- Keep both the older deprecated debian:apt alias and the active
debian:advanced_package_tool identity in CVE_PRODUCT.
- This preserves completeness and avoids missing CVEs in case older
aliases are still used in NVD records.
Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Wed, 22 Apr 2026 19:44:43 +0000 (20:44 +0100)]
vim: disable GTK+3 UI by default
Disable the GTK+ UI by default. By having vim be always built with GTK+
by default installing vim results in the entire GTK+/X11 stack being
pulled into images, even if they would otherwise be non-graphical.
Also, real vim users run it in a terminal.
The PACKAGECONFIG remains and can be enabled. Maybe a future improvement
would be to split the recipe into non-X vim and GTK+-based gvim recipes.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Franz Schnyder [Wed, 8 Apr 2026 13:05:53 +0000 (15:05 +0200)]
gnutls: Add p11-kit for native builds
U-Boot mkeficapsule host tool now uses pkcs11 related gnutls symbols.
If gnutls-native is built without p11-kit support, linking
mkeficapsule will fail.
Enable p11-kit for gnutls-native.
Signed-off-by: Franz Schnyder <franz.schnyder@toradex.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a new PACKAGECONFIG to give users the choice of whether to
have /etc/profile.d/80-systemd-osc-context.sh file or not.
This is because the /etc/profile.d/80-systemd-osc-context.sh[1] is setting
PS0 with OSC 3008 standard[2]. If a terminal (e.g., minicom) cannot
deal with this OSC 3008 standard, it will just output the whole contents.
This is quite annoying. See example output below:
Below are steps of how to reproduce the issue with qemu:
1. IMAGE_INSTALL:append = " bash"
2. bitbake core-image-minimal
3. runqemu snapshot kvm nographic qemuparams="-serial pty"
4. minicom -D /dev/pts/X -b 115200 (/dev/pts/X is the one printed in the step 3)
5. [In minicom] type any command or just type "Enter" key
A new PR is also created for systemd upstream:
https://github.com/systemd/systemd/pull/41647
If systemd accepts the PR, we can then use the new option. Otherwise, we'll need
to keep the way it is now.
Ross Burton [Tue, 21 Apr 2026 15:12:47 +0000 (16:12 +0100)]
quilt: remove bzip2 RDEPENDS
quilt has support for compressed patches but for some reason we only
listed bzip2 explicitly, despite it also supporting gzip/xz/lzma/lz/zst.
We don't have any recipes that use compressed patches and there's
nothing special about bzip2, so if a recipe does want to use compressed
patches then it can add the required dependency itself.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Barker [Tue, 21 Apr 2026 20:10:20 +0000 (21:10 +0100)]
image_types_wic: Introduce wicenv image type
Now that wic is an external tool, using it outside of the normal Yocto
build workflow will become more common. So, we need a way for users to
specify that they want the .env file used by wic to be placed into
${DEPLOY_DIR_IMAGE}.
With this change, if you intend to use wic externally, you should
specify:
IMAGE_FSTYPES += "wicenv"
As we now have a separate IMAGE_CMD for this, we no longer need to
deploy the .env file in do_rootfs_wicenv.
[YOCTO #16246]
Signed-off-by: Paul Barker <paul@pbarker.dev> Cc: Trevor Woerner <twoerner@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
sbom-cve-check-common: print warnings on unpatched CVEs
The now removed cve-check class used to print warnings when CVEs with
status "Unpatched" were found. Add this feature to the
sbom-cve-check class with the same default value (enabled).
For now it only does so when the cvecheck report type is enabled. It may
be possible to do the same for the SPDX report type.
Sample output:
WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: busybox-1.37.0: Found unpatched CVEs: CVE-2024-58251
WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: expat-2.7.5: Found unpatched CVEs: CVE-2025-66382, CVE-2026-41080
WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756, CVE-2026-4046
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Sunil Dora [Mon, 20 Apr 2026 22:27:42 +0000 (15:27 -0700)]
libcxx: fix libunwind collision with musl builds
Commit 75409c60 (rust: enable fully static linking with TCLIBC=musl)
used install-unwind for musl builds which also installs libunwind.so
and libunwind.h, causing a file collision with the libunwind recipe.
