On Thu, 2026-02-12 at 14:27 +0100, Yoann Congal wrote: > Those are the patches from the last patch review: > https://lore.kernel.org/openembedded-core/[email protected]/T/#t > with the following modification: > * zlib: ignore CVE-2026-22184 was changed to a cherry-pick from master > and needed commits backported: > * zlib: cleanup CVE_STATUS[CVE-2023-45853] > * zlib: Add CVE_PRODUCT to exclude false positives > > Passed a-full on autobuilder (with AB-INT): > https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3195 > * The build qemuarm-oecore failed: > https://autobuilder.yoctoproject.org/valkyrie/#/builders/40/builds/3140 > This was caused by bug #16143 – AB-INT: do_image_wic: tar command return > exit status 2 > * The build qemuarm-oecore was succesfully retried: > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/40/builds/3143
Hi Richard, Yoann, We have an understanding of #16143 now, and this issue happening is not a regression caused by any of the patches here, so I think this is good to merge. The following changes since commit d50e4680ed6f930582d907b37c9ed545a89f5c27: build-appliance-image: Update to scarthgap head revision (2026-01-26 09:50:47 +0000) are available in the Git repository at: https://git.openembedded.org/openembedded-core-contrib pbarker/scarthgap for you to fetch changes up to e86e50b8c5b16065dcb35ebf4b00eff59c5da78c: libtheora: set CVE_PRODUCT (2026-02-12 23:44:37 +0000) ---------------------------------------------------------------- Adarsh Jagadish Kamini (1): python-urllib3: Backport fix for CVE-2026-21441 Amaury Couderc (1): curl: patch CVE-2025-14524 Ankur Tyagi (2): ffmpeg: upgrade 6.1.3 -> 6.1.4 ffmpeg: ignore CVE-2025-25469 Benjamin Robin (Schneider Electric) (1): meta/classes: fix missing vardeps for CVE status variables Daniel Turull (1): improve_kernel_cve_report: add script for postprocesing of kernel CVE data Fred Bacon (1): lighttpd: Fix trailing slash on files in mod_dirlisting Het Patel (1): zlib: Add CVE_PRODUCT to exclude false positives Hitendra Prajapati (1): curl: fix CVE-2025-10148 Hugo SIMELIERE (1): libtasn1: Fix CVE-2025-13151 Ken Kurematsu (1): libtheora: set CVE_PRODUCT Khai Dang (1): docbook-xml-dtd4: fix the fetching failure Peter Marko (12): expat: patch CVE-2026-24515 expat: patch CVE-2026-25210 glib-2.0: patch CVE-2026-0988 libpng: patch CVE-2026-22695 libpng: patch CVE-2026-22801 libxml2: patch CVE-2026-0989 libxml2: patch CVE-2026-0990 libxml2: patch CVE-2026-0992 libxml2: add follow-up patch for CVE-2026-0992 python3: patch CVE-2025-13837 zlib: ignore CVE-2026-22184 glibc: stable 2.39 branch updates Richard Purdie (1): pseudo: Update to 1.9.3 release Vijay Anusuri (1): inetutils: Fix CVE-2026-24061 Yoann Congal (1): zlib: cleanup CVE_STATUS[CVE-2023-45853] meta/classes/create-spdx-2.2.bbclass | 1 + meta/classes/create-spdx-3.0.bbclass | 2 + meta/classes/cve-check.bbclass | 1 + meta/classes/vex.bbclass | 1 + .../inetutils/inetutils/CVE-2026-24061-1.patch | 41 ++ .../inetutils/inetutils/CVE-2026-24061-2.patch | 85 ++++ .../inetutils/inetutils_2.5.bb | 2 + .../expat/expat/CVE-2026-24515-01.patch | 43 ++ .../expat/expat/CVE-2026-24515-02.patch | 117 ++++++ .../expat/expat/CVE-2026-25210-01.patch | 27 ++ .../expat/expat/CVE-2026-25210-02.patch | 38 ++ .../expat/expat/CVE-2026-25210-03.patch | 28 ++ meta/recipes-core/expat/expat_2.6.4.bb | 5 + .../glib-2.0/glib-2.0/CVE-2026-0988.patch | 58 +++ meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 1 + meta/recipes-core/glibc/glibc-version.inc | 2 +- meta/recipes-core/glibc/glibc_2.39.bb | 2 +- .../libxml/libxml2/CVE-2026-0989.patch | 309 ++++++++++++++ .../libxml/libxml2/CVE-2026-0990.patch | 76 ++++ .../libxml/libxml2/CVE-2026-0992-01.patch | 49 +++ .../libxml/libxml2/CVE-2026-0992-02.patch | 323 ++++++++++++++ .../libxml/libxml2/CVE-2026-0992-03.patch | 33 ++ meta/recipes-core/libxml/libxml2_2.12.10.bb | 5 + meta/recipes-core/zlib/zlib_1.3.1.bb | 6 +- .../docbook-xml/docbook-xml-dtd4_4.5.bb | 10 +- meta/recipes-devtools/pseudo/pseudo_git.bb | 4 +- .../python/python3-urllib3/CVE-2026-21441.patch | 105 +++++ .../python/python3-urllib3_2.2.2.bb | 1 + .../python/python3/CVE-2025-13837.patch | 162 +++++++ meta/recipes-devtools/python/python3_3.12.12.bb | 1 + .../lighttpd/lighttpd/0001-mod_dirlisting.patch | 48 +++ meta/recipes-extended/lighttpd/lighttpd_1.4.74.bb | 1 + .../ffmpeg/ffmpeg/CVE-2024-35365.patch | 62 --- .../ffmpeg/ffmpeg/CVE-2024-36618.patch | 36 -- .../ffmpeg/ffmpeg/CVE-2025-1594.patch | 105 ----- .../ffmpeg/{ffmpeg_6.1.3.bb => ffmpeg_6.1.4.bb} | 7 +- .../libpng/files/CVE-2026-22695.patch | 77 ++++ .../libpng/files/CVE-2026-22801.patch | 173 ++++++++ meta/recipes-multimedia/libpng/libpng_1.6.42.bb | 2 + .../libtheora/libtheora_1.1.1.bb | 2 + .../recipes-support/curl/curl/CVE-2025-10148.patch | 57 +++ .../recipes-support/curl/curl/CVE-2025-14524.patch | 44 ++ meta/recipes-support/curl/curl_8.7.1.bb | 2 + .../gnutls/libtasn1/CVE-2025-13151.patch | 30 ++ meta/recipes-support/gnutls/libtasn1_4.20.0.bb | 1 + scripts/contrib/improve_kernel_cve_report.py | 467 +++++++++++++++++++++ 46 files changed, 2434 insertions(+), 218 deletions(-) create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-1.patch create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-2.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-24515-01.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-24515-02.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-01.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-02.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-03.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0989.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13837.patch create mode 100644 meta/recipes-extended/lighttpd/lighttpd/0001-mod_dirlisting.patch delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch rename meta/recipes-multimedia/ffmpeg/{ffmpeg_6.1.3.bb => ffmpeg_6.1.4.bb} (98%) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2025-10148.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch create mode 100755 scripts/contrib/improve_kernel_cve_report.py Best regards, -- Paul Barker
signature.asc
Description: This is a digitally signed message part
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231104): https://lists.openembedded.org/g/openembedded-core/message/231104 Mute This Topic: https://lists.openembedded.org/mt/117773721/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
