Changelog [1]:
* Fixes the following CVEs
CVE-2025-59391
CVE-2025-65494
CVE-2025-65495
CVE-2025-65496
CVE-2025-65497
CVE-2025-65498
CVE-2025-65499
CVE-2025-65500
CVE-2025-65501
* CVE-2025-50518 not fixed as user application error.
* Support for Mbed TLS 3.6.3.
* Support for RIOT update changes.
* Fixes for later CI environment builds.
* Critical reported bugs fixed.
Add tag to SRC_URI for hash verification.
License-Update: copyright years refreshed [2]
[1] https://github.com/obgm/libcoap/blob/v4.3.5a/ChangeLog
[2] 993c12ac92
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6a9cc44a92)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Drop 0001-snprintf-Add-math.h-to-ensure-isnan-and-isinf-are-de.patch and
v1-0001-Make-time-calculations-always-long-long.patch as those were merged upstream.
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7fb4910ccb)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Code maintenance / Compat changes
---------------------------------
- adapt to new "encrypt-then-mac" cipher suites in OpenSSL 3.6.0 - these
need special handling which we don't do, so the t_lpback self-test
failed on them. Exclude from list of allowed ciphers, as there is no
strong reason today to make OpenVPN use these.
- fix various compile-time warnings
Documentation updates
---------------------
- fix outdated and non-HTTPS URLs throughout the tree (doxygen, warnings,
manpage, ...)
Bugfixes
--------
- Fix memcmp check for the hmac verification in the 3way handshake.
This bug renders the HMAC based protection against state exhaustion on
receiving spoofed TLS handshake packets in the OpenVPN server inefficient.
CVE: 2025-13086
- fix invalid pointer creation in tls_pre_decrypt() - technically this is
a memory over-read issue, in practice, the compilers optimize it away
so no negative effects could be observed.
- Windows: in the interactive service, fix the "undo DNS config" handling.
- Windows: in the interactive service, disallow using of "stdin" for the
config file, unless the caller is authorized OpenVPN Administrator
- Windows: in the interactive service, change all netsh calls to use
interface index and not interface name - sidesteps all possible attack
avenues with special characters in interface names.
- Windows: in the interactive service, improve error handling in
some "unlikely to happen" paths.
- auth plugin/script handling: properly check for errors in creation on
$auth_failed_reason_file (arf).
- for incoming TCP connections, close-on-exec option was applied to
the wrong socket fd, leaking socket FDs to child processes.
- sitnl: set close-on-exec flag on netlink socket
- ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 351ac66213)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Current version is 2.0.3, the lastrelease of libmng is in 2015,
add a patch to fix it
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c91f9c0a4b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
bpftrace set the version by "git describe --dirty", since we have local
patch for bpftrace, '-dirty' will be added into the version, set
CHECK_VERSION_PV to mute the version mismatch warning
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 219328f37c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* flite --version return 1 block version output for
check-version-mismatch.bbclass
* even with version output flite-2.2-current, regular version match
regexp cannot match the version
so mute version mismatch warning for flite
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d819512cb3)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
==============
* Removed unintentional copy requiment from some of async functions parameter.
* Fixed Heap-use-after-free during broker shutdown.
* Rifined documents.
* Added TLS Websocket verify none port to broker for browser.
* Added Cerfiticate file's digitalSignature to keyUsage.
* Fixed wss connection from Web Browser handshake failed problem.
* Changed trial broker on `async-mqtt.redboltz.net` ws and wss port.
* ws was 10080 but Chrome block it by default. Updated to 80.
* wss was 10443 but Chrome doesn't block it by default. But for consistency, updated to 443.
* system_test still uses 10080 and 10443 to avoid conflict.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 43779307f4)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
inherit pkgconfig, and fix install conflict when enable multilib, this
can also improve reproducibility
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a2f2c06ec8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Fix the following error when using buildtools-extended:
va_server.c:20:10: fatal error: zlib.h: No such file or directory
20 | #include <zlib.h>
| ^~~~~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bd745115de)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Clang needs 64-bit atomics on rv32 here and builtins does
not have them so help it by linking with libatomic
Fixes
riscv32-yoe-linux-musl-ld.lld: error: undefined symbol: __atomic_fetch_add_8
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e3257c3360)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Add bash-completion directory to FILES to resolve the installed-vs-shipped QA error.
Fix:
ERROR: proj-9.7.0-r0 do_package: QA Issue: proj: Files/directories were installed but not shipped in any package:
/usr/share/bash-completion
/usr/share/bash-completion/completions
/usr/share/bash-completion/completions/projinfo
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
proj: 3 installed and not shipped files. [installed-vs-shipped]
ERROR: proj-9.7.0-r0 do_package: Fatal QA errors were found, failing task.
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1175d5c8c1)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
After upgrading hdf5 to 2.0.0, h5cc and h5hlcc will only be generated
when pkg-config is found. With current default config, it will not be
generated, remove related configs to fix do_package failure
| DEBUG: Executing shell function multilibscript_rename
| mv: cannot stat '/tmp/work/cortexa72-wrs-linux/hdf5/2.0.0/package/usr/bin/h5cc': No such file or directory
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 39ccbba725)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
Mostly bugfix release, with most focus on dmeventd, persitent reservations,
lvmdevices, and improvement in tests.
* Improvements in dmeventd thread safety, shutdown times and more.
* Many fixes and improvements for persistent reservations.
* Support output in list mode for all lvmconfig --typeconfig types with --list.
* Fix deadlock in lvmdbusd on SIGINT in lvm shell mode.
* And many more.
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 22af3b81a7)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2014-8241
The vulnerability is about a potential null-pointer dereference, because
of a malloc result is not verified[1].
