Commit Graph

35544 Commits

Author SHA1 Message Date
Wang Mingyu
ca3e6f67da
python3-typer: upgrade 0.19.1 -> 0.19.2
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:54 -07:00
Wang Mingyu
ce98bd00f8
python3-txaio: upgrade 25.6.1 -> 25.9.2
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:54 -07:00
Wang Mingyu
934560d4b6
python3-simplejson: upgrade 3.20.1 -> 3.20.2
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:54 -07:00
Wang Mingyu
6cc53385c8
python3-pymodbus: upgrade 3.11.2 -> 3.11.3
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:54 -07:00
Wang Mingyu
372c306e57
python3-pycurl: upgrade 7.45.6 -> 7.45.7
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:54 -07:00
Wang Mingyu
dc94be3527
python3-inline-snapshot: upgrade 0.29.0 -> 0.29.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:54 -07:00
Wang Mingyu
30b56b1e9c
python3-grpcio: upgrade 1.75.0 -> 1.75.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:53 -07:00
Wang Mingyu
6a01daf8eb
python3-grpcio-tools: upgrade 1.75.0 -> 1.75.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:53 -07:00
Wang Mingyu
a86648c579
python3-grpcio-reflection: upgrade 1.75.0 -> 1.75.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:53 -07:00
Wang Mingyu
fd030dc40d
python3-grpcio-channelz: upgrade 1.75.0 -> 1.75.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:53 -07:00
Wang Mingyu
dd1f44679c
python3-flask-restx: upgrade 1.3.0 -> 1.3.2
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:53 -07:00
Wang Mingyu
a03be5c002
python3-cantools: upgrade 40.6.0 -> 40.7.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:53 -07:00
Wang Mingyu
a42e47ffd6
python3-asgiref: upgrade 3.9.1 -> 3.9.2
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:52 -07:00
Wang Mingyu
b53b84a17d
python3-apispec: upgrade 6.8.3 -> 6.8.4
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:52 -07:00
Wang Mingyu
eed642244e
python3-anyio: upgrade 4.10.0 -> 4.11.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:52 -07:00
Wang Mingyu
f999a83972
parallel: upgrade 20250822 -> 20250922
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:52 -07:00
Wang Mingyu
9b5ab1a96c
openvpn: upgrade 2.6.14 -> 2.6.15
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:52 -07:00
Wang Mingyu
ad0d8610ed
makeself: upgrade 2.5.0 -> 2.6.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:52 -07:00
Wang Mingyu
56b1b5178e
graphviz: upgrade 13.1.2 -> 14.0.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:51 -07:00
Wang Mingyu
34a7bdb72f
gnome-menus: upgrade 3.36.0 -> 3.38.1
Changelog:
============
* Add GioUnix-2.0 dependency to introspect libmenu
* Translation updates

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:51 -07:00
Wang Mingyu
aa7dcb3c2e
flatbuffers: upgrade 25.2.10 -> 25.9.23
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 23:35:51 -07:00
Gyorgy Sarvari
74d3d9c2be
libiec61850: upgrade 1.5.3 -> 1.6.1
This update contains a fix for CVE-2024-26529, CVE-2024-45970 and CVE-2024-45971

Changelog: https://github.com/mz-automation/libiec61850/blob/v1.6/CHANGELOG

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:04 -07:00
Jason Schonberg
daf2c473d3
xfce4-mpc-plugin: upgrade 0.5.5 -> 0.6.0
Changelog: https://gitlab.xfce.org/panel-plugins/xfce4-mpc-plugin/-/tags/xfce4-mpc-plugin-0.6.0

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:04 -07:00
Rajeshkumar Ramasamy
5929150a19
open-vm-tools: upgrade 12.5.0 -> 13.0.5
This release addressed the CVE below:
CVE-2025-41244

Drop 0001-Fix-build-when-compiling-with-std-c23.patch which has been
merged upstream.

Changelog:
https://github.com/vmware/open-vm-tools/releases

Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:03 -07:00
Leon Anavi
cdf4a7a4d8
python3-xxhash: Upgrade 3.5.0 -> 3.6.0
Upgrade to release 3.6.0:

- Build wheels for Python 3.14
- Python free-threading support
- Typing: Use Buffer type stubs
- Deprecate xxhash.VERSION_TUPLE, it will be removed in the next
  major release

License-Update: Update years

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:03 -07:00
Gyorgy Sarvari
ec5a9b9684
pgpool2: upgrade 4.5.5 -> 4.6.3
Drop 0001-fix-compiling-on-32-bit-systems.patch, and change to another
patch that solves the same issue in OE, but is more likely to be
adapted by upstream (after discussion with upstream in
https://github.com/pgpool/pgpool2/pull/128)

