Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For details on this new release which fixes various bugs, see:
https://github.com/bootlin/sbom-cve-check/releases/tag/v1.3.1
Also, update the LICENSE, which is now GPL-2.0-or-later instead of
GPL-2.0-only, to be compatible with the licence dependencies.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 6 May 2026 21:28:40 +0000 (23:28 +0200)]
ffmpeg: upgrade 8.0.1 -> 8.1.1
Solves CVE-2025-12343, CVE-2025-69693 and CVE-2026-40962.
Remove patches included in this release and refresh remaining patch.
Remove obsolete CVE_STATUS assignments for CVEs no longer reported as
unpatched with this new version.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Thu, 7 May 2026 19:53:38 +0000 (21:53 +0200)]
go: upgrade 1.26.2 -> 1.26.3
Upgrade to latest 1.26.x release [1]:
$ git --no-pager log --oneline go1.26.2..go1.26.3
2dc996f71b (tag: go1.26.3) [release-branch.go1.26] go1.26.3
8282c628a0 [release-branch.go1.26] cmd/go: reject sumdb response lacking module hash
3baf3eec3b [release-branch.go1.26] all: avoid unsafe StringToUTF16Ptr on Windows
0bec63330d [release-branch.go1.26] net/mail: fix quadratic consumePhrase behavior
7136366ebf [release-branch.go1.26] cmd/go: invalidate test cache when -coverpkg dependencies change
722b68ceca [release-branch.go1.26] cmd/compile: keep blank nodes alive in b.loop
3ae315a8cd [release-branch.go1.26] os: avoid panic when RemoveAll fails to remove a symlink
c9f97f50c4 [release-branch.go1.26] html/template: fix escaping of URLs in meta content attributes
40fa774fff [release-branch.go1.26] cmd/pack: refuse to extract files with directory components
d9389d318b [release-branch.go1.26] net/mail: fix quadratic complexity in consumeComment
dd29b59a2b [release-branch.go1.26] cmd/compile: fix loopvar version detection with line directives
18fa391f45 [release-branch.go1.26] crypto/fips140: add package docs
e0f5c054cb [release-branch.go1.26] net: avoid double-free of cgo pointer when handling large DNS response
2992086cf8 [release-branch.go1.26] lib/fips140: add certified pointing to v1.0.0-c2097c7c
f43caf8712 [release-branch.go1.26] lib/fips140: update inprocess to v1.26.0
19d2ce3401 [release-branch.go1.26] runtime: fix timespec definition on 32bits systems
e9df527f06 [release-branch.go1.26] crypto/tls: wrap ML-KEM hybrids in fips140.WithoutEnforcement
73f417a37c [release-branch.go1.26] go/types, types2: handle unconstrained type parameters correctly in a few places
50856a181c [release-branch.go1.26] cmd/go: use MkdirTemp to create temp directory for "go bug"
e137885d68 [release-branch.go1.26] cmd/compile/internal/devirtualize: use pointer identity for type comparison
c9712872cc [release-branch.go1.26] crypto/internal/fips140/drbg: build tag out entropy generation on Wasm
cb994d85ff [release-branch.go1.26] cmd/fix: change -diff to exit 1 if diffs exist
95470667eb [release-branch.go1.26] net/http/httputil: reencode queries with many parameters in proxy
9b01c04815 [release-branch.go1.26] html/template: fix escaper bypass by treating empty script type as JavaScript
be12fe151c [release-branch.go1.26] runtime: use uname version check for 64-bit time on 32-bit arch codepaths
ec5ebece41 [release-branch.go1.26] all: update x/net to 705de46f
710f29a758 [release-branch.go1.26] runtime: add sysUnreserve to undo sysReserve
efdc0fb354 [release-branch.go1.26] cmd/compile: handle min integer step in loop
ba4554f03b [release-branch.go1.26] cmd/go: specify full path to go command when running go tool covdata
f4e425d342 [release-branch.go1.26] fix incorrect loop trip counts
0b4d5f85e6 [release-branch.go1.26] cmd/link: use bfd ld 2.36+ on linux/arm64 instead of gold
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
features-check.bbclass: add reference to required TUNE_FEATURES
While commit a8ef7339ecb9eee909224e7cf23ccd48ef105d93 added the
string 'TUNE' to add support for checking required TUNE_FEATURES,
the comment was not adjusted appropriately.
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Fri, 8 May 2026 06:46:05 +0000 (07:46 +0100)]
utils: Handle unexpanded variables in DISTRO_FEATURES
If you have an unset variable in DISTRO_FEATURES, very strange things appear to
happen. Currently, this shows up as seccomp appearing in PACKAGECONFIG for
gnutls-native which isn't what the user configured.
The issue happens if you have a variable in DISTRO_FEATURES which cannot be
expanded.
Add some code to detect, warn and work around such a thing. Create a function to
allow this to be done in one place.
[YOCTO #16275]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
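The detect-warn-and-work-around logic the commit above describes, written as an added stand-alone example (not the oe-core change itself, which lives in BitBake/OE's own utils). It assumes a plain space-separated feature string, the hypothetical helper names split_features() and contains(), and that an unexpanded reference still looks like "${VAR}" after expansion:

```python
import re

# A BitBake variable reference that survived expansion, e.g. "${MY_FEATURES}".
# Constructed for this example; BitBake's own parser is not used here.
_UNEXPANDED = re.compile(r"\$\{[^}]*\}")


def split_features(value, warn=print):
    """Split a feature string such as DISTRO_FEATURES into clean tokens.

    Any token that still carries an unexpanded ${VAR} reference is reported
    through warn() and dropped, so that a later feature check never compares
    against the literal text "${VAR}" instead of the features the user meant.
    """
    features = []
    for token in value.split():
        if _UNEXPANDED.search(token):
            warn("unexpanded variable reference %r in feature list, ignoring it"
                 % token)
            continue
        features.append(token)
    return features


def contains(value, check, truevalue, falsevalue):
    """Hypothetical stand-in for bb.utils.contains(): returns truevalue only
    when every feature named in `check` is present in `value`, ignoring any
    unexpanded references via split_features()."""
    present = set(split_features(value, warn=lambda _msg: None))
    wanted = set(check.split())
    return truevalue if wanted.issubset(present) else falsevalue


if __name__ == "__main__":
    # Constructed sample: the second token is an unset variable that was never
    # expanded, the kind of input the commit says produced strange results.
    sample = "acl ipv6 ${UNSET_EXTRA_FEATURES} systemd"
    print(split_features(sample))
    print(contains(sample, "seccomp", "seccomp", ""))
```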
Changqing Li [Sat, 9 May 2026 05:01:29 +0000 (13:01 +0800)]
gstreamer1.0-plugins-bad: disable vulkan when x11/wayland not enabled
When vulkan is enabled in DISTRO_FEATURES without x11 or wayland,
do_configure will fail with error:
gst-libs/gst/vulkan/meson.build:311:4: ERROR: Problem encountered: No Windowing system found. vulkansink will not work
Disable vulkan in PACKAGECONFIG when x11 and wayland are not enabled.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pratik Farkase [Fri, 8 May 2026 14:42:19 +0000 (16:42 +0200)]
go: ptest: fix GOROOT detection and improve cleanup/exit handling
Changes:
- Derive GOROOT dynamically from PTEST_DIR instead of hardcoding
/usr/lib/go, which breaks on distros using lib64.
- Track and clean up VERSION and pkg/include files that were copied
into GOROOT, preventing stale artifacts after ptest runs.
- Track failures with RC variable and exit non-zero when tests fail,
consistent with other ptest scripts.
Richard Purdie [Thu, 7 May 2026 12:16:44 +0000 (13:16 +0100)]
kernel: Disable module deploy tarball by default
These module tarballs were once useful for certain development workflows. They
are not that useful when deployed in CI, taking up space as release artefacts.
Not generating them by default saves time/space, and users who need/use them can
enable them; this makes more sense as a modern default.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Sun, 10 May 2026 09:26:34 +0000 (11:26 +0200)]
busybox: patch CVE-2024-58251
Pick patch applied by Debian [1].
I did not find any reference on busybox mailing list that this patch was
submitted. Submitting patch for someone else would be inappropriate,
and busybox is currently known to be very inactive, hence the unwanted
Pending Upstream-Status status.
Also note that the related busybox bugreport [2] is currently not
public, so it is possible that it was submitted there.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Daniel McGregor [Thu, 30 Apr 2026 19:51:20 +0000 (13:51 -0600)]
python3-requests: update to 2.33.1
OE Core includes chardet 6.0, while requests warns for any version
greater than or equal to 6.0. requests > 2.33 supports chardet up
to version 8, so import the new release.
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
An empty runtime-provides directory caused lookup-recipe, package-info
and list-pkg-files to skip the runtime-reverse fallback.
Use os.listdir() to ensure the folder is not empty and use
os.path.isdir() to ensure it is not a file.
Signed-off-by: Sam Kent <sam.john.kent@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Tue, 5 May 2026 09:46:01 +0000 (11:46 +0200)]
perf: make libraries for install_headers configurable
Older kernels don't support install_headers for all libraries.
For instance kernel 6.1 fails for two (api and symbol) with:
make: *** No rule to make target 'install_headers'. Stop.
Also sort the list when moving to variable.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Andrew Geissler [Tue, 5 May 2026 14:36:54 +0000 (09:36 -0500)]
efivar: Backport patch to fix -march issue for ppc64le
Backport upstream commit 9711b8aa5acc to fix compilation errors on ppc64le
architecture. The issue occurs because GCC on ppc64le does not recognize the
'-march=native' option and suggests using '-mcpu=native' instead.
Ivan Nestlerode [Mon, 4 May 2026 21:28:43 +0000 (17:28 -0400)]
glibc: Fix recipe bug that disabled stack protector
Fixes [YOCTO #16265]
The glibc recipe is supposed to be building with
--enable-stack-protector=strong, but some CACHED_CONFIGVARS values are
actually breaking this, causing glibc to be built with no stack
protector at all.
Remove these CACHED_CONFIGVARS values so that stack protector support is
detected properly in do_configure and then enabled properly during
do_compile.
Full details are here:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=16265
Signed-off-by: Ivan Nestlerode <ivan.nestlerode@sonos.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pratik Farkase [Wed, 6 May 2026 12:43:29 +0000 (14:43 +0200)]
go: ptest: improvements and multiple fixes in golang ptest
Summary of Changelog:
- run-ptest permanently modified the installed GOROOT by symlinking src/
and copying files without cleanup, corrupting the Go installation
- Sub-package skip regex used exact match (^pkg$) so subpackages like
net/http/httptest and runtime/debug were not skipped and would fail
- Test output was completely suppressed (>/dev/null 2>&1), making
failures impossible to diagnose
- go was missing from RDEPENDS, allowing ptest to be installed without
the toolchain it needs
- bash was in RDEPENDS despite the script using #!/bin/sh with no
bash-isms
- file://run-ptest was in the shared .inc, affecting go-cross and
go-native which don't inherit ptest
- cp pkg/include/* would fail if the directory was empty
Fix by saving/restoring GOROOT/src, using (/|$) in the skip regex,
printing output on failure, correcting RDEPENDS, moving run-ptest to
the target .bb, and guarding the glob.
Tested on qemux86-64: all tests pass, 0 failures (~63 min).
Signed-off-by: Pratik Farkase <pratik.farkase@est.tech>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
u-boot-tools: drop the hardlink workaround in do_compile
This workaround initially considered a host running git < v2.14, which
does not look realistic if we consider the fairly recent distros in
SANITY_TESTED_DISTROS.
Even in older build machines/distros, one can use buildtools to provide git:
$ ./x86_64-buildtools-extended-nativesdk-standalone-5.0.sh
(...)
$ which git
(...)/buildtools/sysroots/x86_64-pokysdk-linux/usr/bin/git
$ git --version
git version 2.44.0
It is harmless, but still a bit outdated, so remove it.
[RP: the earliest git version on our test builders is ~2.33 so no distros
we currently support would run into this]
Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 4 May 2026 19:52:44 +0000 (21:52 +0200)]
libssh2: patch CVE-2026-7598
Pick patch mentioned in both NVD and Debian report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 4 May 2026 19:52:43 +0000 (21:52 +0200)]
sudo: patch CVE-2026-35535
Pick patch mentioned in both NVD and Debian report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Wed, 6 May 2026 15:13:45 +0000 (16:13 +0100)]
harfbuzz: upgrade 12.3.2 -> 14.2.0
Highlights from 13.0.0:
- New public hb-vector API for vector output of glyph outlines. The only
supported output format currently is SVG.
- New public hb-raster API for rasterizing glyphs to A8 / BGRA32 images.
Highlights from 13.1.0:
- The harfbuzz-raster library can now render bitmap color glyph formats
(CBDT and sbix). It now also has an API to serialize / deserialize
images to and from PNGs. This new functionality requires libpng, and
will not be available if HarfBuzz is built without libpng.
- Install hb-raster command line utility.
Highlights from 13.1.1:
- Support gzip-compressed SVG glyphs in harfbuzz-raster
and harfbuzz-vector libraries. This new functionality requires zlib,
and will not be available if HarfBuzz is built without zlib.
Highlights from 14.0.0:
- New libharfbuzz-gpu library: GPU text rasterization based on the Slug
algorithm by Eric Lengyel. Encodes glyph outlines on the CPU into
compact blobs that the GPU decodes and rasterizes directly in the
fragment shader, with no intermediate bitmap atlas.
Add PACKAGECONFIGs for the new auxiliary libraries and optional
dependencies. This includes the new option for the subset library, which
is enabled by default to preserve existing behaviour.
Based on work by Wang Mingyu <wangmy@fujitsu.com>.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Wed, 6 May 2026 15:13:44 +0000 (16:13 +0100)]
harfbuzz: improve packaging
Harfbuzz is a core library that has minimal dependencies
(libharfbuzz.so) and a number of auxiliary libraries that perform
specific functions, such as libharfbuzz-subset (generate font subsets)
and libharfbuzz-cairo (Cairo rendering).
Add a missing PACKAGECONFIG for the GObject option and organise the list
of options into logical groups to reflect what they do.
As the number of auxiliary libraries is growing, stop doing the library
packaging by hand and instead simply use do_split_packages to pull every
auxiliary library into its own package. This removes the cairo and
libgobject dependencies from the main package as they're now in separate
packages.
Stop packaging the headers and library symlinks into separate packages
and put them all into harfbuzz-dev. This ensures that if the dev headers
are requested, they are all installed.
Update the homepage and bugtracker links to reflect the current URLs.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Moritz Haase [Thu, 30 Apr 2026 09:26:36 +0000 (11:26 +0200)]
devtool: Disable gpg signing when setting up source tree repos
This stops 'devtool modify foo' from failing with an error message like
ERROR: Execution of 'git -c user.name=\"OpenEmbedded\" -c
user.email=\"oe.patch@oe\" commit -q -m "Initial commit from upstream at
version 1.90.0"' failed with exit code 128:
error: cannot run ssh-keygen: No such file or directory
error:
fatal: failed to write commit object
when GPG signing is enabled in the git configuration.
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Briefly:
British Columbia moved to permanent -07 on 2026-03-09.
Some more overflow bugs have been fixed in zic.
Changes to future timestamps
British Columbia’s 2026-03-08 spring forward was its last
foreseeable clock change, as it moved to permanent -07 thereafter.
(Thanks to Arthur David Olson.) Although the change to permanent
-07 legally took place on 2026-03-09, temporarily model the change
to occur on 2026-11-01 at 02:00 instead. This works around a
limitation in CLDR v48.2 (2026-03-17). This temporary hack is
planned to be removed after CLDR is fixed.
Changes to code
zic no longer mishandles a last transition to a new time type.
zic no longer overflows a buffer when generating a TZ string like
"PST-167:59:58PDT-167:59:59,M11.5.6/-167:59:59,M12.5.6/-167:59:59",
which can occur with adversarial input. (Thanks to Naveed Khan.)
zic no longer generates a longer TZif file than necessary when
an earlier time zone abbreviation is a suffix of a later one.
As a nice side effect, zic no longer overflows a buffer when given
a long series of abbreviations, each a suffix of the next.
(Buffer overflow reported by Arthur Chan.)
zic no longer overflows an int when processing input like ‘Zone
Ouch 2147483648:00:00 - LMT’. The int overflow can lead to buffer
overflow in adversarial cases. (Thanks to Naveed Khan.)
Instead of returning a dict of key:value pairs, return a dict of key to
list of values and update the callers to take the first element in the
list where a single value is expected (such as the description).
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Wed, 29 Apr 2026 16:48:19 +0000 (17:48 +0100)]
linux-firmware: split out MediaTek mt7996 firmware
The firmware for the MT7996/MT7992/MT7990 devices that use the mt7996e
driver comes to 13MB. Split it out of the -mediatek catch-all as that
accounts for over 20% of the firmware:
linux-firmware: PACKAGES: added "linux-firmware-mt7996"
linux-firmware/linux-firmware-mediatek: PKGSIZE changed from 61848181 to 49149973 (-21%)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Wed, 29 Apr 2026 16:48:18 +0000 (17:48 +0100)]
linux-firmware: delink some tegra firmware to avoid pulling in full nvidia firmware
Some Nvidia firmware is shared between products but the symlinks cross
product/driver boundaries, resulting in the -nvidia-tegra package
depending on the ~150MB -nvidia-gpu package for a few 10kb files.
If we replace the symlinks with the actual content of the files then this
dependency disappears.