Only libunwind.a is needed for Rust static musl linking. Since no
other recipe in oe-core builds LLVM libunwind, compile it
unconditionally for musl and use do_install to install only the
static library.
Reported-by: Ross Burton <ross.burton@arm.com> Suggested-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Tue, 21 Apr 2026 10:39:05 +0000 (11:39 +0100)]
shadow: Drop 'pointless' patch
As far as I can tell, this patch is a no-op and doens't change the code.
As such, I think it just complicates things and can be removed.
[After testing we found this is working around a pseudo issue where we
were missing an intercept call for __open_2. The correct thing to do is
add that intercept, then we can drop this work around. The workaround
changed the function calls the headers map this into, resulting in ones
pseudo could intercept]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Mon, 20 Apr 2026 22:26:02 +0000 (23:26 +0100)]
pseudo: Upgrade to 1.9.4
Update to pull in a full openat2 wrapper which works on Fedora 44.
This update includes the commits:
* Makefile.in: Bump version to 1.9.4
* test: Add renameat2 test cases
* test: Add openat2 test cases
* makewrappers/openat2: Add preserve_path option
* openat2: Implement openat2 wrapper
* ports/linux/guts/renameat2.c: Add comment why this isn't implemented
* Add b4 configuration
* pseudo_setupenvp: Handle malloc failure safely
* pseudo_setupenvp: Allocate space for new env vars if needed
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ahmad Fatoum [Sun, 19 Apr 2026 20:30:14 +0000 (22:30 +0200)]
barebox: upgrade 2026.03.1 -> 2026.04.0
Main highlight of this release is the new devboot mechanism, which
allows overriding any combination of kernel, device tree and
initramfs in an existing boot flow with network-hosted files,
simplifying iterative development:
This release also restores compatibility with new TF-A versions acting
as SCMI clock provider, after TF-A v2.14 broke the SCMI v2.0 clock
protocol used by earlier barebox (and Linux <= v6.6).
Ross Burton [Mon, 20 Apr 2026 19:07:49 +0000 (20:07 +0100)]
util-linux: fix CVE-2026-27456
Backport a patch from upstream to fix CVE-2026-27456:
Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use)
vulnerability has been identified in the SUID binary /usr/bin/mount
from util-linux. The mount binary, when setting up loop devices,
validates the source file path with user privileges via fork() +
setuid() + realpath(), but subsequently re-canonicalizes and opens it
with root privileges (euid=0) without verifying that the path has not
been replaced between both operations. Neither O_NOFOLLOW, nor inode
comparison, nor post-open fstat() are employed. This allows a local
unprivileged user to replace the source file with a symlink pointing
to any root-owned file or device during the race window, causing the
SUID binary to open and mount it as root. Exploitation requires an
/etc/fstab entry with user,loop options whose path points to a
directory where the attacker has write permission, and that
/usr/bin/mount has the SUID bit set (the default configuration on
virtually all Linux distributions). The impact is unauthorized read
access to root-protected files and block devices, including backup
images, disk volumes, and any file containing a valid filesystem.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Mon, 20 Apr 2026 19:07:48 +0000 (20:07 +0100)]
xz: fix CVE-2026-34743
Backport a fix from upstream to resolve CVE-2026-34743:
Prior to version 5.8.3, if lzma_index_decoder() was used to decode an
Index that contained no Records, the resulting lzma_index was left in
a state where where a subsequent lzma_index_append() would allocate
too little memory, and a buffer overflow would occur.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Mon, 20 Apr 2026 19:07:47 +0000 (20:07 +0100)]
xz: mark several CVEs as fixed
- CVE-2024-47611 was fixed in 5.6.3 and is Windows-specific.
- CVE-2025-31115 was fixed in 5.8.1.
- CVE-2025-58058 is specific to the Go xz module, not this recipe.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Michael Arndt [Fri, 17 Apr 2026 20:07:09 +0000 (22:07 +0200)]
sstate: Fail on file systems without hard link support
The sstate can only work reliably when the file system has support for hard
links. Previously this error was silenced, now the build fails and the user is
informed about the problem.
