From: Yoann Congal <yoann.congal@smile.fr>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter v2 00/22] Patch review
Date: Tue, 3 Feb 2026 11:16:29 +0100
Message-ID: <cover.1770109549.git.yoann.congal@smile.fr>

Hello,

Since I made some mistakes with the previous patch review request, and I
got some reviews and new patches, I am sending this updated one:

v1->v2:
* Dropped "mesa: fix build error with llvmpipe gallium driver"
* Replaced "expat: patch CVE-2026-24515" by
  "expat: upgrade 2.7.3 -> 2.7.4"
* Added:
  * libxml2: patch CVE-2026-0992
  * libxml2: add follow-up patch for CVE-2026-0992
  * inetutils: patch CVE-2026-24061

Note that "inetutils: patch CVE-2026-24061" and "libxml2: add follow-up
patch for CVE-2026-0992" have yet to merge on master, but I expect that
to happen soon (if it does not, I will exclude those from the merge).

Please review this set of changes for whinlatter and have comments back by
end of day Wednesday, February 4 (shorter than usual, but the series has
not changed that much).

Passed a-full on autobuilder with some failures:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3160
* https://autobuilder.yoctoproject.org/valkyrie/?#/builders/8/builds/3155 (qemuarm64-armhost)
  was automatically and successfully retried as
  https://autobuilder.yoctoproject.org/valkyrie/?#/builders/8/builds/3157
* https://autobuilder.yoctoproject.org/valkyrie/#/builders/41/builds/2964 (meta-intel)
  This failure also happens on master, I've pinged the maintainer:
  https://lists.yoctoproject.org/g/yocto/message/66209

The following changes since commit fa31089d48cac2aa11279e932a77f4dbdc02c02d:

  libarchive: upgrade 3.8.4 -> 3.8.5 (2026-01-26 08:44:38 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/whinlatter-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/whinlatter-nut

for you to fetch changes up to fa3bb54d2423728b6421367c1218003a0765dd22:

  inetutils: patch CVE-2026-24061 (2026-02-03 00:09:50 +0100)

Hugo SIMELIERE (1):
  libtasn1: Fix CVE-2025-13151

Jiaying Song (1):
  grub: fix CVE-2025-54770 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663
    CVE-2025-61664

Ken Kurematsu (1):
  libtheora: set CVE_PRODUCT

Khai Dang (1):
  docbook-xml-dtd4: fix the fetching failure

Mark Hatle (1):
  dpkg: Fix ADMINDIR

Mathieu Dubois-Briand (2):
  oeqa/gitarchive: Fix git push URL parameter
  oeqa/gitarchive: Push tag before copying log files

Peter Marko (13):
  go: upgrade 1.25.5 -> 1.25.6
  zlib: ignore CVE-2026-22184
  python3-urllib3: patch CVE-2026-21441
  glibc: stable 2.42 branch updates
  dropbear: patch CVE-2025-14282
  libpng: upgrade 1.6.53 -> 1.6.54
  glib-2.0: patch CVE-2026-0988
  libxml2: patch CVE-2026-0989
  libxml2: patch CVE-2026-0990
  libxml2: patch CVE-2026-0992
  libxml2: add follow-up patch for CVE-2026-0992
  expat: upgrade 2.7.3 -> 2.7.4
  inetutils: patch CVE-2026-24061

Richard Purdie (2):
  scripts/oe-git-archive: Ensure new push parameter is specified
  pseudo: Update to 1.9.3 release

