[OE-core][scarthgap 00/27] Pull request (cover letter only)

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

* [OE-core][scarthgap 00/27] Pull request (cover letter only)
@ 2026-02-12 13:27 Yoann Congal
  2026-02-13  8:51 ` Paul Barker
  0 siblings, 1 reply; 2+ messages in thread
From: Yoann Congal @ 2026-02-12 13:27 UTC (permalink / raw)
  To: openembedded-core; +Cc: Paul Barker

Those are the patches from the last patch review:
https://lore.kernel.org/openembedded-core/cover.1770626074.git.yoann.congal@smile.fr/T/#t
with the following modification:
* zlib: ignore CVE-2026-22184 was changed to a cherry-pick from master
  and needed commits backported:
  * zlib: cleanup CVE_STATUS[CVE-2023-45853]
  * zlib: Add CVE_PRODUCT to exclude false positives

Passed a-full on autobuilder (with AB-INT):
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3195
* The build qemuarm-oecore failed:
  https://autobuilder.yoctoproject.org/valkyrie/#/builders/40/builds/3140
  This was caused by bug #16143 – AB-INT: do_image_wic: tar command return exit status 2
* The build qemuarm-oecore was succesfully retried:
  https://autobuilder.yoctoproject.org/valkyrie/?#/builders/40/builds/3143

The following changes since commit d50e4680ed6f930582d907b37c9ed545a89f5c27:

  build-appliance-image: Update to scarthgap head revision (2026-01-26 09:50:47 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-next
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-next

for you to fetch changes up to 5f81d44ce98b9bfe905acf162b01b1b80f00ac27:

  libtheora: set CVE_PRODUCT (2026-02-10 16:40:35 +0100)

----------------------------------------------------------------

Adarsh Jagadish Kamini (1):
  python-urllib3: Backport fix for CVE-2026-21441

Amaury Couderc (1):
  curl: patch CVE-2025-14524

Ankur Tyagi (2):
  ffmpeg: upgrade 6.1.3 -> 6.1.4
  ffmpeg: ignore CVE-2025-25469

Benjamin Robin (Schneider Electric) (1):
  meta/classes: fix missing vardeps for CVE status variables

Daniel Turull (1):
  improve_kernel_cve_report: add script for postprocesing of kernel CVE
    data

Fred Bacon (1):
  lighttpd: Fix trailing slash on files in mod_dirlisting

Het Patel (1):
  zlib: Add CVE_PRODUCT to exclude false positives

Hitendra Prajapati (1):
  curl: fix CVE-2025-10148

Hugo SIMELIERE (1):
  libtasn1: Fix CVE-2025-13151

Ken Kurematsu (1):
  libtheora: set CVE_PRODUCT

Khai Dang (1):
  docbook-xml-dtd4: fix the fetching failure

Peter Marko (12):
  expat: patch CVE-2026-24515
  expat: patch CVE-2026-25210
  glib-2.0: patch CVE-2026-0988
  libpng: patch CVE-2026-22695
  libpng: patch CVE-2026-22801
  libxml2: patch CVE-2026-0989
  libxml2: patch CVE-2026-0990
  libxml2: patch CVE-2026-0992
  libxml2: add follow-up patch for CVE-2026-0992
  python3: patch CVE-2025-13837
  zlib: ignore CVE-2026-22184
  glibc: stable 2.39 branch updates

Richard Purdie (1):
  pseudo: Update to 1.9.3 release

Vijay Anusuri (1):
  inetutils: Fix CVE-2026-24061

Yoann Congal (1):
  zlib: cleanup CVE_STATUS[CVE-2023-45853]

