Hi,

I am a bit unsure about the openssl patches. I am not questioning them 
technically, but whether it is the right way to patch openssl 3.2 since it is EOL [1].

Wouldn't it be better, as suggested in [1], to upgrade to either version 3.6.x 
(EOL 1st November 2026) or version 3.5.x (EOL April 2030 -> LTS)?

If you agree with that, I would prepare a patch. Just let me know the preferred 
version, since I am a bit unsure how this is usually handled on an LTS version.

[1] https://openssl-library.org/post/2025-11-25-eol-32/

Best Regards
Patrick


> Yoann Congal via lists.openembedded.org 
> <[email protected]> wrote on 24.02.2026 15:31 CET:
> 
>  
> Please review this set of changes for scarthgap and have comments back by
> end of day Thursday, February 26.
> 
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3276
> 
> The following changes since commit a1f4ae4e569bc0e36c27c1e4651e502e54d63b28:
> 
>   build-appliance-image: Update to scarthgap head revision (2026-02-16 09:52:44 +0000)
> 
> are available in the Git repository at:
> 
>   https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
>   
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
> 
> for you to fetch changes up to 94a2960e1ae3923599affb6b227ef3f1870f5633:
> 
>   u-boot: move CVE patches out of the common .inc file (2026-02-24 10:34:08 +0100)
> 
> ----------------------------------------------------------------
> 
> Aleksandar Nikolic (1):
>   scripts/install-buildtools: Update to 5.0.15
> 
> Amaury Couderc (2):
>   avahi: patch CVE-2025-68468
>   avahi: patch CVE-2025-68471
> 
> Ankur Tyagi (4):
>   avahi: patch CVE-2025-68276
>   avahi: patch CVE-2026-24401
>   mobile-broadband-provider-info: upgrade 20240407 -> 20251101
>   vim: ignore CVE-2025-66476
> 
> Benjamin Robin (Schneider Electric) (1):
>   spdx30_tasks: Exclude 'doc' when exporting PACKAGECONFIG to SPDX
> 
> Bruce Ashfield (7):
>   linux-yocto/6.6: update to v6.6.112
>   linux-yocto/6.6: update to v6.6.114
>   linux-yocto/6.6: update to v6.6.116
>   linux-yocto/6.6: update to v6.6.118
>   linux-yocto/6.6: update to v6.6.119
>   linux-yocto/6.6: update to v6.6.120
>   linux-yocto/6.6: update to v6.6.123
> 
> Daniel Dragomir (1):
>   wic/engine: error on old host debugfs for standalone directory copy
> 
> Deepak Rathore (7):
>   go 1.22.12: Fix CVE-2025-61730
>   go 1.22.12: Fix CVE-2025-61726
>   go 1.22.12: Fix CVE-2025-61728
>   go 1.22.12: Fix CVE-2025-61731
>   go 1.22.12: Fix CVE-2025-68119
>   go 1.22.12: Fix CVE-2025-61732
>   go 1.22.12: Fix CVE-2025-68121
> 
> Dragomir, Daniel (2):
>   wic/engine: fix copying directories into wic image with ext* partition
>   oeqa/selftest/wic: test recursive dir copy on ext partitions
> 
> Fabio Berton (1):
>   classes/buildhistory: Do not sign buildhistory commits
> 
> Hitendra Prajapati (2):
>   openssl: fix CVE-2025-15468
>   openssl: fix CVE-2025-69419
> 
> Ming Liu (1):
>   weston: fix a touch-calibrator issue
> 
> Peter Marko (10):
>   libsndfile1: patch CVE-2025-56226
>   libpng: patch CVE-2026-25646
>   glib-2.0: patch CVE-2026-1484
>   glib-2.0: patch CVE-2026-1485
>   glib-2.0: patch CVE-2026-1489
>   ffmpeg: ignore CVE-2025-1594
>   libtheora: mark CVE-2024-56431 as not vulnerable yet
>   ffmpeg: set status of CVE-2025-25468
>   gnupg: patch CVE-2025-68973
>   alsa-lib: patch CVE-2026-25068
> 
> Pratik Farkase (1):
>   libevent: merge inherit statements
> 
> Richard Purdie (1):
>   go-vendor: Fix absolute paths issue
> 
> Vijay Anusuri (1):
>   bind: Upgrade 9.18.41 -> 9.18.44
> 
> Yoann Congal (2):
>   pseudo: Update to include a fix for systems with kernel <5.6
>   u-boot: move CVE patches out of the common .inc file
> 
>  meta/classes/buildhistory.bbclass             |   2 +-
>  meta/classes/go-vendor.bbclass                |   6 +-
>  meta/lib/oe/spdx30_tasks.py                   |   8 +-
>  meta/lib/oeqa/selftest/cases/wic.py           |  65 ++
>  meta/recipes-bsp/u-boot/u-boot-common.inc     |  12 +-
>  meta/recipes-bsp/u-boot/u-boot_2024.01.bb     |  10 +
>  meta/recipes-connectivity/avahi/avahi_0.8.bb  |   4 +
>  .../avahi/files/CVE-2025-68276.patch          |  65 ++
>  .../avahi/files/CVE-2025-68468.patch          |  32 +
>  .../avahi/files/CVE-2025-68471.patch          |  36 +
>  .../avahi/files/CVE-2026-24401.patch          |  74 ++
>  .../bind/{bind_9.18.41.bb => bind_9.18.44.bb} |   2 +-
>  .../mobile-broadband-provider-info_git.bb     |   4 +-
>  .../openssl/openssl/CVE-2025-15468.patch      |  39 +
>  .../openssl/openssl/CVE-2025-69419.patch      |  61 ++
>  .../openssl/openssl_3.2.6.bb                  |   2 +
