Since llama.cpp update in Buildroot commit [1], the test_aichat can
fail for several reasons:
The loop checking for the llama-server availability can fail if curl
succeed, but the returned json data is not formatted as expected.
This can happen if the server is ready but the model is not completely
loaded. In that case, the server returns:
{"error":{"message":"Loading model","type":"unavailable_error","code":503}}
This commit ignore Python KeyError exceptions while doing the
server test, to avoid failing if this message is received.
Also, this new llama-server version introduced a prompt caching, which
uses too much memory. This commit completely disable this prompt
caching by adding "--cache-ram 0" in the llama-server options.
[1] 05c36d5d87
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://github.com/ggml-org/llama.cpp/releases
Merge BR2_PACKAGE_LLAMA_CPP_SERVER into BR2_PACKAGE_LLAMA_CPP_TOOLS, as
both of these options must be enabled to build tools like llama-cli and
llama-server. See upstream commit [1].
Since the Buildroot option BR2_PACKAGE_LLAMA_CPP_SERVER is removed, this
commit also removes it from support/testing/tests/package/test_aichat.py
which was using it.
[1] a180ba78c7
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Julien:
- reindent options in .mk
- remove BR2_PACKAGE_LLAMA_CPP_SERVER in test_aichat.py
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
drm_info is a small utility to dump info about DRM devices.
Link: https://gitlab.freedesktop.org/emersion/drm_info
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Julien:
- sort selected packages in Config.in alphabetically
- remove comment for license in hash file
- move "v" from _VERSION to _SITE
- switch _SITE to use gitlab release archives and add _SOURCE
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fix a silent build issue with the host-bootgen package if host-flex is already
built. The host-flex package will install a version of the flexlexer.h header
file that is not compatible with the version embedded in bootgen.
While the build will still 'succeed', the binary will not be correct. This
can be seen by just running the binary that is built. By default, running
bootgen without any parameters should print the help menu, but if the wrong
version of flexlexer.h is used, it will print the following instead:
$ output/host/bin/bootgen
****** Bootgen v2025.1-Merged
**** Build date : Mar 18 2026-07:08:01
** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
** Copyright 2022-2025 Advanced Micro Devices, Inc. All Rights Reserved.
ERROR: syntax error
-h
Add a patch to the bootgen package that corrects the issue.
Upstream: CR to AMD jira
Signed-off-by: Neal Frager <neal.frager@amd.com>
Tested-by: Steven J. Hill <steven.hill@collins.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Backport a patch from Xen 4.21 to fix the following build errors for Arm v7
with gcc-15:
xen-4.14.6/xen/include/asm/platforms/midway.h:1: error: header guard '__ASM_ARM_PLATFORMS_MIDWAY_H' followed by '#define' of a different macro [-Werror=header-guard]
xen-4.14.6/xen/include/asm/platforms/omap5.h:1: error: header guard '__ASM_ARM_PLATFORMS_OMAP5_H' followed by '#define' of a different macro [-Werror=header-guard]
Since the external 32b arm toolchain has been updated to a version based on
gcc-15, the tests.package.test_xen.TestXenArmv7 python test does not build
anymore.
Adding the patch repairs it.
Link: https://gitlab.com/buildroot.org/buildroot/-/jobs/13518318473
Fixes: 86d453a7dc ("toolchain/toolchain-external/toolchain-external-arm-arm: bump to 15.2.rel1")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Alistair Francis <alistair@alistair23.me>
Cc: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add myself to packages recently orphaned which I am going to continue.
Signed-off-by: Manuel Diener <manuel.diener@oss.othermo.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python setuptools has removed the obsolete pkg_resources python module in
v82.0.0. This module is used by the binman command in U-Boot until
v2025.10.
Since the python-setuptools package has been updated to v82.0.0 in
Buildroot, the imxrt1050-evk_defconfig (using U-Boot v2025.07 and
binman) fails to build with the following error [1]:
ModuleNotFoundError: No module named 'pkg_resources'
Update the defconfig to use a more recent U-Boot v2026.01, to fix the
build and at the same time bump Linux to version 6.18.18.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/13476922027
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: fix defconfig name in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- bumps the Linux kernel to 6.18.18
- bumps the U-Boot to 2026.01
- switches to a stable glibc Bootlin external toolchain
- enables force hashes check
- enlarge the rootfs size to 256M
The updated U-Boot should also fix the CI build of the board.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/13458392713
Run-tested on the board.
Signed-off-by: Dong Wang <wangdong115@foxmail.com>
[Julien:
- remove .checkpackageignore entry to fix check-package error
- move uboot.hash in its correct directory
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- bumps the Linux kernel to 6.18.18
- bumps the U-Boot to 2026.01
- switches to a stable glibc Bootlin external toolchain
The updated U-Boot should also fix the CI build of the board.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/13458392712
Run-tested on the board.
Signed-off-by: Dong Wang <wangdong115@foxmail.com>
[Julien: add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This feature was made optional in mesa3d 25.2.0 as it is deprecated,
however some packages still require it so lets add a new config
option that those packages can select until they no longer require
this feature.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Add 'source' attribute to each CVE in vulnerabilities node, including NVD
URL reference to enable proper import into Dependency-Track.
Dependency-Track's VEX importer requires the source attribute to
properly process vulnerability entries. Without it, vulnerabilities are
skipped during import with "does not have an ID and / or source" warnings.
Include the full NVD URL following the CycloneDX 1.6 documentation format:
https://nvd.nist.gov/vuln/detail/{CVE-ID}
Test Environment:
- Buildroot: 2025.02.11 (or master)
- Dependency-Track: v4.13.6
Test Results - BEFORE (without source attribute):
apiserver_1 | 2026-02-23 16:05:40,890 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #0 does not have an ID and / or source; Skipping it
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #1 does not have an ID and / or source; Skipping it
...
