public inbox for openembedded-core@lists.openembedded.org
* [OE-core][kirkstone v2 00/18] Patch review
@ 2026-04-07  7:13 Yoann Congal
From: Yoann Congal @ 2026-04-07  7:13 UTC
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, April 8.

Please note:
- This will be the last review cycle for kirkstone.
- If you expect a patch to get merged and it is not in this series ping
  me as soon as possible.
- Some patches look OK to me and are included here but will only be
  merged if some patches are sent/fixed in more recent branches:
  - Pending an equivalent patch sent for whinlatter:
    - libarchive: Fix CVE-2026-4111

v1->v2:
- replaced "python3: Fix CVE-2025-15282" with
  "python3: upgrade 3.10.19 -> 3.10.20"
- Those patches are not held anymore since equivalent patches have been
  sent to more recent branches:
    - curl: patch CVE-2026-3784
    - curl: patch CVE-2026-3783
    - curl: patch CVE-2026-1965
    - vim: Fix CVE-2026-33412

I will try to send a v3 with this last minute patch:
[kirkstone][PATCH] ncurses: fix for CVE-2025-69720
https://lore.kernel.org/openembedded-core/20260407054403.21041-1-hprajapati@mvista.com/T/#m070f1177b6e08d547a9fe91a4546f4b5b8d6dcd3

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3606
(The warning is not related to this series)

The following changes since commit c4194cadb1180da37514c55cd97827eb0269c8e2:

  build-appliance-image: Update to kirkstone head revision (2026-03-20 09:58:53 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

for you to fetch changes up to 14ffe9ce3bfb10dc658d3bd648e531c9fadfe20a:

  scripts/install-buildtools: Update to 4.0.34 (2026-04-06 23:02:13 +0200)

----------------------------------------------------------------

Bruce Ashfield (2):
  linux-yocto/5.15: update to v5.15.200
  linux-yocto/5.15: update to v5.15.201

Fabien Thomas (1):
  README.OE-Core: update contributor links and add kirkstone prefix

Hitendra Prajapati (1):
  vim: Fix CVE-2026-33412

Jinfeng Wang (1):
  tzdata/tzcode-native: upgrade 2025c -> 2026a

Paul Barker (1):
  create-pull-request: Keep commit hash to be pulled in cover email

Peter Marko (1):
  libtheora: mark CVE-2024-56431 as not vulnerable yet

Vijay Anusuri (10):
  tzdata,tzcode-native: Upgrade 2025b -> 2025c
  python3: upgrade 3.10.19 -> 3.10.20
  python3-pyopenssl: Fix CVE-2026-27448
  python3-pyopenssl: Fix CVE-2026-27459
  libarchive: Fix CVE-2026-4111
  sqlite3: Fix CVE-2025-70873
  curl: patch CVE-2025-14524
  curl: patch CVE-2026-1965
  curl: patch CVE-2026-3783
  curl: patch CVE-2026-3784

Yoann Congal (1):
  scripts/install-buildtools: Update to 4.0.34

 README.OE-Core.md                             |  10 +-
 .../python3-pyopenssl/CVE-2026-27448.patch    | 125 ++++++
 .../python3-pyopenssl/CVE-2026-27459.patch    | 106 +++++
 .../python/python3-pyopenssl_22.0.0.bb        |   5 +
 .../python/python3/CVE-2025-12084.patch       | 171 --------
 .../python/python3/CVE-2025-13836.patch       | 163 --------
 .../python/python3/CVE-2025-13837.patch       | 162 --------
 .../python/python3/CVE-2025-6075.patch        | 364 ------------------
 ...{python3_3.10.19.bb => python3_3.10.20.bb} |   6 +-
 .../libarchive/CVE-2026-4111-1.patch          |  32 ++
 .../libarchive/CVE-2026-4111-2.patch          | 308 +++++++++++++++
 .../libarchive/libarchive_3.6.2.bb            |   2 +
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +-
 .../libtheora/libtheora_1.1.1.bb              |   3 +
 .../curl/curl/CVE-2025-14524.patch            |  42 ++
 .../curl/curl/CVE-2026-1965-1.patch           |  98 +++++
 .../curl/curl/CVE-2026-1965-2.patch           |  29 ++
 .../curl/curl/CVE-2026-3783-pre1.patch        |  66 ++++
 .../curl/curl/CVE-2026-3783.patch             | 157 ++++++++
 .../curl/curl/CVE-2026-3784.patch             |  73 ++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   6 +
 .../sqlite/files/CVE-2025-70873.patch         |  33 ++
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |   1 +
 .../vim/files/CVE-2026-33412.patch            |  61 +++
 meta/recipes-support/vim/vim.inc              |   1 +
 scripts/create-pull-request                   |   2 +-
 scripts/install-buildtools                    |   4 +-
 30 files changed, 1181 insertions(+), 893 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-12084.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13836.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13837.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-6075.patch
 rename meta/recipes-devtools/python/{python3_3.10.19.bb => python3_3.10.20.bb} (98%)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783-pre1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-70873.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-33412.patch




* [OE-core][kirkstone v2 01/18] linux-yocto/5.15: update to v5.15.200
From: Yoann Congal @ 2026-04-07  7:13 UTC
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.15 to the latest korg -stable release that comprises
the following commits:

    e45d5d41c1343 Linux 5.15.200
    7ca5540ba6239 riscv: Replace function-like macro by static inline function
    cbae610ca9e27 nvmet-tcp: pass iov_len instead of sg->length to bvec_set_page()
    6a04dc650cef8 spi: tegra: Fix a memory leak in tegra_slink_probe()
    c7a02a814dc51 spi: tegra210-quad: Protect curr_xfer clearing in tegra_qspi_non_combined_seq_xfer
    9fa4262a80f75 spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
    55dfe2687a496 spi: tegra210-quad: Protect curr_xfer assignment in tegra_qspi_setup_transfer_one
    eebd79beb268c spi: tegra210-quad: Move curr_xfer read inside spinlock
    4f9e7de7a6b8f spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed transfer
    b34289505180a iommu: disable SVA when CONFIG_X86 is set
    1ecf6dc2676ea Bluetooth: hci_event: call disconnect callback before deleting conn
    214b85b9b7187 gve: Correct ethtool rx_dropped calculation
    9d93332397405 gve: Fix stats report corruption on queue count change
    8aa1b0bc65967 tracing: Fix ftrace event field alignments
    c3c5cfa3170c0 gfs2: Fix NULL pointer dereference in gfs2_log_flush
    343fe375a8dd6 hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
    be6d98766ac95 riscv: uprobes: Add missing fence.i after building the XOL buffer
    d7ead65126504 ASoC: amd: fix memory leak in acp3x pdm dma ops
    42afe8ed8ad2d nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
    4c09184f08ce6 nvmet-tcp: don't map pages which can't come from HIGHMEM
    15e329ce1a957 nvmet-tcp: fix regression in data_digest calculation
    1a5c3c99efa11 nvmet-tcp: fix memory leak when performing a controller reset
    367fd132df419 nvmet-tcp: add an helper to free the cmd buffers
    8c760ba4e36c7 netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
    166f29d4af575 hwmon: (occ) Mark occ_init_attribute() as __printf
    3f531122a5801 tipc: use kfree_sensitive() for session key material
    5dae6b36a7cb7 macvlan: fix error recovery in macvlan_common_newlink()
    77611cab5bdff dpaa2-switch: add bounds check for if_id in IRQ handler
    01fbca1e93ec3 net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup
    d86c58eb005eb net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
    c81a8515fb8c8 net: liquidio: Initialize netdev pointer before queue setup
    2fcccca88456b dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
    c01cc6fe06cf2 platform/x86: intel_telemetry: Fix PSS event register mask
    5bce10f0f9435 platform/x86: toshiba_haps: Fix memory leaks in add/remove routines
    193f087207ad8 wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice
    8518f072fc929 scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
    fd8b090017330 scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
    c85c9de39cd5d wifi: cfg80211: Fix bitrate calculation overflow for HE rates
    15e9607df7925 ASoC: tlv320adcx140: Propagate error codes during probe
    1525f1068295f ASoC: davinci-evm: Fix reference leak in davinci_evm_probe
    536238ba39829 wifi: mac80211: collect station statistics earlier when disconnect
    6e4cc9e399952 ring-buffer: Avoid softlockup in ring_buffer_resize() during memory free
    16c2ca35257ed HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101)
    04485e691d8ca HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list
    67e06e8a77c1a netfilter: replace -EEXIST with -EBUSY
    e9aefab3b7eb4 ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk
    2d8af4db1f209 HID: playstation: Center initial joystick axes to prevent spurious events
    d21497331b967 HID: intel-ish-hid: Reset enum_devices_done before enumeration
    d5cce2ec0e985 HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL
    a2c68e256fb7a smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()
    e5dd6a58a52d5 block,bfq: fix aux stat accumulation destination
    64240689acff8 net: usb: sr9700: support devices with virtual driver CD
    cd89a4656c03f wifi: wlcore: ensure skb headroom before skb_push
    b04c75366a547 wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
    9a6cdfd7b6aaa binderfs: fix ida_alloc_max() upper bound
    ba43ac025c431 timers: Fix NULL function pointer race in timer_shutdown_sync()
    f24f9ea7d69ef Bluetooth: hci_qca: Fix the teardown problem for real
    e7f1ca8ea41ab timers: Update the documentation to reflect on the new timer_shutdown() API
    36bdfa51a1ad7 timers: Provide timer_shutdown[_sync]()
    debbcf812d735 timers: Add shutdown mechanism to the internal functions
    21ca3ee3f6faa timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
    a7035e7d720f8 timers: Silently ignore timers with a NULL function
    e45a52685b335 Documentation: Replace del_timer/del_timer_sync()
    29d5751350cdf timers: Rename del_timer() to timer_delete()
    a431c4c27ee05 timers: Replace BUG_ON()s
    d2736470196f2 timers: Get rid of del_singleshot_timer_sync()
    9b78a3b948bb6 clocksource/drivers/sp804: Do not use timer namespace for timer_shutdown() function
    a97b47fed39d9 clocksource/drivers/arm_arch_timer: Do not use timer namespace for timer_shutdown() function
    b03eb334c42ea ARM: spear: Do not use timer namespace for timer_shutdown() function
    7bcf91585f3b1 Documentation: Remove bogus claim about del_timer_sync()
    4abccfb61f422 netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
    d6ae339f18099 mm/kfence: randomize the freelist on initialization
    2284bc168b148 KVM: Don't clobber irqfd routing type when deassigning irqfd
    a550cc2564cab ARM: 9468/1: fix memset64() on big-endian
    5928ca551e361 rbd: check for EOD after exclusive lock is ensured to be held
    446d7283cffa5 platform/x86: intel_telemetry: Fix swapped arrays in PSS output
    674ebe2d6fe59 x86/kfence: fix booting on 32bit non-PAE systems

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../linux/linux-yocto-rt_5.15.bb              |  6 ++---
 .../linux/linux-yocto-tiny_5.15.bb            |  6 ++---
 meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++++++++----------
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index e23c8bf88ab..526f3c64b7d 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "27c8048897d9d7ff1ed6d2643cbc024eb13ae342"
-SRCREV_meta ?= "78eca082b68ad521c3bb9a1f9f0325e044045f18"
+SRCREV_machine ?= "671f06e26c741b7d55d8afcc30e64f1480cec166"
+SRCREV_meta ?= "b75d71b7f2455467f2260d514040ccb44d4bdda5"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.15.199"
+LINUX_VERSION ?= "5.15.200"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index 21233285b57..1eeda2e22ca 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.15.199"
+LINUX_VERSION ?= "5.15.200"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine ?= "7b20eb2129d25bb2a1cb963d30c2f3adb1e144b3"
-SRCREV_meta ?= "78eca082b68ad521c3bb9a1f9f0325e044045f18"
+SRCREV_machine ?= "0d4112b87ce7dd038dc712ef616c0b6dd333c786"
+SRCREV_meta ?= "b75d71b7f2455467f2260d514040ccb44d4bdda5"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index 861af0041af..5f8bfba396e 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -14,24 +14,24 @@ KBRANCH:qemux86  ?= "v5.15/standard/base"
 KBRANCH:qemux86-64 ?= "v5.15/standard/base"
 KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
 
-SRCREV_machine:qemuarm ?= "0ea8d4a7d24642475c1d1e0d8be44976600eb630"
-SRCREV_machine:qemuarm64 ?= "33aae9ebda82736fc0246e4d2bd7967bb7ef492a"
-SRCREV_machine:qemumips ?= "0d159686c17443503bc7b59f25b5129c8543193d"
-SRCREV_machine:qemuppc ?= "c8e213f83bae4792c1042bdcedd46fa60963c69b"
-SRCREV_machine:qemuriscv64 ?= "e7bbf58a0f6828ffb92109eb423eb3d1327f091a"
-SRCREV_machine:qemuriscv32 ?= "e7bbf58a0f6828ffb92109eb423eb3d1327f091a"
-SRCREV_machine:qemux86 ?= "e7bbf58a0f6828ffb92109eb423eb3d1327f091a"
-SRCREV_machine:qemux86-64 ?= "e7bbf58a0f6828ffb92109eb423eb3d1327f091a"
-SRCREV_machine:qemumips64 ?= "58c96e47bbd784e078e265426b9276bad2bb7e22"
-SRCREV_machine ?= "e7bbf58a0f6828ffb92109eb423eb3d1327f091a"
-SRCREV_meta ?= "78eca082b68ad521c3bb9a1f9f0325e044045f18"
+SRCREV_machine:qemuarm ?= "44b7b6bdfaab20ab51f175aeb0df8c27791cc40d"
+SRCREV_machine:qemuarm64 ?= "d67ad97cb5d6a51184bd61853e3af7e044c7f1d4"
+SRCREV_machine:qemumips ?= "94fe5264de5b6ba6a5fab53b3f2283e36033e373"
+SRCREV_machine:qemuppc ?= "a065262f1076ca606ea8229f84b23c10be2680e7"
+SRCREV_machine:qemuriscv64 ?= "af4baa923d4f04a259e3199e9e63d9415bdf3e3a"
+SRCREV_machine:qemuriscv32 ?= "af4baa923d4f04a259e3199e9e63d9415bdf3e3a"
+SRCREV_machine:qemux86 ?= "af4baa923d4f04a259e3199e9e63d9415bdf3e3a"
+SRCREV_machine:qemux86-64 ?= "af4baa923d4f04a259e3199e9e63d9415bdf3e3a"
+SRCREV_machine:qemumips64 ?= "00831bab13b4320ee27e4ddc72b55542bfe75ec8"
+SRCREV_machine ?= "af4baa923d4f04a259e3199e9e63d9415bdf3e3a"
+SRCREV_meta ?= "b75d71b7f2455467f2260d514040ccb44d4bdda5"
 
 # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
 # get the <version>/base branch, which is pure upstream -stable, and the same
 # meta SRCREV as the linux-yocto-standard builds. Select your version using the
 # normal PREFERRED_VERSION settings.
 BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "7b232985052fcf6a78bf0f965aa4241c0678c2ba"
+SRCREV_machine:class-devupstream ?= "e45d5d41c1343aad8c7587a5b15d58e99aff4c8a"
 PN:class-devupstream = "linux-yocto-upstream"
 KBRANCH:class-devupstream = "v5.15/base"
 
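Review bot: SRCREV_machine:class-devupstream now points at e45d5d41c1343aad8c7587a5b15d58e99aff4c8a, whose short form e45d5d41c1343 is the "Linux 5.15.200" commit at the top of the list in the message, and SRCREV_meta b75d71b7f2455467f2260d514040ccb44d4bdda5 matches the value set in the linux-yocto-rt and linux-yocto-tiny hunks, so all three recipes move to the same kernel-cache revision; nothing to change here.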
@@ -39,7 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.199"
+LINUX_VERSION ?= "5.15.200"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"



* [OE-core][kirkstone v2 02/18] linux-yocto/5.15: update to v5.15.201
From: Yoann Congal @ 2026-04-07  7:13 UTC
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.15 to the latest korg -stable release that comprises
the following commits:

    3330a8d33e08 Linux 5.15.201
    cfd5eadd051a USB: serial: option: add Telit FN920C04 RNDIS compositions
    438a405fbad6 f2fs: fix out-of-bounds access in sysfs attribute read/write
    2f67ff1e15a8 f2fs: fix to avoid UAF in f2fs_write_end_io()
    6167af934f95 fbdev: smscufx: properly copy ioctl memory to kernelspace
    52916878db2b fbdev: rivafb: fix divide error in nv3_arb()
    fa9fb38f5fe9 PCI: endpoint: Avoid creating sub-groups asynchronously
    7036aff5a5e8 PCI: endpoint: Remove unused field in struct pci_epf_group
    8055827352b7 PCI: endpoint: Automatically create a function specific attributes group
    b74408de1f22 scsi: qla2xxx: Free sp in error path to fix system crash
    794563147038 scsi: qla2xxx: Reduce fabric scan duplicate code
    23507a811081 scsi: qla2xxx: Remove dead code (GNN ID)
    da9939b1ed8b scsi: qla2xxx: Use named initializers for port_[d]state_str
    f2bbb4db0e4a scsi: qla2xxx: Fix bsg_done() causing double free
    c71dfb7833db bus: fsl-mc: fix use-after-free in driver_override_show()
    38770e103e4e bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
    6dd2645cf080 smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()
    dc5f09466448 crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req
    338d40bab283 mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
    ec7b6a042414 selftests: mptcp: pm: ensure unknown flags are ignored
    51df5513cca6 net: dsa: free routing table on probe failure
    4a6e4c56721a smb: client: set correct id, uid and cruid for multiuser automounts
    b0bb67385480 btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
    cfdb22762f90 Revert "wireguard: device: enable threaded NAPI"
    20c83788eafe gpiolib: acpi: Fix gpio count with string references
    612ffe1f4f04 ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()
    ff96318c22fa platform/x86: panasonic-laptop: Fix sysfs group leak in error path
    af673209d43b platform/x86: classmate-laptop: Add missing NULL pointer checks
    72f97ee4950d drm/tegra: hdmi: sor: Fix error: variable ‘j’ set but not used
    f2521ab1f63a romfs: check sb_set_blocksize() return value
    f14e997a372a gpio: sprd: Change sprd_gpio lock to raw_spin_lock
    1fe2603fb171 ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU
    86588916e188 gpio: omap: do not register driver in probe()
    7e0b2cdbe660 scsi: qla2xxx: Query FW again before proceeding with login
    891f9969a29e scsi: qla2xxx: Delay module unload while fabric scan in progress
    a46f81c1e627 scsi: qla2xxx: Validate sp before freeing associated memory
    ba18e5f22f26 nilfs2: Fix potential block overflow that cause system hang
    8ee8ccfd60bf crypto: virtio - Add spinlock protection with virtqueue notification
    31aff96a41ae crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly
    a60b17cedb44 crypto: octeontx - Fix length check to avoid truncation in ucode_load_store

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../linux/linux-yocto-rt_5.15.bb              |  4 ++--
 .../linux/linux-yocto-tiny_5.15.bb            |  4 ++--
 meta/recipes-kernel/linux/linux-yocto_5.15.bb | 24 +++++++++----------
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index 526f3c64b7d..ea763ce9aa1 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "671f06e26c741b7d55d8afcc30e64f1480cec166"
+SRCREV_machine ?= "46e4e1200a4fa889438a2cc62151bb7f1057421a"
 SRCREV_meta ?= "b75d71b7f2455467f2260d514040ccb44d4bdda5"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.15.200"
+LINUX_VERSION ?= "5.15.201"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index 1eeda2e22ca..56853f481fa 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.15.200"
+LINUX_VERSION ?= "5.15.201"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,7 +14,7 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine ?= "0d4112b87ce7dd038dc712ef616c0b6dd333c786"
+SRCREV_machine ?= "5ae014d6b48449ae38584cc174ef362f6582a8fc"
 SRCREV_meta ?= "b75d71b7f2455467f2260d514040ccb44d4bdda5"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index 5f8bfba396e..176d17e5736 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -14,16 +14,16 @@ KBRANCH:qemux86  ?= "v5.15/standard/base"
 KBRANCH:qemux86-64 ?= "v5.15/standard/base"
 KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
 
-SRCREV_machine:qemuarm ?= "44b7b6bdfaab20ab51f175aeb0df8c27791cc40d"
-SRCREV_machine:qemuarm64 ?= "d67ad97cb5d6a51184bd61853e3af7e044c7f1d4"
-SRCREV_machine:qemumips ?= "94fe5264de5b6ba6a5fab53b3f2283e36033e373"
-SRCREV_machine:qemuppc ?= "a065262f1076ca606ea8229f84b23c10be2680e7"
-SRCREV_machine:qemuriscv64 ?= "af4baa923d4f04a259e3199e9e63d9415bdf3e3a"
-SRCREV_machine:qemuriscv32 ?= "af4baa923d4f04a259e3199e9e63d9415bdf3e3a"
-SRCREV_machine:qemux86 ?= "af4baa923d4f04a259e3199e9e63d9415bdf3e3a"
-SRCREV_machine:qemux86-64 ?= "af4baa923d4f04a259e3199e9e63d9415bdf3e3a"
-SRCREV_machine:qemumips64 ?= "00831bab13b4320ee27e4ddc72b55542bfe75ec8"
-SRCREV_machine ?= "af4baa923d4f04a259e3199e9e63d9415bdf3e3a"
+SRCREV_machine:qemuarm ?= "9750e854c9e92d55a2cb042c5ce72e712b24217d"
+SRCREV_machine:qemuarm64 ?= "8634ca1dd87be9b55bd383dc8636b73b82a28051"
+SRCREV_machine:qemumips ?= "54eca1788efd507120c9dc08681a6a31038513a1"
+SRCREV_machine:qemuppc ?= "3a3a4ecdcebb4d3deaa8b5c4ec3e167d5f31305c"
+SRCREV_machine:qemuriscv64 ?= "b5ccd2e275c9b68e5dc564b6febeaae8dda42bc5"
+SRCREV_machine:qemuriscv32 ?= "b5ccd2e275c9b68e5dc564b6febeaae8dda42bc5"
+SRCREV_machine:qemux86 ?= "b5ccd2e275c9b68e5dc564b6febeaae8dda42bc5"
+SRCREV_machine:qemux86-64 ?= "b5ccd2e275c9b68e5dc564b6febeaae8dda42bc5"
+SRCREV_machine:qemumips64 ?= "e643e82fef4b4352b8f6ddf802181526edc806ca"
+SRCREV_machine ?= "b5ccd2e275c9b68e5dc564b6febeaae8dda42bc5"
 SRCREV_meta ?= "b75d71b7f2455467f2260d514040ccb44d4bdda5"
 
 # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
@@ -31,7 +31,7 @@ SRCREV_meta ?= "b75d71b7f2455467f2260d514040ccb44d4bdda5"
 # meta SRCREV as the linux-yocto-standard builds. Select your version using the
 # normal PREFERRED_VERSION settings.
 BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "e45d5d41c1343aad8c7587a5b15d58e99aff4c8a"
+SRCREV_machine:class-devupstream ?= "3330a8d33e086f76608bb4e80a3dc569d04a8814"
 PN:class-devupstream = "linux-yocto-upstream"
 KBRANCH:class-devupstream = "v5.15/base"
 
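Review bot: SRCREV_machine:class-devupstream 3330a8d33e086f76608bb4e80a3dc569d04a8814 corresponds to the "3330a8d33e08 Linux 5.15.201" commit listed in the message, and SRCREV_meta is left as an unchanged context line (b75d71b7f2455467f2260d514040ccb44d4bdda5), so this bump reuses the kernel-cache revision from the 5.15.200 update; that is fine as long as no kernel-cache change is expected for this -stable release.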
@@ -39,7 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.200"
+LINUX_VERSION ?= "5.15.201"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"



* [OE-core][kirkstone v2 03/18] create-pull-request: Keep commit hash to be pulled in cover email
From: Yoann Congal @ 2026-04-07  7:13 UTC
  To: openembedded-core

From: Paul Barker <paul@pbarker.dev>

The cover email mangling in create-pull-request was cutting off the
actual commit hash to be pulled, making it difficult to verify that the
changes a maintainer merges exactly match those intended by the pull
request author.

The extra lines we want to include are, for example from a recent
whinlatter stable branch PR:

    for you to fetch changes up to 6c4c6d39ea3202d756acc13f8ce81b114a468541:

      cups: upgrade from 2.4.14 to 2.4.15 (2025-12-29 09:49:31 -0800)

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c78f5ae4a5ba3675b78cc226feb7b9fbbfd8da19)
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 scripts/create-pull-request | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/create-pull-request b/scripts/create-pull-request
index 885105fab3d..5c4414ecd5f 100755
--- a/scripts/create-pull-request
+++ b/scripts/create-pull-request
@@ -219,7 +219,7 @@ fi
 
 # The cover letter already has a diffstat, remove it from the pull-msg
 # before inserting it.
-sed -n "0,\#$REMOTE_URL# p" "$PM" | sed -i "/BLURB HERE/ r /dev/stdin" "$CL"
+sed -n "0,\#^----------------------------------------------------------------# p" "$PM" | sed -i "/BLURB HERE/ r /dev/stdin" "$CL"
 rm "$PM"
 
 # If this is an RFC, make that clear in the cover letter
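Review bot: the `0,\#^----...#` address is an inclusive range, so the dash separator line is now copied into the cover letter right after the "for you to fetch changes up to <hash>" block, and if a pull-msg ever lacks that separator the range runs to end of file and the diffstat that the comment above says to strip is inserted after all; if the separator is not wanted, a trailing `sed '$d'` on the extracted text would drop it. The `0,/re/` address is a GNU sed extension, but the replaced expression already relied on it, so portability is unchanged.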


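To see what the two sed ranges actually keep, here is an added shell example (not part of create-pull-request or of this series) that runs the old and the new expression over a constructed `git request-pull` style message; the hashes, dates, branch name and author are made up, and GNU sed is assumed, as the script itself assumes.

```shell
#!/bin/sh
# Added example: compare the old and new cover-letter extraction ranges from
# the create-pull-request change on a constructed pull-msg. Assumes GNU sed
# (the 0,/re/ address form), like the script being patched.

# Illustrative remote URL; it only has to appear in the message below.
REMOTE_URL="https://git.openembedded.org/openembedded-core-contrib"

# Constructed sample in the shape of the pull-msg ($PM) that the script parses:
# header, "fetch changes up to <hash>" block, separator, shortlog, diffstat.
pull_msg() {
    cat <<EOF
The following changes since commit 0000000000000000000000000000000000000000:

  example: previous head (2026-01-01 00:00:00 +0000)

are available in the Git repository at:

  $REMOTE_URL stable/example-branch

for you to fetch changes up to 1111111111111111111111111111111111111111:

  example: topmost commit to be pulled (2026-01-02 00:00:00 +0000)

----------------------------------------------------------------
Example Author (1):
  example: topmost commit to be pulled

 example.txt | 1 +
 1 file changed, 1 insertion(+)
EOF
}

# Old expression: print from line 0 up to (and including) the first line
# matching $REMOTE_URL, which stops before the hash to be pulled.
extract_old() {
    pull_msg | sed -n "0,\#$REMOTE_URL# p"
}

# New expression: print up to (and including) the dash separator that precedes
# the shortlog and diffstat, so the hash and top commit line are kept.
extract_new() {
    pull_msg | sed -n "0,\#^----------------------------------------------------------------# p"
}

# Count lines of a function's output matching a pattern (always exits 0,
# printing 0 when there is no match).
count_lines() {
    "$1" | grep -c -- "$2" || true
}

# Show both extractions when run directly.
printf '== old range ==\n'
extract_old
printf '== new range ==\n'
extract_new
```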

* [OE-core][kirkstone v2 04/18] README.OE-Core: update contributor links and add kirkstone prefix
From: Yoann Congal @ 2026-04-07  7:13 UTC
  To: openembedded-core

From: Fabien Thomas <fabien.thomas@smile.fr>

The current README points to an old Wiki page. Update this to the
Yocto documentation.

Additionally, add a helper command for git-send-email that includes
the 'kirkstone' subject prefix to ensure patches are correctly
identified by the maintainers and CI.

Suggested-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 README.OE-Core.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.OE-Core.md b/README.OE-Core.md
index 2f2127fb03a..8a724dd6d0a 100644
--- a/README.OE-Core.md
+++ b/README.OE-Core.md
@@ -16,9 +16,13 @@ which can be found at:
 Contributing
 ------------
 
-Please refer to
-https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
-for guidelines on how to submit patches.
+Please refer to our contributor guide here: https://docs.yoctoproject.org/dev/contributor-guide/
+for full details on how to submit changes.
+
+As a quick guide, patches should be sent to openembedded-core@lists.openembedded.org
+The git command to do that would be:
+
+     git send-email -M -1 --to openembedded-core@lists.openembedded.org --subject-prefix='kirkstone][PATCH'
 
 Mailing list:
 
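Review bot: the "As a quick guide, patches should be sent to openembedded-core@lists.openembedded.org" line ends without a period before "The git command to do that would be:", and `--subject-prefix='kirkstone][PATCH'` looks like unbalanced brackets unless the reader knows git wraps the prefix in "[" and "]" to produce "[kirkstone][PATCH]" (the convention every subject in this series uses); a one-line comment above the command, for example "# git adds the surrounding brackets, giving [kirkstone][PATCH]", would keep someone from "correcting" it.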



* [OE-core][kirkstone v2 05/18] libtheora: mark CVE-2024-56431 as not vulnerable yet
From: Yoann Congal @ 2026-04-07  7:13 UTC
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

CVE patch [1] applies only on the main branch, which is the base for 1.2.x.
Branch 1.1 has a different initial commit and does not contain the
vulnerable code where the CVE patch applies.

Also Debian [2] marked 1.1 as not vulnerable.

[1] https://gitlab.xiph.org/xiph/theora/-/commit/5665f86b8fd8345bb09469990e79221562ac204b
[2] https://security-tracker.debian.org/tracker/CVE-2024-56431

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>

Picked from scarthgap commit 07f35d022b88ab4d297d0252f9909e252b7e4cfe
Reworked from CVE_STATUS to CVE_CHECK_IGNORE

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb b/meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb
index ad0be85559b..4066bb1513b 100644
--- a/meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb
+++ b/meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb
@@ -22,3 +22,6 @@ CVE_PRODUCT = "theora"
 inherit autotools pkgconfig
 
 EXTRA_OECONF = "--disable-examples"
+
+# fixed-version:branch 1.1 is not affected, vulnerable code is not present yet
+CVE_CHECK_IGNORE += "CVE-2024-56431"
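Review bot: the comment above the new `CVE_CHECK_IGNORE` line keeps a `fixed-version:` tag (with no space after the colon) that only made sense in the `CVE_STATUS` syntax this was reworked from; in kirkstone it is just a comment, and it drops the evidence the commit message gives. Suggest a plain comment that carries the reference so the exclusion can be re-verified later, e.g. `# Branch 1.1 is not affected: the vulnerable code is not present (see https://security-tracker.debian.org/tracker/CVE-2024-56431)`.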



* [OE-core][kirkstone v2 06/18] tzdata,tzcode-native: Upgrade 2025b -> 2025c
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

This release mostly changes code and commentary. The only changed data
are leap second table expiration and pre-1976 time in Baja California.

Full release notes:
  https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TAGXKYLMAQRZRFTERQ33CEKOW7KRJVAK/

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 452334219309793ad74abd6ff390dcb06cab929b)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-extended/timezone/timezone.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index bb81d77ccc5..1c08d4b1023 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
 LICENSE = "PD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2025b"
+PV = "2025c"
 
 SRC_URI =" https://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \
            https://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \
@@ -16,5 +16,5 @@ S = "${WORKDIR}/tz"
 
 UPSTREAM_CHECK_URI = "https://www.iana.org/time-zones"
 
-SRC_URI[tzcode.sha256sum] = "05f8fedb3525ee70d49c87d3fae78a8a0dbae4fe87aa565c65cda9948ae135ec"
-SRC_URI[tzdata.sha256sum] = "11810413345fc7805017e27ea9fa4885fd74cd61b2911711ad038f5d28d71474"
+SRC_URI[tzcode.sha256sum] = "697ebe6625444aef5080f58e49d03424bbb52e08bf483d3ddb5acf10cbd15740"
+SRC_URI[tzdata.sha256sum] = "4aa79e4effee53fc4029ffe5f6ebe97937282ebcdf386d5d2da91ce84142f957"
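Review bot: the two replaced sha256sums are the only thing tying this recipe to the genuine 2025c tarballs, so the commit message should say they were checked against the upstream signatures published alongside the tarballs (or the values in the linked release announcement) rather than computed from whatever the fetcher downloaded; the release-notes link is already there, so this is a one-line addition.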



* [OE-core][kirkstone v2 07/18] tzdata/tzcode-native: upgrade 2025c -> 2026a
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Jinfeng Wang <jinfeng.wang.cn@windriver.com>

Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 217ede26d64901d9a38fc119efa684487714c08a)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-extended/timezone/timezone.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index 1c08d4b1023..c498c0c9ffa 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
 LICENSE = "PD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2025c"
+PV = "2026a"
 
 SRC_URI =" https://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \
            https://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \
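Review bot: missing documentation: unlike the 2025c bump earlier in this series, this commit message has no summary of what changed in the 2026a data and no link to the release announcement, so a reader of the kirkstone history cannot tell whether the upgrade alters any zone rules. Suggest adding a short summary plus the tz-announce link, in the same form as the previous patch.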
@@ -16,5 +16,5 @@ S = "${WORKDIR}/tz"
 
 UPSTREAM_CHECK_URI = "https://www.iana.org/time-zones"
 
-SRC_URI[tzcode.sha256sum] = "697ebe6625444aef5080f58e49d03424bbb52e08bf483d3ddb5acf10cbd15740"
-SRC_URI[tzdata.sha256sum] = "4aa79e4effee53fc4029ffe5f6ebe97937282ebcdf386d5d2da91ce84142f957"
+SRC_URI[tzcode.sha256sum] = "f80a17a2eddd2b54041f9c98d75b0aa8038b016d7c5de72892a146d9938740e1"
+SRC_URI[tzdata.sha256sum] = "77b541725937bb53bd92bd484c0b43bec8545e2d3431ee01f04ef8f2203ba2b7"



* [OE-core][kirkstone v2 08/18] python3: upgrade 3.10.19 -> 3.10.20
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Drop upstreamed patches.

Release information:
* https://www.python.org/downloads/release/python-31020/
* The release you're looking at is Python 3.10.20, a security bugfix release for the legacy 3.10 series.

Handles CVE-2024-6923 CVE-2025-6075 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837
CVE-2025-15282 CVE-2025-59375 CVE-2026-0865 CVE-2026-24515 CVE-2026-25210

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
[YC: rebased on top of kirkstone]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../python/python3/CVE-2025-12084.patch       | 171 --------
 .../python/python3/CVE-2025-13836.patch       | 163 --------
 .../python/python3/CVE-2025-13837.patch       | 162 --------
 .../python/python3/CVE-2025-6075.patch        | 364 ------------------
 ...{python3_3.10.19.bb => python3_3.10.20.bb} |   6 +-
 5 files changed, 1 insertion(+), 865 deletions(-)
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-12084.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13836.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13837.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-6075.patch
 rename meta/recipes-devtools/python/{python3_3.10.19.bb => python3_3.10.20.bb} (98%)

diff --git a/meta/recipes-devtools/python/python3/CVE-2025-12084.patch b/meta/recipes-devtools/python/python3/CVE-2025-12084.patch
deleted file mode 100644
index 0c9bb435edf..00000000000
--- a/meta/recipes-devtools/python/python3/CVE-2025-12084.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From c97e87593063d84a2bd9fe7068b30eb44de23dc0 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Sun, 25 Jan 2026 18:10:49 +0100
-Subject: [PATCH] [3.10] gh-142145: Remove quadratic behavior in node ID cache
- clearing (GH-142146) (#142213)
-
-* gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
-
-* Remove quadratic behavior in node ID cache clearing
-
-Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
-
-* Add news fragment
-
-CVE: CVE-2025-12084
-Upstream-Status: Backport [https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----------
-(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
-
-Co-authored-by: Seth Michael Larson <seth@python.org>
-Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
-
-* [3.14] gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794) (#142818)
-
-gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
-(cherry picked from commit 1cc7551b3f9f71efbc88d96dce90f82de98b2454)
-
-Co-authored-by: Petr Viktorin <encukou@gmail.com>
-Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
-
-* gh-142145: relax the no-longer-quadratic test timing (GH-143030)
-
-* gh-142145: relax the no-longer-quadratic test timing
-
-* require cpu resource
-(cherry picked from commit 8d2d7bb2e754f8649a68ce4116271a4932f76907)
-
-Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
-
-* merge NEWS entries into one
-
----------
-
-Co-authored-by: Seth Michael Larson <seth@python.org>
-Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
-Co-authored-by: Petr Viktorin <encukou@gmail.com>
-Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
-Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
-Co-authored-by: Gregory P. Smith <greg@krypto.org>
----
- Lib/test/test_minidom.py                      | 33 ++++++++++++++++++-
- Lib/xml/dom/minidom.py                        | 11 ++-----
- ...-12-01-09-36-45.gh-issue-142145.tcAUhg.rst |  6 ++++
- 3 files changed, 41 insertions(+), 9 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
-
-diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
-index ef38c36210..c68bd990f7 100644
---- a/Lib/test/test_minidom.py
-+++ b/Lib/test/test_minidom.py
-@@ -2,6 +2,7 @@
- 
- import copy
- import pickle
-+import time
- import io
- from test import support
- import unittest
-@@ -9,7 +10,7 @@ import unittest
- import pyexpat
- import xml.dom.minidom
- 
--from xml.dom.minidom import parse, Attr, Node, Document, parseString
-+from xml.dom.minidom import parse, Attr, Node, Document, Element, parseString
- from xml.dom.minidom import getDOMImplementation
- from xml.parsers.expat import ExpatError
- 
-@@ -177,6 +178,36 @@ class MinidomTest(unittest.TestCase):
-         self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
-         dom.unlink()
- 
-+    @support.requires_resource('cpu')
-+    def testAppendChildNoQuadraticComplexity(self):
-+        impl = getDOMImplementation()
-+
-+        newdoc = impl.createDocument(None, "some_tag", None)
-+        top_element = newdoc.documentElement
-+        children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
-+        element = top_element
-+
-+        start = time.monotonic()
-+        for child in children:
-+            element.appendChild(child)
-+            element = child
-+        end = time.monotonic()
-+
-+        # This example used to take at least 30 seconds.
-+        # Conservative assertion due to the wide variety of systems and
-+        # build configs timing based tests wind up run under.
-+        # A --with-address-sanitizer --with-pydebug build on a rpi5 still
-+        # completes this loop in <0.5 seconds.
-+        self.assertLess(end - start, 4)
-+
-+    def testSetAttributeNodeWithoutOwnerDocument(self):
-+        # regression test for gh-142754
-+        elem = Element("test")
-+        attr = Attr("id")
-+        attr.value = "test-id"
-+        elem.setAttributeNode(attr)
-+        self.assertEqual(elem.getAttribute("id"), "test-id")
-+
-     def testAppendChildFragment(self):
-         dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
-         dom.documentElement.appendChild(frag)
-diff --git a/Lib/xml/dom/minidom.py b/Lib/xml/dom/minidom.py
-index ef8a159833..cada981f39 100644
---- a/Lib/xml/dom/minidom.py
-+++ b/Lib/xml/dom/minidom.py
-@@ -292,13 +292,6 @@ def _append_child(self, node):
-     childNodes.append(node)
-     node.parentNode = self
- 
--def _in_document(node):
--    # return True iff node is part of a document tree
--    while node is not None:
--        if node.nodeType == Node.DOCUMENT_NODE:
--            return True
--        node = node.parentNode
--    return False
- 
- def _write_data(writer, data):
-     "Writes datachars to writer."
-@@ -355,6 +348,7 @@ class Attr(Node):
-     def __init__(self, qName, namespaceURI=EMPTY_NAMESPACE, localName=None,
-                  prefix=None):
-         self.ownerElement = None
-+        self.ownerDocument = None
-         self._name = qName
-         self.namespaceURI = namespaceURI
-         self._prefix = prefix
-@@ -680,6 +674,7 @@ class Element(Node):
- 
-     def __init__(self, tagName, namespaceURI=EMPTY_NAMESPACE, prefix=None,
-                  localName=None):
-+        self.ownerDocument = None
-         self.parentNode = None
-         self.tagName = self.nodeName = tagName
-         self.prefix = prefix
-@@ -1539,7 +1534,7 @@ def _clear_id_cache(node):
-     if node.nodeType == Node.DOCUMENT_NODE:
-         node._id_cache.clear()
-         node._id_search_stack = None
--    elif _in_document(node):
-+    elif node.ownerDocument:
-         node.ownerDocument._id_cache.clear()
-         node.ownerDocument._id_search_stack= None
- 
-diff --git a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
-new file mode 100644
-index 0000000000..05c7df35d1
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
-@@ -0,0 +1,6 @@
-+Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.  In order
-+to do this without breaking existing users, we also add the *ownerDocument*
-+attribute to :mod:`xml.dom.minidom` elements and attributes created by directly
-+instantiating the ``Element`` or ``Attr`` class. Note that this way of creating
-+nodes is not supported; creator functions like
-+:py:meth:`xml.dom.Document.documentElement` should be used instead.
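Review bot: dropping this file is consistent with the rest of the change: its header records CVE-2025-12084 and upstream commit c97e87593063d84a2bd9fe7068b30eb44de23dc0, and CVE-2025-12084 appears in the "Handles" list of the commit message. The generic "Drop upstreamed patches" line is thin for a security-relevant removal, though: suggest listing the four removed patch files against their CVE ids (CVE-2025-12084, CVE-2025-13836, CVE-2025-13837, CVE-2025-6075) so a reviewer can confirm nothing is silently lost, and confirming that the gh-142754 ownerDocument change folded into this backport is also present in 3.10.20, since the cover text only lists CVE ids.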
diff --git a/meta/recipes-devtools/python/python3/CVE-2025-13836.patch b/meta/recipes-devtools/python/python3/CVE-2025-13836.patch
deleted file mode 100644
index c4387b60194..00000000000
--- a/meta/recipes-devtools/python/python3/CVE-2025-13836.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From 289f29b0fe38baf2d7cb5854f4bb573cc34a6a15 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Fri, 5 Dec 2025 16:21:57 +0100
-Subject: [PATCH] [3.13] gh-119451: Fix a potential denial of service in
- http.client (GH-119454) (#142139)
-
-gh-119451: Fix a potential denial of service in http.client (GH-119454)
-
-Reading the whole body of the HTTP response could cause OOM if
-the Content-Length value is too large even if the server does not send
-a large amount of data. Now the HTTP client reads large data by chunks,
-therefore the amount of consumed memory is proportional to the amount
-of sent data.
-(cherry picked from commit 5a4c4a033a4a54481be6870aa1896fad732555b5)
-
-CVE: CVE-2025-13836
-Upstream-Status: Backport [https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15]
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- Lib/http/client.py                            | 28 ++++++--
- Lib/test/test_httplib.py                      | 66 +++++++++++++++++++
- ...-05-23-11-47-48.gh-issue-119451.qkJe9-.rst |  5 ++
- 3 files changed, 95 insertions(+), 4 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
-
-diff --git a/Lib/http/client.py b/Lib/http/client.py
-index d1b7b10..c8ab5b7 100644
---- a/Lib/http/client.py
-+++ b/Lib/http/client.py
-@@ -111,6 +111,11 @@ responses = {v: v.phrase for v in http.HTTPStatus.__members__.values()}
- _MAXLINE = 65536
- _MAXHEADERS = 100
- 
-+# Data larger than this will be read in chunks, to prevent extreme
-+# overallocation.
-+_MIN_READ_BUF_SIZE = 1 << 20
-+
-+
- # Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
- #
- # VCHAR          = %x21-7E
-@@ -628,10 +633,25 @@ class HTTPResponse(io.BufferedIOBase):
-         reading. If the bytes are truly not available (due to EOF), then the
-         IncompleteRead exception can be used to detect the problem.
-         """
--        data = self.fp.read(amt)
--        if len(data) < amt:
--            raise IncompleteRead(data, amt-len(data))
--        return data
-+        cursize = min(amt, _MIN_READ_BUF_SIZE)
-+        data = self.fp.read(cursize)
-+        if len(data) >= amt:
-+            return data
-+        if len(data) < cursize:
-+            raise IncompleteRead(data, amt - len(data))
-+
-+        data = io.BytesIO(data)
-+        data.seek(0, 2)
-+        while True:
-+            # This is a geometric increase in read size (never more than
-+            # doubling out the current length of data per loop iteration).
-+            delta = min(cursize, amt - cursize)
-+            data.write(self.fp.read(delta))
-+            if data.tell() >= amt:
-+                return data.getvalue()
-+            cursize += delta
-+            if data.tell() < cursize:
-+                raise IncompleteRead(data.getvalue(), amt - data.tell())
- 
-     def _safe_readinto(self, b):
-         """Same as _safe_read, but for reading into a buffer."""
-diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
-index 77152cf..89ec5f6 100644
---- a/Lib/test/test_httplib.py
-+++ b/Lib/test/test_httplib.py
-@@ -1226,6 +1226,72 @@ class BasicTest(TestCase):
-         thread.join()
-         self.assertEqual(result, b"proxied data\n")
- 
-+    def test_large_content_length(self):
-+        serv = socket.create_server((HOST, 0))
-+        self.addCleanup(serv.close)
-+
-+        def run_server():
-+            [conn, address] = serv.accept()
-+            with conn:
-+                while conn.recv(1024):
-+                    conn.sendall(
-+                        b"HTTP/1.1 200 Ok\r\n"
-+                        b"Content-Length: %d\r\n"
-+                        b"\r\n" % size)
-+                    conn.sendall(b'A' * (size//3))
-+                    conn.sendall(b'B' * (size - size//3))
-+
-+        thread = threading.Thread(target=run_server)
-+        thread.start()
-+        self.addCleanup(thread.join, 1.0)
-+
-+        conn = client.HTTPConnection(*serv.getsockname())
-+        try:
-+            for w in range(15, 27):
-+                size = 1 << w
-+                conn.request("GET", "/")
-+                with conn.getresponse() as response:
-+                    self.assertEqual(len(response.read()), size)
-+        finally:
-+            conn.close()
-+            thread.join(1.0)
-+
-+    def test_large_content_length_truncated(self):
-+        serv = socket.create_server((HOST, 0))
-+        self.addCleanup(serv.close)
-+
-+        def run_server():
-+            while True:
-+                [conn, address] = serv.accept()
-+                with conn:
-+                    conn.recv(1024)
-+                    if not size:
-+                        break
-+                    conn.sendall(
-+                        b"HTTP/1.1 200 Ok\r\n"
-+                        b"Content-Length: %d\r\n"
-+                        b"\r\n"
-+                        b"Text" % size)
-+
-+        thread = threading.Thread(target=run_server)
-+        thread.start()
-+        self.addCleanup(thread.join, 1.0)
-+
-+        conn = client.HTTPConnection(*serv.getsockname())
-+        try:
-+            for w in range(18, 65):
-+                size = 1 << w
-+                conn.request("GET", "/")
-+                with conn.getresponse() as response:
-+                    self.assertRaises(client.IncompleteRead, response.read)
-+                conn.close()
-+        finally:
-+            conn.close()
-+            size = 0
-+            conn.request("GET", "/")
-+            conn.close()
-+            thread.join(1.0)
-+
-     def test_putrequest_override_domain_validation(self):
-         """
-         It should be possible to override the default validation
-diff --git a/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst b/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
-new file mode 100644
-index 0000000..6d6f25c
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
-@@ -0,0 +1,5 @@
-+Fix a potential memory denial of service in the :mod:`http.client` module.
-+When connecting to a malicious server, it could cause
-+an arbitrary amount of memory to be allocated.
-+This could have led to symptoms including a :exc:`MemoryError`, swapping, out
-+of memory (OOM) killed processes or containers, or even system crashes.
--- 
-2.50.1
-
diff --git a/meta/recipes-devtools/python/python3/CVE-2025-13837.patch b/meta/recipes-devtools/python/python3/CVE-2025-13837.patch
deleted file mode 100644
index 36bf75792bb..00000000000
--- a/meta/recipes-devtools/python/python3/CVE-2025-13837.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 5a8b19677d818fb41ee55f310233772e15aa1a2b Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Mon, 22 Dec 2025 15:49:44 +0200
-Subject: [PATCH] [3.12] gh-119342: Fix a potential denial of service in
- plistlib (GH-119343) (#142149)
-
-Reading a specially prepared small Plist file could cause OOM because file's
-read(n) preallocates a bytes object for reading the specified amount of
-data. Now plistlib reads large data by chunks, therefore the upper limit of
-consumed memory is proportional to the size of the input file.
-(cherry picked from commit 694922cf40aa3a28f898b5f5ee08b71b4922df70)
-
-CVE: CVE-2025-13837
-Upstream-Status: Backport [https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- Lib/plistlib.py                               | 31 ++++++++++------
- Lib/test/test_plistlib.py                     | 37 +++++++++++++++++--
- ...-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst |  5 +++
- 3 files changed, 59 insertions(+), 14 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
-
-diff --git a/Lib/plistlib.py b/Lib/plistlib.py
-index 3292c30d5f..c5554ea1f7 100644
---- a/Lib/plistlib.py
-+++ b/Lib/plistlib.py
-@@ -73,6 +73,9 @@ from xml.parsers.expat import ParserCreate
- PlistFormat = enum.Enum('PlistFormat', 'FMT_XML FMT_BINARY', module=__name__)
- globals().update(PlistFormat.__members__)
- 
-+# Data larger than this will be read in chunks, to prevent extreme
-+# overallocation.
-+_MIN_READ_BUF_SIZE = 1 << 20
- 
- class UID:
-     def __init__(self, data):
-@@ -499,12 +502,24 @@ class _BinaryPlistParser:
- 
-         return tokenL
- 
-+    def _read(self, size):
-+        cursize = min(size, _MIN_READ_BUF_SIZE)
-+        data = self._fp.read(cursize)
-+        while True:
-+            if len(data) != cursize:
-+                raise InvalidFileException
-+            if cursize == size:
-+                return data
-+            delta = min(cursize, size - cursize)
-+            data += self._fp.read(delta)
-+            cursize += delta
-+
-     def _read_ints(self, n, size):
--        data = self._fp.read(size * n)
-+        data = self._read(size * n)
-         if size in _BINARY_FORMAT:
-             return struct.unpack(f'>{n}{_BINARY_FORMAT[size]}', data)
-         else:
--            if not size or len(data) != size * n:
-+            if not size:
-                 raise InvalidFileException()
-             return tuple(int.from_bytes(data[i: i + size], 'big')
-                          for i in range(0, size * n, size))
-@@ -561,22 +576,16 @@ class _BinaryPlistParser:
- 
-         elif tokenH == 0x40:  # data
-             s = self._get_size(tokenL)
--            result = self._fp.read(s)
--            if len(result) != s:
--                raise InvalidFileException()
-+            result = self._read(s)
- 
-         elif tokenH == 0x50:  # ascii string
-             s = self._get_size(tokenL)
--            data = self._fp.read(s)
--            if len(data) != s:
--                raise InvalidFileException()
-+            data = self._read(s)
-             result = data.decode('ascii')
- 
-         elif tokenH == 0x60:  # unicode string
-             s = self._get_size(tokenL) * 2
--            data = self._fp.read(s)
--            if len(data) != s:
--                raise InvalidFileException()
-+            data = self._read(s)
-             result = data.decode('utf-16be')
- 
-         elif tokenH == 0x80:  # UID
-diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
-index fa46050658..229a5a242e 100644
---- a/Lib/test/test_plistlib.py
-+++ b/Lib/test/test_plistlib.py
-@@ -838,8 +838,7 @@ class TestPlistlib(unittest.TestCase):
- 
- class TestBinaryPlistlib(unittest.TestCase):
- 
--    @staticmethod
--    def decode(*objects, offset_size=1, ref_size=1):
-+    def build(self, *objects, offset_size=1, ref_size=1):
-         data = [b'bplist00']
-         offset = 8
-         offsets = []
-@@ -851,7 +850,11 @@ class TestBinaryPlistlib(unittest.TestCase):
-                            len(objects), 0, offset)
-         data.extend(offsets)
-         data.append(tail)
--        return plistlib.loads(b''.join(data), fmt=plistlib.FMT_BINARY)
-+        return b''.join(data)
-+
-+    def decode(self, *objects, offset_size=1, ref_size=1):
-+        data = self.build(*objects, offset_size=offset_size, ref_size=ref_size)
-+        return plistlib.loads(data, fmt=plistlib.FMT_BINARY)
- 
-     def test_nonstandard_refs_size(self):
-         # Issue #21538: Refs and offsets are 24-bit integers
-@@ -959,6 +962,34 @@ class TestBinaryPlistlib(unittest.TestCase):
-                 with self.assertRaises(plistlib.InvalidFileException):
-                     plistlib.loads(b'bplist00' + data, fmt=plistlib.FMT_BINARY)
- 
-+    def test_truncated_large_data(self):
-+        self.addCleanup(os_helper.unlink, os_helper.TESTFN)
-+        def check(data):
-+            with open(os_helper.TESTFN, 'wb') as f:
-+                f.write(data)
-+            # buffered file
-+            with open(os_helper.TESTFN, 'rb') as f:
-+                with self.assertRaises(plistlib.InvalidFileException):
-+                    plistlib.load(f, fmt=plistlib.FMT_BINARY)
-+            # unbuffered file
-+            with open(os_helper.TESTFN, 'rb', buffering=0) as f:
-+                with self.assertRaises(plistlib.InvalidFileException):
-+                    plistlib.load(f, fmt=plistlib.FMT_BINARY)
-+        for w in range(20, 64):
-+            s = 1 << w
-+            # data
-+            check(self.build(b'\x4f\x13' + s.to_bytes(8, 'big')))
-+            # ascii string
-+            check(self.build(b'\x5f\x13' + s.to_bytes(8, 'big')))
-+            # unicode string
-+            check(self.build(b'\x6f\x13' + s.to_bytes(8, 'big')))
-+            # array
-+            check(self.build(b'\xaf\x13' + s.to_bytes(8, 'big')))
-+            # dict
-+            check(self.build(b'\xdf\x13' + s.to_bytes(8, 'big')))
-+            # number of objects
-+            check(b'bplist00' + struct.pack('>6xBBQQQ', 1, 1, s, 0, 8))
-+
- 
- class TestKeyedArchive(unittest.TestCase):
-     def test_keyed_archive_data(self):
-diff --git a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
-new file mode 100644
-index 0000000000..04fd8faca4
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
-@@ -0,0 +1,5 @@
-+Fix a potential memory denial of service in the :mod:`plistlib` module.
-+When reading a Plist file received from untrusted source, it could cause
-+an arbitrary amount of memory to be allocated.
-+This could have led to symptoms including a :exc:`MemoryError`, swapping, out
-+of memory (OOM) killed processes or containers, or even system crashes.
diff --git a/meta/recipes-devtools/python/python3/CVE-2025-6075.patch b/meta/recipes-devtools/python/python3/CVE-2025-6075.patch
deleted file mode 100644
index eab5a882a0d..00000000000
--- a/meta/recipes-devtools/python/python3/CVE-2025-6075.patch
+++ /dev/null
@@ -1,364 +0,0 @@
-From 892747b4cf0f95ba8beb51c0d0658bfaa381ebca Mon Sep 17 00:00:00 2001
-From: Łukasz Langa <lukasz@langa.pl>
-Date: Fri, 31 Oct 2025 17:51:32 +0100
-Subject: [PATCH] gh-136065: Fix quadratic complexity in os.path.expandvars()
- (GH-134952) (GH-140851)
-
-(cherry picked from commit f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-
-CVE: CVE-2025-6075
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca]
-
-Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
----
- Lib/ntpath.py                                 | 126 ++++++------------
- Lib/posixpath.py                              |  43 +++---
- Lib/test/test_genericpath.py                  |  14 ++
- Lib/test/test_ntpath.py                       |  20 ++-
- ...-05-30-22-33-27.gh-issue-136065.bu337o.rst |   1 +
- 5 files changed, 93 insertions(+), 111 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
-
-diff --git a/Lib/ntpath.py b/Lib/ntpath.py
-index 9b0cca4..bd2b4e2 100644
---- a/Lib/ntpath.py
-+++ b/Lib/ntpath.py
-@@ -374,17 +374,23 @@ def expanduser(path):
- # XXX With COMMAND.COM you can use any characters in a variable name,
- # XXX except '^|<>='.
-
-+_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
-+_varsub = None
-+_varsubb = None
-+
- def expandvars(path):
-     """Expand shell variables of the forms $var, ${var} and %var%.
-
-     Unknown variables are left unchanged."""
-     path = os.fspath(path)
-+    global _varsub, _varsubb
-     if isinstance(path, bytes):
-         if b'$' not in path and b'%' not in path:
-             return path
--        import string
--        varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii')
--        quote = b'\''
-+        if not _varsubb:
-+            import re
-+            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
-+        sub = _varsubb
-         percent = b'%'
-         brace = b'{'
-         rbrace = b'}'
-@@ -393,94 +399,44 @@ def expandvars(path):
-     else:
-         if '$' not in path and '%' not in path:
-             return path
--        import string
--        varchars = string.ascii_letters + string.digits + '_-'
--        quote = '\''
-+        if not _varsub:
-+            import re
-+            _varsub = re.compile(_varpattern, re.ASCII).sub
-+        sub = _varsub
-         percent = '%'
-         brace = '{'
-         rbrace = '}'
-         dollar = '$'
-         environ = os.environ
--    res = path[:0]
--    index = 0
--    pathlen = len(path)
--    while index < pathlen:
--        c = path[index:index+1]
--        if c == quote:   # no expansion within single quotes
--            path = path[index + 1:]
--            pathlen = len(path)
--            try:
--                index = path.index(c)
--                res += c + path[:index + 1]
--            except ValueError:
--                res += c + path
--                index = pathlen - 1
--        elif c == percent:  # variable or '%'
--            if path[index + 1:index + 2] == percent:
--                res += c
--                index += 1
--            else:
--                path = path[index+1:]
--                pathlen = len(path)
--                try:
--                    index = path.index(percent)
--                except ValueError:
--                    res += percent + path
--                    index = pathlen - 1
--                else:
--                    var = path[:index]
--                    try:
--                        if environ is None:
--                            value = os.fsencode(os.environ[os.fsdecode(var)])
--                        else:
--                            value = environ[var]
--                    except KeyError:
--                        value = percent + var + percent
--                    res += value
--        elif c == dollar:  # variable or '$$'
--            if path[index + 1:index + 2] == dollar:
--                res += c
--                index += 1
--            elif path[index + 1:index + 2] == brace:
--                path = path[index+2:]
--                pathlen = len(path)
--                try:
--                    index = path.index(rbrace)
--                except ValueError:
--                    res += dollar + brace + path
--                    index = pathlen - 1
--                else:
--                    var = path[:index]
--                    try:
--                        if environ is None:
--                            value = os.fsencode(os.environ[os.fsdecode(var)])
--                        else:
--                            value = environ[var]
--                    except KeyError:
--                        value = dollar + brace + var + rbrace
--                    res += value
--            else:
--                var = path[:0]
--                index += 1
--                c = path[index:index + 1]
--                while c and c in varchars:
--                    var += c
--                    index += 1
--                    c = path[index:index + 1]
--                try:
--                    if environ is None:
--                        value = os.fsencode(os.environ[os.fsdecode(var)])
--                    else:
--                        value = environ[var]
--                except KeyError:
--                    value = dollar + var
--                res += value
--                if c:
--                    index -= 1
-+
-+    def repl(m):
-+        lastindex = m.lastindex
-+        if lastindex is None:
-+            return m[0]
-+        name = m[lastindex]
-+        if lastindex == 1:
-+            if name == percent:
-+                return name
-+            if not name.endswith(percent):
-+                return m[0]
-+            name = name[:-1]
-         else:
--            res += c
--        index += 1
--    return res
-+            if name == dollar:
-+                return name
-+            if name.startswith(brace):
-+                if not name.endswith(rbrace):
-+                    return m[0]
-+                name = name[1:-1]
-+
-+        try:
-+            if environ is None:
-+                return os.fsencode(os.environ[os.fsdecode(name)])
-+            else:
-+                return environ[name]
-+        except KeyError:
-+            return m[0]
-+
-+    return sub(repl, path)
-
-
- # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
-diff --git a/Lib/posixpath.py b/Lib/posixpath.py
-index b8dd563..75020ee 100644
---- a/Lib/posixpath.py
-+++ b/Lib/posixpath.py
-@@ -279,42 +279,41 @@ def expanduser(path):
- # This expands the forms $variable and ${variable} only.
- # Non-existent variables are left unchanged.
-
--_varprog = None
--_varprogb = None
-+_varpattern = r'\$(\w+|\{[^}]*\}?)'
-+_varsub = None
-+_varsubb = None
-
- def expandvars(path):
-     """Expand shell variables of form $var and ${var}.  Unknown variables
-     are left unchanged."""
-     path = os.fspath(path)
--    global _varprog, _varprogb
-+    global _varsub, _varsubb
-     if isinstance(path, bytes):
-         if b'$' not in path:
-             return path
--        if not _varprogb:
-+        if not _varsubb:
-             import re
--            _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII)
--        search = _varprogb.search
-+            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
-+        sub = _varsubb
-         start = b'{'
-         end = b'}'
-         environ = getattr(os, 'environb', None)
-     else:
-         if '$' not in path:
-             return path
--        if not _varprog:
-+        if not _varsub:
-             import re
--            _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII)
--        search = _varprog.search
-+            _varsub = re.compile(_varpattern, re.ASCII).sub
-+        sub = _varsub
-         start = '{'
-         end = '}'
-         environ = os.environ
--    i = 0
--    while True:
--        m = search(path, i)
--        if not m:
--            break
--        i, j = m.span(0)
--        name = m.group(1)
--        if name.startswith(start) and name.endswith(end):
-+
-+    def repl(m):
-+        name = m[1]
-+        if name.startswith(start):
-+            if not name.endswith(end):
-+                return m[0]
-             name = name[1:-1]
-         try:
-             if environ is None:
-@@ -322,13 +321,11 @@ def expandvars(path):
-             else:
-                 value = environ[name]
-         except KeyError:
--            i = j
-+            return m[0]
-         else:
--            tail = path[j:]
--            path = path[:i] + value
--            i = len(path)
--            path += tail
--    return path
-+            return value
-+
-+    return sub(repl, path)
-
-
- # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
-diff --git a/Lib/test/test_genericpath.py b/Lib/test/test_genericpath.py
-index 1ff7f75..b0a1326 100644
---- a/Lib/test/test_genericpath.py
-+++ b/Lib/test/test_genericpath.py
-@@ -7,6 +7,7 @@ import os
- import sys
- import unittest
- import warnings
-+from test import support
- from test.support import os_helper
- from test.support import warnings_helper
- from test.support.script_helper import assert_python_ok
-@@ -430,6 +431,19 @@ class CommonTest(GenericTest):
-                   os.fsencode('$bar%s bar' % nonascii))
-             check(b'$spam}bar', os.fsencode('%s}bar' % nonascii))
-
-+    @support.requires_resource('cpu')
-+    def test_expandvars_large(self):
-+        expandvars = self.pathmodule.expandvars
-+        with os_helper.EnvironmentVarGuard() as env:
-+            env.clear()
-+            env["A"] = "B"
-+            n = 100_000
-+            self.assertEqual(expandvars('$A'*n), 'B'*n)
-+            self.assertEqual(expandvars('${A}'*n), 'B'*n)
-+            self.assertEqual(expandvars('$A!'*n), 'B!'*n)
-+            self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
-+            self.assertEqual(expandvars('${'*10*n), '${'*10*n)
-+
-     def test_abspath(self):
-         self.assertIn("foo", self.pathmodule.abspath("foo"))
-         with warnings.catch_warnings():
-diff --git a/Lib/test/test_ntpath.py b/Lib/test/test_ntpath.py
-index f790f77..161e57d 100644
---- a/Lib/test/test_ntpath.py
-+++ b/Lib/test/test_ntpath.py
-@@ -5,8 +5,8 @@ import sys
- import unittest
- import warnings
- from ntpath import ALLOW_MISSING
-+from test import support
- from test.support import os_helper
--from test.support import TestFailed
- from test.support.os_helper import FakePath
- from test import test_genericpath
- from tempfile import TemporaryFile
-@@ -56,7 +56,7 @@ def tester(fn, wantResult):
-     fn = fn.replace("\\", "\\\\")
-     gotResult = eval(fn)
-     if wantResult != gotResult and _norm(wantResult) != _norm(gotResult):
--        raise TestFailed("%s should return: %s but returned: %s" \
-+        raise support.TestFailed("%s should return: %s but returned: %s" \
-               %(str(fn), str(wantResult), str(gotResult)))
-
-     # then with bytes
-@@ -72,7 +72,7 @@ def tester(fn, wantResult):
-         warnings.simplefilter("ignore", DeprecationWarning)
-         gotResult = eval(fn)
-     if _norm(wantResult) != _norm(gotResult):
--        raise TestFailed("%s should return: %s but returned: %s" \
-+        raise support.TestFailed("%s should return: %s but returned: %s" \
-               %(str(fn), str(wantResult), repr(gotResult)))
-
-
-@@ -689,6 +689,19 @@ class TestNtpath(NtpathTestCase):
-             check('%spam%bar', '%sbar' % nonascii)
-             check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii)
-
-+    @support.requires_resource('cpu')
-+    def test_expandvars_large(self):
-+        expandvars = ntpath.expandvars
-+        with os_helper.EnvironmentVarGuard() as env:
-+            env.clear()
-+            env["A"] = "B"
-+            n = 100_000
-+            self.assertEqual(expandvars('%A%'*n), 'B'*n)
-+            self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
-+            self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
-+            self.assertEqual(expandvars("%%"*n), "%"*n)
-+            self.assertEqual(expandvars("$$"*n), "$"*n)
-+
-     def test_expanduser(self):
-         tester('ntpath.expanduser("test")', 'test')
-
-@@ -923,6 +936,7 @@ class TestNtpath(NtpathTestCase):
-             self.assertIsInstance(b_final_path, bytes)
-             self.assertGreater(len(b_final_path), 0)
-
-+
- class NtCommonTest(test_genericpath.CommonTest, unittest.TestCase):
-     pathmodule = ntpath
-     attributes = ['relpath']
-diff --git a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
-new file mode 100644
-index 0000000..1d152bb
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
-@@ -0,0 +1 @@
-+Fix quadratic complexity in :func:`os.path.expandvars`.
---
-2.40.0
diff --git a/meta/recipes-devtools/python/python3_3.10.19.bb b/meta/recipes-devtools/python/python3_3.10.20.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.10.19.bb
rename to meta/recipes-devtools/python/python3_3.10.20.bb
index fbb2f80886b..88a57971b95 100644
--- a/meta/recipes-devtools/python/python3_3.10.19.bb
+++ b/meta/recipes-devtools/python/python3_3.10.20.bb
@@ -37,10 +37,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
            file://0001-test_storlines-skip-due-to-load-variability.patch \
            file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \
-           file://CVE-2025-6075.patch \
-           file://CVE-2025-13836.patch \
-           file://CVE-2025-13837.patch \
-           file://CVE-2025-12084.patch \
            "
 
 SRC_URI:append:class-native = " \
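Review bot: dropping CVE-2025-6075.patch, CVE-2025-13836.patch, CVE-2025-13837.patch and CVE-2025-12084.patch is only safe if 3.10.20 carries all four upstream fixes, and the removed files were also the only place these ids were recorded for cve-check (see the `CVE: CVE-2025-6075` tag in the deleted backport above). Please cite the 3.10.20 changelog entry for each in the commit message and confirm the NVD data for them lists 3.10.20 as fixed; otherwise the upgrade will show up as a regression in the CVE report rather than as a fix.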
@@ -49,7 +45,7 @@ SRC_URI:append:class-native = " \
            file://12-distutils-prefix-is-inside-staging-area.patch \
            file://0001-Don-t-search-system-for-headers-libraries.patch \
            "
-SRC_URI[sha256sum] = "c8f4a596572201d81dd7df91f70e177e19a70f1d489968b54b5fbbf29a97c076"
+SRC_URI[sha256sum] = "de6517421601e39a9a3bc3e1bc4c7b2f239297423ee05e282598c83ec0647505"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
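Review bot: the new `SRC_URI[sha256sum]` should be checked against the digest (or release signature) python.org publishes for Python-3.10.20.tar.xz, not just against what the fetcher downloaded; nothing else in the recipe pins the tarball, so this hash is the only thing standing between the build and a substituted source archive.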


^ permalink raw reply related	[flat|nested] 19+ messages in thread
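The quadratic behaviour behind CVE-2025-6075 (gh-136065), reproduced as an added example rather than CPython's code: both functions below implement the `$var` / `${var}` subset of posixpath.expandvars, `expandvars_splice` in the pre-fix shape (rebuild the string after every match) and `expandvars_sub` in the fixed shape (one `re.sub` pass), and each reports how many characters it wrote so the growth rate is visible without timing. The two regexes are the ones from the removed patch; `work_ratio`, the sample inputs and the `{'A': 'B'}` environment are constructed here.

```python
import re

# Patterns as they appear in the removed patch: the pre-fix posixpath regex
# requires a closing brace, the fixed one makes it optional so that an
# unterminated "${" is consumed in a single match instead of being re-scanned.
OLD_PATTERN = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII)
NEW_PATTERN = re.compile(r'\$(\w+|\{[^}]*\}?)', re.ASCII)


def expandvars_splice(path, environ):
    """Pre-fix strategy: splice each value into the string in place.

    Returns (result, chars_written).  Every splice rebuilds the whole
    string, so n substitutions on an n-character input write O(n^2)
    characters in total.
    """
    written = 0
    i = 0
    while True:
        m = OLD_PATTERN.search(path, i)
        if not m:
            break
        i, j = m.span(0)
        name = m.group(1)
        if name.startswith('{'):
            name = name[1:-1]       # OLD_PATTERN guarantees the closing brace
        if name not in environ:
            i = j                   # unknown variable: leave it, search on
            continue
        tail = path[j:]
        path = path[:i] + environ[name]
        i = len(path)               # resume after the value, never inside it
        path += tail
        written += len(path)        # the entire string was rewritten
    return path, written


def expandvars_sub(path, environ):
    """Fix strategy: a single re.sub pass appending to one output buffer."""
    def repl(m):
        name = m[1]
        if name.startswith('{'):
            if not name.endswith('}'):
                return m[0]         # "${..." without "}" is kept verbatim
            name = name[1:-1]
        return environ.get(name, m[0])
    result = NEW_PATTERN.sub(repl, path)
    return result, len(result)      # every output character written once


def work_ratio(fn, n, environ=None):
    """Characters written for 2n repetitions divided by those for n:
    about 4 for a quadratic algorithm, about 2 for a linear one."""
    environ = environ if environ is not None else {'A': 'B'}
    _, small = fn('$A!' * n, environ)
    _, large = fn('$A!' * (2 * n), environ)
    return round(large / small, 1)


if __name__ == '__main__':
    env = {'A': 'B'}
    for sample in ('$A', '${A}', '$NOPE', '${A', '$$', 'x$A${A}y'):
        assert expandvars_splice(sample, env)[0] == expandvars_sub(sample, env)[0]
    print('splice growth x%s, sub growth x%s'
          % (work_ratio(expandvars_splice, 1000), work_ratio(expandvars_sub, 1000)))
```

Doubling the input quadruples the work for the splice version and doubles it for the sub version, which is the whole content of the fix. The regex change removes a second quadratic source the counter above does not capture: with the old pattern an unterminated run such as the `'${'*10*n` input in test_expandvars_large is re-scanned from every `$`, while `\}?` lets the scanner consume it once and hand it back unchanged.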

* [OE-core][kirkstone v2 09/18] python3-pyopenssl: Fix CVE-2026-27448
  2026-04-07  7:13 [OE-core][kirkstone v2 00/18] Patch review Yoann Congal
                   ` (7 preceding siblings ...)
  2026-04-07  7:13 ` [OE-core][kirkstone v2 08/18] python3: upgrade 3.10.19 -> 3.10.20 Yoann Congal
@ 2026-04-07  7:13 ` Yoann Congal
  2026-04-07  7:13 ` [OE-core][kirkstone v2 10/18] python3-pyopenssl: Fix CVE-2026-27459 Yoann Congal
                   ` (8 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patch mentioned in NVD

[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448
[2] https://ubuntu.com/security/CVE-2026-27448

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../python3-pyopenssl/CVE-2026-27448.patch    | 125 ++++++++++++++++++
 .../python/python3-pyopenssl_22.0.0.bb        |   4 +
 2 files changed, 129 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch

diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
new file mode 100644
index 00000000000..4a06e2c0201
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
@@ -0,0 +1,125 @@
+From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 16 Feb 2026 21:04:37 -0500
+Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks
+ (#1478)
+
+When the servername callback raises an exception, call sys.excepthook
+with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort
+the handshake. Previously, exceptions would propagate uncaught through
+the CFFI callback boundary.
+
+https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi
+
+Co-authored-by: Claude <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0]
+CVE: CVE-2026-27448
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst      |  2 ++
+ src/OpenSSL/SSL.py |  7 ++++++-
+ tests/test_ssl.py  | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 58 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index c84b30a..5b6d523 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -20,6 +20,8 @@ Deprecations:
+ Changes:
+ ^^^^^^^^
+ 
++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
++
+ - Expose wrappers for some `DTLS
+   <https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security>`_
+   primitives. `#1026 <https://github.com/pyca/pyopenssl/pull/1026>`_
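Review bot: this entry and the commit message describe the old behaviour differently: the CHANGELOG says exceptions were "silently swallowed and the handshake would proceed", the message says they "would propagate uncaught through the CFFI callback boundary". The CHANGELOG wording matches the code: CFFI does not let a Python exception cross into C, it prints it and returns the callback's default error value, which for this int-returning callback is 0, i.e. SSL_TLSEXT_ERR_OK, so the handshake continued. Suggest aligning the commit message, since the backport's message is what lands in the kirkstone history.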
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index 12374b7..6ef44d4 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -1,5 +1,6 @@
+ import os
+ import socket
++import sys
+ from sys import platform
+ from functools import wraps, partial
+ from itertools import count, chain
+@@ -1431,7 +1432,11 @@ class Context(object):
+ 
+         @wraps(callback)
+         def wrapper(ssl, alert, arg):
+-            callback(Connection._reverse_mapping[ssl])
++            try:
++                callback(Connection._reverse_mapping[ssl])
++            except Exception:
++                sys.excepthook(*sys.exc_info())
++                return _lib.SSL_TLSEXT_ERR_ALERT_FATAL
+             return 0
+ 
+         self._tlsext_servername_callback = _ffi.callback(
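Review bot: `except Exception` still lets BaseException subclasses (KeyboardInterrupt, SystemExit, GeneratorExit) reach the CFFI boundary exactly as before, where they are printed and turned into the default return value 0 (SSL_TLSEXT_ERR_OK) and the handshake proceeds; if that is intended, say so in a comment, otherwise catch BaseException here. Two smaller points: the `alert` out-parameter is left untouched, so whatever alert OpenSSL pre-sets is what the client receives (worth a comment), and `_lib.SSL_TLSEXT_ERR_ALERT_FATAL` is only evaluated inside the except path, so please confirm the cryptography bindings kirkstone pairs with pyOpenSSL 22.0.0 export that name, or a missing binding surfaces as an AttributeError at the worst moment.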
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index ccc8a38..77e1876 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1884,6 +1884,56 @@ class TestServerNameCallback(object):
+ 
+         assert args == [(server, b"foo1.example.com")]
+ 
++    def test_servername_callback_exception(
++        self, monkeypatch: pytest.MonkeyPatch
++    ) -> None:
++        """
++        When the callback passed to `Context.set_tlsext_servername_callback`
++        raises an exception, ``sys.excepthook`` is called with the exception
++        and the handshake fails with an ``Error``.
++        """
++        exc = TypeError("server name callback failed")
++
++        def servername(conn: Connection) -> None:
++            raise exc
++
++        excepthook_calls: list[
++            tuple[type[BaseException], BaseException, object]
++        ] = []
++
++        def custom_excepthook(
++            exc_type: type[BaseException],
++            exc_value: BaseException,
++            exc_tb: object,
++        ) -> None:
++            excepthook_calls.append((exc_type, exc_value, exc_tb))
++
++        context = Context(SSLv23_METHOD)
++        context.set_tlsext_servername_callback(servername)
++
++        # Necessary to actually accept the connection
++        context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++        context.use_certificate(
++            load_certificate(FILETYPE_PEM, server_cert_pem)
++        )
++
++        # Do a little connection to trigger the logic
++        server = Connection(context, None)
++        server.set_accept_state()
++
++        client = Connection(Context(SSLv23_METHOD), None)
++        client.set_connect_state()
++        client.set_tlsext_host_name(b"foo1.example.com")
++
++        monkeypatch.setattr(sys, "excepthook", custom_excepthook)
++        with pytest.raises(Error):
++            interact_in_memory(server, client)
++
++        assert len(excepthook_calls) == 1
++        assert excepthook_calls[0][0] is TypeError
++        assert excepthook_calls[0][1] is exc
++        assert excepthook_calls[0][2] is not None
++
+ 
+ class TestApplicationLayerProtoNegotiation(object):
+     """
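Review bot: the test pins the new contract well (excepthook called exactly once with the original exception object, handshake ending in `Error`), but it depends on names that must exist in the 22.0.0 tree it is applied to: `pytest.MonkeyPatch` as a public type (exported from pytest 6.2 onwards; the annotation is evaluated at import time, so an older pytest breaks the whole module, not just this test), plus `interact_in_memory`, `server_key_pem` and `server_cert_pem`. Please confirm ptest passes on kirkstone's python3-pytest rather than relying on the clean apply.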
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/python/python3-pyopenssl_22.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_22.0.0.bb
index db0e809ef54..13d87939b62 100644
--- a/meta/recipes-devtools/python/python3-pyopenssl_22.0.0.bb
+++ b/meta/recipes-devtools/python/python3-pyopenssl_22.0.0.bb
@@ -10,6 +10,10 @@ SRC_URI[sha256sum] = "660b1b1425aac4a1bea1d94168a85d99f0b3144c869dd4390d27629d00
 PYPI_PACKAGE = "pyOpenSSL"
 inherit pypi setuptools3
 
+SRC_URI += " \
+    file://CVE-2026-27448.patch \
+"
+
 PACKAGES =+ "${PN}-tests"
 FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test"
 


^ permalink raw reply related	[flat|nested] 19+ messages in thread

* [OE-core][kirkstone v2 10/18] python3-pyopenssl: Fix CVE-2026-27459
  2026-04-07  7:13 [OE-core][kirkstone v2 00/18] Patch review Yoann Congal
                   ` (8 preceding siblings ...)
  2026-04-07  7:13 ` [OE-core][kirkstone v2 09/18] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal
@ 2026-04-07  7:13 ` Yoann Congal
  2026-04-07  7:13 ` [OE-core][kirkstone v2 11/18] libarchive: Fix CVE-2026-4111 Yoann Congal
                   ` (7 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patch mentioned in NVD

[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459
[2] https://ubuntu.com/security/CVE-2026-27459

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../python3-pyopenssl/CVE-2026-27459.patch    | 106 ++++++++++++++++++
 .../python/python3-pyopenssl_22.0.0.bb        |   1 +
 2 files changed, 107 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch

diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
new file mode 100644
index 00000000000..b5e37a6900d
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
@@ -0,0 +1,106 @@
+From 57f09bb4bb051d3bc2a1abd36e9525313d5cd408 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 18 Feb 2026 07:46:15 -0500
+Subject: [PATCH] Fix buffer overflow in DTLS cookie generation callback
+ (#1479)
+
+The cookie generate callback copied user-returned bytes into a
+fixed-size native buffer without enforcing a maximum length. A
+callback returning more than DTLS1_COOKIE_LENGTH bytes would overflow
+the OpenSSL-provided buffer, corrupting adjacent memory.
+
+Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408]
+CVE: CVE-2026-27459
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst      |  1 +
+ src/OpenSSL/SSL.py |  7 +++++++
+ tests/test_ssl.py  | 38 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 5b6d523..13d8abd 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -20,6 +20,7 @@ Deprecations:
+ Changes:
+ ^^^^^^^^
+ 
++- Properly raise an error if a DTLS cookie callback returned a cookie longer than ``DTLS1_COOKIE_LENGTH`` bytes. Previously this would result in a buffer-overflow.
+ - ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
+ 
+ - Expose wrappers for some `DTLS
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index 6ef44d4..fa1b556 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -556,11 +556,18 @@ class _CookieGenerateCallbackHelper(_CallbackExceptionHelper):
+     def __init__(self, callback):
+         _CallbackExceptionHelper.__init__(self)
+ 
++        max_cookie_len = getattr(_lib, "DTLS1_COOKIE_LENGTH", 255)
++
+         @wraps(callback)
+         def wrapper(ssl, out, outlen):
+             try:
+                 conn = Connection._reverse_mapping[ssl]
+                 cookie = callback(conn)
++                if len(cookie) > max_cookie_len:
++                    raise ValueError(
++                        f"Cookie too long (got {len(cookie)} bytes, "
++                        f"max {max_cookie_len})"
++                    )
+                 out[0 : len(cookie)] = cookie
+                 outlen[0] = len(cookie)
+                 return 1
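Review bot: the bound is checked before anything is copied, and because the ValueError is raised inside the helper's `try:` it is stored and the callback returns 0, so the native buffer is never touched; good. Three things to tighten: (1) `getattr(_lib, "DTLS1_COOKIE_LENGTH", 255)`: add a comment saying why 255 is the fallback (the DTLS cookie length is a one-byte field on the wire) and confirm which value the cryptography bindings paired with pyOpenSSL 22.0.0 on kirkstone expose, since the test below sends 256 bytes and only fails if the effective limit is below that. (2) `len(cookie)` and the `out[0 : len(cookie)] = cookie` slice assume bytes; a `str` return passes the length check and fails later with a less useful error, so an explicit `isinstance(cookie, bytes)` check would be clearer. (3) Hoisting `max_cookie_len` to module level lets the verify-side helper share the same limit.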
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index 77e1876..fb77b75 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -4455,3 +4455,41 @@ class TestDTLS(object):
+             assert 0 < c.get_cleartext_mtu() < 500
+         except NotImplementedError:  # OpenSSL 1.1.0 and earlier
+             pass
++
++    def test_cookie_generate_too_long(self) -> None:
++        s_ctx = Context(DTLS_METHOD)
++
++        def generate_cookie(ssl: Connection) -> bytes:
++            return b"\x00" * 256
++
++        def verify_cookie(ssl: Connection, cookie: bytes) -> bool:
++            return True
++
++        s_ctx.set_cookie_generate_callback(generate_cookie)
++        s_ctx.set_cookie_verify_callback(verify_cookie)
++        s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++        s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
++        s_ctx.set_options(OP_NO_QUERY_MTU)
++        s = Connection(s_ctx)
++        s.set_accept_state()
++
++        c_ctx = Context(DTLS_METHOD)
++        c_ctx.set_options(OP_NO_QUERY_MTU)
++        c = Connection(c_ctx)
++        c.set_connect_state()
++
++        c.set_ciphertext_mtu(1500)
++        s.set_ciphertext_mtu(1500)
++
++        # Client sends ClientHello
++        try:
++            c.do_handshake()
++        except SSL.WantReadError:
++            pass
++        chunk = c.bio_read(self.LARGE_BUFFER)
++        s.bio_write(chunk)
++
++        # Server tries DTLSv1_listen, which triggers cookie generation.
++        # The oversized cookie should raise ValueError.
++        with pytest.raises(ValueError, match="Cookie too long"):
++            s.DTLSv1_listen()
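Review bot: the test expects the ValueError to come straight out of `s.DTLSv1_listen()`, which relies on the Connection re-raising the exception stored by the helper after the native call returns; if 22.0.0's `DTLSv1_listen` wrapper does not go through that raise path the test fails with a generic `Error` instead. Also `self.LARGE_BUFFER` and `SSL.WantReadError` (a module-qualified name while everything else is imported bare) must already exist in 22.0.0's `TestDTLS`; the patch is written against current main, so please run ptest on kirkstone. A positive control that a 255-byte cookie is accepted would pin the boundary rather than only the failure.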
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/python/python3-pyopenssl_22.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_22.0.0.bb
index 13d87939b62..42de3207b46 100644
--- a/meta/recipes-devtools/python/python3-pyopenssl_22.0.0.bb
+++ b/meta/recipes-devtools/python/python3-pyopenssl_22.0.0.bb
@@ -12,6 +12,7 @@ inherit pypi setuptools3
 
 SRC_URI += " \
     file://CVE-2026-27448.patch \
+    file://CVE-2026-27459.patch \
 "
 
 PACKAGES =+ "${PN}-tests"


^ permalink raw reply related	[flat|nested] 19+ messages in thread
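The two callback-boundary defects fixed in patches 09/18 and 10/18 above, modelled as an added example (not pyOpenSSL's code) with ctypes instead of CFFI: `NativeCookieSlot` stands in for the OpenSSL-owned cookie buffer with a guard field directly behind it so an overflow becomes observable, the `cookie_wrapper_*` functions show the unchecked and checked copy, and `servername_wrapper` shows the exception-to-fatal-alert shape. Everything here is constructed for the demonstration; the numeric constants DTLS1_COOKIE_LENGTH = 255 and SSL_TLSEXT_ERR_ALERT_FATAL = 2 are assumed from OpenSSL's headers rather than read from the bindings.

```python
import ctypes
import sys

# Assumed from OpenSSL headers for this example, not read from any binding.
DTLS1_COOKIE_LENGTH = 255          # cookie length travels in one byte on the wire
SSL_TLSEXT_ERR_OK = 0
SSL_TLSEXT_ERR_ALERT_FATAL = 2


class NativeCookieSlot(ctypes.Structure):
    """Stand-in for the OpenSSL-owned buffer handed to the cookie callback,
    with a guard field directly behind it so an overflow becomes visible."""
    _pack_ = 1
    _fields_ = [("cookie", ctypes.c_ubyte * DTLS1_COOKIE_LENGTH),
                ("guard", ctypes.c_ubyte * 16)]

    def __init__(self):
        super().__init__()
        ctypes.memset(ctypes.addressof(self.guard), 0xAA, 16)

    def guard_intact(self):
        return bytes(self.guard) == b"\xaa" * 16


def cookie_wrapper_unchecked(callback):
    """Shape of the vulnerable wrapper: len(cookie) is trusted when copying."""
    def wrapper(slot, outlen):
        cookie = callback()
        # raw pointer write; nothing stops it at the end of slot.cookie
        ctypes.memmove(ctypes.addressof(slot.cookie), cookie, len(cookie))
        outlen.value = len(cookie)
        return 1
    return wrapper


def cookie_wrapper_checked(callback, max_len=DTLS1_COOKIE_LENGTH):
    """Fixed shape: validate before touching native memory and never let an
    exception escape to C.  0 tells the caller the callback failed; the
    stored exception is re-raised on the Python side afterwards."""
    def wrapper(slot, outlen, problems):
        try:
            cookie = callback()
            if not isinstance(cookie, bytes):
                raise TypeError("cookie callback must return bytes")
            if len(cookie) > max_len:
                raise ValueError(f"Cookie too long (got {len(cookie)} bytes, max {max_len})")
            ctypes.memmove(ctypes.addressof(slot.cookie), cookie, len(cookie))
            outlen.value = len(cookie)
            return 1
        except Exception as exc:
            problems.append(exc)
            return 0
    return wrapper


def servername_wrapper(callback, excepthook=None):
    """SNI callback wrapper after the fix: report the exception and return a
    fatal alert code instead of the default 0 (= OK) that CFFI would supply."""
    hook = excepthook or sys.excepthook

    def wrapper(conn):
        try:
            callback(conn)
        except Exception:
            hook(*sys.exc_info())
            return SSL_TLSEXT_ERR_ALERT_FATAL
        return SSL_TLSEXT_ERR_OK
    return wrapper


def run_cookie_demo(cookie_len, checked):
    """Return (rc, guard_intact, exception_names) for a callback yielding
    cookie_len zero bytes, routed through the unchecked or checked wrapper."""
    slot, outlen, problems = NativeCookieSlot(), ctypes.c_uint(0), []
    cb = lambda: b"\x00" * cookie_len
    if checked:
        rc = cookie_wrapper_checked(cb)(slot, outlen, problems)
    else:
        rc = cookie_wrapper_unchecked(cb)(slot, outlen)
    return rc, slot.guard_intact(), [type(p).__name__ for p in problems]


def run_sni_demo(should_raise):
    """Return (rc, hooked_exception_names) for an SNI callback that may raise."""
    seen = []

    def cb(conn):
        if should_raise:
            raise TypeError("server name callback failed")
    hook = lambda t, v, tb: seen.append(t.__name__)
    rc = servername_wrapper(cb, excepthook=hook)(object())
    return rc, seen
```

With 256 bytes the unchecked path reports success while the guard bytes behind the buffer are no longer intact, which is the symptom the cookie fix removes; the checked path rejects the same input before the copy and hands the ValueError back to Python, as the DTLSv1_listen test expects. The SNI wrapper turns a raising callback into a fatal return code instead of the implicit 0 that let the handshake continue.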

* [OE-core][kirkstone v2 11/18] libarchive: Fix CVE-2026-4111
  2026-04-07  7:13 [OE-core][kirkstone v2 00/18] Patch review Yoann Congal
                   ` (9 preceding siblings ...)
  2026-04-07  7:13 ` [OE-core][kirkstone v2 10/18] python3-pyopenssl: Fix CVE-2026-27459 Yoann Congal
@ 2026-04-07  7:13 ` Yoann Congal
  2026-04-07  7:13 ` [OE-core][kirkstone v2 12/18] vim: Fix CVE-2026-33412 Yoann Congal
                   ` (6 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patch according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-4111
[2] https://github.com/libarchive/libarchive/pull/2877
[3] https://access.redhat.com/errata/RHSA-2026:5080

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../libarchive/CVE-2026-4111-1.patch          |  32 ++
 .../libarchive/CVE-2026-4111-2.patch          | 308 ++++++++++++++++++
 .../libarchive/libarchive_3.6.2.bb            |   2 +
 3 files changed, 342 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
new file mode 100644
index 00000000000..1f065b13648
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
@@ -0,0 +1,32 @@
+From 7273d04803a1e5a482f26d8d0fbaf2b204a72168 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 1 Mar 2026 20:24:56 -0800
+Subject: [PATCH] Reject filters when the block length is nonsensical
+
+Credit: Grzegorz Antoniak @antekone
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168]
+CVE: CVE-2026-4111
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libarchive/archive_read_support_format_rar5.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c
+index 38979cb..867f0a8 100644
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -2914,7 +2914,9 @@ static int parse_filter(struct archive_read* ar, const uint8_t* p) {
+ 	if(block_length < 4 ||
+ 	    block_length > 0x400000 ||
+ 	    filter_type > FILTER_ARM ||
+-	    !is_valid_filter_block_start(rar, block_start))
++	    !is_valid_filter_block_start(rar, block_start) ||
++	    (rar->cstate.window_size > 0 &&
++	     (ssize_t)block_length > rar->cstate.window_size >> 1))
+ 	{
+ 		archive_set_error(&ar->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ 		    "Invalid filter encountered");
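Review bot: the new clause relies on C precedence (`>>` binds tighter than `>`), so it reads as `block_length > (window_size >> 1)`; parenthesising it would spare the next reader the check. The `window_size > 0 &&` guard also means the bound is not applied at all when the window has not been sized yet, and neither the hunk nor the commit message says whether parse_filter can run in that state or why half the window is the right limit; a one-line comment on both would make the backport self-explanatory, all the more since this is the actual fix for CVE-2026-4111 (the -2 patch below only adds the regression test). The `(ssize_t)` cast is safe because `block_length` is already capped at 0x400000 by the preceding condition.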
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
new file mode 100644
index 00000000000..243a03a8e5d
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
@@ -0,0 +1,308 @@
+From ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 1 Mar 2026 10:04:01 -0800
+Subject: [PATCH] Infinite loop in Rar5 decompression
+
+Found by: Elhanan Haenel
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4]
+CVE: CVE-2026-4111
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Makefile.am                                   |   2 +
+ libarchive/test/CMakeLists.txt                |   1 +
+ .../test/test_read_format_rar5_loop_bug.c     |  53 +++++
+ .../test_read_format_rar5_loop_bug.rar.uu     | 189 ++++++++++++++++++
+ 4 files changed, 245 insertions(+)
+ create mode 100644 libarchive/test/test_read_format_rar5_loop_bug.c
+ create mode 100644 libarchive/test/test_read_format_rar5_loop_bug.rar.uu
+
+diff --git a/Makefile.am b/Makefile.am
+index dd1620d..14edb2a 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -507,6 +507,7 @@ libarchive_test_SOURCES= \
+ 	libarchive/test/test_read_format_rar_invalid1.c \
+ 	libarchive/test/test_read_format_rar_overflow.c \
+ 	libarchive/test/test_read_format_rar5.c \
++	libarchive/test/test_read_format_rar5_loop_bug.c \
+ 	libarchive/test/test_read_format_raw.c \
+ 	libarchive/test/test_read_format_tar.c \
+ 	libarchive/test/test_read_format_tar_concatenated.c \
+@@ -869,6 +870,7 @@ libarchive_test_EXTRA_DIST=\
+ 	libarchive/test/test_read_format_rar5_invalid_dict_reference.rar.uu \
+ 	libarchive/test/test_read_format_rar5_leftshift1.rar.uu \
+ 	libarchive/test/test_read_format_rar5_leftshift2.rar.uu \
++	libarchive/test/test_read_format_rar5_loop_bug.rar.uu \
+ 	libarchive/test/test_read_format_rar5_multiarchive.part01.rar.uu \
+ 	libarchive/test/test_read_format_rar5_multiarchive.part02.rar.uu \
+ 	libarchive/test/test_read_format_rar5_multiarchive.part03.rar.uu \
+diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt
+index 05c6fd7..c8f2e90 100644
+--- a/libarchive/test/CMakeLists.txt
++++ b/libarchive/test/CMakeLists.txt
+@@ -156,6 +156,7 @@ IF(ENABLE_TEST)
+     test_read_format_rar_filter.c
+     test_read_format_rar_overflow.c
+     test_read_format_rar5.c
++    test_read_format_rar5_loop_bug.c
+     test_read_format_raw.c
+     test_read_format_tar.c
+     test_read_format_tar_concatenated.c
+diff --git a/libarchive/test/test_read_format_rar5_loop_bug.c b/libarchive/test/test_read_format_rar5_loop_bug.c
+new file mode 100644
+index 0000000..77dd78c
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_loop_bug.c
+@@ -0,0 +1,53 @@
++/*-
++ * Copyright (c) 2026 Tim Kientzle
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++#include "test.h"
++
++DEFINE_TEST(test_read_format_rar5_loop_bug)
++{
++  const char *reffile = "test_read_format_rar5_loop_bug.rar";
++  struct archive_entry *ae;
++  struct archive *a;
++  const void *buf;
++  size_t size;
++  la_int64_t offset;
++
++  extract_reference_file(reffile);
++  assert((a = archive_read_new()) != NULL);
++  assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
++  assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
++  assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, reffile, 10240));
++
++  // This has just one entry
++  assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae));
++
++  // Read blocks until the end of the entry
++  while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size, &offset)) {
++  }
++
++  assertEqualIntA(a, ARCHIVE_EOF, archive_read_next_header(a, &ae));
++
++  assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
++  assertEqualInt(ARCHIVE_OK, archive_free(a));
++}
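Review bot: the read loop `while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size, &offset)) {}` exits on any non-OK status, so the test also passes if the reader bails out with ARCHIVE_FATAL on the first block. Since the point of this regression test is that the crafted entry is consumed to its end without looping, capture the final status and assert it, e.g. `int r;` / `while ((r = archive_read_data_block(a, &buf, &size, &offset)) == ARCHIVE_OK) ;` / `assertEqualIntA(a, ARCHIVE_EOF, r);`. Minor: the `//` comments differ from the `/* */` style used in this file's own header.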
+diff --git a/libarchive/test/test_read_format_rar5_loop_bug.rar.uu b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
+new file mode 100644
+index 0000000..3e47004
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
+@@ -0,0 +1,189 @@
++begin 644 test_read_format_rar5_loop_bug.rar
++M4F%R(1H'`0#%&C,R`P$``)T-9%L.`@+P0`"`@`P`@`,``6'(WFP@`?\7_U/^
++M8@!.`B`H````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++M````````````````````````````````````````````````````````````
++5```````````````````Y^;*!`@4`
++`
++end
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index e74326b40fd..85fe6e5baa2 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -50,6 +50,8 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \
            file://CVE-2025-60753-01.patch \
            file://CVE-2025-60753-02.patch \
+           file://CVE-2026-4111-1.patch \
+           file://CVE-2026-4111-2.patch \
            "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 



* [OE-core][kirkstone v2 12/18] vim: Fix CVE-2026-33412
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Pick patch from [1], also mentioned in the NVD report [2]
[1] https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-33412

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../vim/files/CVE-2026-33412.patch            | 61 +++++++++++++++++++
 meta/recipes-support/vim/vim.inc              |  1 +
 2 files changed, 62 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2026-33412.patch

diff --git a/meta/recipes-support/vim/files/CVE-2026-33412.patch b/meta/recipes-support/vim/files/CVE-2026-33412.patch
new file mode 100644
index 00000000000..62daa308b58
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-33412.patch
@@ -0,0 +1,61 @@
+From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001
+From: pyllyukko <pyllyukko@maimed.org>
+Date: Thu, 19 Mar 2026 19:58:05 +0000
+Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in
+ glob()
+
+Problem:  The glob() function on Unix-like systems does not escape
+          newline characters when expanding wildcards. A maliciously
+          crafted string containing '\n' can be used as a command
+          separator to execute arbitrary shell commands via
+          mch_expand_wildcards(). This depends on the user's 'shell'
+          setting.
+Solution: Add the newline character ('\n') to the SHELL_SPECIAL
+          definition to ensure it is properly escaped before being
+          passed to the shell (pyllyukko).
+
+closes: #19746
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
+
+Signed-off-by: pyllyukko <pyllyukko@maimed.org>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+CVE: CVE-2026-33412
+Upstream-Status: Backport [https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/os_unix.c | 2 +-
+ src/version.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/os_unix.c b/src/os_unix.c
+index cf195e62e1..d767956b1a 100644
+--- a/src/os_unix.c
++++ b/src/os_unix.c
+@@ -7106,7 +7106,7 @@ mch_expandpath(
+ # define SEEK_END 2
+ #endif
+ 
+-#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|"
++# define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n"
+ 
+     int
+ mch_expand_wildcards(
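Review bot: the replacement line turns `#define SHELL_SPECIAL` into `# define SHELL_SPECIAL`, an unrelated indentation change (the directive is not inside the preceding `#ifndef SEEK_END` block, which closes at the `#endif` two lines earlier); keep `#define` so the backport is exactly the `\n` addition and later patches to this area apply cleanly. The functional change itself is right: with `\n` in SHELL_SPECIAL, mch_expand_wildcards() backslash-escapes a newline like the other metacharacters before the pattern is handed to the shell, so it can no longer act as a command separator.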
+diff --git a/src/version.c b/src/version.c
+index 4f3912aedd..712a3e637c 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -724,6 +724,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    1684,
+ /**/
+     1683,
+ /**/
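Review bot: the new included_patches entry is 1684, a local number continuing the 9.0.x series this recipe builds, not upstream's 9.2.0202 from the subject. That is the usual convention for these backports, but it means the built vim reports patch level 1684, so the recipe's PV has to follow in the same change.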
+-- 
+2.50.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 289f31be707..fc9b4db055a 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://disable_acl_header_check.patch \
            file://0001-src-Makefile-improve-reproducibility.patch \
            file://no-path-adjust.patch \
+           file://CVE-2026-33412.patch \
            "
 
 PV .= ".1683"
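Review bot: `PV .= ".1683"` is left unchanged although version.c now records patch 1684; bump it to `PV .= ".1684"` so the recipe version and the version the binary reports agree (the existing .1683 line shows this is how earlier backports were tracked).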
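The fix above works by adding the newline to the set of bytes that receive a backslash before a wildcard pattern is handed to the shell. The C program below is an added example, not vim's code: it models that escaping step with the old and the fixed SHELL_SPECIAL strings and checks that, with the fixed set, no special byte reaches the shell unescaped. The function names, the fixed-buffer interface and the sample patterns are this example's own, and vim's csh-specific quoting is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not vim's code. The two strings model the SHELL_SPECIAL
 * set before and after the fix: the fixed set also treats a newline as a byte
 * that must be escaped before the pattern reaches the shell. */
static const char *const SHELL_SPECIAL_OLD   = "\t \"&'$;<>()\\|";
static const char *const SHELL_SPECIAL_FIXED = "\t \"&'$;<>()\\|\n";

/* Copy `pat` into `out`, putting a backslash in front of every byte that
 * occurs in `special` (sh-style quoting). Returns the escaped length, or -1
 * if `outsz` is too small for the result and its terminator. */
long shell_escape(const char *pat, const char *special, char *out, size_t outsz)
{
    size_t o = 0;
    for (const char *p = pat; *p; p++) {
        size_t need = strchr(special, *p) ? 2 : 1;
        if (o + need >= outsz)          /* keep room for the terminator */
            return -1;
        if (need == 2)
            out[o++] = '\\';
        out[o++] = *p;
    }
    out[o] = '\0';
    return (long)o;
}

/* Return 1 if `s` still contains a byte from `special` that is not preceded
 * by an escaping backslash, i.e. a byte the shell would interpret. */
int leaks_special(const char *s, const char *special)
{
    for (const char *p = s; *p; p++) {
        if (*p == '\\') {               /* escaped byte: skip it */
            if (!p[1])
                break;
            p++;
            continue;
        }
        if (strchr(special, *p))
            return 1;
    }
    return 0;
}

/* Escape `pat` with `special` and report whether the result equals `expect`
 * and leaves no unescaped special byte behind. */
int check_escape(const char *pat, const char *special, const char *expect)
{
    char buf[256];
    long n = shell_escape(pat, special, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expect) == 0 && !leaks_special(buf, special);
}

int main(void)
{
    const char *pattern = "notes\nimportant*.txt";   /* constructed input */
    char old_out[64], new_out[64];

    shell_escape(pattern, SHELL_SPECIAL_OLD, old_out, sizeof old_out);
    shell_escape(pattern, SHELL_SPECIAL_FIXED, new_out, sizeof new_out);
    printf("old set leaves a newline unescaped: %d\n",
           leaks_special(old_out, SHELL_SPECIAL_FIXED));   /* 1 */
    printf("fixed set leaves a newline unescaped: %d\n",
           leaks_special(new_out, SHELL_SPECIAL_FIXED));   /* 0 */
    return 0;
}
```

leaks_special() is the check a reviewer wants here: run over the escaped string, it reports whether any metacharacter would still be interpreted by the shell, which is exactly what the missing '\n' allowed before the fix.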



* [OE-core][kirkstone v2 13/18] sqlite3: Fix CVE-2025-70873
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patch as per [1]

[1] https://sqlite.org/src/info/3d459f1fb1bd1b5e
[2] https://sqlite.org/forum/forumpost/761eac3c82
[3] https://gist.github.com/cnwangjihe/f496393f30f5ecec5b18c8f5ab072054

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../sqlite/files/CVE-2025-70873.patch         | 33 +++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-70873.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2025-70873.patch b/meta/recipes-support/sqlite/files/CVE-2025-70873.patch
new file mode 100644
index 00000000000..86004c0b741
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2025-70873.patch
@@ -0,0 +1,33 @@
+From 5a05c59d4d75c03f23d5fb70feac9f789954bf8a Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Sat, 6 Dec 2025 20:41:24 +0000
+Subject: [PATCH] In the zipfile extension, only return as many bytes as
+ Inflate actually generated.  [forum:/forumpost/761eac3c82|Forum post
+ 761eac3c82]. Adjust ./configure so that it builds zipfile into testfixture if
+ ZLIB is available, so that tests get run on unix platforms.
+
+FossilOrigin-Name: 3d459f1fb1bd1b5e723629c463ab392af7b206ece3388bda216c6a4c26160909
+
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/5a05c59d4d75c03f23d5fb70feac9f789954bf8a]
+CVE: CVE-2025-70873
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ shell.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shell.c b/shell.c
+index fa45d40..3c4902c 100644
+--- a/shell.c
++++ b/shell.c
+@@ -7668,7 +7668,7 @@ static void zipfileInflate(
+       if( err!=Z_STREAM_END ){
+         zipfileCtxErrorMsg(pCtx, "inflate() failed (%d)", err);
+       }else{
+-        sqlite3_result_blob(pCtx, aRes, nOut, zipfileFree);
++        sqlite3_result_blob(pCtx, aRes, (int)str.total_out, zipfileFree);
+         aRes = 0;
+       }
+     }
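Review bot: the `(int)str.total_out` cast deserves a one-line comment in the patch: it is only safe if aRes was allocated with nOut bytes and avail_out was set to nOut, so total_out can never exceed nOut. Returning total_out instead of the declared nOut is what stops the blob from carrying the uninitialised tail of aRes when an entry's recorded uncompressed size is larger than what the stream actually produces. The upstream subject also mentions a ./configure change; for the autoconf amalgamation this recipe builds, the zipfile extension is inside shell.c, so this single hunk is the whole fix.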
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index acdd80022e1..9e10caa399a 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
            file://CVE-2023-7104.patch \
            file://CVE-2025-29088.patch \
            file://CVE-2025-6965.patch \
+           file://CVE-2025-70873.patch \
            "
 SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
 



* [OE-core][kirkstone v2 14/18] curl: patch CVE-2025-14524
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Pick commit per [1].

[1] https://curl.se/docs/CVE-2025-14524.html
[2] https://security-tracker.debian.org/tracker/CVE-2025-14524

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
[YC: cherry-picked from scarthgap commit 951113a6e8185969444b5e28292f23434dba1f6c]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-14524.patch            | 42 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-14524.patch b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
new file mode 100644
index 00000000000..0ab77ade9d5
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
@@ -0,0 +1,42 @@
+From b3e2318ff3cbe4a9babe5b6875916a429bd584be Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 10 Dec 2025 11:40:47 +0100
+Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer
+
+Closes #19933
+
+CVE: CVE-2025-14524
+Upstream-Status: Backport [https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640]
+
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+
+---
+ lib/curl_sasl.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
+index 7e28c92..f0b0341 100644
+--- a/lib/curl_sasl.c
++++ b/lib/curl_sasl.c
+@@ -345,7 +345,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data,
+     data->set.str[STRING_SERVICE_NAME] :
+     sasl->params->service;
+ #endif
+-  const char *oauth_bearer = data->set.str[STRING_BEARER];
++  const char *oauth_bearer =
++    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
++    data->set.str[STRING_BEARER] : NULL;
+   struct bufref nullmsg;
+ 
+   Curl_bufref_init(&nullmsg);
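Review bot: the same ternary is repeated verbatim in Curl_sasl_start and Curl_sasl_continue; factor it into a small static helper (e.g. `sasl_bearer_token(data)`) so the two call sites cannot drift apart in a later backport. The condition itself is the right one: once the transfer is a redirect follow (`this_is_a_follow`), the bearer token is only handed out if the user opted in with `allow_auth_to_other_hosts`, i.e. CURLOPT_UNRESTRICTED_AUTH, which is the same rule curl applies to HTTP Authorization headers.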
+@@ -531,7 +533,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data,
+     data->set.str[STRING_SERVICE_NAME] :
+     sasl->params->service;
+ #endif
+-  const char *oauth_bearer = data->set.str[STRING_BEARER];
++  const char *oauth_bearer =
++    (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
++    data->set.str[STRING_BEARER] : NULL;
+   struct bufref serverdata;
+ 
+   Curl_bufref_init(&serverdata);
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 72bd1a20881..b8fa8b5266a 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -70,6 +70,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2025-14017.patch \
            file://CVE-2025-15079.patch \
            file://CVE-2025-15224.patch \
+           file://CVE-2025-14524.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 



* [OE-core][kirkstone v2 15/18] curl: patch CVE-2026-1965
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patches from Ubuntu per [1]

[1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
[2] https://ubuntu.com/security/CVE-2026-1965
[3] https://curl.se/docs/CVE-2026-1965.html

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2026-1965-1.patch           | 98 +++++++++++++++++++
 .../curl/curl/CVE-2026-1965-2.patch           | 29 ++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  2 +
 3 files changed, 129 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-1965-2.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
new file mode 100644
index 00000000000..1d0f5c59e8d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965-1.patch
@@ -0,0 +1,98 @@
+From 34fa034d9a390c4bd65e2d05262755ec8646ac12 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 5 Feb 2026 08:34:21 +0100
+Subject: [PATCH] url: fix reuse of connections using HTTP Negotiate
+
+Assume Negotiate means connection-based
+
+Reported-by: Zhicheng Chen
+Closes #20534
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/34fa034d9a390c4bd6]
+Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
+
+CVE: CVE-2026-1965
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 82 insertions(+), 5 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1145,6 +1145,18 @@ ConnectionExists(struct Curl_easy *data,
+ #endif
+ #endif
+ 
++#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
++  bool wantNegohttp =
++    (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
++    (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#ifndef CURL_DISABLE_PROXY
++  bool wantProxyNegohttp =
++    needle->bits.proxy_user_passwd &&
++    (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
++    (needle->handler->protocol & PROTO_FAMILY_HTTP);
++#endif
++#endif
++
+   *force_reuse = FALSE;
+   *waitpipe = FALSE;
+ 
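Review bot: these declarations are guarded by `#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)`, but the block that uses wantNegohttp and wantProxyNegohttp later in the same function (second hunk of this file) is under plain `#ifdef USE_SPNEGO`. A build with CURL_DISABLE_HTTP set and SPNEGO enabled would fail on undeclared identifiers; use the same guard on both blocks.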
+@@ -1496,6 +1508,57 @@ ConnectionExists(struct Curl_easy *data,
+           continue;
+         }
+ #endif
++
++#ifdef USE_SPNEGO
++  /* If we are looking for an HTTP+Negotiate connection, check if this is
++     already authenticating with the right credentials. If not, keep looking
++     so that we can reuse Negotiate connections if possible. */
++  if(wantNegohttp) {
++    if(Curl_timestrcmp(needle->user, check->user) ||
++       Curl_timestrcmp(needle->passwd, check->passwd))
++      continue;
++  }
++  else if(check->http_negotiate_state != GSS_AUTHNONE) {
++    /* Connection is using Negotiate auth but we do not want Negotiate */
++    continue;
++  }
++
++#ifndef CURL_DISABLE_PROXY
++  /* Same for Proxy Negotiate authentication */
++  if(wantProxyNegohttp) {
++    /* Both check->http_proxy.user and check->http_proxy.passwd can be
++     * NULL */
++    if(!check->http_proxy.user || !check->http_proxy.passwd)
++      continue;
++
++    if(Curl_timestrcmp(needle->http_proxy.user,
++                       check->http_proxy.user) ||
++       Curl_timestrcmp(needle->http_proxy.passwd,
++                       check->http_proxy.passwd))
++      continue;
++  }
++  else if(check->proxy_negotiate_state != GSS_AUTHNONE) {
++    /* Proxy connection is using Negotiate auth but we do not want Negotiate */
++    continue;
++  }
++#endif
++  if(wantNTLMhttp || wantProxyNTLMhttp) {
++    /* Credentials are already checked, we may use this connection. We MUST
++     * use a connection where it has already been fully negotiated. If it has
++     * not, we keep on looking for a better one. */
++    chosen = check;
++    if((wantNegohttp &&
++        (check->http_negotiate_state != GSS_AUTHNONE)) ||
++       (wantProxyNegohttp &&
++        (check->proxy_negotiate_state != GSS_AUTHNONE))) {
++      /* We must use this connection, no other */
++      *force_reuse = TRUE;
++      break;
++    }
++    continue; /* get another */
++  }
++#endif
++
+         if(canmultiplex) {
+           /* We can multiplex if we want to. Let's continue looking for
+              the optimal connection to use. */
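Review bot: the gate `if(wantNTLMhttp || wantProxyNTLMhttp)` at the bottom of this block is the copy-paste error that CVE-2026-1965-2.patch corrects to wantNegohttp/wantProxyNegohttp; as written, a request that wants Negotiate but not NTLM never reaches the force_reuse logic, so -1 alone does not implement the intended behaviour. Either fold -2 into this file or state the dependency in the commit message so the two are never split. Two smaller points: the inserted block is indented at 2 spaces inside a body that sits at 8 (compare the surrounding `if(canmultiplex)`), and Curl_timestrcmp must resolve in the kirkstone 7.82.0 tree; the Ubuntu backport targets 7.81.0 with its own patch stack, so confirm this tree provides that helper or the build fails at link time.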
diff --git a/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
new file mode 100644
index 00000000000..fa5fefd2517
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-1965-2.patch
@@ -0,0 +1,29 @@
+From f1a39f221d57354990e3eeeddc3404aede2aff70 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 21 Feb 2026 18:11:41 +0100
+Subject: [PATCH] url: fix copy and paste url_match_auth_nego mistake
+
+Follow-up to 34fa034
+Reported-by: dahmono on github
+Closes #20662
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f1a39f221d57354990]
+Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
+
+CVE: CVE-2026-1965
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1542,7 +1542,7 @@ ConnectionExists(struct Curl_easy *data,
+     continue;
+   }
+ #endif
+-  if(wantNTLMhttp || wantProxyNTLMhttp) {
++  if(wantNegohttp || wantProxyNegohttp) {
+     /* Credentials are already checked, we may use this connection. We MUST
+      * use a connection where it has already been fully negotiated. If it has
+      * not, we keep on looking for a better one. */
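Review bot: this corrects the condition that -1 leaves as `wantNTLMhttp || wantProxyNTLMhttp`, so the two files are only meaningful together and must keep the SRC_URI order -1 then -2 (the hunk header `@@ -1542,7 +1542,7 @@` assumes -1 is already applied). Squashing it into CVE-2026-1965-1.patch would remove the chance of someone carrying -1 without -2.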
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index b8fa8b5266a..0e107f1e753 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -71,6 +71,8 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2025-15079.patch \
            file://CVE-2025-15224.patch \
            file://CVE-2025-14524.patch \
+           file://CVE-2026-1965-1.patch \
+           file://CVE-2026-1965-2.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 



* [OE-core][kirkstone v2 16/18] curl: patch CVE-2026-3783
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

CVE-2026-3783-pre1.patch is a dependency patch for CVE-2026-3783.patch

Cherry-picked from upstream commits:
https://github.com/curl/curl/commit/d7b970e46ba29a7e558e21d19f485977ffed6266
https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877

Reference: https://curl.se/docs/CVE-2026-3783.html

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2026-3783-pre1.patch        |  66 ++++++++
 .../curl/curl/CVE-2026-3783.patch             | 157 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   2 +
 3 files changed, 225 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783-pre1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3783.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-3783-pre1.patch b/meta/recipes-support/curl/curl/CVE-2026-3783-pre1.patch
new file mode 100644
index 00000000000..746e5d9ab6c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-3783-pre1.patch
@@ -0,0 +1,66 @@
+From d7b970e46ba29a7e558e21d19f485977ffed6266 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 29 Apr 2022 22:56:47 +0200
+Subject: [PATCH] http: move Curl_allow_auth_to_host()
+
+It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef
+
+Reported-by: Michael Olbrich
+Fixes #8772
+Closes #8775
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/d7b970e46ba29a7e558e21d19f485977ffed6266]
+CVE: CVE-2026-3783 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/http.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 0d5c449bc72a..b215307dcaaa 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -651,6 +651,21 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data)
+   return result;
+ }
+ 
++/*
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
++ */
++bool Curl_allow_auth_to_host(struct Curl_easy *data)
++{
++  struct connectdata *conn = data->conn;
++  return (!data->state.this_is_a_follow ||
++          data->set.allow_auth_to_other_hosts ||
++          (data->state.first_host &&
++           strcasecompare(data->state.first_host, conn->host.name) &&
++           (data->state.first_remote_port == conn->remote_port) &&
++           (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ #ifndef CURL_DISABLE_HTTP_AUTH
+ /*
+  * Output the correct authentication header depending on the auth type
+@@ -775,21 +790,6 @@ output_auth_headers(struct Curl_easy *data,
+   return CURLE_OK;
+ }
+ 
+-/*
+- * Curl_allow_auth_to_host() tells if authentication, cookies or other
+- * "sensitive data" can (still) be sent to this host.
+- */
+-bool Curl_allow_auth_to_host(struct Curl_easy *data)
+-{
+-  struct connectdata *conn = data->conn;
+-  return (!data->state.this_is_a_follow ||
+-          data->set.allow_auth_to_other_hosts ||
+-          (data->state.first_host &&
+-           strcasecompare(data->state.first_host, conn->host.name) &&
+-           (data->state.first_remote_port == conn->remote_port) &&
+-           (data->state.first_remote_protocol == conn->handler->protocol)));
+-}
+-
+ /**
+  * Curl_http_output_auth() setups the authentication headers for the
+  * host/proxy and the correct authentication
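Review bot: the `CVE:` tag in this patch reads `CVE: CVE-2026-3783 #Dependency Patch`, whereas every other patch in the series uses the bare `CVE: CVE-2026-3783` form; keep the tag line to the identifier alone and move the "dependency patch" remark into the commit message body (the cover text of this mail already states it), so that anything parsing the `CVE:` line sees the same format throughout the series. The relocated `Curl_allow_auth_to_host()` body is identical between the `-` and `+` halves, so the hunk is a pure move out of the `#ifndef CURL_DISABLE_HTTP_AUTH` block and needs no further scrutiny.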
diff --git a/meta/recipes-support/curl/curl/CVE-2026-3783.patch b/meta/recipes-support/curl/curl/CVE-2026-3783.patch
new file mode 100644
index 00000000000..769198d6883
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-3783.patch
@@ -0,0 +1,157 @@
+From e3d7401a32a46516c9e5ee877e613e62ed35bddc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 6 Mar 2026 23:13:07 +0100
+Subject: [PATCH] http: only send bearer if auth is allowed
+
+Verify with test 2006
+
+Closes #20843
+
+Curl_auth_allowed_to_host() function got renamed from
+Curl_allow_auth_to_host() by the commit
+https://github.com/curl/curl/commit/72652c0613d37ce18e99cca17a42887f12ad43da
+
+Current curl version 7.82.0 has function Curl_allow_auth_to_host()
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877]
+CVE: CVE-2026-3783
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/http.c              |  1 +
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test2006     | 98 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 100 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test2006
+
+diff --git a/lib/http.c b/lib/http.c
+index 691091b..6acd537 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -757,6 +757,7 @@ output_auth_headers(struct Curl_easy *data,
+   if(authstatus->picked == CURLAUTH_BEARER) {
+     /* Bearer */
+     if((!proxy && data->set.str[STRING_BEARER] &&
++	Curl_allow_auth_to_host(data) &&
+         !Curl_checkheaders(data, STRCONST("Authorization")))) {
+       auth = "Bearer";
+       result = http_output_bearer(data);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index ad41a5e..e641cb8 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -221,7 +221,7 @@ test1916 test1917 test1918 \
+ \
+ test1933 test1934 test1935 test1936 test1937 test1938 test1939 \
+ \
+-test2000 test2001 test2002 test2003 test2004 \
++test2000 test2001 test2002 test2003 test2004 test2006 \
+ \
+                                                                test2023 \
+ test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \
+diff --git a/tests/data/test2006 b/tests/data/test2006
+new file mode 100644
+index 0000000..200d30a
+--- /dev/null
++++ b/tests/data/test2006
+@@ -0,0 +1,98 @@
++<?xml version="1.0" encoding="US-ASCII"?>
++<testcase>
++<info>
++<keywords>
++netrc
++HTTP
++</keywords>
++</info>
++# Server-side
++<reply>
++<data crlf="headers">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++-foo-
++</data>
++
++<data2 crlf="headers">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</data2>
++
++<datacheck crlf="headers">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</datacheck>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++proxy
++</features>
++<name>
++.netrc default with redirect plus oauth2-bearer
++</name>
++<command>
++--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER --oauth2-bearer SECRET_TOKEN -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
++</command>
++<file name="%LOGDIR/netrc%TESTNUMBER" >
++default login testuser password testpass
++</file>
++</client>
++
++<verify>
++<protocol crlf="headers">
++GET http://a.com/ HTTP/1.1
++Host: a.com
++Authorization: Bearer SECRET_TOKEN
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://b.com/%TESTNUMBER0002 HTTP/1.1
++Host: b.com
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+-- 
+2.25.1
+
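Review bot: the added line `+	Curl_allow_auth_to_host(data) &&` in the lib/http.c hunk is indented with a tab while the rest of the condition uses spaces; curl's checksrc rejects tabs, and the misaligned line makes the multi-line `if` harder to read, so re-indent it with spaces to line up with `!Curl_checkheaders(data, STRCONST("Authorization"))` on the following line. The test2006 expectations are consistent with the fix: the `Authorization: Bearer SECRET_TOKEN` header appears only in the request to `a.com` and is absent from the redirected request to `b.com`.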
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 0e107f1e753..f50af1d4722 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -73,6 +73,8 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2025-14524.patch \
            file://CVE-2026-1965-1.patch \
            file://CVE-2026-1965-2.patch \
+           file://CVE-2026-3783-pre1.patch \
+           file://CVE-2026-3783.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 



* [OE-core][kirkstone v2 17/18] curl: patch CVE-2026-3784
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patch from Ubuntu per [1]

[1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
[2] https://ubuntu.com/security/CVE-2026-3784
[3] https://curl.se/docs/CVE-2026-3784.html

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2026-3784.patch             | 73 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2026-3784.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2026-3784.patch b/meta/recipes-support/curl/curl/CVE-2026-3784.patch
new file mode 100644
index 00000000000..95784e47637
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-3784.patch
@@ -0,0 +1,73 @@
+From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 6 Mar 2026 14:54:09 +0100
+Subject: [PATCH] proxy-auth: additional tests
+
+Also eliminate the special handling for socks proxy match.
+
+Closes #20837
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3]
+Backported by Ubuntu team https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.81.0-1ubuntu1.23/curl_7.81.0-1ubuntu1.23.debian.tar.xz
+
+CVE: CVE-2026-3784
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c                        | 28 +++++++---------------------
+ tests/http/test_13_proxy_auth.py | 20 ++++++++++++++++++++
+ tests/http/testenv/curl.py       | 18 +++++++++++++++---
+ 3 files changed, 42 insertions(+), 24 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -930,33 +930,15 @@ proxy_info_matches(const struct proxy_in
+ {
+   if((data->proxytype == needle->proxytype) &&
+      (data->port == needle->port) &&
+-     Curl_safe_strcasecompare(data->host.name, needle->host.name))
+-    return TRUE;
++     curl_strequal(data->host.name, needle->host.name)) {
+ 
++    if(Curl_timestrcmp(data->user, needle->user) ||
++       Curl_timestrcmp(data->passwd, needle->passwd))
++      return FALSE;
++    return TRUE;
++  }
+   return FALSE;
+ }
+-
+-static bool
+-socks_proxy_info_matches(const struct proxy_info *data,
+-                         const struct proxy_info *needle)
+-{
+-  if(!proxy_info_matches(data, needle))
+-    return FALSE;
+-
+-  /* the user information is case-sensitive
+-     or at least it is not defined as case-insensitive
+-     see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */
+-
+-  /* curl_strequal does a case insentive comparison, so do not use it here! */
+-  if(Curl_timestrcmp(data->user, needle->user) ||
+-     Curl_timestrcmp(data->passwd, needle->passwd))
+-    return FALSE;
+-  return TRUE;
+-}
+-#else
+-/* disabled, won't get called */
+-#define proxy_info_matches(x,y) FALSE
+-#define socks_proxy_info_matches(x,y) FALSE
+ #endif
+ 
+ /* A connection has to have been idle for a shorter time than 'maxage_conn'
+@@ -1282,8 +1264,8 @@ ConnectionExists(struct Curl_easy *data,
+         continue;
+ 
+       if(needle->bits.socksproxy &&
+-        !socks_proxy_info_matches(&needle->socks_proxy,
+-                                  &check->socks_proxy))
++        !proxy_info_matches(&needle->socks_proxy,
++                            &check->socks_proxy))
+         continue;
+ #endif
+       if(needle->bits.conn_to_host != check->bits.conn_to_host)
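Review bot: the diffstat in this patch header (`tests/http/test_13_proxy_auth.py | 20 ++++`, `tests/http/testenv/curl.py | 18 +++`, `3 files changed, 42 insertions(+), 24 deletions(-)`) does not match the body, which carries only the two lib/url.c hunks; trim the stat to lib/url.c or state in the description why the pytest additions were dropped (the tests/http suite does not appear to exist in 7.82.0), so a reader does not go looking for missing test changes. Two smaller points in the lib/url.c hunk: the comment explaining why the user and password comparison must be case-sensitive (`the user information is case-sensitive ... rfc3986#section-3.2.1`) is deleted together with socks_proxy_info_matches() rather than carried over to the `Curl_timestrcmp()` calls now in proxy_info_matches(), and the `#else` fallback `#define proxy_info_matches(x,y) FALSE` is removed, so please confirm a `CURL_DISABLE_PROXY` build still compiles (the call site shown sits inside its own `#ifndef` region ending at the `#endif` after `continue;`, so it should, but the removed macro was the safety net).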
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index f50af1d4722..a2ee5736810 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -75,6 +75,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2026-1965-2.patch \
            file://CVE-2026-3783-pre1.patch \
            file://CVE-2026-3783.patch \
+           file://CVE-2026-3784.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 



* [OE-core][kirkstone v2 18/18] scripts/install-buildtools: Update to 4.0.34
From: Yoann Congal @ 2026-04-07  7:13 UTC (permalink / raw)
  To: openembedded-core

From: Yoann Congal <yoann.congal@smile.fr>

Update to the 4.0.34 release of the 4.0 series for buildtools

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 scripts/install-buildtools | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/install-buildtools b/scripts/install-buildtools
index 6a1762c14b3..8754f2d773e 100755
--- a/scripts/install-buildtools
+++ b/scripts/install-buildtools
@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout)
 
 DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools')
 DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto'
-DEFAULT_RELEASE = 'yocto-4.0.33'
-DEFAULT_INSTALLER_VERSION = '4.0.33'
+DEFAULT_RELEASE = 'yocto-4.0.34'
+DEFAULT_INSTALLER_VERSION = '4.0.34'
 DEFAULT_BUILDDATE = '202110XX'
 
 # Python version sanity check



Thread overview: 19+ messages
2026-04-07  7:13 [OE-core][kirkstone v2 00/18] Patch review Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 01/18] linux-yocto/5.15: update to v5.15.200 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 02/18] linux-yocto/5.15: update to v5.15.201 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 03/18] create-pull-request: Keep commit hash to be pulled in cover email Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 04/18] README.OE-Core: update contributor links and add kirkstone prefix Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 05/18] libtheora: mark CVE-2024-56431 as not vulnerable yet Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 06/18] tzdata,tzcode-native: Upgrade 2025b -> 2025c Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 07/18] tzdata/tzcode-native: upgrade 2025c -> 2026a Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 08/18] python3: upgrade 3.10.19 -> 3.10.20 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 09/18] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 10/18] python3-pyopenssl: Fix CVE-2026-27459 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 11/18] libarchive: Fix CVE-2026-4111 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 12/18] vim: Fix CVE-2026-33412 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 13/18] sqlite3: Fix CVE-2025-70873 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 14/18] curl: patch CVE-2025-14524 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 15/18] curl: patch CVE-2026-1965 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 16/18] curl: patch CVE-2026-3783 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 17/18] curl: patch CVE-2026-3784 Yoann Congal
2026-04-07  7:13 ` [OE-core][kirkstone v2 18/18] scripts/install-buildtools: Update to 4.0.34 Yoann Congal