Signed-off-by: Michael Arndt <michael@rndt.dev> CC: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Peter Marko [Thu, 16 Apr 2026 22:25:26 +0000 (00:25 +0200)]
cve-exclusions: set status for CVE-2025-71145
cvelistV5 tracks hashes instead of versions.
Same hashes are also present in NVD links.
Checking those hashes, fix is already available in linux-yocto.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
devtool-source: set S variable to a sub dir of UNPACKDIR
If a recipe set UNPACKDIR to a directory that is not contained within
WORKDIR, before this modification, this generates the following error:
"S should be set relative to UNPACKDIR."
S should not be updated, otherwise the recipe may not find the extracted
sources. In all recipes, S should reference the UNPACKDIR variable.
There is an exception for the kernel to prevent infinite recursion
when expanding the STAGING_KERNEL_DIR variable.
So, only updates UNPACKDIR to be within the DEVTOOL_TEMPDIR directory.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Peter Marko [Wed, 15 Apr 2026 12:43:06 +0000 (14:43 +0200)]
go: skip recipe instead of throwing fatal error on unknown architectures
Current code means that layer which contains a golang recipe cannot be
even parsed for machine which is not in supported golang architectures.
Skipping the golang recipes instead of throwing fatal error is much
friendlier and let machines without golang support co-exist in a layer
with golang recipes.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Ross Burton [Fri, 17 Apr 2026 16:06:55 +0000 (17:06 +0100)]
python3: prefer valid dists when searching for entry points
When bitbake regenerates a sysroot due to upgrades it will remove any
previously installed files but keep the directories. This can result in
site-packages containing:
setuptools/ <-- the actual Python code
setuptools-82.0.0.dist-info <-- empty metadata directory
setuptools-82.0.1.dist-info <-- populated metadata directory
When importlib_metadata.entry_points() iterates the distributions it
will take the list of dists *in on-disk order* and then remove
duplicates. If the empty directory comes first in the unsorted directory
listing then that is the only one that is returned.
This eventually results in mysterious errors from setuptools:
error: invalid command 'egg_info'
Solve this by sorting the distribution list so that valid dists are
first.
[ YOCTO #16235 ]
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
image_types: catch exception if no CONVERSION_CMD is defined
When new conversion type is defined, BitBake assumes
that CONVERSION_CMD: is defined for the type, so it gets
the variable which returns NoneType if it is not defined.
That generates the following exception which may not be clear
for some:
--
ERROR: /../techleef-image.bb: Error executing a python function in <code>:
The stack trace of python calls that resulted in this exception/failure was:
File: '<code>', lineno: 16, function: <module>
0012:__anon_117__.._recipe_populate_sdk_base_bbclass(d)
0013:__anon_427__.._recipe_populate_sdk_base_bbclass(d)
0014:__anon_131__.._recipe_image_bbclass(d)
0015:__anon_187__.._recipe_image_bbclass(d)
*** 0016:__anon_535__.._recipe_image_bbclass(d)
0017:__anon_44__.._recipe_rootfs_ipk_bbclass(d)
0018:__anon_191__.._recipe_siteinfo_bbclass(d)
0019:__anon_17__.._recipe_license_image_bbclass(d)
0020:__anon_206__.._recipe_image_types_wic_bbclass(d)
File: '/../image.bbclass', lineno: 501, function: __anon_535__.._recipe_image_bbclass
0497: if original_type not in alltypes:
0498: rm_tmp_images.add(localdata.expand("${IMAGE_NAME}.${type}"))
0499:
0500: for bt in basetypes[t]:
*** 0501: gen_conversion_cmds(bt)
0502:
0503: localdata.setVar('type', realt)
0504: if t not in alltypes:
0505: rm_tmp_images.add(localdata.expand("${IMAGE_NAME}.${type}"))
File: '/../image.bbclass', lineno: 490, function: gen_conversion_cmds
0486: type = type[8:]
0487: # Create input image first.
0488: gen_conversion_cmds(type)
0489: localdata.setVar('type', type)
*** 0490: cmd = "\t" + localdata.getVar("CONVERSION_CMD:" + ctype)
0491: if cmd not in cmds:
0492: cmds.append(cmd)
0493: vardeps.add('CONVERSION_CMD:' + ctype)
0494: subimage = type + "." + ctype
Exception: TypeError: can only concatenate str (not "NoneType") to str
ERROR: Parsing halted due to errors, see error messages above
--
Fail with human readable error if no CONVERSION_CMD is defined for
any defined subtype.