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #19 does not have an ID and / or source; Skipping it
apiserver_1 | 2026-02-23 16:05:40,941 INFO [CycloneDXVexImporter] The uploaded VEX does not contain any applicable vulnerabilities; Skipping VEX import
Test Results - AFTER (with source):
apiserver_1 | 2026-02-23 16:17:13,492 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
apiserver_1 | 2026-02-23 16:17:14,054 INFO [VexUploadProcessingTask] Completed processing of CycloneDX VEX for project: e43fe185-c0a3-4e3a-a908-667344a66a9c
CVEs are correctly imported in Dependency-Track
Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
Acked-By: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The 2025.11.x series was dropped with the 2026.02 release, so
(temporarily) re-add it. It will be dropped again with the 2026.02.1
release.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Following changes made it into the release:
Joris van Rantwijk (1):
Fix adjtimex() with TIME64
Waldemar Brodkorb (8):
sys/stat.h: remove _STAT_VER/_MKNOD_VER
fix gettid() declaration
add statx syscall wrapper
sparc: add optimize build support for leon3
sparc: sync with Linux kernel definition, fixes gdb compile
fix compile error on earlier Kernels predating statx
select: fix compilation failure with very old kernel
bump version for 1.0.57 release
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
uclibc 1.0.57 added a statx() syscall wrapper in upstream commit [1].
zfs fail to build with uclibc 1.0.57 (not yet in Buildroot), because:
1. uclibc <fcntl.h> internally includes <sys/stat.h>, and
2. a zfs test redefines a statx() wrapper with a slightly different
prototype.
In that case, zfs fails to compile with error:
tests/zfs-tests/cmd/statx.c:58:1: error: conflicting types for 'statx'; have 'int(int, const char *, int, unsigned int, void *)'
Issue has been reported upstream at [2].
This commit adds a package patch to fix that issue.
[1] d3a819aff2
[2] https://github.com/openzfs/zfs/pull/18316
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python setuptools has removed the obsolete pkg_resources python module in
v82.0.0. This module is used by the binman command in U-Boot until
v2025.10.
Since the python-setuptools package has been updated to v82.0.0 in
Buildroot, the iot-gate-imx8_ebbr_defconfig (using U-Boot v2025.07 and
binman) fails to build with the following error [1]:
ModuleNotFoundError: No module named 'pkg_resources'
Update the defconfig to use a more recent U-Boot v2026.01, to fix the
build.
Link: https://gitlab.com/buildroot.org/buildroot/-/jobs/13476922237 [1]
Fixes: 51365ff063 ("package/python-setuptools: bump to version 82.0.0")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
[Julien: update custom uboot.hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python setuptools has removed the obsolete pkg_resources python module in
v82.0.0. This module is used by the binman command in U-Boot until
v2025.10.
Since the python-setuptools package has been updated to v82.0.0 in
Buildroot, the python test tests.boot.test_atf.TestATFAllwinner (using
U-Boot v2023.10 and binman) fails to build with the following error [1]:
ModuleNotFoundError: No module named 'pkg_resources'
Update test_atf to use a more recent U-Boot v2026.01 (and add the
dependency on GNU TLS), to fix the build.
Link: https://gitlab.com/buildroot.org/buildroot/-/jobs/13500946337 [1]
Fixes: 51365ff063 ("package/python-setuptools: bump to version 82.0.0")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Upstream removed the old license file
772c03afe1
and added a new one
5634c661b8
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: remove LICENSE.txt entry in hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the ARM external toolchain to the latest 15.2.rel1
release from ARM.
This involves:
- Updating the version, site URL, and source filename in .mk
- Updating the SHA256 hash in .hash
- Updating the display name and GCC version dependency in Config.in
Verified by booting on a default Qemu configuration.
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the ARM aarch64-be external toolchains to the latest 15.2.rel1
release from ARM.
This involves:
- Updating the version, site URL, and source filename in .mk
- Updating the SHA256 hash in .hash
- Updating the display name and GCC version dependency in Config.in
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
[Julien: add newline at end of file to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the ARM aarch64 external toolchain to the latest 15.2.rel1
release from ARM.
This involves:
- Updating the version, site URL, and source filename in .mk
- Updating the SHA256 hash in .hash
- Updating the display name and GCC version dependency in Config.in
Verified by booting on a default Qemu configuration.
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host mkfs.xfs is needed to create XFS root filesystems
in Buildroot.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Remove incorrect $BINARIES_DIR reference from the symbolic link creation to
make a relative path and not an absolute path.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Backport upstream patches to fix a silent crash in U-Boot on
STM32MP135F-DK.
Fixes:
799d184e89
Signed-off-by: Thomas Richard <thomas.richard@bootlin.com>
[Romain: add Fixes link]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Specifying a list of br2-external trees is poorly documented, and the
only example uses a colon to separate the br2-external paths.
Adding the support for colon-separated list is the biggest mistake that
was made when introducing support for multiple br2-external [0]. Indeed,
both space and colon can be used to separate entries in the list, and it
is also possible to mix the two. However, internally, the list is stored
as a space-separated list, and all the code will split on spaces.
Besides, all other lists in Buildroot are a space-separated:
BR2_ROOTFS_DEVICE_TABLE
BR2_ROOTFS_STATIC_DEVICE_TABLE
BR2_TARGET_TZ_ZONELIST
BR2_ROOTFS_USERS_TABLES
BR2_ROOTFS_OVERLAY
BR2_ROOTFS_PRE_BUILD_SCRIPT
BR2_ROOTFS_POST_BUILD_SCRIPT
BR2_ROOTFS_POST_FAKEROOT_SCRIPT
BR2_ROOTFS_POST_IMAGE_SCRIPT
...
So, using colons is odd.
The fact that BR2_EXTERNAL is passed on the command line rather than
being a Kconfig item is not a reason enough to justify that it be
colon-separated.
Change the documentation to only mention using a space-separated list.
Of course, for backward compatibility, we keep the code as-is to accept
a colon-separated list, but we just do not advertise it.
Note that keeping the split on colons means that colons are not accepted
in pathnames of br2-external trees; in practice, this is not a new
restriction, or one that could lift as usign colons in Makefiles are
problematic anyway.
[0] in 20cd497387 core: add support for multiple br2-external trees
Reported-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Reported-by: Brandon Maier <Brandon.Maier@collins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Boring changes: either do what shellcheck suggested, or comment why we
don't want to fix the code.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The trap was initially introduced in c5fa9308ea (core/br2-external:
properly report unexpected errors), in 2017, to catch all unexpected
errors, back when a single file was generated, and errors emitted to
stderr.
Since commit d027cd75d0 (core: generate all br2-external files in
one go), in 2019 the single output file 'ofile' is no longer created,
as multiple output files were then introduced, while messages for
*expected errors* were redirected to a Makefile variable assignment
emitted on stdout, at which point the script just exits (in error);
expected failures only occur in do_validate().
Unexpected errors can only occur on failure to create, or write to,
output files, either '.br2-external.mk' in do_validate() or do_mk(),
or any of the kconfig fragments in do_kconfig(). Cause for failure to
create those can only be a no-space-left-on-device condition, as they
are created in a directory that was just created by the script earlier
in main(), and thus has the necessary mode; failure to create that
directory is now caught explicitly.
A trap on ERR is not called when the shell exits explicitly with a call
to 'exit', thus, only failures to create or write to output file would
be caught. In that case, we are better off not trying to write to those
files anyway: failure to create the file would already be reported by
the shell on stderr, while disk-full would not allow to store the output
anyway...
In any case, the script exits in error, which is going to be caught by
the caller, which will terminate.
So, drop the trap altogether.
As a side effect, that squelches a shellcheck error.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
That plugin can be used instead of the builtin support to persist the
mosquitto state across restarts.
Note that this plugin has a dependency, so we don't use the $(if)
one-liner.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Until version 2.0.x, support for using static password or ACL files, was
builtin to the broker. With version 2.1.x, two new plugins have been
introduced to replace the builtin support, which is now deprecated and
will get removed in the next version.
Add two new configuration options for those plugins.
We decided to do a single commit, rather than one per option, because
they are relatively tied together (ACL needs passwords, at least).
We also choose to make those options enabled by default, because the
traditional way to configure mosquitto is to use static files for
authentication and authorization, and the builtin support if now
deprecated in favour for the plugins.
The usual ifeq-else-endif conditional block is a bit verbose when just
setting an option ON or OFF, when no additional dependency is needed.
Instead, use the not-unusual $(if)-inline one-liner. For consistency,
switch the existing dynamic-security plugin to use that one-liner too.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The mosquitto broker (not the library) can have listeners configured to
serve HTTP requests; it can optionally accept (some) HTTP API requests
on such listeners.
Add a new option to enable the availability of http_pi.
Note that we do not just depend on libmicrohttpd to be enabled, because
the HTTP API is a security boundary, and enabling it must be an explicit
decision.
Co-developped-by: Titouan Christophe <titouan.christophe@mind.be>
[yann.morin@orange.com: make it an explicit option]
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Mosquitto 2.1.x adds the possibility to use a builtin websocket
implementation, as an alternative to using libwebsockets.
When using libwebsockets as the implementation, only the broker supports
websockets, and CLI tools do not; only when using the builtin one are
websockets usable with CLI tools (and the broker, of course).
Add a choice to select what type of websockets support to enable, if
any. Since the builtin implementation is still new, we keep the
libwebsockets one available.
Since this inverts the dependency logic to libwebsockets, we can't
provide a backward compatibility with existing (def)config files.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
mosquitto_{ctrl,db_dump,passwd,signal} can be handy to interact with
the mosquitto broker during development, but are usually unnecessary
on the target.
Add an option to enable or disable them. Make that new option enabled
by default when the broker is enabled, to keep backward compatibility
with previous (def)config files.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Fiona Klute <fiona.klute@gmx.de>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
mosquitto_pub/sub/rr can be handy to test a broker from the command
line, but they can get superfluous when only the broker is required
on the target.
Add an option to enable or disable them. Make that new option enabled
by default to keep backward compatibility with previous (def)config
files.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Version 2.1.x has introduced a cmake-based build, and upstream strongly
recomends using it over the legacy Makefiles, which will ultimately be
retired.
So we do the switch, which cause quite some noise in the .mk file, but
at the same time allows for a bit of cleanup in the build process, as we
can now use the cmake-package infra.
Mosquitto now wants to peek into the malloc() internals for memory
tracking, and that only works on systems with an MMU (uClibc-ng does not
expose it for noMMU builds, as it's part of its malloc-standard
implementation).
Static-only builds are broken, even when only building the library. This
seems beyond a simple repair, so just require shared libs now (since
we're requiring an MMU as well, requiring shared libs is not too much of
an additional burden).
cJSON is now a required dependency, used in common parts of the code
(not just for the plugins).
There are a few options that we forcibly disable; they'll get addressed
in followup patches.
There are still a few build failures that are difficult to account for
(except):
$ printf 'BR2_PACKAGE_MOSQUITTO=y\n' >mosq.cfg
$ ./utils/docker-run ./utils/test-pkg -d $(pwd)/run-tests -c mosq.cfg -p mosquitto
br-arm-full-static [5/6]: FAILED
=> old uClibc-ng, would need __GNU_SOURCE (with dunder) to define
getrandom(); no longer needed since uClibc-ng 1.0.50; would need
openssl otherwise
bootlin-aarch64-glibc-old [6/6]: FAILED
=> really old glibc, missing getrandom(); would need openssl
Drop our existing patches, they've either been applied upstream, or are
no longer needed. Add new patches to fix various build issues
(submission upstream pending the signature of the CLA..,).
Thanks a lot to Titouan for providing his initial work on the update!
Some of his findings ended up in this patch. 👍
Note: by lack of a trusted path back to the PGP key that signed the
archive, the comment was dropped, as checking a signature without a
trust-chain does not make much sense...
Co-developped-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
[Romain: remove "mosquitto broker" comment for static builds]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Updating the hash of the WHENCE file, due to firmware additions and
firmware changes, but no changes to the redistribution/licensing
conditions.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://curl.se/ch/8.19.0.htmlhttps://curl.se/docs/security.html
Fixes the following CVEs:
CVE-2026-3805: use after free in SMB connection reuse
CVE-2026-3784: wrong proxy connection reuse with credentials
CVE-2026-3783: token leak with redirect and netrc
CVE-2026-1965: bad reuse of HTTP Negotiate connection
Switch to sha256 tarball hash provided by upstream.
Updated license hash due to copyright year bump:
e83c82f05f
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add back pgp signature info in hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Building Go 1.26 and later requires Go 1.24.6 or later for bootstrap.
To support this we use Go version 1.25.8 as the version for
go-bootstrap-stage5 and have the build for Go 1.26.1 depend on
go-bootstrap-stage5.
Go version 1.25.8 is the latest Go version we can build using
go-bootstrap-stage4.
The package build for go-bootstrap-stage5 is effectively identical to
go-bootstrap-stage4 with only the Go version and stage number changed.
Go 1.28 is expected to require a minor release of Go 1.26 for bootstrap.
Fixes the following security vulnerabilities:
- CVE-2026-25679: net/url: reject IPv6 literal not at start of host
- CVE-2026-27142: html/template: URLs in meta attribute actions not escaped
- CVE-2026-27137: crypto/x509: incorrect enforcement of email constraints
- CVE-2026-27138: crypto/x509: panic in name constraint checking: certificates
- CVE-2026-27139: os: FileInfo can escape from a Root
For full release notes, see:
https://go.dev/doc/devel/release#go1.26.0
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit switches the aarch64_efi_defconfig to an external glibc
stable Bootlin toolchain, to follow recommendation from [1].
Since an external toolchain is used, the linux-headers.hash custom
hash file is no longer needed and is removed.
[1] https://elinux.org/Buildroot:DeveloperDaysELCE2024#Rules_for_defconfigs
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from 6.10 to 6.18.16
- updates U-Boot from 2024.07 to 2026.01
- updates arm-trusted-firmware from v2.11 to v2.12 LTS
- switches to Bootlin external glibc stable toolchain
Replace OP-TEE TEE binary file tee-pager_v2.bin by tee-raw.bin using
the new option BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE_RAW_BIN.
Remove unsued linux-headers.hash since we now use a prebuilt toolchain.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Replace OP-TEE TEE binary file tee-pager_v2.bin by tee-raw.bin using
the new option BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE_RAW_BIN.
Remove unsued linux-headers.hash since we use a prebuilt toolchain.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
There was a previous attempt in commit [1] to bump the kernel to 6.18
but the SD card failed at boot. It seems the actual issue is related to
the "cheap" (or fake?) SD card with SD UHS SDR50 speed.
This offending SD card come from a lot recently purchased in order to
fix my “Too many boards, not enough SD cards” issue.
[1] 4abb8a98b2
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit [1] update arm-trusted-firmware to v2.12 LTS without
removing the custom file hash.
While at it, remove unused linux-headers.hash since we already use a
prebuilt toolchain.
[1] 4abb8a98b2
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This defconfig use BR2_TARGET_UBOOT_CUSTOM_MAKEOPTS to provide the path
to the TEE in raw binary format but use the legacy file name
"tee-pager_v2.bin" rather than the recommended "tee-raw.bin" [1][2].
Instead of just replacing the file name, use the newly introduced
BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE_RAW_BIN option. Since this option
needs BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE, we now have an explicit
dependency between u-boot and optee-os package.
Previously we had an indirect dependency: optee-os <- ATF <- u-boot
with both BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE and
BR2_TARGET_UBOOT_NEEDS_ATF_BL31 options enabled at the same time.
[1] 376cb124dd
[2] 4e0b8238ee
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
OP-TEE generates a few binaries that can be used by u-boot on some
platforms (Rockchip, Texas Instruments K3) using TEE variable.
Add a link to the OP-TEE documentation were we can find easily the
desciption for each TEE format that can be used by u-boot.
For convenience, copy tee.elf and tee.bin description in each option
choice help text.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Remove myself from packages that I'm no longer personally interested in.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Subproject tarballs are not provided anymore:
https://discourse.llvm.org/t/llvm-22-1-0-released/89950
"Please note since the last release the subproject tarballs have been
removed"
https://discourse.llvm.org/t/rfc-do-something-with-the-subproject-tarballs-in-the-release-page/75024/14
Used upstream tarball llvm-project-22.1.0.src.tar.xz for all packages
and linked subproject hash files to ../llvm-project.hash.
Removed patches which fix build errors caused by subproject tarballs.
Removed handling of third-party-21.1.8.src.tar.xz which is included in
the monolithic tarball.
Added _SUBDIR variable or updated _INSTALL_CMDS when needed.
For compiler-rt:
Removed both patches, they are not needed anymore.
Added patch to fix aarch64 build.