 meta/classes/create-spdx-2.2.bbclass          |   1 +
 meta/classes/create-spdx-3.0.bbclass          |   2 +
 meta/classes/cve-check.bbclass                |   1 +
 meta/classes/vex.bbclass                      |   1 +
 .../inetutils/CVE-2026-24061-1.patch          |  41 ++
 .../inetutils/CVE-2026-24061-2.patch          |  85 ++++
 .../inetutils/inetutils_2.5.bb                |   2 +
 .../expat/expat/CVE-2026-24515-01.patch       |  43 ++
 .../expat/expat/CVE-2026-24515-02.patch       | 117 +++++
 .../expat/expat/CVE-2026-25210-01.patch       |  27 +
 .../expat/expat/CVE-2026-25210-02.patch       |  38 ++
 .../expat/expat/CVE-2026-25210-03.patch       |  28 ++
 meta/recipes-core/expat/expat_2.6.4.bb        |   5 +
 .../glib-2.0/glib-2.0/CVE-2026-0988.patch     |  58 +++
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb |   1 +
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 meta/recipes-core/glibc/glibc_2.39.bb         |   2 +-
 .../libxml/libxml2/CVE-2026-0989.patch        | 309 ++++++++++++
 .../libxml/libxml2/CVE-2026-0990.patch        |  76 +++
 .../libxml/libxml2/CVE-2026-0992-01.patch     |  49 ++
 .../libxml/libxml2/CVE-2026-0992-02.patch     | 323 ++++++++++++
 .../libxml/libxml2/CVE-2026-0992-03.patch     |  33 ++
 meta/recipes-core/libxml/libxml2_2.12.10.bb   |   5 +
 meta/recipes-core/zlib/zlib_1.3.1.bb          |   6 +-
 .../docbook-xml/docbook-xml-dtd4_4.5.bb       |  10 +-
 meta/recipes-devtools/pseudo/pseudo_git.bb    |   4 +-
 .../python3-urllib3/CVE-2026-21441.patch      | 105 ++++
 .../python/python3-urllib3_2.2.2.bb           |   1 +
 .../python/python3/CVE-2025-13837.patch       | 162 ++++++
 .../python/python3_3.12.12.bb                 |   1 +
 .../lighttpd/0001-mod_dirlisting.patch        |  48 ++
 .../lighttpd/lighttpd_1.4.74.bb               |   1 +
 .../ffmpeg/ffmpeg/CVE-2024-35365.patch        |  62 ---
 .../ffmpeg/ffmpeg/CVE-2024-36618.patch        |  36 --
 .../ffmpeg/ffmpeg/CVE-2025-1594.patch         | 105 ----
 .../{ffmpeg_6.1.3.bb => ffmpeg_6.1.4.bb}      |   7 +-
 .../libpng/files/CVE-2026-22695.patch         |  77 +++
 .../libpng/files/CVE-2026-22801.patch         | 173 +++++++
 .../libpng/libpng_1.6.42.bb                   |   2 +
 .../libtheora/libtheora_1.1.1.bb              |   2 +
 .../curl/curl/CVE-2025-10148.patch            |  57 +++
 .../curl/curl/CVE-2025-14524.patch            |  44 ++
 meta/recipes-support/curl/curl_8.7.1.bb       |   2 +
 .../gnutls/libtasn1/CVE-2025-13151.patch      |  30 ++
 .../recipes-support/gnutls/libtasn1_4.20.0.bb |   1 +
 scripts/contrib/improve_kernel_cve_report.py  | 467 ++++++++++++++++++
 46 files changed, 2434 insertions(+), 218 deletions(-)
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-1.patch
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-2.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-24515-01.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-24515-02.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-01.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-02.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-03.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0989.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
 create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13837.patch
 create mode 100644 meta/recipes-extended/lighttpd/lighttpd/0001-mod_dirlisting.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
 rename meta/recipes-multimedia/ffmpeg/{ffmpeg_6.1.3.bb => ffmpeg_6.1.4.bb} (98%)
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-10148.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch
 create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch
 create mode 100755 scripts/contrib/improve_kernel_cve_report.py



^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [OE-core][scarthgap 00/27] Pull request (cover letter only)
  2026-02-12 13:27 [OE-core][scarthgap 00/27] Pull request (cover letter only) Yoann Congal
@ 2026-02-13  8:51 ` Paul Barker
  0 siblings, 0 replies; 2+ messages in thread
From: Paul Barker @ 2026-02-13  8:51 UTC (permalink / raw)
  To: Yoann Congal, openembedded-core