Signed-off-by: Talel BELHAJ SALEM <bhstalel@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Fri, 17 Apr 2026 17:28:57 +0000 (19:28 +0200)]
create-spdx-3.0: rerun do_create_recipe_spdx on patch changes
Valkyrie patchmetrics from 2026-04-17 is showing two CVEs where patches
were merged the day before (2026-04-16) - inetutils/CVE-2026-32746 and
re2c/CVE-2026-2903.
Root-cause is that the CVE patches are evaluated in task
do_create_recipe_spdx which does not have any dependency on SRC_URI nor
content of the patches, so it is taken from sstate-cache which contains
old (stale) data.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oe/spdx30_task: Prevent duplication of sources in hasInput rel
If the debug_sources are already inside the build_inputs, we must not
add them again, otherwise, the source files are going to be referenced
multiple times inside the hasInput relationship.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oe/spdx30_task: Add status notes to VEX relationship
Without the status note, we are losing the reason why the CVE is
considered vulnerable or fixed.
The information provided in CVE_STATUS is otherwise lost.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oe/sbom30: Remove unneeded oe.sbom30. to reference local symbol
The class OEDocumentExtension is declared within the sbom30.py file.
There is no need to use its full package path to reference it.
Same for get_element_link_id() function.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Thu, 16 Apr 2026 10:30:57 +0000 (11:30 +0100)]
glib-networking: backport fix for CVE-2026-2574
CVE-2026-2574:
Affected versions of this package are vulnerable to Out-of-bounds Read
via improper handling of certificate authority data in the OpenSSL
backend. An attacker can cause application crashes and potentially
disclose limited heap memory by enticing a client to connect to a
malicious TLS server that advertises a specially crafted client-CA
list.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Jörg Sommer [Thu, 16 Apr 2026 16:38:13 +0000 (18:38 +0200)]
run-postinsts: Replace which by command -v
The command *which* can be provided by the packages which, debianutils,
busybox, or zsh. But if none of these are installed, the call fails. The
POSIX way to check for a command is `command -v` and suppress the output in
case of success.
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Haiqing Bai [Wed, 15 Apr 2026 06:51:04 +0000 (06:51 +0000)]
libxml-parser-perl: patch CVE-2006-10003
XML::Parser versions through 2.47 for Perl has an off-by-one
heap buffer overflow in st_serial_stack. In the case
(stackptr == stacksize - 1), the stack will NOT be expanded.
Then the new value will be written at location (++stackptr),
which equals stacksize and therefore falls just outside the
allocated buffer. The bug can be observed when parsing an
XML file with very deep element nesting.
oeqa/sdk: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/files/layers.example.json: switch to https clone URIs
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oeqa/selftest/devtool-test-git-gitsm: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Use ";protocol=https" for the parent git submodule and, also, update the
SRCREV to point to a commit where submodules are reference through a
https:// URL instead of a git:// one.
Update the expected output of the archiver test.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oeqa/selftest/git-submodule-test: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Use ";protocol=https" for the parent git submodule and, also, update the
SRCREV to point to a commit where submodules are reference through a
https:// URL instead of a git:// one.
Update the expected output of the archiver test.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
scripts: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
build-appliance-image: switch SRC_URI to https protocol
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oeqa/selftest/incompatible_lic: add wayland feature check for test needing it
When run with a distro without 'wayland' DISTRO_FEATURES:
2026-04-14 17:42:00,568 - oe-selftest - INFO - FAIL: test_core_image_full_cmdline_weston (incompatible_lic.NoGPL3InImagesTests.test_core_image_full_cmdline_weston)
2026-04-14 17:42:00,568 - oe-selftest - INFO - ----------------------------------------------------------------------
2026-04-14 17:42:00,568 - oe-selftest - INFO - Traceback (most recent call last):
File ".../openembedded-core/meta/lib/oeqa/selftest/cases/incompatible_lic.py", line 153, in test_core_image_full_cmdline_weston
bitbake('core-image-full-cmdline core-image-weston')
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
AssertionError: Command 'bitbake core-image-full-cmdline core-image-weston' returned non-zero exit status 1:
...