meta/lib/oe/package_manager/deb/__init__.py | 4 +
.../oeqa/selftest/cases/gitarchivetests.py | 4 +-
meta/lib/oeqa/utils/gitarchive.py | 8 +-
.../grub/files/CVE-2025-54770.patch | 41 +++
.../grub/files/CVE-2025-61661.patch | 40 +++
.../grub/files/CVE-2025-61662.patch | 72 ++++
.../grub/files/CVE-2025-61663_61664.patch | 64 ++++
meta/recipes-bsp/grub/grub2.inc | 4 +
.../inetutils/CVE-2026-24061-01.patch | 38 ++
.../inetutils/CVE-2026-24061-02.patch | 82 +++++
.../inetutils/inetutils_2.6.bb | 2 +
.../dropbear/dropbear/CVE-2025-14282-01.patch | 280 +++++++++++++++
.../dropbear/dropbear/CVE-2025-14282-02.patch | 97 +++++
.../dropbear/dropbear/CVE-2025-14282-03.patch | 282 +++++++++++++++
.../dropbear/dropbear/CVE-2025-14282-04.patch | 72 ++++
.../dropbear/dropbear/CVE-2025-14282-05.patch | 46 +++
.../recipes-core/dropbear/dropbear_2025.88.bb | 5 +
.../expat/{expat_2.7.3.bb => expat_2.7.4.bb} | 2 +-
.../glib-2.0/files/CVE-2026-0988.patch | 58 +++
meta/recipes-core/glib-2.0/glib.inc | 1 +
meta/recipes-core/glibc/glibc-version.inc | 2 +-
meta/recipes-core/glibc/glibc_2.42.bb | 2 +-
.../libxml/libxml2/CVE-2026-0989.patch | 309 ++++++++++++++++
.../libxml/libxml2/CVE-2026-0990.patch | 76 ++++
.../libxml/libxml2/CVE-2026-0992-01.patch | 49 +++
.../libxml/libxml2/CVE-2026-0992-02.patch | 336 ++++++++++++++++++
.../libxml/libxml2/CVE-2026-0992-03.patch | 33 ++
meta/recipes-core/libxml/libxml2_2.14.6.bb | 5 +
meta/recipes-core/zlib/zlib_1.3.1.bb | 2 +
.../docbook-xml/docbook-xml-dtd4_4.5.bb | 10 +-
...-dirs.c-set_rootfs-was-not-checking-.patch | 46 +++
meta/recipes-devtools/dpkg/dpkg_1.22.21.bb | 1 +
.../go/{go-1.25.5.inc => go-1.25.6.inc} | 2 +-
...e_1.25.5.bb => go-binary-native_1.25.6.bb} | 6 +-
..._1.25.5.bb => go-cross-canadian_1.25.6.bb} | 0
...{go-cross_1.25.5.bb => go-cross_1.25.6.bb} | 0
...osssdk_1.25.5.bb => go-crosssdk_1.25.6.bb} | 0
...runtime_1.25.5.bb => go-runtime_1.25.6.bb} | 0
...ent-based-hash-generation-less-pedan.patch | 8 +-
...ng-cgo-on-386-call-C-sigaction-funct.patch | 4 +-
...d-go-make-GOROOT-precious-by-default.patch | 2 +-
.../go/{go_1.25.5.bb => go_1.25.6.bb} | 0
meta/recipes-devtools/pseudo/pseudo_git.bb | 4 +-
.../python3-urllib3/CVE-2026-21441.patch | 111 ++++++
.../python/python3-urllib3_2.5.0.bb | 1 +
.../{libpng_1.6.53.bb => libpng_1.6.54.bb} | 4 +-
.../libtheora/libtheora_1.2.0.bb | 2 +
.../gnutls/libtasn1/CVE-2025-13151.patch | 30 ++
.../recipes-support/gnutls/libtasn1_4.20.0.bb | 1 +
scripts/lib/resulttool/store.py | 9 +-
scripts/oe-git-archive | 2 +-
51 files changed, 2228 insertions(+), 31 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61661.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61662.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61663_61664.patch
create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-01.patch
create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-02.patch
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-01.patch
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-02.patch
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-03.patch
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-04.patch
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-14282-05.patch
rename meta/recipes-core/expat/{expat_2.7.3.bb => expat_2.7.4.bb} (92%)
create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-0988.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0989.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
create mode 100644 meta/recipes-devtools/dpkg/dpkg/0001-lib-dpkg-options-dirs.c-set_rootfs-was-not-checking-.patch
rename meta/recipes-devtools/go/{go-1.25.5.inc => go-1.25.6.inc} (91%)
rename meta/recipes-devtools/go/{go-binary-native_1.25.5.bb => go-binary-native_1.25.6.bb} (79%)
rename meta/recipes-devtools/go/{go-cross-canadian_1.25.5.bb => go-cross-canadian_1.25.6.bb} (100%)
rename meta/recipes-devtools/go/{go-cross_1.25.5.bb => go-cross_1.25.6.bb} (100%)
rename meta/recipes-devtools/go/{go-crosssdk_1.25.5.bb => go-crosssdk_1.25.6.bb} (100%)
rename meta/recipes-devtools/go/{go-runtime_1.25.5.bb => go-runtime_1.25.6.bb} (100%)
rename meta/recipes-devtools/go/{go_1.25.5.bb => go_1.25.6.bb} (100%)
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch
rename meta/recipes-multimedia/libpng/{libpng_1.6.53.bb => libpng_1.6.54.bb} (94%)
create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch