ftp.gnu.org is the main server of the GNU project, however download speed
can vary greatly based on one's location.
Using ftpmirror.gnu.org should redirect the request to the closest up-to-date mirror,
which should result sometimes in significantly faster download speed, depending
on one's location. This should also distribute the traffic more across the mirrors.
This information was sourced from https://www.gnu.org/prep/ftp.html
(From OE-Core rev: 97939775d2b81af392a2f98c922165763ff0ae5f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
ftp.gnu.org is the main server of the GNU project, however download speed
can vary greatly based on one's location.
Using ftpmirror.gnu.org should redirect the request to the closest up-to-date mirror,
which should result sometimes in significantly faster download speed, depending
on one's location. This should also distribute the traffic more across the mirrors.
This information was sourced from https://www.gnu.org/prep/ftp.html .
(From OE-Core rev: 8418289277056d582d88916b524b920a2e005c75)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d8c6f01d7467e018aa0ed27a87850d9e4434a47a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Disable NLS in the build when USE_NLS is off.
(From OE-Core rev: b94798ecd535956ef4565663710ea9a701ff21ed)
This change corresponds to upstream eeb3974472
from master .
Since the p11-kit version are different between master & kirkstone
applied the patch manually
(From OE-Core rev: c621612a12cdbf5c89279b69e28d0e3a0b5d0a86)
Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: AshishKumar Mishra <emailaddress.ashish@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Do not build translations when NLS is disabled.
(From OE-Core rev: 83795ef6c3fa12a863cd20b7ec1a2607606987b6)
This change corresponds to upstream d848b454e6
from master .
Since the systemd version are different between master & kirkstone
applied the patch manually
(From OE-Core rev: 4b612ae7cbdc8327765c34d0e64fa8e0564891d4)
Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: AshishKumar Mishra <emailaddress.ashish@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update to the 4.0.30 release of the 4.0 series for buildtools
(From OE-Core rev: 237452d023dfc895cd8183e30e781da6f60b2ec5)
Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If the PATH environment variable contains paths which are executables
(rather than just directories), passing certain strings to LookPath
("", ".", and ".."), can result in the binaries listed in the PATH
being unexpectedly returned.
(From OE-Core rev: c4d81e32ee3fb7d05db2cfbfaaa8081841bc16ce)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Per [1] this CVE is fixed by the same commits as the other 3 CVEs.
[1] https://security-tracker.debian.org/tracker/CVE-2023-6601
(From OE-Core rev: b0542ad422ac1ba05dd5b8003429b8719619d892)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Per [1] this CVE is fixed by [2] which is available in version 5.0, so
version 5.0.3 is not vulnerable anymore.
[1] https://security-tracker.debian.org/tracker/CVE-2023-6603
[2] 28c83584e8
(From OE-Core rev: dcfd5672474f7a9bf7913c0f0e35f7c40bb685c4)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As per the linked ticket, this issue is related to an Ubuntu-specific
patch that we don't have.
(From OE-Core rev: dc81fdc6bdf8ab39b7f2fd994d50256430c36558)
(From OE-Core rev: 72e63e44a0c6ad5a408c4dc59a24288c36463439)
Rewritten CVE_STATUS to CVE_CHECK_IGNORE.
(From OE-Core rev: 66e45229a9614d33f64167f0259ae1d719839d83)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit mentioned in the NVD report.
(From OE-Core rev: 5109fd6675b6782f10f86f774fe54b6ccecee415)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit mentioned in the NVD report.
(From OE-Core rev: 10a51275bb0f62b018a6182953352ecf7aa3d220)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit mentioned in the NVD report.
(From OE-Core rev: dc65da274b26c1e7f4143154cd7639a93cc658be)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Copy statement from [1] that it is problem of installers (non-Linux).
Also [2] linked in NVD says "Fixed in 1.25.1 Gstreamer Installer".
Since Yocto builds from sources into our own packages, ignore it.
[1] https://security-tracker.debian.org/tracker/CVE-2025-2759
[2] https://www.zerodayinitiative.com/advisories/ZDI-25-268/
(From OE-Core rev: 99ee1df6bde2ffd4fa2ddea44c0a9b94d9d77bae)
Reworked to CVE_CHECK_IGNORE format.
(From OE-Core rev: 2162bc3b305a0b088018e251baad54c356f7855f)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
All these CVEs were fixed in recent commits.
(From OE-Core rev: 86f48cdb1b26b6e234dde10b1e636e54e8a7e71f)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit mentioning this CVE.
Additionally fix test broken by the CVE fix.
(From OE-Core rev: 137299edbc47e8a57173ef3c22bcb719d48d5302)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There is no single "recipe-sysroots" directory, but rather many
"recipe-sysroot*" directories.
(From yocto-docs rev: eca2cb23eb1fd4186d1f5cadc3280d73e8f52631)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit f2d6e228409cb1dd1dbf339c405699ac6d3900be)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add documentation for auto.conf, which is used by external tools for
automatically setting variables.
(From yocto-docs rev: 707b29352838792c635b39c8b5c20c519b10b832)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 134e54a75e0144c4629f702c6f43e92ed1f12dce)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The description of the relation between KBUILD_DEFCONFIG and
SRC_URI is reversed. In fact it is the SRC_URI provided
defconfig which will be dropped by the kernel-yocto class
if both are provided.
(From yocto-docs rev: 6efc3ca5491722072fd394bae92d827791ef6bc3)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a808420655a0976ba08f013f468cf80f379b1d89)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There's no need to differentiate crediting contributors from committing
your changes, so let's simply make it the last step of "Commit your
changes" section.