Shortlog: https://github.com/pgpool/pgpool2/compare/V4_5_5...V4_6_3

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:03 -07:00
Leon Anavi
17ddc60d22
python3-beautifulsoup4: Upgrade 4.13.5 -> 4.14.2
Upgrade to release 4.14.2:

- Making ResultSet inherit from MutableSequence still resulted in
  too many breaking changes in users of the library, so the
  ResultSet code was reverted back to where it was in 4.13.5 and
  tests of all known breaking behavior were added. [bug=2125906]
- Version 4.14.0 adds function overloading to the find_* methods to
  make it easier to write type-safe Python.

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:03 -07:00
Leon Anavi
628b06441f
python3-dbus-fast: Upgrade 2.44.1 -> 2.44.5
Upgrade to release 2.44.5:

- fix: cibuildwheel sha
- Improve unmarshall performance for SignatureType
- Simplify code to unmarshall arrays

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:03 -07:00
Leon Anavi
0fc3ccf83a
valkey: Upgrade 8.1.3 -> 8.1.4
Upgrade to release 8.1.4:

Security fixes:
- (CVE-2025-49844) A Lua script may lead to remote code execution
- (CVE-2025-46817) A Lua script may lead to integer overflow and
  potential RCE
- (CVE-2025-46818) A Lua script can be executed in the context of
  another user
- (CVE-2025-46819) LUA out-of-bound read

Bug fixes:
- Fix accounting for dual channel RDB bytes in replication stats
- Fix EVAL to report unknown error when empty error table is
  provided
- Fix use-after-free when active expiration triggers hashtable
  to shrink
- Fix MEMORY USAGE to account for embedded keys
- Fix memory leak when shrinking a hashtable without entries
- Prevent potential assertion in active defrag handling large
  allocations
- Prevent bad memory access when NOTOUCH client gets unblocked
- Converge divergent shard-id persisted in nodes.conf to primary's
  shard id
- Fix client tracking memory overhead calculation
- Fix RDB load per slot memory pre-allocation when loading from RDB
  snapshot
- Don't use AVX2 instructions if the CPU doesn't support it
- Fix bug where active defrag may be unable to defrag sparsely
  filled pages

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:03 -07:00
Khem Raj
93c7fc24f5
emacs: Use GNU_MIRROR in SRC_URI
Sometimes ftp.gnu.org might be slow.
Add UPSTREAM_CHECK_URI while here

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Gyorgy Sarvari <skandigraun@gmail.com>
2025-10-08 18:46:02 -07:00
Gyorgy Sarvari
dedb716445
nbdkit: upgrade 1.45.1 -> 1.45.9
While working on it, also ignore CVE-2025-47711 and CVE-2025-47712.
Both vulnerabilities are fixed already (they were fixed before the
upgrade also, but there is no version-range associated with the CVE report).