The vulnerable code has been refactored since completely[2], and the code isn't
present anymore in the codebase.
[1]: https://github.com/TigerVNC/tigervnc/issues/993#issuecomment-612874972 - attachment
[2]: b8a24f055f
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ed8a1038d2)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Remove the 0001-Ensure-compatibility-with-ARMv9-by-updating-.arch-di.patch
patch as its logic included in new version [1].
Release notes: https://mariadb.com/docs/release-notes/community-server/11.4/11.4.9
[1] e8026a5019
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a5ef451fb7)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
From the changelog.md file:
Version 2.8.137 (02/21/2025)
---
- Minor update to improve XML entity parsing within limits.
Version 2.8.136 (01/28/2025)
---
- Updated TLS/SSL demo server and client certificates and keys.
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 49894e57b0)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Both Suse[1] and Debian[2] disputes that this is a vulnerability in libao.
Based on their investigation while an issue exists, it is not in libao, however
higher in the audio-toolchain, most likely in libmad or mpg321. There seem to
be nothing to be fixed about this in libao - ignore this CVE due to this.
[1]: https://bugzilla.suse.com/show_bug.cgi?id=1081767
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a993eb8b93)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This avoid overridding the original PACKAGE_BEFORE_PN value could be
set in bbclasses.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
nativesdk-python3-pylddwrap is needed for the dependency tree :
`-> nativesdk-python3-checksec-py
Cc: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
nativesdk-python3-icontract is needed for the dependency tree :
`-> nativesdk-python3-pylddwrap
`-> nativesdk-python3-checksec-py
Cc: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
nativesdk-python3-asttokens is needed for the dependency tree :
`-> nativesdk-python3-icontract
`-> nativesdk-python3-pylddwrap
`-> nativesdk-python3-checksec-py
Cc: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Acked-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to version 3.0.1:
- Fixed compilation error in `type_caster_enum_type` when casting
pointer-to-enum types. Added pointer overload to handle
dereferencing before enum conversion.
- Implement binary version of `make_index_sequence` to reduce
template depth requirements for functions with many parameters.
- Subinterpreter-specific exception handling code was removed to
resolve segfaults.
- Fixed issue that caused ``PYBIND11_MODULE`` code to run again if
the module was re-imported after being deleted from
``sys.modules``.
- Prevent concurrent creation of sub-interpreters as a workaround
for stdlib concurrency issues in Python 3.12.
- Fixed potential crash when using `cpp_function` objects with
sub-interpreters.
- Fixed non-entrant check in `implicitly_convertible()`.
- Support C++20 on platforms that have older c++ runtimes.
- Fix compilation with clang on msys2.
- Avoid `nullptr` dereference warning with GCC 13.3.0 and python
3.11.13.
- Fix potential warning about number of threads being too large.
- Fix gcc 11.4+ warning about serial compilation using CMake.
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 0.17.1:
- Fix missing visibility
- Fix incorrect paging computations that occurred when only a
subset of formats was enabled.
- Fix include issue with the COFF format
This work was sponsored by GOVCERT.LU.
License-Update: Update years
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 1.20.2:
- When opening tiled images, do not check against maximum image size
immediately to allow for tile-based decoding of very large images.
- Several smaller fixes in writing image sequences
- CMake option to disable building of heif-view, which pulls in
dependency on SDL
- Fixes reading/writing of GIMI content IDs
- Some build fixes
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 1.1.1:
- libheif was updated from the 1.20.1 to 1.20.2 version.
- macOS: Wheels now support older macOS versions like Catalina
(x86_64 CPU) or Ventura (ARM CPU)
1.0.0 changelog:
- Support for YCbCr AUX images.
- AVIF support was dropped, as the new upcoming Pillow has
native AVIF support.
- libde265 was updated from the 1.0.15 to 1.0.16 version.
- Removed deprecated PyPy 3.9 wheels & added PyPy 3.11 wheels.
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
They need a cert infrastructure to execute.
Mutual TLS authentication requires client/server certificates
and a proper PKI setup that doesn't exist in the minimal qemu ptest
environment. These are integration tests that need real
certificate infrastructure.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 12.0.0:
- Fix issue with forward references in parent TypedDict classes
- Exclude fields with exclude_if from JSON Schema required fields
- Revert URL percent-encoding of credentials in the build() method
of the AnyUrl and Dsn types
- Add type inference for IP address types
- Avoid getting default values from defaultdict
- Fix issue with field serializers on nested typed dictionaries
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release python3-pydantic:
- Fix issue with forward references in parent TypedDict classes
- Exclude fields with exclude_if from JSON Schema required fields
- Revert URL percent-encoding of credentials in the build() method
of the AnyUrl and Dsn types
- Add type inference for IP address types
- Avoid getting default values from defaultdict
- Fix issue with field serializers on nested typed dictionaries
- Add more pydantic-core builds for the three-threaded version of
Python 3.14
This work was sponsored by GOVCERT.LU
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 2.41.5:
- Correct invalid serialization of date/datetime/time/timedelta
by pulling downcast checks up
- Avoid getting default values from defaultdict
- ci: add more 3.14t builds, delete duplicate linux aarch64 build
- JsonValue: Deduplicate keys before populating Dict
- Fix: only percent-encode characters in the userinfo encode set
- Bump jiter from 0.11.0 to 0.11.1
- Bump regex from 1.11.3 to 1.12.2
- Bump percent-encoding from 2.3.1 to 2.3.2
- Fix issue with field_serializers on nested typed dicts
- Clean up GC traversal for some top-level types
- Add type inference for serializing ip address types
- Revert url credential encoding (to be reintroduced as an option
in future)
- optimizations in URL implementation
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