ERROR: Nothing PROVIDES 'core-image-weston'
core-image-weston was skipped: using DISTRO 'nodistro', which is missing required DISTRO_FEATURES: 'wayland'
This is caused by core-image-weston being skipped because it needs the
wayland DISTRO_FEATURES.
Note that this is not seen in testing because nodistro has wayland
enabled by default since 2e1e7c86064 (bitbake.conf: Enable opengl ptest multiarch wayland vulkan in DISTRO_FEATURES by default, 2026-02-21)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Thu, 16 Apr 2026 10:30:59 +0000 (11:30 +0100)]
libsoup: mark CVEs which have been resolved upstream
These issues have all been fixed in the 3.6.6 release that we have, but
the CPEs are unversioned. I've contacted NIST to update the database but
until that happens we can mark them as fixed.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Thu, 16 Apr 2026 10:30:58 +0000 (11:30 +0100)]
libsoup: actually apply patches for CVE-2025-32049 and CVE-2026-1539
The patches were added to SRC_URI before inheriting gnomebase, which
does SRC_URI = "...". This means the patches were never actually part of
SRC_URI, so never applied.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade the firmware package to latest release. Add qupv3fw
firmware for qcs615 and shikra, add adreno, audio and compute
package for DELL XPS13 9345, add audioreach firmware for Glymur
and arduino monza, add ISH firmware for Intel Wildcat Lake platform,
add lenovo ish firmware for X9-15 2025, X1 Carbon (Gen 14) and
X1 2-in-1 (Gen 11).
oeqa/selftest/sstatetests: add wayland feature check for test needing it
When run with a distro without 'wayland' DISTRO_FEATURES:
2026-04-14 17:42:00,568 - oe-selftest - INFO - FAIL: test_sstate_32_64_same_hash (sstatetests.SStateHashSameSigs.test_sstate_32_64_same_hash)
2026-04-14 17:42:00,568 - oe-selftest - INFO - ----------------------------------------------------------------------
2026-04-14 17:42:00,568 - oe-selftest - INFO - Traceback (most recent call last):
File ".../openembedded-core/meta/lib/oeqa/selftest/cases/sstatetests.py", line 407, in test_sstate_32_64_same_hash
self.sstate_hashtest("i686")
~~~~~~~~~~~~~~~~~~~~^^^^^^^^
File ".../openembedded-core/meta/lib/oeqa/core/decorator/__init__.py", line 35, in wrapped_f
return func(*args, **kwargs)
File ".../openembedded-core/meta/lib/oeqa/selftest/cases/sstatetests.py", line 371, in sstate_hashtest
bitbake("core-image-weston -S none")
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
AssertionError: Command 'bitbake core-image-weston -S none' returned non-zero exit status 1:
...
ERROR: Nothing PROVIDES 'core-image-weston'
core-image-weston was skipped: using DISTRO 'nodistro', which is missing required DISTRO_FEATURES: 'wayland'
This is caused by core-image-weston being skipped because it needs the
wayland DISTRO_FEATURES.
Note that this is not seen in testing because nodistro has wayland
enabled by default since 2e1e7c86064 (bitbake.conf: Enable opengl ptest multiarch wayland vulkan in DISTRO_FEATURES by default, 2026-02-21)
Ross Burton [Tue, 14 Apr 2026 16:15:30 +0000 (17:15 +0100)]
glib-networking: backport fixes for CVE-2025-60018 and CVE-2025-60019
CVE-2025-60018:
glib-networking's OpenSSL backend fails to properly check the return
value of a call to BIO_write(), resulting in an out of bounds read.
CVE-2205-60019:
glib-networking's OpenSSL backend fails to properly check the return
value of memory allocation routines. An out of memory condition could
potentially result in writing to an invalid memory location.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns4_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns6_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns_minimal_gethostbyaddr_r' failed: symbol not defined
weston-init: set require-outputs=none to allow startup without connected display
By default, Weston exits at startup if no output connector is reported
as connected by the DRM subsystem. On platforms where displays are
connected after boot via HPD (Hot Plug Detect), this causes the weston
service to be killed during early boot and remain down until manually
restarted.