CVE-2025-47711: e6f96bd1b7
CVE-2025-47712: a486f88d1e

Shortlog:
Merge branch '2025-optional-qemu-img' into 'master'
build: Check for qemu-img and disable some tests if not present
tests/curl: Skip test if 'disk' was not created
server/public.c: Use common/include parse_bool function
common/include: Extra bool parsing into a mini-library
docs: Shorter title and tweaks to the description
indexed-gzip: Include <stddef.h> to get ptrdiff_t
indexed-gzip: Move variable decl outside for loop
vddk: Sort synopsis into alphabetical order
ext2: Update docs since filter supports concurrent connections
docs: Move --short/--long-options to right place in synopsis
(origin/rhel-10.2) docs: Document how to probe for server command line options
server: Document --long-options and --short-options
docs/nbdkit-probing.pod: Rearrange synopsis to match description
server: Add --name parameter
docs: Fix bolding of --log=/path option
tests/test-python-plugin.py: Remove unused variables
python: Add binding for nbdkit_parse_bool
tests/test-python-plugin.py: Add name of test for test_parse_size
(tag: v1.45.6) Version 1.45.6.
Merge branch '2025-rounding' into 'master'
server/public.c: Use lrint() instead of implicit conversion to int
indexed-gzip: Fixes for 32-bit support
indexed-gzip: More editorially neutral content
Merge branch 'add-indexed-gzip-filter' into 'master'
Introduce index-gzip filter
Move unmodified index build/extract to ig_zran.h/c
Add serialize/deserialize fn for zran structs
Restructure zran.h, zran.c for use as library
Import zran.c/zran.h v1.6 (2 Aug 2024) from zlib
Merge branch '2025-delay-trigger' into 'master'
delay: Add new delay-trigger option
delay: Rearrange the options in alphabetical order in the documentation
tests/test-map.sh: Fix "nbd_pread: count cannot be 0: Invalid argument"
docs/nbdkit-client.pod: Document attaching NBD devices to QEMU VMs
docs/nbdkit-client.pod: Combine and rename "LIMITATIONS" section
Merge branch '2025-fix-golang-test' into 'master'
tests/test-golang-fork-warning.sh: Fix hanging test
Merge branch '2025-misc-fixes' into 'master'
tests: Use 'define script' in a few more places
tests: Modify make-pki and make-psk scripts to be atomic
tests: Define common functions for requiring TLS certs and PSK
tests/test-tls.sh: Remove unused export of pkidir
tests: Generate make-psk.sh
tests/make-psk.sh: Fix typo "pkstool" -> "psktool"
tests: Fix typo "An good" -> "A good"
map: Implement map-size feature
tests/test-at-file.sh: Fix srcdir != builddir
tests: Work around realpath error on BSDs
Merge branch '2025-eq-file' into 'master'
Merge branch '2025-server-debug' into 'master'
server: Use debug() instead of nbdkit_debug() consistently in the server
map: Refer to @PATH syntax in documentation
server: Add @PATH syntax
server/main.c: Factor out the function that parses key=value
server/main.c: Fix comment
server/main.c: Move key=value parsing to a new function
server/options.h: Reject empty string ("") as a short name
server/options.h: Add comment to is_short_name
server/main.c: Reject empty string as a plugin name or filter name
common: utils: Add const to <vector>_duplicate variable decls
data: Use new vector_append_array in a couple of places
map: Use new vector_append_array function instead of loop
common: utils: vector: Fix vector_uniq prototype and add a test
common: utils: vector: Add range functions for insert, append and remove
common: utils: vector: Prefer vector_reset over free()
Merge branch '2025-map-filter' into 'master'
New filter: map for remapping arbitrary blocks
common: utils: vector: Add new vector_uniq function
tests/functions: Factor out 2^63-1 constant used by a few tests
tests/test-cache-block-size.sh: Remove unused socket
data: Minor revisions to the documentation for clarity
full: Remove reference to equivalence of nbdkit-readonly-filter
tests/test-floppy.sh: Simplify this test
count: Add an example to the documentation
common/include/test-once.c: Further fixes for pthread_barrier_t
common/include/test-once.c: Skip test on macOS which lacks pthread_barrier_t

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:02 -07:00
Khem Raj
aee6a9e450
touchpademulator: Add recipe
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:02 -07:00
Gyorgy Sarvari
3d363e527f
libcupsfilters: upgrade 2.0.0 -> 2.1.1
This contains a fix for CVE-2024-47076

Changelog: https://github.com/OpenPrinting/libcupsfilters/blob/2.1.1/CHANGES.md

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:02 -07:00
Andrew Bradford
ec7f6f5660
samba: Add PACKAGECONFIG[ad-dc] python3-markdown RDEPENDS
For Samba's Active Directory Domain Controller functionality, it needs
to have python3-markdown listed as an RDEPENDS as well as a DEPENDS.

When trying to provision a domain with samba-tool without this change
then it will error out like:

$ samba-tool domain provision --realm=EXAMPLE.COM --domain=EXAMPLE \
	--adminpass='YourPassword123!' --server-role=dc \
	--dns-backend=SAMBA_INTERNAL --use-rfc2307
<snip>
Temporarily overriding 'dsdb:schema update allowed' setting
ERROR(<class 'ModuleNotFoundError'>): uncaught exception - No module named 'markdown'
  File "/usr/lib/python3.13/site-packages/samba/netcmd/__init__.py", line 279, in _run
	return self.run(*args, **kwargs)
		   ~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/samba/netcmd/domain/provision.py", line 343, in run
	result = provision(self.logger,
					   session, smbconf=smbconf, targetdir=targetdir,
	...<16 lines>...
					   backend_store=backend_store,
					   backend_store_size=backend_store_size)
  File "/usr/lib/python3.13/site-packages/samba/provision/__init__.py", line 2404, in provision
	raise e
  File "/usr/lib/python3.13/site-packages/samba/provision/__init__.py", line 2394, in provision
	forest = ForestUpdate(samdb, fix=True)
  File "/usr/lib/python3.13/site-packages/samba/forest_update.py", line 212, in __init__
	from samba.ms_forest_updates_markdown import read_ms_markdown
  File "/usr/lib/python3.13/site-packages/samba/ms_forest_updates_markdown.py", line 27, in <module>
	import markdown

Signed-off-by: Andrew Bradford <andrew.bradford@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:02 -07:00
Gyorgy Sarvari
c8e8890991
libppd: upgrade 2.0.0 -> 2.1.1
This upgrade contains a fix for CVE-2024-47175.