>  .../glib-2.0/glib-2.0/CVE-2026-1484-01.patch  |  48 +
>  .../glib-2.0/glib-2.0/CVE-2026-1484-02.patch  |  45 +
>  .../glib-2.0/glib-2.0/CVE-2026-1485.patch     |  44 +
>  .../glib-2.0/glib-2.0/CVE-2026-1489-01.patch  |  42 +
>  .../glib-2.0/glib-2.0/CVE-2026-1489-02.patch  |  30 +
>  .../glib-2.0/glib-2.0/CVE-2026-1489-03.patch  | 290 ++++++
>  .../glib-2.0/glib-2.0/CVE-2026-1489-04.patch  |  68 ++
>  meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb |   7 +
>  meta/recipes-devtools/go/go-1.22.12.inc       |  10 +
>  .../go/go/CVE-2025-61726.patch                | 196 +++++
>  .../go/go/CVE-2025-61728.patch                | 171 ++++
>  .../go/go/CVE-2025-61730.patch                | 460 ++++++++++
>  .../go/go/CVE-2025-61731.patch                |  70 ++
>  .../go/go/CVE-2025-61732.patch                |  53 ++
>  .../go/go/CVE-2025-68119-dependent.patch      | 175 ++++
>  .../go/go/CVE-2025-68119.patch                | 828 ++++++++++++++++++
>  .../go/go/CVE-2025-68121_p1.patch             | 253 ++++++
>  .../go/go/CVE-2025-68121_p2.patch             | 385 ++++++++
>  .../go/go/CVE-2025-68121_p3.patch             |  82 ++
>  meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
>  ...ator-Regularise-surface-view-mapping.patch |  78 ++
>  .../recipes-graphics/wayland/weston_13.0.1.bb |   1 +
>  .../linux/linux-yocto-rt_6.6.bb               |   6 +-
>  .../linux/linux-yocto-tiny_6.6.bb             |   6 +-
>  meta/recipes-kernel/linux/linux-yocto_6.6.bb  |  28 +-
>  .../alsa/alsa-lib/CVE-2026-25068.patch        |  34 +
>  .../alsa/alsa-lib_1.2.11.bb                   |   1 +
>  .../recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb |   3 +-
>  .../libpng/files/CVE-2026-25646.patch         |  61 ++
>  .../libpng/libpng_1.6.42.bb                   |   1 +
>  .../libsndfile1/CVE-2025-56226-01.patch       |  36 +
>  .../libsndfile1/CVE-2025-56226-02.patch       |  43 +
>  .../libsndfile/libsndfile1_1.2.2.bb           |   2 +
>  .../libtheora/libtheora_1.1.1.bb              |   2 +
>  .../gnupg/gnupg/CVE-2025-68973.patch          | 108 +++
>  meta/recipes-support/gnupg/gnupg_2.4.8.bb     |   1 +
>  .../libevent/libevent_2.1.12.bb               |   4 +-
>  meta/recipes-support/vim/vim_9.1.bb           |   2 +
>  scripts/install-buildtools                    |   4 +-
>  scripts/lib/wic/engine.py                     |  92 +-
>  56 files changed, 4132 insertions(+), 62 deletions(-)
>  create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2025-68276.patch
>  create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch
>  create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2025-68471.patch
>  create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2026-24401.patch
>  rename meta/recipes-connectivity/bind/{bind_9.18.41.bb => bind_9.18.44.bb} (97%)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch
>  create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-01.patch
>  create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1484-02.patch
>  create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1485.patch
>  create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-01.patch
>  create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-02.patch
>  create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-03.patch
>  create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-1489-04.patch
>  create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61726.patch
>  create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61728.patch
>  create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61730.patch
>  create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61731.patch
>  create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61732.patch
>  create mode 100644 meta/recipes-devtools/go/go/CVE-2025-68119-dependent.patch
>  create mode 100644 meta/recipes-devtools/go/go/CVE-2025-68119.patch
>  create mode 100644 meta/recipes-devtools/go/go/CVE-2025-68121_p1.patch
>  create mode 100644 meta/recipes-devtools/go/go/CVE-2025-68121_p2.patch
>  create mode 100644 meta/recipes-devtools/go/go/CVE-2025-68121_p3.patch
>  create mode 100644 meta/recipes-graphics/wayland/weston/0001-touch-calibrator-Regularise-surface-view-mapping.patch
>  create mode 100644 meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch
>  create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
>  create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2025-56226-01.patch
>  create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2025-56226-02.patch
>  create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch
>