Added dependency on gcc >= 15.x because libcxx now depends on gcc >=
15.x: https://github.com/llvm/llvm-project/pull/165684
warning "Libc++ only supports GCC 15 and later"
Building with gcc 14.x causes many build errors like
output/build/compiler-rt-22.1.0/compiler-rt/buildroot-build/lib/fuzzer/libcxx_fuzzer_x86_64/build/include/c++/v1/__type_traits/is_array.h:43:68:
error: expected primary-expression before ')' token
output/build/compiler-rt-22.1.0/compiler-rt/buildroot-build/lib/fuzzer/libcxx_fuzzer_x86_64/build/include/c++/v1/__type_traits/is_array.h:43:44:
error: there are no arguments to '__is_unbounded_array' that depend on
a template parameter, so a declaration of '__is_unbounded_array' must
be available [-fpermissive]
output/build/compiler-rt-22.1.0/compiler-rt/buildroot-build/lib/fuzzer/libcxx_fuzzer_x86_64/build/include/c++/v1/__type_traits/decay.h:22:32:
error: expected type-specifier before '__decay'
A corresponding bug report sent upstream
https://github.com/llvm/llvm-project/issues/174203
was answered:
https://github.com/llvm/llvm-project/issues/174203#issuecomment-3711113919
"Our policy is rather clear: Only the latest GCC is supported."
and an update to supported compiler versions was committed:
d1146b1ddd
Updated TestClangCompilerRT to use a gcc 15-based toolchain.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit will also switch to the Bootlin glibc stable toolchain.
Switch to Bootlin glibc stable toolchain as requested by the 2024
Buildroot meeting report:
https://elinux.org/Buildroot:DeveloperDaysELCE2024#Rules_for_defconfigs
Signed-off-by: Scott Fan <fancp2007@gmail.com>
[Julien:
- remove no longer needed linux-headers.hash
- change comment in linux.hash to take hash from upstream
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
FTXUI is a simple cross-platform C++ library for terminal
based user interfaces.
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
[Julien: remove FTXUI_SOURCE to use the default archive name]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Replaced install_prefix with DESTDIR in _INSTALL_TARGET_OPTS following
changes in upstream Makefiles, for example:
acb9dd88dc (diff-d56275146b88014f5017f78d3eb4ccdb545c8b82d94877b09ef33bac8f228414L13)
Build-tested using this defconfig
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_XSCREENSAVER=y
arm-aarch64 [ 1/32]: OK
bootlin-aarch64-glibc [ 2/32]: OK
bootlin-aarch64-glibc-old [ 3/32]: SKIPPED
bootlin-arcle-hs38-uclibc [ 4/32]: OK
bootlin-armv5-uclibc [ 5/32]: OK
bootlin-armv7-glibc [ 6/32]: OK
bootlin-armv7m-uclibc [ 7/32]: SKIPPED
bootlin-armv7-musl [ 8/32]: OK
bootlin-m68k-5208-uclibc [ 9/32]: SKIPPED
bootlin-m68k-68040-uclibc [10/32]: OK
bootlin-microblazeel-uclibc [11/32]: SKIPPED
bootlin-mips64el-glibc [12/32]: OK
bootlin-mipsel32r6-glibc [13/32]: OK
bootlin-mipsel-uclibc [14/32]: OK
bootlin-openrisc-uclibc [15/32]: OK
bootlin-powerpc64le-power8-glibc [16/32]: OK
bootlin-powerpc-e500mc-uclibc [17/32]: OK
bootlin-riscv32-glibc [18/32]: OK
bootlin-riscv64-glibc [19/32]: OK
bootlin-riscv64-musl [20/32]: OK
bootlin-s390x-z13-glibc [21/32]: OK
bootlin-sh4-uclibc [22/32]: OK
bootlin-sparc64-glibc [23/32]: OK
bootlin-sparc-uclibc [24/32]: SKIPPED
bootlin-x86-64-glibc [25/32]: OK
bootlin-x86-64-musl [26/32]: OK
bootlin-x86-64-uclibc [27/32]: OK
bootlin-x86-i686-musl [28/32]: OK
bootlin-xtensa-uclibc [29/32]: OK
br-arm-basic [30/32]: SKIPPED
br-arm-full-nothread [31/32]: SKIPPED
br-arm-full-static [32/32]: SKIPPED
32 builds, 8 skipped, 0 build failed, 0 legal-info failed, 0 show-info failed
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes build error with gcc 9.x:
output/build/libheif-1.21.1/libheif/nclx.h:128:50: error:
'bool nclx_profile::operator==(const nclx_profile&)
const' cannot be defaulted
using this defconfig:
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-arm-full-static-2020.11.2.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_9=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_4=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
# BR2_TOOLCHAIN_EXTERNAL_HAS_THREADS_DEBUG is not set
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_STATIC_LIBS=y
BR2_PACKAGE_LIBHEIF=y
According to https://github.com/strukturag/libheif/issues/1615#issuecomment-3457979167
gcc >= 10 with support for C++20 is needed for the package.
The failing code was introduced upstream in version 0.21.0 with commit
a62f933e38
which was added to buildroot with commit
a8aed698c7.
Also removed -std=c++11 from CXXFLAGS.
The build error was not yet recorded by the autobuilders.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 72c7d99e22 switched the
build system to meson which causes an error during configure:
output/build/libvips-8.17.2/meson.build:108:4:
ERROR: Problem encountered: GModule is not supported on your system,
please reconfigure with -Dmodules=disabled
using this defconfig:
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-arm-full-static-2020.11.2.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_9=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_4=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
# BR2_TOOLCHAIN_EXTERNAL_HAS_THREADS_DEBUG is not set
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_STATIC_LIBS=y
BR2_PACKAGE_LIBVIPS=y
Added configure options for -Dmodules to fix the problem which was not
yet caught by the autobuilders.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
These modules were dropped in Python 3.13 as per PEP 594.
The current version in Buildroot is 3.14.3.
- Remove the TODO and related config overrides in python3.mk.
- Remove BR2_PACKAGE_PYTHON3_OSSAUDIODEV from Config.in.
- Add BR2_PACKAGE_PYTHON3_OSSAUDIODEV to Config.in.legacy.
See [1] [2] [3].
[1] https://peps.python.org/pep-0594/
[2] fc07fe4e37
[3] 17e1fe0f9b
Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
[Julien:
- add links in commit log
- move legacy option in 2026.05 section
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit a035a0f99f bumped the
package to 6.0.2 which includes upstream commit
e806051f40
that adds optional support for libkrb5, enabled by default.
When building without libkrb5 we need to disable its support to avoid
a configure error:
configure: Build with gssapi_krb5 support
checking for gssapi/gssapi.h... no
configure: error: You need gssapi development files to compile libsmb2.
Fixes:
https://autobuild.buildroot.net/results/166/166fb283ef8830930ce191b4418d01e6c82176f5/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop no longer required python-pytz runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://codeberg.org/tenacityteam/libid3tag/releases/tag/0.16.4
"We now provide our own source packages instead of using Codeberg's
pre-generated sources, guaranteeing that the hash won't change."
Removed patches which are included in this bump.
Used tarball and its hashes provided by upstream.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
sntp/crypto.c includes sntp/config.h, then sntp/crypto.h which includes
ntp_stdlib.h which in turn includes l_stdlib.h that contains
#ifndef HAVE_MEMCHR
extern void *memchr(const void *s, int c, size_t n);
#endif
and breaks the build with glibc 2.43.
sntp/config.h does not contain any information about memchr() while the
top-level config.h does but this top-level config.h is not included
because sntp/Makefile lacks -I$(top_builddir) so sntp/config.h gets
included which does not define HAVE_MEMCHR although glibc does provide
memchr() but sntp/configure lacks a check for memchr().
This was not a problem with previous glibc versions but due to recent
C23 changes in glibc the ntp build is now broken.
To fix the problem we add a configure check for memchr() to
sntp/configure so HAVE_MEMCHR gets defined in sntp/config.h.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The artifacts URL has been moved to https and domain to .org to
improve security and avoid redirection issues. This ensures that
downloads of kernels and rootfs images during runtime tests are
encrypted and verified.
The change has been tested by running a runtime test, confirming the
correct download and renaming of artifacts from the new URL:
Downloading to .../tmpyotq8uor
Renaming from .../tmpyotq8uor to .../kernel-versatile-5.10.202
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With U-Boot 2022.04 gnutls is required for building the hostool
mkeficapsule.
mkeficapsule tool is built by default if EFI_LOADER is set since u-boot
2024.10 [1].
Thus the BR2_TARGET_UBOOT_NEEDS_GNUTLS config is needed.
This commit also updates the defconfig to the new convention:
- It adds custom hashes, enable BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and
BR2_GLOBAL_PATCH_DIR="board/khadas/vim3/patches" to store the files.
[1] b7a625b1ce
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
[Julien:
- squashed linux and u-boot bumps
- change linux.hash comment reuse hashes published upstream
- increase BR2_TARGET_ROOTFS_EXT2_SIZE to 256M
- remove partition size constraint in genimage.cfg
- remove .checkpackageignore entry to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit [1] was applied without fixing the edk2-platform patch
newlines which are changed by the mailing list. As a result,
the patch fails to apply.
This commit fixes the issue.
[1] 21baec5ef5
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since edk2-stable202508, see:
https://github.com/tianocore/edk2/releases/tag/edk2-stable202511
This commit also updates the edk2-platforms packages with the last
commit merged at the edk2 release date (2025-11-19), which corresponds
to commit [1].
The edk2-non-osi package is also updated the same way, which
corresponds to commit [2].
This commit also adds an edk2-platforms package patch to fix a Marvell
build failure seen with the SolidRun MacchiatoBin platform.
This commit has been runtime tested with tests using EDK2 package,
with commands:
support/testing/run-tests \
-d dl -o output_folder \
tests.boot.test_edk2 \
tests.boot.test_grub.TestGrubAArch64EFI \
tests.boot.test_grub.TestGrubRiscV64EFI \
tests.boot.test_grub.TestGrubX8664EFI \
tests.package.test_fwts
It has also been runtime tested (by booting in qemu) with defconfigs
using EDK2 package:
qemu_aarch64_sbsa_defconfig
qemu_loongarch64_virt_efi_defconfig
qemu_riscv64_virt_efi_defconfig
qemu_x86_64_efi_defconfig
[1] 1e64c1109a
[2] 94d0489811
Cc: Dick Olsson <hi@senzilla.io>
Cc: Romain Naour <romain.naour@smile.fr>
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
EDK2 removed OVMF IA32 support in commit [1], which is included in
version edk2-stable202511. This commit removes the test relying on it.
[1] 1fb88ffe28
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
EDK2 removed OVMF IA32 support in commit [1], which is included in
version edk2-stable202511. This commit removes tests relying on it.
[1] 1fb88ffe28
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
While there is only one CVE number assigned (CVE-2025-14523) for one of
the patches included in this release, the bulk of the the changes are
security fixes.
Release notes may be found at:
25eac15300
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-14523
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The zjit option introduces a rust dependency and due to that not
being handled appropriately it can cause build failures if this
feature gets incorrectly autodetected as being available.
This feature was introduced when ruby was bumped to version 4.0.0
in f594f86f9d.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that custom arm-trusted-firmware versions can specify license files, add
license file hashes for the Xilinx custom arm-trusted-firmware version.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that custom Linux versions can specify license files, add license file
hashes for the Xilinx custom Linux version.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 127f36b406 ("package/ruby: bump to version 4.0.1") adjusted
RUBY_VERSION_EXT, but ruby 4.0.1 still installs its extensions into the
4.0.0 subdir:
ls target/usr/lib/ruby/
4.0.0 site_ruby vendor_ruby
So revert the RUBY_VERSION_EXT change to ensure the unneeded extensions are
correctly removed.
Signed-off-by: William Sherrer <william@sherrer.com>
[Peter: significantly extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patches mostly backported with the basis of the work of Ubuntu Security
team. See [1].
Fix the following vulnerabilities:
- CVE-2024-32661:
FreeRDP is a free implementation of the Remote Desktop Protocol.
FreeRDP based clients prior to version 3.5.1 are vulnerable to a
possible `NULL` access and crash. Version 3.5.1 contains a patch for
the issue. No known workarounds are available.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-32661
- CVE-2026-23530:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate
`nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before
RLE decode. A malicious server can trigger a client‑side heap buffer
overflow, causing a crash (DoS) and potential heap corruption with
code‑execution risk depending on allocator behavior and surrounding
heap layout. Version 3.21.0 contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23530
- CVE-2026-23531:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, in ClearCodec, when `glyphData` is present,
`clear_decompress` calls `freerdp_image_copy_no_overlap` without
validating the destination rectangle, allowing an out-of-bounds
read/write via crafted RDPGFX surface updates. A malicious server can
trigger a client‑side heap buffer overflow, causing a crash (DoS) and
potential heap corruption with code‑execution risk depending on
allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23531
- CVE-2026-23532:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between
destination rectangle clamping and the actual copy size. A malicious
server can trigger a client‑side heap buffer overflow, causing a crash
(DoS) and potential heap corruption with code‑execution risk depending
on allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23532
- CVE-2026-23533:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
RDPGFX ClearCodec decode path when maliciously crafted residual data
causes out-of-bounds writes during color output. A malicious server
can trigger a client‑side heap buffer overflow, causing a crash (DoS)
and potential heap corruption with code‑execution risk depending on
allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23533
- CVE-2026-23534:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
ClearCodec bands decode path when crafted band coordinates allow
writes past the end of the destination surface buffer. A malicious
server can trigger a client‑side heap buffer overflow, causing a crash
(DoS) and potential heap corruption with code‑execution risk depending
on allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23534
- CVE-2026-23948:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, a NULL pointer dereference vulnerability in
rdp_write_logon_info_v2() allows a malicious RDP server to crash
FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with
cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23948
- CVE-2026-24675:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, urb_select_interface can free the device's MS config on
error but later code still dereferences it, leading to a use after
free in libusb_udev_select_interface. This vulnerability is fixed in
3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24675
- CVE-2026-24676:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, AUDIN format renegotiation frees the active format list
while the capture thread continues using audin->format, leading to a
use after free in audio_format_compatible. This vulnerability is fixed
in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24676
- CVE-2026-24679:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, The URBDRC client uses server-supplied interface numbers as
array indices without bounds checks, causing an out-of-bounds read in
libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24679
- CVE-2026-24681:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, aAsynchronous bulk transfer completions can use a freed
channel callback after URBDRC channel close, leading to a use after
free in urb_write_completion. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24681
- CVE-2026-24682:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, audin_server_recv_formats frees an incorrect number of
audio formats on parse failure (i + i), leading to out-of-bounds
access in audio_formats_free. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24682
- CVE-2026-24683:
FreeRDP is a free implementation of the Remote Desktop Protocol.
ainput_send_input_event caches channel_callback in a local variable
and later uses it without synchronization; a concurrent channel close
can free or reinitialize the callback, leading to a use after free.
Prior to 3.22.0, This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24683
[1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2025-62168:
Squid is a caching proxy for the Web. In Squid versions prior to 7.2,
a failure to redact HTTP authentication credentials in error handling
allows information disclosure. The vulnerability allows a script to
bypass browser security protections and learn the credentials a
trusted client uses to authenticate. This potentially allows a remote
client to identify security tokens or credentials used internally by a
web application using Squid for backend load balancing. These attacks
do not require Squid to be configured with HTTP authentication. The
vulnerability is fixed in version 7.2. As a workaround, disable debug
information in administrator mailto links generated by Squid by
configuring squid.conf with email_err_data off.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-62168
- 0951a06810
The backport has been compared against debian patch [1].
[1] https://sources.debian.org/src/squid/6.13-2%2Bdeb13u1/debian/patches/CVE-2025-62168.patch
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For changes, see:
- https://github.com/vim/vim/compare/v9.1.2017...v9.1.2148
Fixes the following vulnerabilities:
- CVE-2026-25749:
Vim is an open source, command line text editor. Prior to version
9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag
file resolution logic when processing the 'helpfile' option. The
vulnerability is located in the get_tagfname() function in src/tag.c.