[-- Attachment #1: Type: text/plain, Size: 8154 bytes --]

On Thu, 2026-02-12 at 14:27 +0100, Yoann Congal wrote:
> Those are the patches from the last patch review:
> https://lore.kernel.org/openembedded-core/cover.1770626074.git.yoann.congal@smile.fr/T/#t
> with the following modification:
> * zlib: ignore CVE-2026-22184 was changed to a cherry-pick from master
>   and needed commits backported:
>   * zlib: cleanup CVE_STATUS[CVE-2023-45853]
>   * zlib: Add CVE_PRODUCT to exclude false positives
> 
> Passed a-full on autobuilder (with AB-INT):
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3195
> * The build qemuarm-oecore failed:
>   https://autobuilder.yoctoproject.org/valkyrie/#/builders/40/builds/3140
>   This was caused by bug #16143 – AB-INT: do_image_wic: tar command return exit status 2
> * The build qemuarm-oecore was succesfully retried:
>   https://autobuilder.yoctoproject.org/valkyrie/?#/builders/40/builds/3143

Hi Richard, Yoann,

We have an understanding of #16143 now, and this issue happening is not
a regression caused by any of the patches here, so I think this is good
to merge.

The following changes since commit d50e4680ed6f930582d907b37c9ed545a89f5c27:

  build-appliance-image: Update to scarthgap head revision (2026-01-26 09:50:47 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib pbarker/scarthgap

for you to fetch changes up to e86e50b8c5b16065dcb35ebf4b00eff59c5da78c:

  libtheora: set CVE_PRODUCT (2026-02-12 23:44:37 +0000)

----------------------------------------------------------------
Adarsh Jagadish Kamini (1):
      python-urllib3: Backport fix for CVE-2026-21441

Amaury Couderc (1):
      curl: patch CVE-2025-14524

Ankur Tyagi (2):
      ffmpeg: upgrade 6.1.3 -> 6.1.4
      ffmpeg: ignore CVE-2025-25469

Benjamin Robin (Schneider Electric) (1):
      meta/classes: fix missing vardeps for CVE status variables

Daniel Turull (1):
      improve_kernel_cve_report: add script for postprocesing of kernel CVE data

Fred Bacon (1):
      lighttpd: Fix trailing slash on files in mod_dirlisting

Het Patel (1):
      zlib: Add CVE_PRODUCT to exclude false positives

Hitendra Prajapati (1):
      curl: fix CVE-2025-10148

Hugo SIMELIERE (1):
      libtasn1: Fix CVE-2025-13151

Ken Kurematsu (1):
      libtheora: set CVE_PRODUCT

Khai Dang (1):
      docbook-xml-dtd4: fix the fetching failure

Peter Marko (12):
      expat: patch CVE-2026-24515
      expat: patch CVE-2026-25210
      glib-2.0: patch CVE-2026-0988
      libpng: patch CVE-2026-22695
      libpng: patch CVE-2026-22801
      libxml2: patch CVE-2026-0989
      libxml2: patch CVE-2026-0990
      libxml2: patch CVE-2026-0992
      libxml2: add follow-up patch for CVE-2026-0992
      python3: patch CVE-2025-13837
      zlib: ignore CVE-2026-22184
      glibc: stable 2.39 branch updates

Richard Purdie (1):
      pseudo: Update to 1.9.3 release

Vijay Anusuri (1):
      inetutils: Fix CVE-2026-24061

Yoann Congal (1):
      zlib: cleanup CVE_STATUS[CVE-2023-45853]

