This repository was archived by the owner on Jun 28, 2021. It is now read-only.
Update buildroot fork to latest upstream master #8
Open
tmagik wants to merge 10000 commits into sifive:master from
According to the official requirements, bindgen needs libclang to parse C/C++ headers. libclang is loaded at runtime by bindgen, which is why we didn't notice any build issue. However, using bindgen on a simple header file blows up:
    thread 'main' panicked at bindgen/lib.rs:616:27:
    Unable to find libclang: "couldn't find any valid shared libraries matching: ['libclang.so', 'libclang-*.so', 'libclang.so.*', 'libclang-*.so.*'], set the `LIBCLANG_PATH` environment variable to a path where one of these files can be found (invalid: [])"
    note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
So far, bindgen was only used by mesa3d, and it turns out that mesa3d also depends on clang, which pulls in host-clang, so the problem was not visible. However, as we're about to use bindgen for other things (namely Rust support in Linux), this issue needs to be fixed.
See: https://rust-lang.github.io/rust-bindgen/requirements.html
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Patch 0001 has the upstream information, just not properly formatted, so we fix this. Signed-off-by: Bernd Kuhls <bernd@kuhls.net> [Thomas: extracted from a bigger patch from Bernd] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Backport two upstream patches to fix build errors introduced by the bump of gcc to 14.x. Fixes: https://autobuild.buildroot.net/results/af6/af65e6386439098ddf706ca43e99320cf5e9fd80/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
https://github.com/rurban/safeclib/blob/v3.9.1/ChangeLog Removed backports from patches 0001 & 0002. Removed patch 0003 which is included in this release. Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
While `docker:docker` is not marked as deprecated by NVD, after a scan through the CVEs the last entry for `docker:docker` is CVE-2022-34883 [1]. Replacing this tuple with `mobyproject:moby` that is referenced in the upstream project GHSA [2]. The last entry for this CPE is CVE-2025-54410 [3]. Note: Quoting [4], "Moby is an open framework created by Docker to assemble specialized container systems without reinventing the wheel". The old github URL [5] redirects to [6]. [1] https://nvd.nist.gov//vuln/detail/CVE-2023-5166 [2] https://github.com/moby/moby/security/advisories [3] https://nvd.nist.gov//vuln/detail/CVE-2025-54410 [4] https://mobyproject.org/ [5] https://github.com/docker/docker [6] https://github.com/moby/moby Signed-off-by: Thomas Perale <thomas.perale@mind.be> [Julien: add the note about the Moby project] Signed-off-by: Julien Olivain <ju.o@free.fr>
Add the `podman_project:podman` CPE referenced in the GHSA page [1]. The last entry with this CPE is CVE-2024-3056 [2]. Dropping the `v` prefix from the version to track the CPE version correctly. [1] https://github.com/containers/podman/security [2] https://nvd.nist.gov//vuln/detail/CVE-2024-3056 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPE `mp4v2:mp4v2` is valid for the package mp4v2. See the latest CVE: CVE-2023-33719 that references the upstream repository. [1] https://nvd.nist.gov//vuln/detail/CVE-2023-33719 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPE `openvpn:easy-rsa` is valid for the EasyRsa package. The last CVE is CVE-2024-13454 [1] that is referenced in the upstream bug tracker [2]. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-13454 [2] OpenVPN/easy-rsa#1122 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPE `pali:igmpproxy` is a valid CPE for the package igmpproxy. See the latest CVE: CVE-2025-50681 [1] that references the upstream repository. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-50681 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPE `vstakhov:libucl` is a valid CPE for the package libucl. See the latest CVE: CVE-2025-6499 [1] that references the upstream repository. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-6499 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: Fix flake8 warning, use http.server instead of relying on
connectivity]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit [1] added the "Upstream:" package patch tag, but forgot to
remove the corresponding .checkpackageignore entry.
This commit fixes that.
Fixes:
package/efl/0001-ecore_fb-fix-build-with-tslib.patch:0: lib_patch.Upstream was expected to fail, did you fix the file and forget to update .checkpackageignore?
