Please review this set of changes for scarthgap and have comments back by end of day Tuesday, June 9.
Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3933 The following changes since commit ece80784b493c8b7493478fa2ba0dc1d6d80aa79: build-appliance-image: Update to scarthgap head revisions (2026-05-15 13:25:33 +0100) are available in the Git repository at: https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-review https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-review for you to fetch changes up to e2864ea1ac022e43af92badc701fa1e2a9571f46: pseudo: Upgrade 1.9.6 -> 1.9.7 (2026-06-05 11:02:52 +0200) ---------------------------------------------------------------- Ankur Tyagi (1): tzdata/tzcode-native: upgrade 2026a -> 2026b Benjamin Robin (Schneider Electric) (1): lz4: Remove a reference to the rejected CVE-2025-62813 Changqing Li (1): go.bbclass: change GOTMPDIR to improve reproducibility Guðni Már Gilbert (1): gnupg: upgrade 2.4.8 -> 2.4.9 Hitendra Prajapati (3): libssh2: fix for CVE-2026-7598 libexif: fix for CVE-2026-32775 libexif: fix for CVE-2026-40385, CVE-2026-40386 Hugo SIMELIERE (Schneider Electric) (1): libarchive: Fix CVE-2026-4424 Martin Jansa (1): systemd: update musl specific patch to apply Mathieu Dubois-Briand (1): oeqa: runtime: go: Increase test_go_compile/test_go_module timeout Peter Bergin (1): go.bbclass: disable workspaces Peter Marko (1): cargo: set CVE_PRODUCT Richard Purdie (4): pseudo: Upgrade to 1.9.4 pseudo: Upgrade to 1.9.5 pseudo: Update 1.9.5 -> 1.9.6 pseudo: Upgrade 1.9.6 -> 1.9.7 Ross Burton (3): python3-requests: backport fix for CVE-2026-25645 perl: link to the system zlib instead of a vendored copy classes/base: prefer gnu-prefixed HOSTTOOLS Theo Gaige (Schneider Electric) (3): openssh: patch CVE-2026-35385 openssh: patch CVE-2026-35387 openssh: patch CVE-2026-35388 Trevor Woerner (1): wic: filemap: use separate fd for SEEK_HOLE probes Yoann Congal (2): scripts/install-buildtools: Update to 5.0.18 linux-yocto/6.6: update CVE exclusions (6.6.127) meta/classes-global/base.bbclass | 6 +- meta/classes-recipe/go.bbclass | 3 +- meta/lib/oeqa/runtime/cases/go.py | 4 +- .../openssh/openssh/CVE-2026-35385.patch | 47 + .../openssh/openssh/CVE-2026-35387.patch | 205 ++ .../openssh/openssh/CVE-2026-35388.patch | 47 + .../openssh/openssh_9.6p1.bb | 3 + ...missing.h-check-for-missing-strndupa.patch | 4 +- meta/recipes-devtools/perl/perl_5.38.4.bb | 5 + meta/recipes-devtools/pseudo/pseudo_git.bb | 4 +- .../python3-requests/CVE-2026-25645.patch | 46 + .../python/python3-requests_2.32.4.bb | 7 +- meta/recipes-devtools/rust/cargo_1.75.0.bb | 2 + .../libarchive/CVE-2026-4424-1.patch | 61 + .../libarchive/CVE-2026-4424-2.patch | 28 + .../libarchive/libarchive_3.7.9.bb | 2 + meta/recipes-extended/timezone/timezone.inc | 6 +- .../linux/cve-exclusion_6.6.inc | 2462 +++++++++++++++-- ...erride-init-is-not-needed-with-gcc-9.patch | 7 +- ...-a-custom-value-for-the-location-of-.patch | 5 +- ...use-pkgconfig-instead-of-npth-config.patch | 3 +- ...h-fix-find-version-for-beta-checking.patch | 3 +- .../gnupg/gnupg/CVE-2025-68973.patch | 108 - .../gnupg/gnupg/CVE-2026-24882-0001.patch | 7 +- .../gnupg/gnupg/CVE-2026-24882-0002.patch | 7 +- .../gnupg/gnupg/relocate.patch | 19 +- .../gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} | 3 +- .../libexif/libexif/CVE-2026-32775.patch | 86 + .../libexif/libexif/CVE-2026-40385.patch | 35 + .../libexif/libexif/CVE-2026-40386.patch | 46 + .../recipes-support/libexif/libexif_0.6.24.bb | 3 + .../libssh2/libssh2/CVE-2026-7598.patch | 60 + .../recipes-support/libssh2/libssh2_1.11.1.bb | 1 + ...13.patch => fix-null-error-handling.patch} | 1 - meta/recipes-support/lz4/lz4_1.9.4.bb | 4 +- scripts/install-buildtools | 4 +- scripts/lib/wic/filemap.py | 13 +- 37 files changed, 2938 insertions(+), 419 deletions(-) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2026-35385.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2026-35388.patch create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-4424-1.patch create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-4424-2.patch delete mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} (96%) create mode 100644 meta/recipes-support/libexif/libexif/CVE-2026-32775.patch create mode 100644 meta/recipes-support/libexif/libexif/CVE-2026-40385.patch create mode 100644 meta/recipes-support/libexif/libexif/CVE-2026-40386.patch create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2026-7598.patch rename meta/recipes-support/lz4/files/{CVE-2025-62813.patch => fix-null-error-handling.patch} (99%)
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#238187): https://lists.openembedded.org/g/openembedded-core/message/238187 Mute This Topic: https://lists.openembedded.org/mt/119670722/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
