Peter Marko [Fri, 2 Jan 2026 12:34:40 +0000 (13:34 +0100)]
libpcap: upgrade 1.10.5 -> 1.10.6
Solves CVE-2025-11961 and CVE-2025-11964.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Thu, 1 Jan 2026 17:22:35 +0000 (18:22 +0100)]
libxslt: mark CVE-2025-7424 as fixed
NVD DB lists this CVE as version-less (common for Red Hat CVEs).
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Release Notes:
* https://github.com/tukaani-project/xz/releases/tag/v5.8.2
* liblzma:
- Fix the build on ARM64 on glibc versions older than
2.24 (2016). They don't have HWCAP_CRC32 in <sys/auxv.h>.
- Disable CLMUL CRC code when building for 32-bit x86 with
old MSVC versions. This avoids a compiler bug. The exact
compiler version in which the issue was fixed is unknown,
but VS 2022 17.13 (MSVC 19.43.34808) is known to work, so
CLMUL CRC on 32-bit x86 is disabled with MSVC versions
older than that.
* xz:
- Add a workaround for Red Hat Enterprise Linux 9 kernel bug
which made xz fail with "xz: Failed to enable the sandbox".
It only occurs with xz 5.8.0 and 5.8.1 binaries built for
other distros. For example, running Debian 13 in a container
on RHEL/CentOS 9 would trigger the issue.
The bug was introduced in RHEL 9 kernel 5.14.0-603.el9
(2025-07-30) and fixed in 5.14.0-648.el9 (2025-12-05).
However, as of writing, the fixed kernel isn't available
to RHEL 9 users yet, so including the workaround in this
xz release seems reasonable. The workaround will be removed
when it's no longer needed.
xzdec was also affected by this issue.
- On AIX, don't use fsync() on directories because it fails.
- Fix the build on Emscripten.
- Fix the build on clang-cl on Windows.
- Take resource limits (RLIMIT_DATA, RLIMIT_AS, and RLIMIT_VMEM)
into account when determining the default memory usage limit
for multithreaded mode. This should prevent xz from failing
when a resource limit has been set to a value that is less
than 1/4 of total RAM. Other memory limits can still trigger
the same issue, for example, Linux cgroup v2 memory.max.
* Build systems:
- When symbol versioning is enabled, pass --undefined-version
to the linker if the option is supported. This fixes the
build when using LLVM's lld and some liblzma features have
been disabled at build time.
- ARM64: Fix autodetection of fast unaligned memory access when
using GCC and -mstrict-align is in effect. Previously the
build systems would incorrectly guess that unaligned access
is fast, which would result in much slower binaries than
needed. The fix is a workaround for GCC bug 111555;
autodetection already worked with Clang.
- LoongArch: Autodetect if fast unaligned memory access is
supported. This can improve compression speed by 15 % (but
not decompression speed).
* Translations:
- Update the Spanish translation.
- Add Swedish man page translations.
- Update Italian, Korean, Romanian, Serbian, and Ukrainian
man page translations.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop patch included in this release and refresh other patches.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Khem Raj [Wed, 31 Dec 2025 23:57:52 +0000 (15:57 -0800)]
libpcre2: Fix linking with LLD linker
Version scripts are at odds with LLD at times, and it's strict about undefined symbols
even though they will be provided by C startup files.
Fixes
| riscv64-yoe-linux-ld.lld: error: version script assignment of 'local' to symbol '_fini' failed: symbol not defined
| riscv64-yoe-linux-ld.lld: error: version script assignment of 'local' to symbol '_init' failed: symbol not defined
| riscv64-yoe-linux-clang: error: linker command failed with exit code 1 (use -v to see invocation)
| make[1]: *** [Makefile:1948: libpcre2-32.la] Error 1
| make[1]: Leaving directory '/mnt/b/yoe/master/build/tmp/work/riscv64imafdc-yoe-linux/libpcre2/10.47/build'
The systemd package contains a symlink to ukify binary under the
libdir/systemd. This symlink forces the systemd -> systemd-ukify
dependency, which also pulls in a set of python packages, which might be
undesirable for small installations. Move the symlink to the
systemd-ukify package, removing this dependency and preventing the
excess growth of the rootfs / initramfs.
Peter Marko [Tue, 30 Dec 2025 15:34:36 +0000 (16:34 +0100)]
python3: upgrade 3.13.9 -> 3.13.11
Handles CVE-2025-6075 (in 3.13.10) and CVE-2025-12084 (in 3.13.11).
Release information:
* https://www.python.org/downloads/release/python-31310/
* Python 3.13.10 is the tenth maintenance release of 3.13, containing
around 300 bugfixes, build improvements and documentation changes
since 3.13.9.
* https://www.python.org/downloads/release/python-31311/
* Python 3.13.11 is the eleventh maintenance release of 3.13. This is
an expedited release to fix the following regressions:
* gh-142206: Exceptions in multiprocessing in running programs while
upgrading Python.
* gh-142218: Segmentation faults and assertion failures in
insertdict.
* gh-140797: Crash when using multiple capturing groups in re.Scanner
* And these security fixes:
* gh-142145: Remove quadratic behavior in node ID cache clearing
(CVE-2025-12084)
* gh-119451: Fix a potential denial of service in http.client
* gh-119452: Fix a potential virtual memory allocation denial of
service in http.server
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Harish Sadineni [Tue, 30 Dec 2025 14:15:26 +0000 (06:15 -0800)]
bindgen-cli: extend BBCLASSEXTEND to include nativesdk
To support building Rust bindings in the SDK environment, bindgen needs to
be available for the `nativesdk` class as well.
This is required as part of making Rust available, where bindgen is a common
dependency for generating Rust FFI bindings from C headers during cross-compilation.
These tests tend to take a bit of time, and this is probably why they
have been seen failing a few times in the past months. Raising the
timeout from 5 to 10 minutes appears to help.
Fixes [YOCTO #15999]
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
mark.yang [Sun, 28 Dec 2025 03:19:53 +0000 (12:19 +0900)]
package.py: skip dwarfsrcfiles for Clang LTO static libraries
When using Clang toolchain with LTO enabled, static libraries (.a) contain
LLVM bitcode objects instead of ELF objects. dwarfsrcfiles cannot process
these files and fails with "not a valid ELF file" error.
Rather than catching the error message, guard the dwarfsrcfiles call by
checking for the specific conditions: static library (using is_static_lib()
magic check) + clang toolchain + lto in DISTRO_FEATURES. When all conditions
are met, skip the call silently.
Paul Barker [Mon, 22 Dec 2025 15:56:04 +0000 (15:56 +0000)]
selftest: devtool: Set PATH when running pseudo
When running pseudo outside of bitbake, we need to use the same PATH as
we would use if we were running inside bitbake instead of the host
environment's PATH.
This is particularly important on Ubuntu 25.10 where 'ls' on this host's
PATH is provided by uutils and we have setup links in HOSTTOOLS_DIR to
ensure that the gnu coreutils implementation is used instead.
Fixes [YOCTO #16099]
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adrian Freihofer [Thu, 18 Dec 2025 20:14:03 +0000 (21:14 +0100)]
kernel-fitimage: Add FIT_CONF_MAPPINGS for flexible DTB configuration
Having a 1-1 mapping between DTB names and configuration nodes names in
FIT images does not always work. Make this a bit more flexible by
allowing users to specify mappings to rename configuration nodes or add
extra configuration nodes for existing DTBs.
The new FIT_CONF_MAPPINGS variable accepts a space-separated list of
mapping commands:
- dtb-conf:DTB_NAME:NEW_NAME
Renames the configuration node for a specific DTB.
- dtb-extra-conf:DTB_NAME:EXTRA_NAME
Creates an additional configuration node for an existing DTB.
Example usage:
FIT_CONF_MAPPINGS = "\
dtb-extra-conf:am335x-bonegreen:bonegreen \
dtb-conf:am335x-boneblack:bbblack"
This generates three configuration nodes from two DTBs:
am335x-bonegreen, bonegreen (extra), and bbblack (renamed).
The implementation validates all mappings and ensures they match
existing DTBs, failing with clear error messages for invalid or unused
mappings.
Also removes leftover debug warning that was printing DTB configuration
details during FIT image generation.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
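The mapping resolution and fail-closed validation described in the FIT_CONF_MAPPINGS commit above, as an added Python sketch (not the kernel-fitimage class's own code). The function name, the rejection of a DTB renamed twice, and the rejection of clashing node names are assumptions made for this example; the DTB list is constructed sample input.

```python
"""Added illustration: resolve FIT configuration node names from FIT_CONF_MAPPINGS."""

VALID_COMMANDS = ("dtb-conf", "dtb-extra-conf")


def resolve_fit_configs(dtb_names, mappings):
    """Return [(conf_node_name, dtb_name), ...] for the given DTBs.

    dtb_names: DTB names without extension, in image order.
    mappings:  the FIT_CONF_MAPPINGS string (whitespace-separated commands).
    Raises ValueError for malformed, duplicate or unused mappings, so a
    typo never silently produces an image with unexpected node names.
    """
    renames, extras = {}, {}
    for entry in mappings.split():
        parts = entry.split(":")
        if len(parts) != 3 or parts[0] not in VALID_COMMANDS or not all(parts):
            raise ValueError(f"invalid mapping {entry!r}")
        command, dtb, name = parts
        if dtb not in dtb_names:
            raise ValueError(f"mapping {entry!r} does not match any DTB")
        if command == "dtb-conf":
            if dtb in renames:  # assumption: one rename per DTB
                raise ValueError(f"DTB {dtb!r} renamed more than once")
            renames[dtb] = name
        else:
            extras.setdefault(dtb, []).append(name)

    configs = []
    for dtb in dtb_names:
        configs.append((renames.get(dtb, dtb), dtb))
        configs.extend((extra, dtb) for extra in extras.get(dtb, []))

    # Assumption: two nodes with the same name would be ambiguous at boot.
    names = [name for name, _ in configs]
    clashes = sorted({n for n in names if names.count(n) > 1})
    if clashes:
        raise ValueError(f"duplicate configuration node names: {clashes}")
    return configs


# Constructed sample input mirroring the commit message's example.
SAMPLE_DTBS = ["am335x-bonegreen", "am335x-boneblack"]
SAMPLE_MAPPINGS = ("dtb-extra-conf:am335x-bonegreen:bonegreen "
                   "dtb-conf:am335x-boneblack:bbblack")

if __name__ == "__main__":
    for conf, dtb in resolve_fit_configs(SAMPLE_DTBS, SAMPLE_MAPPINGS):
        print(f"{conf} -> {dtb}")
```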
Kavinaya S [Thu, 18 Dec 2025 11:30:53 +0000 (17:00 +0530)]
fitimage: Add FIT_MKIMAGE_EXTRA_OPTS for flexible mkimage arguments
Currently, mkimage options in U-Boot recipes are fixed, which limits
flexibility for platforms that require additional mkimage arguments.
Introduce FIT_MKIMAGE_EXTRA_OPTS to allow passing extra options to
mkimage during image generation.
This is a generic need because different SoCs and boot configurations
often require mkimage flags beyond the defaults.
By exposing this variable, we provide a clean and extensible mechanism
for developers to meet hardware-specific and security requirements
without hardcoding options in recipes.
Example:
UBOOT_MKIMAGE_EXTRA_OPTS = "-B 8 -E"
will result in the mkimage command being invoked as:
`mkimage -B 8 -E -f fit-image.its fitImage`
- `-E` enables external data in FIT images, which is essential for
modular boot setups, secure boot workflows, and reducing image size.
- `-B 8` enforces 8-byte alignment, ensuring compatibility with boot
ROM requirements, improving memory access efficiency, and supporting
predictable offsets for multi-component FIT images.
Signed-off-by: Kavinaya S <kavinaya@qti.qualcomm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We're seeing NFS hangs on the autobuilder in the glibc toolchain tests
when run under qemu system mode. It appears the unfs server
fails and the image then fails trying to access the NFS mount. I can't yet
find a way to see why the unfs3 nfs server fails.
Whilst I don't know for sure this commit is the issue, it does seem likely this
could be the cause, so revert for now to see if the hangs stop.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove a patch as the issue has been fixed upstream.
Backport a couple patches to address ptest issues due to missing
kernel modules (they're not built in standard linux-yocto):
https://github.com/thom311/libnl/issues/448
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
HemanthKumar M D [Wed, 24 Dec 2025 13:12:03 +0000 (05:12 -0800)]
llvm/clang: Upgrade to 21.1.8 release
Brings following bugfixes on top of 21.1.7
2078da43e25a (HEAD, tag: llvmorg-21.1.8, origin/release/21.x) [Github] Remove use of setup-windows and install-ninja in llvm tests
b6360d3bc7a9 [Github] Remove install-ninja/setup-windows
7eb4bfe053d6 [ExtractAPI] Format typedef params correctly (#171516)
51e5074676d4 [compiler-rt][sanitizer] fix i386 build for Haiku (#171075)
d2e835bd4638 [SelectOptimize] Fix incorrect -1 immediate for large integers (#170860)
4b24e73d34ca [WebAssembly] Remove FAKE_USEs before ExplicitLocals (#160768)
4582a800c588 release/21.x: [clang-format] Fix a regression in annotating star before lambda (#170969)
a5658809ac4a [clang-format] Fix a crash in AlignArrayOfStructures (#167099)
94c40c61c1ce [clang-format] Don't swap `(const override)` with QAS_Right (#167191)
b845b4cd771e [rtsan] Handle attributed IR function declarations (#169577)
f68f64eb8130 Bump version to 21.1.8
Signed-off-by: Hemanth Kumar M D <hemanth.250302@gmail.com>
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rust: enable default uwtable and ignore arm no_std test
Rust 1.92.0 adds new tests that require unwind table support to be
enabled by default. Set `default-uwtable = true` in the generated
target spec to match upstream behavior.
Note: The increase in ignored tests is not due to any additional ignores added in OE.
These are primarily upstream-defined ignores introduced in Rust 1.92.0, likely due to
architecture-specific constraints or target configuration differences. The only OE-side
ignore added is for the no_std simple-runs test on 32-bit ARM, limited to a known upstream
issue (rust-lang/rust#146996) and can be reverted once the issue is resolved.
Signed-off-by: Hemanth Kumar M D <hemanth.250302@gmail.com>
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
efivarfs: Backport patch to update file variable store on SetVariableRT
Backport upstream commit 68daa04654ac to enable persisting EFI variable
updates when U-Boot provides SetVariableRT support via efivarfs. This
addresses limitations on embedded boards that store EFI variables in a
file on the ESP instead of NVRAM.
Mingli Yu [Mon, 22 Dec 2025 09:38:53 +0000 (17:38 +0800)]
libxslt: Upgrade 1.1.43 -> 1.1.45
* Remove the patch gnome-libxslt-bug-139-apple-fix.diff as the CVE-2025-7424
issue has been fixed in new version.
* Changelog for v1.1.45
Rebuild of v1.1.44
* Changelog for v1.1.44
## Major changes
Libxml2 changed the meta tag information, removed the:
`http-equiv="Content-Type" content="text/html;` attributes leaving
only the `charset` attribute. This caused the tests to fail in the
gitlab pipeline. Updated the test files accordingly.
## Security
- [CVE-2025-9714] Fix: Was a false positive, closed issue #148.
- [CVE-2025-7424] Fix: Type confusion in xmlNode.psvi between stylesheet and source
nodes (Fixed by Apple's engineers)
- [CVE-2025-11731] Fix: End function node ancestor search at document
### Bug fixes
- New maintainer: Iván Chavero
- CMake: cannot configure on MinGW-w64, missing Iconv::Iconv
- Reset context variable when evaluating globals
### Tests
- Update test outputs for new libxml2
- Fixed Windows tests
License-Update: copyright years
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update: copyright years
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update: MIT -> MIT no attribution variant
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>