This simply indents the text so it's now part of "Commit your changes"
list instead of the main list in the "Implement and commit changes"
section. Because of this reorganisation, the instruction to use "git
commit --amend" to add the contributors is moved to a note, and the
first few sentences are reworded to better match the wording of other
items in the "Commit your changes" list of instructions.
(From yocto-docs rev: 5ce7ae8f655f45dec80e68398911f117920f5eb2)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit eff4d14e28d323ebfdaeb0c5c805b5f1e2ad153d)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
... so that it's clear that you need to read and follow each and every
instruction in this list.
(From yocto-docs rev: 4799ffa5170a5f9e12350634bcdfca6f531ea937)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit c628a489f081925fabaabb5acac6752251150269)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This should hopefully make it clearer what is expected from the
contributor.
This follows my understanding of git-commit(1)[1] where the following is
a git commit message:
"""
git commit title
git commit description
"""
I'm putting the "Fixes [YOCTO" line in "body of the commit message" so
it's understood as being different from the git commit description so
that the note admonition allowing us to have an empty commit description
doesn't apply to the "Fixes [YOCTO" line.
[1] https://www.man7.org/linux/man-pages/man1/git-commit.1.html#DISCUSSION
(From yocto-docs rev: f817ef5542adc2ce830e22dd04424b9d5d5ed5c5)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b84903a760350bd118c56ea9ce4e98039edf6e55)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The kernel docs specifies[1] a Cc: tag and not CC: tag, so let's align
with that.
[1] https://www.kernel.org/doc/html/latest/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by
(From yocto-docs rev: 87721121d9dc95e2de110cadee4538e2ea4ff7c3)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit f800fef4e9e2c1d3584ac49be8324638d2923b17)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The other tag descriptions have the double colon outside of the
highlight, and start the sentence with a lowercase word, so let's align
the CC tag with those.
(From yocto-docs rev: 9764dc8ff26883684f3e993cfa821116ee2e6d95)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit f116e93fb335e9d0f85891c4cb501bcf55b18ccf)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The example could be understood as the content of the commit message
once the editor (git config core.editor) opens, where the first
line is the actual commit title and not the commit description.
This example would make the Fixes line the commit title, which is not
what we want.
In short, according to my understanding of git-commit(1):
The following is a git commit message:
"""
git commit title
git commit description
"""
Reported-by: Barne Carstensen <barne.carstensen@danfoss.com>
(From yocto-docs rev: db54a8bd56f38c532498e0f624fcceb60d2b9ea7)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a5862406bf3230befe9db9f2539bbbc86c02015d)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
I don't know what was the initial intent but this doesn't seem right, so
let's remove the bold formatting.
Fixes: 4abe87cb20d3 ("contributor-guide: submit-changes: detail commit and patch creation")
Cc: Michael Opdenacker <michael.opdenacker@rootcommit.com>
(From yocto-docs rev: 508a1b7d905dabe8a36361da8e346040db4cca2a)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 6c499b3796a578a0fe4c319c9547b4321b0d41df)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in Libtiff. This vulnerability is a "write-what-where"
condition, triggered when the library processes a specially crafted TIFF
image file.[EOL][EOL]By providing an abnormally large image height value
in the file's metadata, an attacker can trick the library into writing
attacker-controlled color data to an arbitrary memory location. This
memory corruption can be exploited to cause a denial of service (application
crash) or to achieve arbitrary code execution with the permissions of the user.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9900
Upstream patch:
3e0dcf0ec6
(From OE-Core rev: f4e5cdeccee02d3ea78db91d5dfdcfd017c40ee0)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086
Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6
(From OE-Core rev: dc842a631b178acd9c4f00c4a3b87831baf08ebb)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Cancelling a query (e.g. by cancelling the context passed to one of
the query methods) during a call to the Scan method of the returned
Rows can result in unexpected results if other queries are being made
in parallel. This can result in a race condition that may overwrite
the expected results with those of another query, causing the call to
Scan to return either unexpected results from the other query or an
error.
Made below changes for Go 1.17 backport:
- Replaced `atomic.Pointer[error]` with `atomic.Value`, since
atomic pointers are not supported in Go 1.17.
- Used errp.(*error) to retrieve and dereference
the stored *error, Without this, build fails with:
invalid indirect of errp (type interface{}).
- Replaced Go 1.18 `any` keyword with `interface{}` for backward
compatibility with Go 1.17.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47907
Upstream-patch:
8a924caaf3298fe517a9c23579f031
(From OE-Core rev: af9c43c39764ce9ce37785c44dfb83e25cb24703)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There's a (second) overhead factor applied in images generated with Wic,
and this is already documented in the .wks reference. However, the
IMAGE_OVERHEAD_FACTOR entry does not mention it, and by looking at the
partition sizes (e.g. with parted) one may find it confusing that they
don't match with the expected rootfs size (e.g. in a scenario where the
extra space is "0" and IMAGE_OVERHEAD_FACTOR="1.0").
This second overhead is already documented, though:
https://docs.yoctoproject.org/ref-manual/kickstart.html#command-part-or-partition
Mention the '--overhead-factor' option in the glossary entry and add a
reference to the wks documentation.
(From yocto-docs rev: 71a3933c609ce73ff07e5be48d9e7b03f22ef8d7)
Signed-off-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b9040e20b015e9b02683ec3014e4ade5eb59d41a)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