Setting require-outputs=none in the [core] section instructs Weston to
start and remain running even when no connector is active at boot time.
When a display is subsequently hotplugged and HPD is asserted, Weston
automatically picks up the new connector and brings up the output without
requiring a service restart.
kernel-fit-image: Fix support for initramfs multiconfig
In the transition from kernel-fitimage.bbclass a fix for initramfs
multiconfig was partly reverted, maybe because the default value for
INITRAMFS_DEPLOY_DIR_IMAGE is only set in kernel.bbclass and therefore
not accessible in kernel-fit-image.bbclass.
This fix introduces INITRAMFS_DEPLOY_DIR_IMAGE in kernel-fit-image.bbclass,
so initramfs multiconfig works as expected.
LLD is stricter with version scripts
This is a classic LLD vs GNU ld compatibility issue with
version scripts. LLD is stricter than GNU ld — by default
it treats unmatched version script symbols as hard
errors, whereas GNU ld silently ignores them.
What's happening is that the version script
e.g. map.pa, declares symbols like pa_glib_mainloop_new
under PULSE_0, but those symbols aren't being compiled
into the current library target.
Sunil Dora [Mon, 13 Apr 2026 07:04:57 +0000 (00:04 -0700)]
rust: enable fully static linking with TCLIBC=musl
Fixes [YOCTO #16076]
Rust binaries built with TCLIBC=musl and
-C target-feature=+crt-static were still dynamically linked.
Fix this by addressing three issues:
1) Set crt-static-respected in the generated musl target spec
so rustc honors +crt-static. [1]
2) Add the target sysroot library path to the linker flags so
libunwind.a can be found.
3) Use LLVM libunwind for musl:
- GNU libunwind does not provide static libraries in OE
and lacks required _Unwind_* symbols on some architectures [2]
- libgcc_eh depends on pthread and cannot be used for fully
static linking with musl
- LLVM libunwind provides the required symbols without
additional dependencies
Install LLVM libunwind from libcxx and switch libstd-rs
to depend on libcxx for musl.
Also remove the obsolete DEPENDS:remove:riscv32/riscv64 = "libunwind"
lines added in 2021 when riscv musl support was still being patched.
LLVM libunwind supports both riscv32 and riscv64 - verified locally.
riscv32 support was upstreamed at [3].
Add a selftest to verify that produced binaries are statically linked.
Martin Jansa [Fri, 10 Apr 2026 08:26:54 +0000 (10:26 +0200)]
dbus: use ${PN} in pkg_postinst instead of 'dbus'
All pkg_postinst in oe-core where the package name matches the recipe
name use ${PN} already.
We have a bbclass used by some recipes which does:
pkg_postinst:${PN}:append()
which works reasonably well for most of the recipes, except for dbus
where it causes:
oe-pkgdata-util: improve lookup-pkg error for RPROVIDES packages
When a package is not found by 'oe-pkgdata-util lookup-pkg', the error
message provides no guidance on what went wrong or where to look.
Improve the error message by checking the runtime-rprovides directory
for the missing package. If the package exists in RPROVIDES:
- If the provider package was generated, suggest looking up the actual
package name instead.
- If the provider package was not generated (e.g. empty package or
disabled by PACKAGECONFIG), inform the user which recipe provides it
and that it was not generated.
This helps users quickly identify the correct package name or
understand why a package is missing from their build.
Before:
ERROR: The following packages could not be found: eglibc
After:
ERROR: eglibc is in the RPROVIDES of glibc (recipe: glibc), try
looking up 'glibc' instead
Peter Marko [Tue, 14 Apr 2026 14:32:54 +0000 (16:32 +0200)]
mpg123: set status for CVE-2006-3355
This CVE has only cpe version which is considered invalid:
* cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*
This means that the fixed version is unknown and thus all versions are
considered to be vulnerable.
Since the vulnerability was fixed in old version 0.59s_r11, mark it as
fixed.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oeqa/selftest/devtool: add vulkan feature check for test needing it
When run with a distro without 'vulkan' DISTRO_FEATURES:
$ oe-selftest -r devtool.DevtoolUpdateTests.test_devtool_git_submodules
2026-04-14 14:36:57,036 - oe-selftest - INFO - test_devtool_git_submodules (devtool.DevtoolUpdateTests.test_devtool_git_submodules)
vulkan-samples is unavailable:
vulkan-samples was skipped: using DISTRO 'nodistro', which is missing required DISTRO_FEATURES: 'vulkan'
2026-04-14 14:37:13,002 - oe-selftest - INFO - ... ERROR
2026-04-14 14:37:13,002 - oe-selftest - INFO - Traceback (most recent call last):
File "/.../openembedded-core/meta/lib/oeqa/selftest/cases/devtool.py", line 1695, in test_devtool_git_submodules
self.assertIn('gitsm://', src_uri, 'This test expects the %s recipe to be a git recipe with submodules' % recipe)
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/unittest/case.py", line 1171, in assertIn
if member not in container:
^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument of type 'NoneType' is not iterable
This is caused by vulkan-samples being skipped because it needs the
vulkan DISTRO_FEATURES.
Note that this is not seen in testing because nodistro has vulkan
enabled by default since 2e1e7c86064 (bitbake.conf: Enable opengl ptest multiarch wayland vulkan in DISTRO_FEATURES by default, 2026-02-21)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replace patches 0008 and 0033 with a single consolidated patch (0041)
that fixes native build breakage.
The original patches unconditionally changed the runtime library search
base from ResourceDir to SysRoot, which breaks native/standalone builds
where SysRoot is empty (e.g., PGO bootstrap fails to find
libclang_rt.profile.a). The new patch uses SysRoot-based paths only
during cross-compilation and falls back to the upstream default
ResourceDir for native builds.
Signed-off-by: mark.yang <mark.yang@lge.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 13 Apr 2026 21:14:46 +0000 (23:14 +0200)]
ovmf: set status for CVE-2024-1298
cvelistV5 uses full tag name (edk2-stable202405) while NVD uses only
version (202405).
Since NVD CPE is not yet available, cvelistV5 marks it at not patched
yet because the string sorts after the version.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 15 Apr 2026 18:09:34 +0000 (20:09 +0200)]
kea: upgrade 3.0.2 -> 3.0.3
Solves CVE-2026-3608.
License-Update: copyright years refreshed
Release notes [1]:
Welcome to Kea 3.0.3, a vulnerability release of the stable 3.0 series.
This supersedes the previous release, version 3.0.2.
1. **Vulnerability**: We addressed an issue, which was assigned
CVE-2026-3608, where a large number of bracket pairs in a JSON payload
directed to any endpoint would result in a stack overflow, due to
recursive calls when parsing the JSON [#4275, #4288, #4387]. Since the
exploit does not require the JSON request to have the full syntax of a
valid command, it bypasses RBAC and the command filters on the
High-Availability endpoints.
2. **Security**: A null dereference is now no longer possible when
configuring the Control Agent with a socket that lacks the mandatory
socket-name entry [#4388, #4365].
3. **Permissions**: UNIX sockets are now created as group-writable
[#4398, #4260]. This allows users belonging to the group to send
commands to the UNIX sockets. In particular, it allows Stork 2.4.0 and
above to detect the Kea daemon.
Ross Burton [Wed, 15 Apr 2026 15:27:41 +0000 (16:27 +0100)]
rsync: always use the system zlib
There's nothing gained by adding an option to use the vendored zlib
apart from the chance of accidentally not using it, so remove the
PACKAGECONFIG and just explicitly depend on zlib.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 15 Apr 2026 20:14:42 +0000 (22:14 +0200)]
grub: set status for 6 CVEs fixed in 2.14
These CVEs were fixed in 2.14, however Redhat CNA does not fill any
version to CPEs.
References for fixes are in Debian security tracker:
* https://security-tracker.debian.org/tracker/CVE-2025-54770
* https://security-tracker.debian.org/tracker/CVE-2025-54771
* https://security-tracker.debian.org/tracker/CVE-2025-61661
* https://security-tracker.debian.org/tracker/CVE-2025-61662
* https://security-tracker.debian.org/tracker/CVE-2025-61663
* https://security-tracker.debian.org/tracker/CVE-2025-61664
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
projects / thirdparty / openembedded / openembedded-core.git / log