 meta/classes/create-spdx-2.2.bbclass               |   1 +
 meta/classes/create-spdx-3.0.bbclass               |   2 +
 meta/classes/cve-check.bbclass                     |   1 +
 meta/classes/vex.bbclass                           |   1 +
 .../inetutils/inetutils/CVE-2026-24061-1.patch     |  41 ++
 .../inetutils/inetutils/CVE-2026-24061-2.patch     |  85 ++++
 .../inetutils/inetutils_2.5.bb                     |   2 +
 .../expat/expat/CVE-2026-24515-01.patch            |  43 ++
 .../expat/expat/CVE-2026-24515-02.patch            | 117 ++++++
 .../expat/expat/CVE-2026-25210-01.patch            |  27 ++
 .../expat/expat/CVE-2026-25210-02.patch            |  38 ++
 .../expat/expat/CVE-2026-25210-03.patch            |  28 ++
 meta/recipes-core/expat/expat_2.6.4.bb             |   5 +
 .../glib-2.0/glib-2.0/CVE-2026-0988.patch          |  58 +++
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb      |   1 +
 meta/recipes-core/glibc/glibc-version.inc          |   2 +-
 meta/recipes-core/glibc/glibc_2.39.bb              |   2 +-
 .../libxml/libxml2/CVE-2026-0989.patch             | 309 ++++++++++++++
 .../libxml/libxml2/CVE-2026-0990.patch             |  76 ++++
 .../libxml/libxml2/CVE-2026-0992-01.patch          |  49 +++
 .../libxml/libxml2/CVE-2026-0992-02.patch          | 323 ++++++++++++++
 .../libxml/libxml2/CVE-2026-0992-03.patch          |  33 ++
 meta/recipes-core/libxml/libxml2_2.12.10.bb        |   5 +
 meta/recipes-core/zlib/zlib_1.3.1.bb               |   6 +-
 .../docbook-xml/docbook-xml-dtd4_4.5.bb            |  10 +-
 meta/recipes-devtools/pseudo/pseudo_git.bb         |   4 +-
 .../python/python3-urllib3/CVE-2026-21441.patch    | 105 +++++
 .../python/python3-urllib3_2.2.2.bb                |   1 +
 .../python/python3/CVE-2025-13837.patch            | 162 +++++++
 meta/recipes-devtools/python/python3_3.12.12.bb    |   1 +
 .../lighttpd/lighttpd/0001-mod_dirlisting.patch    |  48 +++
 meta/recipes-extended/lighttpd/lighttpd_1.4.74.bb  |   1 +
 .../ffmpeg/ffmpeg/CVE-2024-35365.patch             |  62 ---
 .../ffmpeg/ffmpeg/CVE-2024-36618.patch             |  36 --
 .../ffmpeg/ffmpeg/CVE-2025-1594.patch              | 105 -----
 .../ffmpeg/{ffmpeg_6.1.3.bb => ffmpeg_6.1.4.bb}    |   7 +-
 .../libpng/files/CVE-2026-22695.patch              |  77 ++++
 .../libpng/files/CVE-2026-22801.patch              | 173 ++++++++
 meta/recipes-multimedia/libpng/libpng_1.6.42.bb    |   2 +
 .../libtheora/libtheora_1.1.1.bb                   |   2 +
 .../recipes-support/curl/curl/CVE-2025-10148.patch |  57 +++
 .../recipes-support/curl/curl/CVE-2025-14524.patch |  44 ++
 meta/recipes-support/curl/curl_8.7.1.bb            |   2 +
 .../gnutls/libtasn1/CVE-2025-13151.patch           |  30 ++
 meta/recipes-support/gnutls/libtasn1_4.20.0.bb     |   1 +
 scripts/contrib/improve_kernel_cve_report.py       | 467 +++++++++++++++++++++
 46 files changed, 2434 insertions(+), 218 deletions(-)
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-1.patch
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-2.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-24515-01.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-24515-02.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-01.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-02.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-03.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0989.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
 create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13837.patch
 create mode 100644 meta/recipes-extended/lighttpd/lighttpd/0001-mod_dirlisting.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
 rename meta/recipes-multimedia/ffmpeg/{ffmpeg_6.1.3.bb => ffmpeg_6.1.4.bb} (98%)
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-10148.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch
 create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch
 create mode 100755 scripts/contrib/improve_kernel_cve_report.py

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-02-13  8:51 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-12 13:27 [OE-core][scarthgap 00/27] Pull request (cover letter only) Yoann Congal
2026-02-13  8:51 ` Paul Barker

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox