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Thu, 11 Dec 2025 19:55:46 +0100
+Subject: [PATCH] ffbuild/common.mak: ensure target directories are created
+ before running shell redirects into them
+
+Otherwise, occasional build races have been observed:
+https://autobuilder.yoctoproject.org/valkyrie/#/builders/37/builds/3001/steps/13/logs/stdio
+
+/bin/sh: 4: cannot create fftools/resources/graph.css.min: Directory nonexistent
+mkdir -p fftools/graph
+/bin/sh: 1: cannot create fftools/resources/graph.html.gz: Directory nonexistent
+make: *** [/srv/pokybuild/.../ffmpeg-8.0.1/ffbuild/common.mak:165: fftools/resources/graph.html.gz] Error 2
+make: *** Waiting for unfinished jobs....
+make: *** [/srv/pokybuild/.../ffmpeg-8.0.1/ffbuild/common.mak:145: fftools/resources/graph.css.min] Error 2
+
+There's a separate rule for making those directories, but unfortunately
+it's racing with the rules that expect the directories to exist. Rather
+than add a Makefile dependency, I've injected the dir creation directly
+in front of commands that can otherwise fail - a proper fix would probably
+add the rule rather.
+
+Upstream-Status: Submitted [by email to ffmpeg-devel@ffmpeg.org,softworkz@hotmail.com,kasper93@gmail.com]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ ffbuild/common.mak | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ffbuild/common.mak b/ffbuild/common.mak
+index 0a60d01..346bb0a 100644
+--- a/ffbuild/common.mak
++++ b/ffbuild/common.mak
+@@ -116,8 +116,8 @@ $(BIN2CEXE): ffbuild/bin2c_host.o
+ 	$(HOSTLD) $(HOSTLDFLAGS) $(HOSTLD_O) $^ $(HOSTEXTRALIBS)
+ 
+ RUN_BIN2C = $(BIN2C) $(patsubst $(SRC_PATH)/%,$(SRC_LINK)/%,$<) $@ $(subst .,_,$(basename $(notdir $@)))
+-RUN_GZIP  = $(M)gzip -nc9 $(patsubst $(SRC_PATH)/%,$(SRC_LINK)/%,$<) >$@
+-RUN_MINIFY = $(M)sed 's!/\\*.*\\*/!!g' $< | tr '\n' ' ' | tr -s ' ' | sed 's/^ //; s/ $$//' > $@
++RUN_GZIP  = mkdir -p $(dir $@) && $(M)gzip -nc9 $(patsubst $(SRC_PATH)/%,$(SRC_LINK)/%,$<) >$@
++RUN_MINIFY = mkdir -p $(dir $@) && $(M)sed 's!/\\*.*\\*/!!g' $< | tr '\n' ' ' | tr -s ' ' | sed 's/^ //; s/ $$//' > $@
+ %.gz: TAG = GZIP
+ %.min: TAG = MINIFY
+ 
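
Review bot: in the two added lines "mkdir -p $(dir $@) &&" is placed in
front of $(M), so $(M) is no longer the first thing on the recipe line. If
M expands to a make "@" prefix followed by an echo command (its definition
is outside this hunk), that "@" now reaches the shell as part of a command
name instead of being consumed by make. Writing
"$(M)mkdir -p $(dir $@) && gzip ..." keeps the prefix first. RUN_BIN2C on
the context line above gets no mkdir at all, so a rule that feeds a source
file straight into it, such as "%.html.c: %.html" in the no-compression
branch of 0001, can still write into a directory that does not exist yet.
A Makefile dependency on the directory, which the commit message itself
names as the proper fix, would cover all three variables.
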
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb
index 5e8d7bde55..fdc16598d4 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb
@@ -24,6 +24,8 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 
 SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://0001-fftools-resources-Fix-double-build-by-disabling-.d-f.patch \
+           file://0001-ffbuild-commonmak-Consolidate-pattern-rules-for-comp.patch \
+           file://0002-ffbuild-common.mak-ensure-target-directories-are-cre.patch \
            "
 
 SRC_URI[sha256sum] = "b2751fccb6cc4c77708113cd78b561059b6fa904b24162fa0be2d60273d27b8e"


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [OE-core][whinlatter 08/15] selftest: devtool: Set PATH when running pseudo
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (6 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 07/15] ffmpeg: fix a build race, hopefully for real this time Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 09/15] curl: patch CVE-2025-13034 Yoann Congal
                   ` (7 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Paul Barker <paul@pbarker.dev>

When running pseudo outside of bitbake, we need to use the same PATH as
we would use if we were running inside bitbake instead of the host
environment's PATH.

This is particularly important on Ubuntu 25.10 where 'ls' on this host's
PATH is provided by uutils and we have set up links in HOSTTOOLS_DIR to
ensure that the gnu coreutils implementation is used instead.

Fixes [YOCTO #16099]

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8a264cb75ab456c22568b135c473064553e5321b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/lib/oeqa/selftest/cases/devtool.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py
index 8d7e984753..c7bd1831a9 100644
--- a/meta/lib/oeqa/selftest/cases/devtool.py
+++ b/meta/lib/oeqa/selftest/cases/devtool.py
@@ -1843,11 +1843,12 @@ class DevtoolDeployTargetTests(DevtoolBase):
                 result = runCmd('ssh %s root@%s %s' % (sshargs, qemu.ip, testcommand))
                 # Check if it deployed all of the files with the right ownership/perms
                 # First look on the host - need to do this under pseudo to get the correct ownership/perms
-                bb_vars = get_bb_vars(['D', 'FAKEROOTENV', 'FAKEROOTCMD'], testrecipe)
+                bb_vars = get_bb_vars(['D', 'FAKEROOTENV', 'FAKEROOTCMD', 'PATH'], testrecipe)
                 installdir = bb_vars['D']
                 fakerootenv = bb_vars['FAKEROOTENV']
                 fakerootcmd = bb_vars['FAKEROOTCMD']
-                result = runCmd('%s %s find . -type f -exec ls -l {} \\;' % (fakerootenv, fakerootcmd), cwd=installdir)
+                path = bb_vars['PATH']
+                result = runCmd('PATH="%s" %s %s find . -type f -exec ls -l {} \\;' % (path, fakerootenv, fakerootcmd), cwd=installdir)
                 filelist1 = self._process_ls_output(result.output)
 
                 # Now look on the target
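
Review bot: path is interpolated into the command string inside literal
double quotes ('PATH="%s" %s %s find ...'), so any "$", backquote or
double quote in the bitbake PATH value would be interpreted by the shell
that runs the command. Passing shlex.quote(path) and dropping the literal
quotes from the format string avoids that. The comment above get_bb_vars()
could also say why PATH is fetched, since the reason (the host 'ls' may not
be the one linked in HOSTTOOLS_DIR) is recorded only in the commit message.
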


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [OE-core][whinlatter 09/15] curl: patch CVE-2025-13034
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (7 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 08/15] selftest: devtool: Set PATH when running pseudo Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 10/15] curl: patch CVE-2025-14017 Yoann Congal
                   ` (6 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-13034.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-13034.patch            | 37 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-13034.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-13034.patch b/meta/recipes-support/curl/curl/CVE-2025-13034.patch
new file mode 100644
index 0000000000..0c3fe42509
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-13034.patch
@@ -0,0 +1,37 @@
+From 3d91ca8cdb3b434226e743946d428b4dd3acf2c9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 14 Nov 2025 16:42:23 +0100
+Subject: [PATCH] vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
+
+Closes #19531
+
+CVE: CVE-2025-13034
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vquic/vquic-tls.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c
+index f4ef06c33b..46bb4c7d4c 100644
+--- a/lib/vquic/vquic-tls.c
++++ b/lib/vquic/vquic-tls.c
+@@ -168,13 +168,11 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx,
+   (void)conn_config;
+   result = Curl_ossl_check_peer_cert(cf, data, &ctx->ossl, peer);
+ #elif defined(USE_GNUTLS)
+-  if(conn_config->verifyhost) {
+-    result = Curl_gtls_verifyserver(cf, data, ctx->gtls.session,
+-                                    conn_config, &data->set.ssl, peer,
+-                                    data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
+-    if(result)
+-      return result;
+-  }
++  result = Curl_gtls_verifyserver(cf, data, ctx->gtls.session,
++                                  conn_config, &data->set.ssl, peer,
++                                  data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
++  if(result)
++    return result;
+ #elif defined(USE_WOLFSSL)
+   (void)data;
+   if(conn_config->verifyhost) {
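
Review bot: the USE_WOLFSSL branch in the trailing context still wraps its
check in "if(conn_config->verifyhost)", the same guard this patch removes
from the USE_GNUTLS branch; please confirm against the advisory that only
the GnuTLS path needed the change. The patch header says only
"Closes #19531". Going by the removed lines, Curl_gtls_verifyserver() and
the STRING_SSL_PINNEDPUBLICKEY value passed to it were skipped whenever
verifyhost was off, and a sentence saying so above the CVE: tag would make
the backport self-explanatory.
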
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index 352f407d28..edae6ebb95 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -14,6 +14,7 @@ SRC_URI = " \
     file://run-ptest \
     file://disable-tests \
     file://no-test-timeout.patch \
+    file://CVE-2025-13034.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [OE-core][whinlatter 10/15] curl: patch CVE-2025-14017
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (8 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 09/15] curl: patch CVE-2025-13034 Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 11/15] curl: patch CVE-2025-14524 Yoann Congal
                   ` (5 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-14017.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-14017.patch            | 116 ++++++++++++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |   1 +
 2 files changed, 117 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14017.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-14017.patch b/meta/recipes-support/curl/curl/CVE-2025-14017.patch
new file mode 100644
index 0000000000..79be357ded
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-14017.patch
@@ -0,0 +1,116 @@
+From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 4 Dec 2025 00:14:20 +0100
+Subject: [PATCH] ldap: call ldap_init() before setting the options
+
+Closes #19830
+
+CVE: CVE-2025-14017
+Upstream-Status: Backport [https://github.com/curl/curl/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/ldap.c | 50 +++++++++++++++++++-------------------------------
+ 1 file changed, 19 insertions(+), 31 deletions(-)
+
+diff --git a/lib/ldap.c b/lib/ldap.c
+index 63b2cbc414..0911a9239a 100644
+--- a/lib/ldap.c
++++ b/lib/ldap.c
+@@ -382,16 +382,29 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+     passwd = conn->passwd;
+   }
+ 
++#ifdef USE_WIN32_LDAP
++  if(ldap_ssl)
++    server = ldap_sslinit(host, (curl_ldap_num_t)ipquad.remote_port, 1);
++  else
++#else
++    server = ldap_init(host, (curl_ldap_num_t)ipquad.remote_port);
++#endif
++  if(!server) {
++    failf(data, "LDAP: cannot setup connect to %s:%u",
++          conn->host.dispname, ipquad.remote_port);
++    result = CURLE_COULDNT_CONNECT;
++    goto quit;
++  }
++
+ #ifdef LDAP_OPT_NETWORK_TIMEOUT
+-  ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
++  ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
+ #endif
+-  ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
++  ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+ 
+   if(ldap_ssl) {
+ #ifdef HAVE_LDAP_SSL
+ #ifdef USE_WIN32_LDAP
+     /* Win32 LDAP SDK does not support insecure mode without CA! */
+-    server = ldap_sslinit(host, (curl_ldap_num_t)ipquad.remote_port, 1);
+     ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
+ #else /* !USE_WIN32_LDAP */
+     int ldap_option;
+@@ -411,7 +424,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+         goto quit;
+       }
+       infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca);
+-      rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
++      rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
+       if(rc != LDAP_SUCCESS) {
+         failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
+               ldap_err2string(rc));
+@@ -423,20 +436,13 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+     else
+       ldap_option = LDAP_OPT_X_TLS_NEVER;
+ 
+-    rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
++    rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
+     if(rc != LDAP_SUCCESS) {
+       failf(data, "LDAP local: ERROR setting cert verify mode: %s",
+             ldap_err2string(rc));
+       result = CURLE_SSL_CERTPROBLEM;
+       goto quit;
+     }
+-    server = ldap_init(host, ipquad.remote_port);
+-    if(!server) {
+-      failf(data, "LDAP local: Cannot connect to %s:%u",
+-            conn->host.dispname, ipquad.remote_port);
+-      result = CURLE_COULDNT_CONNECT;
+-      goto quit;
+-    }
+     ldap_option = LDAP_OPT_X_TLS_HARD;
+     rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
+     if(rc != LDAP_SUCCESS) {
+@@ -445,16 +451,6 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+       result = CURLE_SSL_CERTPROBLEM;
+       goto quit;
+     }
+-#if 0
+-    rc = ldap_start_tls_s(server, NULL, NULL);
+-    if(rc != LDAP_SUCCESS) {
+-      failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s",
+-            ldap_err2string(rc));
+-      result = CURLE_SSL_CERTPROBLEM;
+-      goto quit;
+-    }
+-#endif
+-
+ #else /* !LDAP_OPT_X_TLS */
+     (void)ldap_option;
+     (void)ldap_ca;
+@@ -473,15 +469,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+     result = CURLE_NOT_BUILT_IN;
+     goto quit;
+   }
+-  else {
+-    server = ldap_init(host, (curl_ldap_num_t)ipquad.remote_port);
+-    if(!server) {
+-      failf(data, "LDAP local: Cannot connect to %s:%u",
+-            conn->host.dispname, ipquad.remote_port);
+-      result = CURLE_COULDNT_CONNECT;
+-      goto quit;
+-    }
+-  }
++
+ #ifdef USE_WIN32_LDAP
+   ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+   rc = ldap_win_bind(data, server, user, passwd);
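
Review bot: in the first hunk of lib/ldap.c the new init block leaves a
dangling "else" directly before "#else". With USE_WIN32_LDAP defined the
preprocessed code reads "if(ldap_ssl) server = ldap_sslinit(...); else
if(!server) { ... }", so ldap_init() is never called in the non-SSL case
and the NULL check is skipped in the SSL case. Builds without
USE_WIN32_LDAP take the "#else" side and call ldap_init() unconditionally,
so this only matters where that macro is defined, but it is worth checking
whether upstream has a follow-up commit and referencing it in the patch
header. The intended shape is probably "else" followed by "#endif", with
the ldap_init() call after it.
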
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index edae6ebb95..e0a9bae23d 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
     file://disable-tests \
     file://no-test-timeout.patch \
     file://CVE-2025-13034.patch \
+    file://CVE-2025-14017.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [OE-core][whinlatter 11/15] curl: patch CVE-2025-14524
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (9 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 10/15] curl: patch CVE-2025-14017 Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 12/15] curl: patch CVE-2025-14819 Yoann Congal
                   ` (4 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-14524.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-14524.patch            | 40 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-14524.patch b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
new file mode 100644
index 0000000000..c70dd0a04d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
@@ -0,0 +1,40 @@
+From 1a822275d333dc6da6043497160fd04c8fa48640 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 10 Dec 2025 11:40:47 +0100
+Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer
+
+Closes #19933
+
+CVE: CVE-2025-14524
+Upstream-Status: Backport [https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/curl_sasl.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
+index 3e4bafc19a..b93bafbefa 100644
+--- a/lib/curl_sasl.c
++++ b/lib/curl_sasl.c
+@@ -456,7 +456,9 @@ static bool sasl_choose_ntlm(struct Curl_easy *data, struct sasl_ctx *sctx)
+ 
+ static bool sasl_choose_oauth(struct Curl_easy *data, struct sasl_ctx *sctx)
+ {
+-  const char *oauth_bearer = data->set.str[STRING_BEARER];
++  const char *oauth_bearer =
++    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
++    data->set.str[STRING_BEARER] : NULL;
+ 
+   if(sctx->user && oauth_bearer &&
+      (sctx->enabledmechs & SASL_MECH_OAUTHBEARER)) {
+@@ -481,7 +483,9 @@ static bool sasl_choose_oauth(struct Curl_easy *data, struct sasl_ctx *sctx)
+ 
+ static bool sasl_choose_oauth2(struct Curl_easy *data, struct sasl_ctx *sctx)
+ {
+-  const char *oauth_bearer = data->set.str[STRING_BEARER];
++  const char *oauth_bearer =
++    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
++    data->set.str[STRING_BEARER] : NULL;
+ 
+   if(sctx->user && oauth_bearer &&
+      (sctx->enabledmechs & SASL_MECH_XOAUTH2)) {
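
Review bot: as written, the new condition
"!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts"
withholds the bearer on every followed request, not only on a follow that
lands on a different host, so a transfer that relied on the token
surviving a same-host redirect stops authenticating unless
allow_auth_to_other_hosts is set. For a stable branch that behaviour
change deserves a line in the commit message. The three-line expression is
also duplicated verbatim in sasl_choose_oauth() and sasl_choose_oauth2();
a small static helper would keep the two from drifting, although for a
backport staying identical to upstream is the better trade.
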
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index e0a9bae23d..ad9b7c9ab7 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
     file://no-test-timeout.patch \
     file://CVE-2025-13034.patch \
     file://CVE-2025-14017.patch \
+    file://CVE-2025-14524.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [OE-core][whinlatter 12/15] curl: patch CVE-2025-14819
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (10 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 11/15] curl: patch CVE-2025-14524 Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 13/15] curl: patch CVE-2025-15079 Yoann Congal
                   ` (3 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-14819.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-14819.patch            | 73 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |  1 +
 2 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14819.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-14819.patch b/meta/recipes-support/curl/curl/CVE-2025-14819.patch
new file mode 100644
index 0000000000..204f1d48f4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-14819.patch
@@ -0,0 +1,73 @@
+From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 17 Dec 2025 10:54:16 +0100
+Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a
+ different CA cache
+
+Reported-by: Stanislav Fort
+
+Closes #20009
+
+CVE: CVE-2025-14819
+Upstream-Status: Backport [https://github.com/curl/curl/commit/cd046f6c93b39d673a58c18648d8906e954c4f5d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vtls/openssl.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index a7f169d641..7563d9a090 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3560,6 +3560,7 @@ struct ossl_x509_share {
+   X509_STORE *store;    /* cached X509 store or NULL if none */
+   struct curltime time; /* when the cached store was created */
+   BIT(store_is_empty);  /* no certs/paths/blobs are in the store */
++  BIT(no_partialchain); /* keep partial chain state */
+ };
+ 
+ static void oss_x509_share_free(void *key, size_t key_len, void *p)
+@@ -3594,12 +3595,16 @@ ossl_cached_x509_store_expired(const struct Curl_easy *data,
+ 
+ static bool
+ ossl_cached_x509_store_different(struct Curl_cfilter *cf,
++                                             const struct Curl_easy *data,
+                                  const struct ossl_x509_share *mb)
+ {
+   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
++  struct ssl_config_data *ssl_config =
++    Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
++  if(mb->no_partialchain != ssl_config->no_partialchain)
++    return TRUE;
+   if(!mb->CAfile || !conn_config->CAfile)
+     return mb->CAfile != conn_config->CAfile;
+-
+   return strcmp(mb->CAfile, conn_config->CAfile);
+ }
+ 
+@@ -3618,7 +3623,7 @@ static X509_STORE *ossl_get_cached_x509_store(struct Curl_cfilter *cf,
+                                  sizeof(MPROTO_OSSL_X509_KEY)-1) : NULL;
+   if(share && share->store &&
+      !ossl_cached_x509_store_expired(data, share) &&
+-     !ossl_cached_x509_store_different(cf, share)) {
++     !ossl_cached_x509_store_different(cf, data, share)) {
+     store = share->store;
+     *pempty = share->store_is_empty;
+   }
+@@ -3657,6 +3662,8 @@ static void ossl_set_cached_x509_store(struct Curl_cfilter *cf,
+ 
+   if(X509_STORE_up_ref(store)) {
+     char *CAfile = NULL;
++    struct ssl_config_data *ssl_config =
++      Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
+ 
+     if(conn_config->CAfile) {
+       CAfile = strdup(conn_config->CAfile);
+@@ -3675,6 +3682,7 @@ static void ossl_set_cached_x509_store(struct Curl_cfilter *cf,
+     share->store = store;
+     share->store_is_empty = is_empty;
+     share->CAfile = CAfile;
++    share->no_partialchain = ssl_config->no_partialchain;
+   }
+ }
+ 
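
Review bot: in ossl_cached_x509_store_different() the added
"const struct Curl_easy *data," parameter line is indented further than
the mb parameter below it, and the blank line before the final
"return strcmp(...)" is removed without need; both are cosmetic. The new
field comment "/* keep partial chain state */" would be clearer if it said
what is stored, namely the no_partialchain setting the cached store was
created with, since that is what the new comparison relies on.
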
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index ad9b7c9ab7..948769e0fb 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -17,6 +17,7 @@ SRC_URI = " \
     file://CVE-2025-13034.patch \
     file://CVE-2025-14017.patch \
     file://CVE-2025-14524.patch \
+    file://CVE-2025-14819.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [OE-core][whinlatter 13/15] curl: patch CVE-2025-15079
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (11 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 12/15] curl: patch CVE-2025-14819 Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:23 ` [OE-core][whinlatter 14/15] curl: patch CVE-2025-15224 Yoann Congal
                   ` (2 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15079.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-15079.patch            | 32 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15079.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-15079.patch b/meta/recipes-support/curl/curl/CVE-2025-15079.patch
new file mode 100644
index 0000000000..2320e56d68
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-15079.patch
@@ -0,0 +1,32 @@
+From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 24 Dec 2025 17:47:03 +0100
+Subject: [PATCH] libssh: set both knownhosts options to the same file
+
+Reported-by: Harry Sintonen
+
+Closes #20092
+
+CVE: CVE-2025-15079
+Upstream-Status: Backport [https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vssh/libssh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 7d5905c83d..98c109ab59 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -2670,6 +2670,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done)
+     infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]);
+     rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_KNOWNHOSTS,
+                          data->set.str[STRING_SSH_KNOWNHOSTS]);
++    if(rc == SSH_OK)
++      /* libssh has two separate options for this. Set both to the same file
++         to avoid surprises */
++      rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
++                           data->set.str[STRING_SSH_KNOWNHOSTS]);
+     if(rc != SSH_OK) {
+       failf(data, "Could not set known hosts file path");
+       return CURLE_FAILED_INIT;
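
Review bot: the added "if(rc == SSH_OK)" has no braces although its body
is a two-line comment followed by a two-line call, which makes it easy to
misread which statement the condition governs; braces would help. When the
second ssh_options_set() fails, the existing failf() text "Could not set
known hosts file path" does not say that it was
SSH_OPTIONS_GLOBAL_KNOWNHOSTS that was rejected.
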
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index 948769e0fb..a0022f3a3f 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -18,6 +18,7 @@ SRC_URI = " \
     file://CVE-2025-14017.patch \
     file://CVE-2025-14524.patch \
     file://CVE-2025-14819.patch \
+    file://CVE-2025-15079.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [OE-core][whinlatter 14/15] curl: patch CVE-2025-15224
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (12 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 13/15] curl: patch CVE-2025-15079 Yoann Congal
@ 2026-01-20 11:23 ` Yoann Congal
  2026-01-20 11:24 ` [OE-core][whinlatter 15/15] libarchive: upgrade 3.8.4 -> 3.8.5 Yoann Congal
  2026-01-20 11:33 ` [OE-core][whinlatter 00/15] Patch review Yoann Congal
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:23 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15224.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-15224.patch            | 31 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.17.0.bb      |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15224.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-15224.patch b/meta/recipes-support/curl/curl/CVE-2025-15224.patch
new file mode 100644
index 0000000000..a8308b87a1
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-15224.patch
@@ -0,0 +1,31 @@
+From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Mon, 29 Dec 2025 16:56:39 +0100
+Subject: [PATCH] libssh: require private key or user-agent for public key auth
+
+Closes #20110
+
+CVE: CVE-2025-15224
+Upstream-Status: Backport [https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vssh/libssh.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 5d5125b526..bde6355f73 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -935,7 +935,11 @@ static int myssh_in_AUTHLIST(struct Curl_easy *data,
+           "keyboard-interactive, " : "",
+           sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
+           "password": "");
+-  if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
++  /* For public key auth we need either the private key or
++     CURLSSH_AUTH_AGENT. */
++  if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) &&
++    (data->set.str[STRING_SSH_PRIVATE_KEY] ||
++     (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) {
+     myssh_to(data, sshc, SSH_AUTH_PKEY_INIT);
+     infof(data, "Authentication using SSH public key file");
+   }
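
Review bot: the new condition also lets the branch run when only
CURLSSH_AUTH_AGENT is set and STRING_SSH_PRIVATE_KEY is NULL, yet the
infof() in the context line below still reports "Authentication using SSH
public key file". The message could distinguish the agent case so that
logs show which credential source was actually used.
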
diff --git a/meta/recipes-support/curl/curl_8.17.0.bb b/meta/recipes-support/curl/curl_8.17.0.bb
index a0022f3a3f..739838c3e8 100644
--- a/meta/recipes-support/curl/curl_8.17.0.bb
+++ b/meta/recipes-support/curl/curl_8.17.0.bb
@@ -19,6 +19,7 @@ SRC_URI = " \
     file://CVE-2025-14524.patch \
     file://CVE-2025-14819.patch \
     file://CVE-2025-15079.patch \
+    file://CVE-2025-15224.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [OE-core][whinlatter 15/15] libarchive: upgrade 3.8.4 -> 3.8.5
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (13 preceding siblings ...)
  2026-01-20 11:23 ` [OE-core][whinlatter 14/15] curl: patch CVE-2025-15224 Yoann Congal
@ 2026-01-20 11:24 ` Yoann Congal
  2026-01-20 11:33 ` [OE-core][whinlatter 00/15] Patch review Yoann Congal
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:24 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Fixes regression of fix for CVE-2025-60753

Release notes [1]:
Libarchive 3.8.5 is a bugfix release.
Notable bugfixes:
* bsdtar: fix regression from 3.8.4 zero-length pattern issue bugfix (#2809)
* various small bugfixes in code and documentation

[1] https://github.com/libarchive/libarchive/releases/tag/v3.8.5

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../libarchive/{libarchive_3.8.4.bb => libarchive_3.8.5.bb}     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-extended/libarchive/{libarchive_3.8.4.bb => libarchive_3.8.5.bb} (96%)

diff --git a/meta/recipes-extended/libarchive/libarchive_3.8.4.bb b/meta/recipes-extended/libarchive/libarchive_3.8.5.bb
similarity index 96%
rename from meta/recipes-extended/libarchive/libarchive_3.8.4.bb
rename to meta/recipes-extended/libarchive/libarchive_3.8.5.bb
index e89638f5c6..fcfaf5d231 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.8.4.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.8.5.bb
@@ -32,7 +32,7 @@ EXTRA_OECONF += "--enable-largefile --without-iconv"
 SRC_URI = "https://libarchive.org/downloads/libarchive-${PV}.tar.gz"
 UPSTREAM_CHECK_URI = "https://www.libarchive.org/"
 
-SRC_URI[sha256sum] = "b2c75b132a0ec43274d2867221befcb425034cd038e465afbfad09911abb1abb"
+SRC_URI[sha256sum] = "8a60f3a7bfd59c54ce82ae805a93dba65defd04148c3333b7eaa2102f03b7ffd"
 
 inherit autotools update-alternatives pkgconfig
 
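Review bot: the only functional change in this hunk is the new SRC_URI[sha256sum] value, and the commit message does not record what it was checked against. Since this hash is what pins the 3.8.5 tarball fetched from libarchive.org, it is worth confirming it against the v3.8.5 release artifact referenced in [1] and saying so in the message. The message states that this fixes a regression of the CVE-2025-60753 fix, so a line on whether the whinlatter 3.8.4 recipe was affected by that regression would help reviewers judge the urgency.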



* Re: [OE-core][whinlatter 00/15] Patch review
  2026-01-20 11:23 [OE-core][whinlatter 00/15] Patch review Yoann Congal
                   ` (14 preceding siblings ...)
  2026-01-20 11:24 ` [OE-core][whinlatter 15/15] libarchive: upgrade 3.8.4 -> 3.8.5 Yoann Congal
@ 2026-01-20 11:33 ` Yoann Congal
  15 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-20 11:33 UTC (permalink / raw)
  To: openembedded-core

On Tue, 20 Jan 2026 at 12:24, Yoann Congal <yoann.congal@smile.fr> wrote:

> Please review this set of changes for whinlatter and have comments back by
> end of day Thursday, January 22.
>
> This whinlatter patch review request is aimed at getting kirkstone
> 4.0.33 built on Monday:
> * Ensuring fixes in kirkstone have their equivalent in more recent
>   stable branches.
> * pseudo upgrade to fix 16117 – AB-INT: do_package: Error executing a
> python function in exec_func_python() autogenerated
>   https://bugzilla.yoctoproject.org/show_bug.cgi?id=16117
> * ffmpeg patches to fix 16000 – AB-INT: ffmpeg build failing
>   https://bugzilla.yoctoproject.org/show_bug.cgi?id=16000
>
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3092
>
>
> The following changes since commit
> dd10706cfafb5574b7cf316fca2300d166ef71b0:
>
>   build-appliance-image: Update to whinlatter head revisions (2026-01-12
> 10:58:53 +0000)
>
> are available in the Git repository at:
>
>   https://git.openembedded.org/openembedded-core-contrib
> stable/whinlatter-nut
>
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/whinlatter-nut


That should have been the "stable/whinlatter-next" branch.
I've since pushed these commits on stable/whinlatter-next.
Sorry I got this mixed up.


> for you to fetch changes up to e7891f39ae90d1c23bfcb59af0064591513a671d:
>
>   libarchive: upgrade 3.8.4 -> 3.8.5 (2026-01-19 23:29:16 +0100)
>
> ----------------------------------------------------------------
>
> Alexander Kanavin (3):
>   libpng: upgrade 1.6.52 -> 1.6.53
>   ffmpeg: add a (possible) build race fix
>   ffmpeg: fix a build race, hopefully for real this time
>
> Paul Barker (1):
>   selftest: devtool: Set PATH when running pseudo
>
> Peter Marko (9):
>   util-linux: patch CVE-2025-14104
>   gnupg: patch CVE-2025-68973
>   curl: patch CVE-2025-13034
>   curl: patch CVE-2025-14017
>   curl: patch CVE-2025-14524
>   curl: patch CVE-2025-14819
>   curl: patch CVE-2025-15079
>   curl: patch CVE-2025-15224
>   libarchive: upgrade 3.8.4 -> 3.8.5
>
> Richard Purdie (2):
>   pseudo: Update to pull in openat2 and efault return code changes
>   pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation'
>
>  meta/lib/oeqa/selftest/cases/devtool.py       |   5 +-
>  meta/recipes-core/util-linux/util-linux.inc   |   2 +
>  .../util-linux/CVE-2025-14104-01.patch        |  33 +++++
>  .../util-linux/CVE-2025-14104-02.patch        |  28 +++++
>  meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
>  ...ibarchive_3.8.4.bb => libarchive_3.8.5.bb} |   2 +-
>  ...k-Consolidate-pattern-rules-for-comp.patch | 106 ++++++++++++++++
>  ...s-Fix-double-build-by-disabling-.d-f.patch |  78 ++++++++++++
>  ...ak-ensure-target-directories-are-cre.patch |  43 +++++++
>  meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb  |   6 +-
>  .../{libpng_1.6.52.bb => libpng_1.6.53.bb}    |   2 +-
>  .../curl/curl/CVE-2025-13034.patch            |  37 ++++++
>  .../curl/curl/CVE-2025-14017.patch            | 116 ++++++++++++++++++
>  .../curl/curl/CVE-2025-14524.patch            |  40 ++++++
>  .../curl/curl/CVE-2025-14819.patch            |  73 +++++++++++
>  .../curl/curl/CVE-2025-15079.patch            |  32 +++++
>  .../curl/curl/CVE-2025-15224.patch            |  31 +++++
>  meta/recipes-support/curl/curl_8.17.0.bb      |   6 +
>  .../gnupg/gnupg/CVE-2025-68973.patch          | 108 ++++++++++++++++
>  meta/recipes-support/gnupg/gnupg_2.5.11.bb    |   1 +
>  20 files changed, 745 insertions(+), 6 deletions(-)
>  create mode 100644
> meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
>  create mode 100644
> meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
>  rename meta/recipes-extended/libarchive/{libarchive_3.8.4.bb =>
> libarchive_3.8.5.bb} (96%)
>  create mode 100644
> meta/recipes-multimedia/ffmpeg/ffmpeg/0001-ffbuild-commonmak-Consolidate-pattern-rules-for-comp.patch
>  create mode 100644
> meta/recipes-multimedia/ffmpeg/ffmpeg/0001-fftools-resources-Fix-double-build-by-disabling-.d-f.patch
>  create mode 100644
> meta/recipes-multimedia/ffmpeg/ffmpeg/0002-ffbuild-common.mak-ensure-target-directories-are-cre.patch
>  rename meta/recipes-multimedia/libpng/{libpng_1.6.52.bb =>
> libpng_1.6.53.bb} (97%)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2025-13034.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14017.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14819.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15079.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15224.patch
>  create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch
>
>

-- 
Yoann Congal
Smile ECS


* Re: [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53
  2026-01-20 11:23 ` [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53 Yoann Congal
@ 2026-01-21 12:38   ` Paul Barker
  2026-01-21 12:43     ` Marko, Peter
  0 siblings, 1 reply; 22+ messages in thread
From: Paul Barker @ 2026-01-21 12:38 UTC (permalink / raw)
  To: yoann.congal, openembedded-core; +Cc: Peter Marko

On Tue, 2026-01-20 at 12:23 +0100, Yoann Congal via
lists.openembedded.org wrote:
> From: Alexander Kanavin <alex@linutronix.de>
> 
> Signed-off-by: Alexander Kanavin <alex@linutronix.de>
> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>

Is this a cherry-pick of fa33deb30783 from master?

If so, the commit message should point at the cherry-picked commit.
`git cherry-pick -xs` usually does the right thing.

Best regards,

-- 
Paul Barker




* RE: [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53
  2026-01-21 12:38   ` Paul Barker
@ 2026-01-21 12:43     ` Marko, Peter
  2026-01-21 12:50       ` Paul Barker
  0 siblings, 1 reply; 22+ messages in thread
From: Marko, Peter @ 2026-01-21 12:43 UTC (permalink / raw)
  To: Paul Barker, yoann.congal@smile.fr,
	openembedded-core@lists.openembedded.org



> -----Original Message-----
> From: Paul Barker <paul@pbarker.dev>
> Sent: Wednesday, January 21, 2026 13:38
> To: yoann.congal@smile.fr; openembedded-core@lists.openembedded.org
> Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Subject: Re: [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53
> 
> On Tue, 2026-01-20 at 12:23 +0100, Yoann Congal via
> lists.openembedded.org wrote:
> > From: Alexander Kanavin <alex@linutronix.de>
> >
> > Signed-off-by: Alexander Kanavin <alex@linutronix.de>
> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> 
> Is this a cherry-pick of fa33deb30783 from master?
> 
> If so, the commit message should point at the cherry-picked commit.
> `git cherry-pick -xs` usually does the right thing.

Yes, it's a cherry-pick of that commit.
I am very spoiled by cherry-picking in poky which had the reference already prepared.
With poky gone it's very easy to forget to add the ref "manually".

Will you add the reference or should I submit a v2?

Peter

> 
> Best regards,
> 
> --
> Paul Barker
> 



* Re: [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53
  2026-01-21 12:43     ` Marko, Peter
@ 2026-01-21 12:50       ` Paul Barker
  2026-01-21 12:55         ` Yoann Congal
  0 siblings, 1 reply; 22+ messages in thread
From: Paul Barker @ 2026-01-21 12:50 UTC (permalink / raw)
  To: peter.marko, yoann.congal@smile.fr,
	openembedded-core@lists.openembedded.org

On Wed, 2026-01-21 at 12:43 +0000, Peter Marko via
lists.openembedded.org wrote:
> 
> > -----Original Message-----
> > From: Paul Barker <paul@pbarker.dev>
> > Sent: Wednesday, January 21, 2026 13:38
> > To: yoann.congal@smile.fr; openembedded-core@lists.openembedded.org
> > Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > Subject: Re: [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53
> > 
> > On Tue, 2026-01-20 at 12:23 +0100, Yoann Congal via
> > lists.openembedded.org wrote:
> > > From: Alexander Kanavin <alex@linutronix.de>
> > > 
> > > Signed-off-by: Alexander Kanavin <alex@linutronix.de>
> > > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> > 
> > Is this a cherry-pick of fa33deb30783 from master?
> > 
> > If so, the commit message should point at the cherry-picked commit.
> > `git cherry-pick -xs` usually does the right thing.
> 
> Yes, it's a cherry-pick of that commit.
> I am very spoiled by cherry-picking in poky which had the reference already prepared.
> With poky gone it's very easy to forget to add the ref "manually".
> 
> Will you add the reference or should I submit a v2?

Hi Peter,

We're all still adapting to the new way of doing things!

I think the reference can easily be added by Yoann or myself before this
set of patches gets merged to whinlatter.

Best regards,

-- 
Paul Barker



* Re: [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53
  2026-01-21 12:50       ` Paul Barker
@ 2026-01-21 12:55         ` Yoann Congal
  0 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-01-21 12:55 UTC (permalink / raw)
  To: Paul Barker; +Cc: peter.marko, openembedded-core@lists.openembedded.org

On Wed, 21 Jan 2026 at 13:50, Paul Barker <paul@pbarker.dev> wrote:

> On Wed, 2026-01-21 at 12:43 +0000, Peter Marko via
> lists.openembedded.org wrote:
> >
> > > -----Original Message-----
> > > From: Paul Barker <paul@pbarker.dev>
> > > Sent: Wednesday, January 21, 2026 13:38
> > > To: yoann.congal@smile.fr; openembedded-core@lists.openembedded.org
> > > Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > > Subject: Re: [OE-core][whinlatter 03/15] libpng: upgrade 1.6.52 -> 1.6.53
> > >
> > > On Tue, 2026-01-20 at 12:23 +0100, Yoann Congal via
> > > lists.openembedded.org wrote:
> > > > From: Alexander Kanavin <alex@linutronix.de>
> > > >
> > > > Signed-off-by: Alexander Kanavin <alex@linutronix.de>
> > > > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> > > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> > >
> > > Is this a cherry-pick of fa33deb30783 from master?
> > >
> > > If so, the commit message should point at the cherry-picked commit.
> > > `git cherry-pick -xs` usually does the right thing.
> >
> > Yes, it's a cherry-pick of that commit.
> > I am very spoiled by cherry-picking in poky which had the reference already prepared.
> > With poky gone it's very easy to forget to add the ref "manually".
> >
> > Will you add the reference or should I submit a v2?
>
> Hi Peter,
>
> We're all still adapting to the new way of doing things!
>
> I think the reference can easily be added by Yoann or myself before this
> set of patches gets merged to whinlatter.
>

Yes, I will add the reference before sending the pull request.

Thanks Paul, nice catch!


> Best regards,
>
> --
> Paul Barker
>
>

-- 
Yoann Congal
Smile ECS


* [OE-core][whinlatter 00/15] Patch review
@ 2026-04-02  5:21 Yoann Congal
  0 siblings, 0 replies; 22+ messages in thread
From: Yoann Congal @ 2026-04-02  5:21 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for whinlatter and have comments back by
end of day Monday, April 6.

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3571

The following changes since commit f74c948779850a9759d8b24bb83bb661ff85def4:

  curl: patch CVE-2026-3805 (2026-03-25 08:17:01 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/whinlatter-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/whinlatter-nut

for you to fetch changes up to e8a3acb03d4c466cd08e358953df15746cb5aaca:

  vim: Fix CVE-2026-26269 (2026-04-02 00:08:06 +0200)

----------------------------------------------------------------

Andrej Kozemcak (1):
  ca-certificates: upgrade 20250419 -> 20260223

Anil Dongare (2):
  vim: Fix CVE-2026-25749
  vim: Fix CVE-2026-26269

Changqing Li (1):
  libsoup: fix CVE-2025-32049/CVE-2026-1539

Deepak Rathore (3):
  expat: Fix CVE-2026-32776
  expat: Fix CVE-2026-32777
  expat: Fix CVE-2026-32778

Jinfeng Wang (1):
  tzdata/tzcode-native: upgrade 2025c -> 2026a

Logan Gallois (1):
  oe-setup-build: TEMPLATECONF were not applied correctly

Paul Barker (1):
  tzdata,tzcode-native: Upgrade 2025b -> 2025c

Vijay Anusuri (2):
  python3-pyopenssl: Fix CVE-2026-27448
  python3-pyopenssl: Fix CVE-2026-27459

Wang Mingyu (3):
  ccache: upgrade 4.12.2 -> 4.12.3
  libsoup: upgrade 3.6.5 -> 3.6.6
  libxmlb: upgrade 0.3.24 -> 0.3.25

 .../expat/expat/CVE-2026-32776.patch          |  90 ++++++
 .../expat/expat/CVE-2026-32777_p1.patch       |  48 +++
 .../expat/expat/CVE-2026-32777_p2.patch       |  65 ++++
 .../expat/expat/CVE-2026-32778_p1.patch       |  90 ++++++
 .../expat/expat/CVE-2026-32778_p2.patch       |  59 ++++
 meta/recipes-core/expat/expat_2.7.4.bb        |   5 +
 .../{ccache_4.12.2.bb => ccache_4.12.3.bb}    |   4 +-
 .../python3-pyopenssl/CVE-2026-27448.patch    | 125 ++++++++
 .../python3-pyopenssl/CVE-2026-27459.patch    | 109 +++++++
 .../python/python3-pyopenssl_25.1.0.bb        |   5 +
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../{libxmlb_0.3.24.bb => libxmlb_0.3.25.bb}  |   2 +-
 ...0250419.bb => ca-certificates_20260223.bb} |   2 +-
 .../libsoup/libsoup/CVE-2025-32049-1.patch    | 229 ++++++++++++++
 .../libsoup/libsoup/CVE-2025-32049-2.patch    |  34 ++
 .../libsoup/libsoup/CVE-2025-32049-3.patch    | 133 ++++++++
 .../libsoup/libsoup/CVE-2025-32049-4.patch    | 291 ++++++++++++++++++
 .../libsoup/libsoup/CVE-2026-1539.patch       |  97 ++++++
 .../{libsoup_3.6.5.bb => libsoup_3.6.6.bb}    |   9 +-
 .../vim/files/CVE-2026-25749.patch            |  64 ++++
 .../vim/files/CVE-2026-26269.patch            | 150 +++++++++
 meta/recipes-support/vim/vim.inc              |   2 +
 scripts/oe-setup-build                        |   2 +-
 23 files changed, 1612 insertions(+), 9 deletions(-)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32776.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32777_p1.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32777_p2.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32778_p1.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32778_p2.patch
 rename meta/recipes-devtools/ccache/{ccache_4.12.2.bb => ccache_4.12.3.bb} (88%)
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
 rename meta/recipes-gnome/libxmlb/{libxmlb_0.3.24.bb => libxmlb_0.3.25.bb} (93%)
 rename meta/recipes-support/ca-certificates/{ca-certificates_20250419.bb => ca-certificates_20260223.bb} (97%)
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32049-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32049-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32049-3.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32049-4.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2026-1539.patch
 rename meta/recipes-support/libsoup/{libsoup_3.6.5.bb => libsoup_3.6.6.bb} (85%)
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-25749.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-26269.patch