[1] https://gitlab.com/buildroot.org/buildroot/-/commit/bac34296bfed5282df07496c845d74924beb5da6
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The dependencies on Boost.System, Boost.Filesystem were removed in v23.0 [0][1] and Boost.Thread in v21.99 [2]. This was never reflected in the Buildroot package so do it now. [0] bitcoin/bitcoin@0726932 [1] bitcoin/bitcoin@b87f9c5 [2] bitcoin/bitcoin@06e1d7d Signed-off-by: Michael Nosthoff <buildroot@heine.tech> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The cpe:2.3:a:containers:aardvark-dns:*:*:*:*:*:*:*:* is valid for this package. See https://nvd.nist.gov/products/cpe/detail/5F79D5CD-D716-4190-BE08-31EB5EEB233F The CPE version strips the 'v' prefix from the version. Signed-off-by: Thomas Perale <thomas.perale@mind.be> Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Backport two security fixes from upstream. They are in newer releases, but to facilitate backporting to our LTS releases, this backports the fixes. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
https://gitlab.com/gpsd/gpsd/-/blob/release-3.27.2/NEWS All patches can be dropped as they are in this upstream release. Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes: https://autobuild.buildroot.net/results/572669fe1f9a77083a361fee7c8acdf38d7375ae/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
LLVM is already implicitly enabled for host-mesa3d when BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER is selected. This blind option is automatically enabled when LLVM is required by drivers such as intel-iris, panfrost, imagination, or intel-vulkan. The BR2_PACKAGE_MESA3D_LLVM option also independently selects host-llvm, but this change makes the dependency more explicit for host-mesa3d builds. Note that disabling LLVM is not possible for host-mesa3d, as the build will fail with: ../../../br-test-pkg/bootlin-armv5-uclibc/build/host-mesa3d-25.3.2/meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com> Signed-off-by: Romain Naour <romain.naour@smile.fr>
Removed patches which are included in this release. License file was renamed upstream: jasper-software/jasper@688601c Added configure option to force builddir: https://github.com/jasper-software/jasper/blob/version-4.2.8/build/cmake/modules/InSourceBuild.cmake Added configure option for JAS_STDC_VERSION: jasper-software/jasper@b8ecbfb This new release also fixes compatibility with CMake 4.x, fixing build issues encountered in the autobuilders. Fixes: https://autobuild.buildroot.net/results/0b12e9428342e551e47e359598eecf18d81249b3/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Moved _SITE to https://git.madhouse-project.org/algernon/riemann-c-client according to collectd/collectd#4021 (comment) (collectd is the only package in buildroot using riemann-c-client) Release notes: https://git.madhouse-project.org/algernon/riemann-c-client/src/tag/riemann-c-client-2.2.2/NEWS.md Updated licenses due to upstream commit https://git.madhouse-project.org/algernon/riemann-c-client/commit/9bada2fabff9124245426baf7beb18e1e9480b17 Added optional dependencies to OpenSSL and wolfSSL. Fixes: https://autobuild.buildroot.net/results/29d/29d03e9ba24ae9d17ff7ad57e4906c30413d8a6e/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
There are multiple defconfig fragments we can select to modify the final tiboot3.bin image to support different boot methods or enable features supported by a board. Allow the ti-k3-r5-loader package to select defconfig fragments during a build. Signed-off-by: Bryan Brattlof <bb@ti.com> Signed-off-by: Romain Naour <romain.naour@smile.fr>
When the host system has asciidoctor and po4a/poman installed, util-linux detects them and automatically enables manual pages and their translations. This can significantly increase the package build time (in my case, from 20s to 1m50s). See upstream commit [1] and [2]. Since manual pages are not needed in Buildroot, this commit adds in _CONF_OPTS for host and target variants the options to always disable the detection of those programs (--disable-asciidoc --disable-poman). This will always disable the generation of manual pages. Note: Buildroot attempts to globally disable documentation for autotools packages by passing various --disable-docs configure options (see [3]), but those are not recognized by util-linux. This commit also reorders the options for UTIL_LINUX_CONF_OPTS. [1] util-linux/util-linux@9acfc34 [2] util-linux/util-linux@236421a [3] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.11/package/pkg-autotools.mk#L184-186 Signed-off-by: Julien Olivain <ju.o@free.fr> Signed-off-by: Romain Naour <romain.naour@smile.fr>
Changelog https://gitlab.com/git-scm/git/-/blob/HEAD/Documentation/RelNotes/2.53.0.adoc Signed-off-by: Pierre-Yves Kerbrat <pyk@foss.peewhy.fr> Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_DRIVERS_LIST to control which DPDK applications are built: - empty : use DPDK defaults - none : disable all drivers (-Ddisable_drivers='*/*') - list : pass to -Denable_drivers= (comma-separated) Signed-off-by: Maxime Leroy <maxime@leroys.fr> [Julien: slightly change the drivers Config.in help text: - rename net/ixgbe to net/intel/ixgbe - change find -maxdepth value to 3 ] Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_LIBS_LIST to control which DPDK libraries are built: - empty : use DPDK defaults - none : disable all libs (-Ddisable_libs='*') - list : pass to -Denable_libs= (comma-separated) Signed-off-by: Maxime Leroy <maxime@leroys.fr> Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_APPS_LIST to control which DPDK applications are built: - empty : use DPDK defaults - none : disable all apps (-Ddisable_apps='*') - list : pass to -Denable_apps= (comma-separated) Signed-off-by: Maxime Leroy <maxime@leroys.fr> Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit adding host-pico-sdk [1] introduced $(HOST_DIR)/usr/share while it should be $(HOST_DIR)/share. Fix the error reported by check-package. [1] ceb800d3c63fe91628f42ce749c211ebef278628 Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/12973112667 Signed-off-by: Romain Naour <romain.naour@smile.fr>
Added upstream patch to fix build error. The build error does not occur with gcc-13.x. The first build error of this kind was recorded 2024-08-23: https://autobuild.buildroot.net/results/492/4927e93e40ec8bcda107f4bc3d8aa83024deb674/ Fixes: https://autobuild.buildroot.net/results/48a/48af80bdda62ca70d73bc01e0939f548c3736c0d/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes: https://autobuild.buildroot.net/results/3b9/3b92d275a32721bd2cbb10e15c392054dfd42c63/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes: https://autobuild.buildroot.net/results/8e8/8e87fc05c41eb420a026a7df86efcd9662b74353/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://lists.freedesktop.org/archives/mesa-announce/2026-February/000840.html Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
For more information on the version bump, see: - https://www.wireshark.org/docs/relnotes/wireshark-4.4.13.html - https://www.wireshark.org/docs/relnotes/wireshark-4.4.12.html - https://www.wireshark.org/docs/relnotes/wireshark-4.4.11.html - https://www.wireshark.org/docs/relnotes/wireshark-4.4.10.html Fixes the following vulnerabilities: - CVE-2025-11626: MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13 allows denial of service https://www.cve.org/CVERecord?id=CVE-2025-11626 - CVE-2025-13499: Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows denial of service https://www.cve.org/CVERecord?id=CVE-2025-13499 - CVE-2025-13946: MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service https://www.cve.org/CVERecord?id=CVE-2025-13946 - CVE-2026-0959: IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service https://www.cve.org/CVERecord?id=CVE-2026-0959 - CVE-2026-0960: HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service https://www.cve.org/CVERecord?id=CVE-2026-0960 - CVE-2026-0961: BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service https://www.cve.org/CVERecord?id=CVE-2026-0961 - CVE-2026-0962: SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service https://www.cve.org/CVERecord?id=CVE-2026-0962 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
For more information on the version bump, see:
- https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
- ImageMagick/ImageMagick@7.1.2-12...7.1.2-15
Fixes the following vulnerabilities:
- CVE-2026-22770: The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails.
  https://www.cve.org/CVERecord?id=CVE-2026-22770
- CVE-2026-23874: Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format.
  https://www.cve.org/CVERecord?id=CVE-2026-23874
- CVE-2026-23876: Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines.
  https://www.cve.org/CVERecord?id=CVE-2026-23876
- CVE-2026-24481: Prior to versions 7.1.2-15 and 6.9.13-40, a heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
  https://www.cve.org/CVERecord?id=CVE-2026-24481
- CVE-2026-25638: Prior to versions 7.1.2-15 and 6.9.13-40, memory leak exists in `coders/msl.c`. In the `WriteMSLImage` function of the `msl.c` file, resources are allocated. But the function returns early without releasing these allocated resources.
  https://www.cve.org/CVERecord?id=CVE-2026-25638
- CVE-2026-25794: `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write.
  https://www.cve.org/CVERecord?id=CVE-2026-25794
- CVE-2026-25795: Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSFWImage()` (`coders/sfw.c`), when temporary file creation fails, `read_info` is destroyed before its `filename` member is accessed, causing a NULL pointer dereference and crash.
  https://www.cve.org/CVERecord?id=CVE-2026-25795
- CVE-2026-25796: Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image object is not freed on three early-return paths, resulting in a definite memory leak (~13.5KB+ per invocation) that can be exploited for denial of service.
  https://www.cve.org/CVERecord?id=CVE-2026-25796
- CVE-2026-25798: Prior to versions 7.1.2-15 and 6.9.13-40, a NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in denial of service.
  https://www.cve.org/CVERecord?id=CVE-2026-25798
- CVE-2026-25799: Prior to versions 7.1.2-15 and 6.9.13-40, a logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service.
  https://www.cve.org/CVERecord?id=CVE-2026-25799
- CVE-2026-25897: Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write.
  https://www.cve.org/CVERecord?id=CVE-2026-25897
- CVE-2026-25989: Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-one boundary check (`>` instead of `>=`) that allows bypassing the guard and reaching an undefined `(size_t)` cast.
  https://www.cve.org/CVERecord?id=CVE-2026-25989
- CVE-2026-26066: Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile containing invalid IPTC data may cause an infinite loop when writing it with `IPTCTEXT`.
  https://www.cve.org/CVERecord?id=CVE-2026-26066
- CVE-2026-26283: Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image.
  https://www.cve.org/CVERecord?id=CVE-2026-26283
- CVE-2026-26284: Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains a function that has an incorrect initialization that could cause an out of bounds read.
  https://www.cve.org/CVERecord?id=CVE-2026-26284
- CVE-2026-26983: Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter crashes when processing an invalid `<map>` element that causes it to use an image after it has been freed.
  https://www.cve.org/CVERecord?id=CVE-2026-26983
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For more information on the version bump, see: - https://github.com/containerd/containerd/releases/tag/v2.0.7 - https://github.com/containerd/containerd/releases/tag/v2.0.6 - https://github.com/containerd/containerd/releases/tag/v2.0.5 - https://github.com/containerd/containerd/releases/tag/v2.0.4 - https://github.com/containerd/containerd/releases/tag/v2.0.3 Fixes the following vulnerabilities: - CVE-2024-25621: Versions 2.0.0-beta.0 through 2.0.6 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. https://www.cve.org/CVERecord?id=CVE-2024-25621 - CVE-2024-40635: A bug was found in containerd prior to versions 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. https://www.cve.org/CVERecord?id=CVE-2024-40635 - CVE-2025-47291: A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. https://www.cve.org/CVERecord?id=CVE-2025-47291 - CVE-2025-64329: Versions 2.0.0-beta.0 through 2.0.6 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. https://www.cve.org/CVERecord?id=CVE-2025-64329 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerabilities: - CVE-2018-6952: A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6. For more information, see: - https://www.cve.org/CVERecord?id=CVE-2018-6952 - https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300 - CVE-2019-20633: GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952. For more information, see: - https://www.cve.org/CVERecord?id=CVE-2019-20633 - https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=15b158db3ae11cb835f2eb8d2eb48e09d1a4af48 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
This minor release contains a fix for building with host glibc 2.43, which fails otherwise. Signed-off-by: Paul Kocialkowski <paulk@sys-base.io> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more information on the version bump, see: - https://github.com/OpenPrinting/cups/blob/v2.4.16/CHANGES.md - https://github.com/OpenPrinting/cups/releases/tag/v2.4.16 - https://github.com/OpenPrinting/cups/releases/tag/v2.4.15 Fixes the following vulnerabilities: - CVE-2025-58436: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, such that it becomes unusable by other clients. For more information, see - https://www.cve.org/CVERecord?id=CVE-2025-58436 - OpenPrinting/cups@40008d7 - CVE-2025-61915: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the cups web ui to change the config and insert a malicious line. Then the cupsd process which runs as root will parse the new config and cause an out-of-bound write. For more information, see - https://www.cve.org/CVERecord?id=CVE-2025-61915 - OpenPrinting/cups@db8d560 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerability: - CVE-2025-50681: igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a denial of service (application crash) via a crafted IGMPv3 membership report packet with a malicious source address. Due to insufficient validation in the `recv_igmp()` function in src/igmpproxy.c, an invalid group record type can trigger a NULL pointer dereference when logging the address using `inet_fmtsrc()`. This vulnerability can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash. igmpproxy is used in various embedded networking environments and consumer-grade IoT devices (such as home routers and media gateways) to handle multicast traffic for IPTV and other streaming services. Affected devices that rely on unpatched versions of igmpproxy may be vulnerable to remote denial-of-service attacks across a LAN. For more information, see: - https://www.cve.org/CVERecord?id=CVE-2025-50681 - younix/igmpproxy@2b30c36 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability: - CVE-2025-63938: Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. For more information, see: - https://www.cve.org/CVERecord?id=CVE-2025-63938 - tinyproxy/tinyproxy@3c0fde9 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerabilities: - CVE-2024-50382: Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V. For more information, see: - https://www.cve.org/CVERecord?id=CVE-2024-50382 - randombit/botan@53b0cfd - CVE-2024-50383: Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.) For more information, see: - https://www.cve.org/CVERecord?id=CVE-2024-50383 - randombit/botan@53b0cfd Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
Various bugfixes: https://gpsd.gitlab.io/gpsd/NEWS Signed-off-by: Mattias Walström <lazzer@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 0433c8d bumped libinput to version 1.31.0 which causes a build error with wlroots:
    ../backend/libinput/switch.c: In function ‘handle_switch_toggle’:
    ../backend/libinput/switch.c:32:9: error: enumeration value ‘LIBINPUT_SWITCH_KEYPAD_SLIDE’ not handled in switch [-Werror=switch]
       32 | switch (libinput_event_switch_get_switch(sevent)) {
The build error was not yet detected by the autobuilders but can be reproduced using this defconfig:
    BR2_x86_64=y
    BR2_TOOLCHAIN_EXTERNAL=y
    BR2_PER_PACKAGE_DIRECTORIES=y
    BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
    BR2_PACKAGE_MESA3D=y
    BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
    BR2_PACKAGE_MESA3D_OPENGL_GLX=y
    BR2_PACKAGE_MESA3D_OPENGL_EGL=y
    BR2_PACKAGE_MESA3D_OPENGL_ES=y
    BR2_PACKAGE_XORG7=y
    BR2_PACKAGE_WLROOTS=y
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://gitlab.freedesktop.org/wlroots/wlroots/-/releases/0.19.2 Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes these CVEs: CVE-2026-26103: GHSA-c75h-phf8-ccjm CVE-2026-26104: GHSA-fcvx-497g-6xmw Release notes: https://github.com/storaged-project/udisks/releases/tag/udisks-2.11.1 Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://ftp.isc.org/isc/bind9/9.18.46/doc/arm/html/notes.html Changelog: https://ftp.isc.org/isc/bind9/9.18.46/doc/arm/html/changelog.html Fixes bug: GL #5751 https://gitlab.isc.org/isc-projects/bind9/-/issues/5751 Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> Signed-off-by: Julien Olivain <ju.o@free.fr>
Change summary: https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.11.4 Fixes: CVE-2025-14821: libssh loads configuration files from the C:\etc directory on Windows CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request() CVE-2026-0965: Possible Denial of Service when parsing unexpected configuration files CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input CVE-2026-0967: Specially crafted patterns could cause DoS CVE-2026-0968: OOB Read in sftp_parse_longname() libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP extensions Signed-off-by: Mattias Walström <lazzer@gmail.com> [Julien: - add link to upstream change summary - fix signature link in hash file ] Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability: - CVE-2026-25556: MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. For more information, see - https://www.cve.org/CVERecord?id=CVE-2026-25556 - https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability: - CVE-2025-34450: merbanan/rtl_433 versions up to and including 25.02 and prior to commit 25e47f8 contain a stack-based buffer overflow vulnerability in the function parse_rfraw() located in src/rfraw.c. When processing crafted or excessively large raw RF input data, the application may write beyond the bounds of a stack buffer, resulting in memory corruption or a crash. This vulnerability can be exploited to cause a denial of service and, under certain conditions, may be leveraged for further exploitation depending on the execution environment and available mitigations. For more information, see: - https://www.cve.org/CVERecord?id=CVE-2025-34450 - merbanan/rtl_433@25e47f8 Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes of this bugfix release: https://www.samba.org/samba/history/samba-4.23.6.html Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 126162b disabled parallel builds in Jan 2017 due to a bug which was fixed upstream in Nov 2017: pocoproject/poco@1724e8b#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52 pocoproject/poco@076dd96 Building with -j100 worked. Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Julien Olivain <ju.o@free.fr>
Change the mips32r6 into a blanket BR2_mips[el] check to disable the JSC JIT. Upstream removed JIT support for all MIPS processors in January 2024 [0], and the change trickled down to stable releases starting on version 2.44.0 [1]. While at it, change the upstream bug links to point to a more appropriate bug report. [0] https://commits.webkit.org/272866@main [1] https://lists.webkit.org/archives/list/webkit-wpe@lists.webkit.org/thread/JM7GLPPKGAB6DIQ2YDHPEIWNOYSUHBC7/ Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Change the mips32r6 into a blanket BR2_mips[el] check to disable the JSC JIT. Upstream removed JIT support for all MIPS processors in January 2024 [0], and the change trickled down to stable releases starting on version 2.44.0 [1]. While at it, change the upstream bug links to point to a more appropriate bug report. [0] https://commits.webkit.org/272866@main [1] https://lists.webkit.org/archives/list/webkit-wpe@lists.webkit.org/thread/JM7GLPPKGAB6DIQ2YDHPEIWNOYSUHBC7/ Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The original source is offline, switch to forked repo and use the same tree as before to only fix the download error. Fixes: https://autobuild.buildroot.net/results/eec/eecf2cbaafd8a170b5f5c6c24df552280a530204/ Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For release notes, see: https://github.com/Kludex/python-multipart/releases/tag/0.0.22 Fixes: https://www.cve.org/CVERecord?id=CVE-2026-24486 Signed-off-by: Martin Bachmann <martin.bachmann@designwerk.com> [Julien: reword commit log to mark the commit as a security bump] Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit ed12e2f in 2021 added BR2_PACKAGE_LIBVIRT_LXC which selects BR2_PACKAGE_LXC but did not add the dependency !BR2_TOOLCHAIN_USES_UCLIBC which was added to lxc in 2019 by buildroot commit 63aad8a causing Kconfig warnings: WARNING: unmet direct dependencies detected for BR2_PACKAGE_LXC Depends on [n]: BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_USE_MMU [=y] && !BR2_STATIC_LIBS [=n] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 [=y] && BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_0 [=y] && !BR2_TOOLCHAIN_USES_UCLIBC [=y] Selected by [y]: - BR2_PACKAGE_LIBVIRT_LXC [=y] && BR2_PACKAGE_LIBVIRT [=y] && BR2_PACKAGE_LIBVIRT_DAEMON [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 [=y] Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig can be built without problems: BR2_x86_64=y BR2_GCC_VERSION_15_X=y BR2_PACKAGE_SAFECLIB=y However adding rocketlake as architecture variant BR2_x86_64=y BR2_x86_rocketlake=y BR2_GCC_VERSION_15_X=y BR2_PACKAGE_SAFECLIB=y causes a build error: str/vsnprintf_s.c: In function 'safec_ftoa.isra': str/vsnprintf_s.c:523:24: error: writing 32 bytes into a region of size 31 [-Werror=stringop-overflow=] 523 | buf[len++] = '0'; with gcc 15.x only, gcc =< 14.x is not affected, reason unknown. This commit adds two upstream commits which fix the problem. No autobuilder error was recorded. Signed-off-by: Bernd Kuhls <bernd@kuhls.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update to buildroot in preparation to switch freedom-u-sdk over to replace riscv-gnu-toolchain with the toolchain supported in buildroot, which builds faster using upstream sources and takes less space.