Changelog:

2.1.1:
-pdftops: Use Poppler for a few old Epson laser printers This
 works around documents being printed off-centre, shifted towards
 the top right. Affected are printers using epsoneplijs:
 EPL-5700L, EPL-5800L, EPL-5900L, EPL-6100L, EPL-6200L.
-Fixed bugs discovered by static analyzer OpenScanHub Possible
 buffer overflows, uninitialized memory, format string issues
 and resource leaks, ...
-Fix crash bugs in ppdLoadAttributes() When parsing the
 "*cupsFilter(2): ..." lines in the PPD file use memmove() instead
 of strcpy() as the latter does not support handling overlapping
 memory portions and do not move running pointer beyond the end
 of the input string.

2.1.0:
-Prevent PPD generation based on invalid IPP response Overtaken
 from CUPS 2.x: Validate IPP attributes in PPD generator, refactor
 make-and-model code, PPDize preset and template names, quote PPD
 localized strings. Fixes CVE-2024-47175.

2.1b:
-Added support for libcups3 (libcups of CUPS 3.x) With these changes
 libcupsfilters can be built either with libcups2 (libcups of CUPS 2.x)
 or libcups3 (libcups of CUPS 3.x).
-Prefer PDF again in PPDs for driverless printers PDF works better with
 finishing, especially combinations of multiple copies, collation, and
 stapling/binding.
-Use 0.5mm as tolerance when comparing page sizes For the PWG two page
 sizes are considered the same when the dimensions differ no more than
 0.5 mm, libppd used too tight tolerances.
-PPD generator: Check for required attributes when choosing input format
 Check for PCLm and PWG the minimum of attributes which we require
 during PPD generation.
-ppdLoadAttributes(): Improve check whether parameters are integer
-ppdLoadAttributes(): Fix crash when page size could not get determined
-Fix crash if there is no page size for "Custom"
-Fix crash when incoming *ptr is NULL
-libcups2 compatibility: Use proper CUPS array callback function types
 Fixed CUPS array function call in libcups2 compatibility layer
-Build system: Fix failure to correctly link to zlib Look up zlib
 properly with pkg-config

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:02 -07:00
Gyorgy Sarvari
6cdb2e09d0
libraw: upgrade 0.21.2 -> 0.21.4
This upgrade contains fixes for the following vulnerabilities:
CVE-2025-43961, CVE-2025-43962, CVE-2025-43963 and CVE-2025-43964

Also drop two old CVE_STATUS entries which are not needed anymore,
because the database has been updated with correct info.

Changelog:
https://github.com/LibRaw/LibRaw/blob/master/Changelog.txt

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:01 -07:00
Gyorgy Sarvari
072623d578
luajit: ignore CVE-2024-2517{6,7,8}
All 3 CVEs are fixed in the currently used revision.

Fixes:
CVE-2024-25176: 343ce0edaf
CVE-2024-25177: 85b4fed0b0
CVE-2024-25178: defe61a567

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:01 -07:00
Gyorgy Sarvari
a29b328612
libssh: ignore CVE-2025-5318 and CVE-2025-5987
Both CVEs have been fixed in version 0.11.2.

CVE-2025-5318: https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466
CVE-2025-5987: https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:01 -07:00
Gyorgy Sarvari
8f1269507a
redis: ignore CVE-2022-3734 and CVE-2022-0543
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.

Neither of these issues is present in upstream Redis.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:01 -07:00
Gyorgy Sarvari
17ba274172
redis: ignore CVE-2025-27151
The fix has been backported by upstream, and it is included in the used
version: d0eeee6e31

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-07 09:33:36 -07:00
Gyorgy Sarvari
2ef9c8762d
redis: ignore CVE-2025-21605
The fix has been backported to both redis versions by upstream, and
both versions contain it already.

For 6.2.20 [1] contains the backported fix.

For 7.2.11 [2] contains the backported fix.

