Changelog:
- Windows/interactive service: fix erroneous exit on error that could
be used by a local Windows users to achieve a local denial-of-service
(CVE-2025-13751)
- Windows/interactive service: improve service pipe robustness against
file access races (uuid) and access by unauthorized processes (ACL).
upgrade bundled build instruction (vcpkg and patch) for pkcs11-helper
to 1.31, fixing a parser bug
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The minio umbrella covers multiple projects. The recipe itself builds
"minio client", which is a set of basic tools to query data from
"minio server" - like ls, mv, find...
The CVEs were files against minio server. Looking at the go mod list,
this recipe doesn't use minio server even as a build dependency - so ignore
the CVEs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Handles CVE-2025-11677, CVE-2025-11678, CVE-2025-11679 and
CVE-2025-11680.
* drop patches included in this release
* update license
* add packageconfig for examples as those don't build
License-Update: added new license, see:
https://libwebsockets.org/git/libwebsockets/commit?id=e3dca87f23e8f783e1008b54829b39f9d7b083df
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This ends up in the native/nativesdk depchains especially when
building on arm64 build hosts.
Fixes errors e.g.
WARNING: Nothing RPROVIDES 'nativesdk-libopus-dev' (but virtual:nativesdk:/srv/build/yoe/sources/meta-openembedded/meta-oe/recipes-multimedia/libopus/libopus_1.5.2.bb RDEPENDS on or otherwise requires it)
No eligible RPROVIDERs exist for 'nativesdk-libopus-dev'
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changes for 1.5.2 'Sonic':
--------------------------
1.5.2 is a minor release of dav1d, focused on maintenance:
- minor speed improvement in recon
- improvements on loongarch symboles visibility and asm
- mark C globals with small code model
- reduce the code size of the frame header parsing (OBU)
- minor fixes on tools and CI
- fix compilation with nasm 3.00
Copyright year has been changed:
04faac6900
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop memory leak patch which has already been included in this new version.
The new version also includes a fix for CVE 2025-62408.
Changelog: https://github.com/c-ares/c-ares/releases/tag/v1.34.6
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
352
Shown a warning if the last shutdown/reboot was unclean
Bug fixes and translation updates
351
Firewall ports can be deleted individually
350
networking: fix renaming of bridges and other groups (RHEL-117883)
bridge: fix OpenSSH_10.2p1 host key detection
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This reverts commit 1175d5c8c1.
Since this recipe inherits bash-completion, adding
${datadir}/bash-completion to FILES:${PN} should not be needed (in
addition to being the wrong thing to do as the files are expected to be
packaged in the ${PN}-bash-completion package). The reason the problem
addressed in commit 1175d5c8c1 turned up
is due to the recent change to the bash-completion bbclass, where it
started to use PACKAGE_BEFORE_PN. This clashed with the lib_package
bbclass, which used to set rather than add to PACKAGE_BEFORE_PN, and
since it is inherited after bash-completion, it overrid what
bash-completion does.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There are two different types of tags in glslang git repo. One is the
release tag of the project itself: 15.2.0, 14.3.0, etc. The other tag is
for Vulkan SDK: vulkan-sdk-1.4.309, vulkan-sdk-1.4.304.1, etc.
The vulkan sdk tag is used for glslang in openembedded-core because it
needs to update in locksetup with vulkan, which leads to a mismatch
between the runtime version and the build version. Set CHECK_VERSION_PV
for it to skip the version check.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade Vulkan CTS to the point release, fixing several tests. While we
are at it, refresh Vulkan-Video-Samples patches.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This helps tests not hitting timeout (120s default)
especially testmesg_stress test can timeout on slower machines
e.g. fully emulated ( non-kvm ) qemu machines e.g.
qemuarm64 on x86_64 machine.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When OpenCV is being built with the "fastcv" packageconfig, several
OpenCV libs are linked against the libfastcv.a. At runtime this lib will
dlopen(libfastcvopt.so.1), providing a fallback to slow algorithms, etc.
However as it is dlopen() rather than dynamic linking, there is no
runtime dependency.
In Yocto, if we enable a feature, we expect that all runtime
dependencies are pulled in. Utilize the qcom-fastcv-binaries recipe
provided by the meta-qcom layer and pull in libfastcvopt1 package as
required.
Cc: Pulkit Singh Tak <ptak@qti.qualcomm.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The minicoredumper has multiple 2038 year problems where 'long' type
variables and strtol() function calls cause overflow on 32-bit systems
when handling timestamps after 2038-01-19.
This leads to incorrect timestamp formatting in core dump directory
names (e.g., sleep40s.20380119.031407+0000.598).
Fix by changing 'long timestamp' to 'time_t timestamp' and replacing
strtol() with strtoll() to properly handle 64-bit timestamps on
32-bit systems.
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This tweak was specific to clang-16, its no longer needed
moreover, setup.py is no longer there in latest 0.19.x
release
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Relase Overview:
* BFD the ability to listen for specific VRFs only
- Configure which VRFs the BFD daemon will listen to. By default, BFD listens to all VRFs
present in the system, including the default VRF. Default VRF must be specified as `default`.
* BGP SRv6/MPLS coexistence
- Allow MPLS and SRv6 to coexist on the same L3VRF, even for a given prefix. This feature is
important in brown fields where some operators want to migrate from MPLS to SRv6 backbone.
* BGP SRv6 locator per VRF support
- Ability to choose SRv6 locator per VRF.
* BGP Error handling (RFC 7606) for iBGP peers
- Before 10.5.0, once we received a malformed packet between iBGP peers, we always reset the
session, and with this release, we handle malformed packets the same way as for eBGP
(by withdrawing or discarding the malformed packets).
* BGP IPv6 Link-Local Capability is disabled by default
- In 10.4.0, this capability was enabled by default for a “datacenter” profile, but it’s disabled
for 10.5.0 and will be backported to 10.4.2 as well. The problem arises when the receiver has
configured a route-map with `set ipv6 next-hop prefer-global` and we send only an IPv6 Link-Local
address; therefore, it was decided to revert it to be disabled by default.
* BGP BGPID Next-Hop Characteristic
- In some cases, the BGP speaker sending a route might encode only a link-local address and no
global address. To provide uniqueness in this case, it is sufficient to associate the BGP
Identifier and AS Number of the route's sender. The BGP Identifier Characteristic
(BGPID) provides a way to convey this information if required.
* BGP EVPN flooding per VNI support
- Add an ability to adjust BUM flooding per VNI, instead of just globally. E.g., disable flooding
only for an arbitrary VNI.
* BGP RPKI strict mode
- RPKI strict mode prevents BGP from establishing a session if no RPKI cache server
is connected.
* BGP rejects AS_SET by default**
- Until 10.5.0, it was disabled by default, and since RFC 9774 was published, we switched this on
by default (to reject).
* BGP has lots of improvements for Graceful-Restart**
* PIM/PIMv6 route-map support to allow users to filter IGMP/MLD joins using source, group, and
interface combinations
* Support for multiple SRv6 locators
- This extends the SRv6 SID Manager to add support for multiple locators.
* Zebra 16-bit next hop weights support
- The weights used in ECMP’s consistent hashing have been widened from 8 bits to 16 bits since
the 6.12 Linux kernel.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