[1]: 5e93f9cb9d
[2]: 42fb340ce4

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-07 09:33:36 -07:00
Soumya Sambu
5eae418a2e
python3-django: upgrade 4.2.20 -> 4.2.24
Release Notes:
https://docs.djangoproject.com/en/dev/releases/4.2.24/
https://docs.djangoproject.com/en/dev/releases/4.2.23/
https://docs.djangoproject.com/en/dev/releases/4.2.22/
https://docs.djangoproject.com/en/dev/releases/4.2.21/

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-06 22:08:46 -07:00
Soumya Sambu
64f25a7663
python3-django: Upgrade 5.2 -> 5.2.6
Release notes:
https://docs.djangoproject.com/en/5.2/releases/5.2.6/
https://docs.djangoproject.com/en/5.2/releases/5.2.5/
https://docs.djangoproject.com/en/5.2/releases/5.2.4/
https://docs.djangoproject.com/en/5.2/releases/5.2.3/
https://docs.djangoproject.com/en/5.2/releases/5.2.2/
https://docs.djangoproject.com/en/5.2/releases/5.2.1/

Drop patch 0001-Fixed-35980-Updated-setuptools-to-normalize-package.patch:
already present in the upgraded version.

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-06 22:08:46 -07:00
Gyorgy Sarvari
24ad0ea910
redis: upgrade 7.2.10 -> 7.2.11
Changelog:
(CVE-2025-49844) A Lua script may lead to remote code execution
(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
(CVE-2025-46818) A Lua script can be executed in the context of another user
(CVE-2025-46819) LUA out-of-bound read

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-06 14:14:37 -07:00
Gyorgy Sarvari
1a22715b82
redis: upgrade 6.2.18 -> 6.2.20
Changelog:

6.2.19:
(CVE-2025-32023) Fix out-of-bounds write in HyperLogLog commands
(CVE-2025-48367) Retry accepting other connections even if the accepted connection reports an error

6.2.20:
(CVE-2025-49844) A Lua script may lead to remote code execution
(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
(CVE-2025-46818) A Lua script can be executed in the context of another user
(CVE-2025-46819) LUA out-of-bound read

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-06 14:14:37 -07:00
Gyorgy Sarvari
480ac24af3
tinyproxy: upgrade 1.11.1 -> 1.11.2
This upgrade contains fixes for CVE-2023-49606 and CVE-2022-40468.

Changelog:
https://github.com/tinyproxy/tinyproxy/compare/1.11.1...1.11.2

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-06 14:14:37 -07:00
Gyorgy Sarvari
0c6f60790a
dovecot: upgrade 2.3.21.1 -> 2.4.1-4
Remove obsolete CVE_STATUS variable: CVE-2016-4983 is marked for v2.3.

Drop 0001-not-check-pandoc.patch because it became obsolete, pandoc is
not used anymore.
Drop 1ccd5b54a408d12fce0c94ab0bbaedbb5ef69830.patch, because it is
included in this release.

Add a backported patch to fix compiling with musl.

Changelog:
2.4: https://github.com/dovecot/core/releases/tag/2.4.0
2.4.1: https://github.com/dovecot/core/releases/tag/2.4.1

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-06 14:14:37 -07:00
Gyorgy Sarvari
a2aadcda20
gnuplot: upgrade 5.4.3 -> 6.0.3
This upgrade includes fixes for the following vulnerabilities:
CVE-2025-31176
CVE-2025-31178
CVE-2025-31179
CVE-2025-31180
CVE-2025-31181

This release supports qt4, qt5 and qt6 (the last one is new in this release).
There are 2 qt PACKAGECONFIGs now: qt5 and qt6 - they are mutually exclusive.

Since it is being touched, also fix lua PACKAGECONFIG, which requires lua-native
at build time.

Changelog:
http://gnuplot.info/ReleaseNotes_6_0_3.html

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-06 14:14:36 -07:00
Gyorgy Sarvari
01116c0c47
libavif: upgrade 1.0.1 -> 1.3.0
This upgrade contains fixes for CVE-2025-48174 and CVE-2025-48175.

Changelog: https://github.com/AOMediaCodec/libavif/blob/v1.3.0/CHANGELOG.md

Libyuv support is currently disabled, because its dependency (libyuv) is provided
by neither oe-core nor meta-oe.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-06 11:35:24 -07:00
Gyorgy Sarvari
73a77e8627
jasper: upgrade 4.2.4 -> 4.2.8
The upgrade contains fixes for the following vulnerabilities:
CVE-2025-8835, CVE-2025-8836, CVE-2025-8837

Changelog:
4.2.8:
Fixed a bug in the JPC decoder that could cause bad memory accesses
if the debug level is set sufficiently high.

4.2.7:
Added some missing range checking on several coding parameters in the
JPC encoder.

4.2.6:
Added a check for a missing color component in the jas_image_chclrspc
function.

Fixed a minor build problem related to the use of -Wstrict-prototypes
with Clang.

4.2.5:
Made a change to a configuration header file in order to avoid
undesirable compiler warnings when JasPer is used in C++ code

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-06 11:34:43 -07:00