When processing help file tags, Vim copies the user-controlled
'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1
bytes (typically 4097 bytes) using an unsafe STRCPY() operation
without any bounds checking. This issue has been patched in version
9.1.2132.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-25749
- 0714b15940
- CVE-2026-26269:
Vim is an open source, command line text editor. Prior to 9.1.2148, a
stack buffer overflow vulnerability exists in Vim's NetBeans
integration when processing the specialKeys command, affecting Vim
builds that enable and use the NetBeans feature. The Stack buffer
overflow exists in special_keys() (in src/netbeans.c). The while
(*tok) loop writes two bytes per iteration into a 64-byte stack buffer
(keybuf) with no bounds check. A malicious NetBeans server can
overflow keybuf with a single specialKeys command. The issue has been
fixed as of Vim patch v9.1.2148.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-26269
- c5f312aad8
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 3d2141bcee("support/testing/run-tests: specify multiprocessing
method") added a call to multiprocessing.set_start_method('fork') as a
workaround for python 3.14, which changed the default start method to
forkserver - Which is incompatible with the nose2 setup.
multiprocessing.set_start_method() is only supposed to be called a maximum
of 1 time per process and throws a RuntimeError if called more than that
(even with the same arguments):
>>> import multiprocessing
>>> multiprocessing.set_start_method('fork')
>>> multiprocessing.set_start_method('fork')
Traceback (most recent call last):
File "<python-input-2>", line 1, in <module>
multiprocessing.set_start_method('fork')
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
File "/usr/lib/python3.13/multiprocessing/context.py", line 247, in set_start_method
raise RuntimeError('context has already been set')
Debian included a similar patch in python3-nose2 0.51.1-2 (currently in
testing/unstable) which adds its own call to set_start_method():
https://salsa.debian.org/python-team/packages/nose2/-/blob/debian/0.15.1-2/debian/patches/0004-plugins-mp-set-context-to-fork-for-Python-3.14-mp-AP.patch?ref_type=tags
Which comes from:
https://github.com/nose-devs/nose2/pull/644
As discussed in the upstream PR, this is not a correct fix is wrong and
breaks various use cases. An issue has been opened to get this fixed in the
Debian packaging at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129350
But until that is done, rework the patch to:
- Only override set_start_method() if needed to limit impact
- Monkey patch set_start_method() so additional calls are ignored
To unbreak run-test on affected Debian systems and add some documentation to
make it clear why this is done.
[Peter: use allow_none / force optional arguments as pointed out by Julien]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When the toolchain involved in openscap build does not support C++, the
configure step fails with the following error:
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - failed
-- Check for working CXX compiler: /bin/false
-- Check for working CXX compiler: /bin/false - broken
CMake Error at /usr/share/cmake/Modules/CMakeTestCXXCompiler.cmake:73 (message):
The C++ compiler
"/bin/false"
is not able to compile a simple test program.
It fails with the following output:
Change Dir: '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
Run Build Command(s): /usr/bin/cmake -E env VERBOSE=1 /usr/bin/make -f Makefile cmTC_1834b/fast
make[1]: Entering directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
/usr/bin/make -f CMakeFiles/cmTC_1834b.dir/build.make CMakeFiles/cmTC_1834b.dir/build
make[2]: Entering directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
Building CXX object CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o /bin/false -o CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o -c /home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI/testCXXCompiler.cxx
make[2]: *** [CMakeFiles/cmTC_1834b.dir/build.make:81: CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o] Error 1
make[2]: Leaving directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
make[1]: *** [Makefile:134: cmTC_1834b/fast] Error 2
make[1]: Leaving directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
CMakeLists.txt:11 (project)
-- Configuring incomplete, errors occurred!
make: *** [package/pkg-generic.mk:263: /home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/.stamp_configured] Error 1
make: Leaving directory '/home/autobuild/autobuild/instance-6/buildroot'
The openscap project does not contain any C++ file, and so does not need
a C++ capable compiler. Bring the to-be-integrated-upstream patch
enforcing C language in CMakeLists.txt to prevent this build failure.
Fixes: https://autobuild.buildroot.org/results/1fe550ffa79f0a083a450ae03fe067a8ab7336be
Fixes: https://autobuild.buildroot.org/results/e9d52b52658544916022050c78dcb137ca6c97e0
Fixes: https://autobuild.buildroot.org/results/4a9c21763aaddb217ee5f8bb8947faad9767baa3
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig can be built without problems:
BR2_x86_64=y
BR2_GCC_VERSION_15_X=y
BR2_PACKAGE_SAFECLIB=y
However adding rocketlake as architecture variant
BR2_x86_64=y
BR2_x86_rocketlake=y
BR2_GCC_VERSION_15_X=y
BR2_PACKAGE_SAFECLIB=y
causes a build error:
str/vsnprintf_s.c: In function 'safec_ftoa.isra':
str/vsnprintf_s.c:523:24: error: writing 32 bytes into a region of size
31 [-Werror=stringop-overflow=]
523 | buf[len++] = '0';
with gcc 15.x only, gcc =< 14.x is not affected, reason unknown.
This commit adds two upstream commits which fix the problem.
No autobuilder error was recorded.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 101997e334 added binutils
2.46.0 to -next branch causing a build error with shim:
output/per-package/shim/host/bin/x86_64-buildroot-linux-gnu-objcopy:
shimx64.so: file format not recognized
output/per-package/shim/host/bin/x86_64-buildroot-linux-gnu-objcopy:
mmx64.so: file format not recognized
Added an upstream patch to fix the problem.
No backport to buildroot LTS branches necessary.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2025-34450:
merbanan/rtl_433 versions up to and including 25.02 and prior to
commit 25e47f8 contain a stack-based buffer overflow vulnerability in
the function parse_rfraw() located in src/rfraw.c. When processing
crafted or excessively large raw RF input data, the application may
write beyond the bounds of a stack buffer, resulting in memory
corruption or a crash. This vulnerability can be exploited to cause a
denial of service and, under certain conditions, may be leveraged for
further exploitation depending on the execution environment and
available mitigations.
For mroe information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-34450
- 25e47f8932
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2026-25556:
MuPDF versions 1.23.0 through 1.27.0 contain a double-free
vulnerability in fz_fill_pixmap_from_display_list() when an exception
occurs during display list rendering. The function accepts a caller-
owned fz_pixmap pointer but incorrectly drops the pixmap in its error
handling path before rethrowing the exception. Callers (including the
barcode decoding path in fz_decode_barcode_from_display_list) also
drop the same pixmap in cleanup, resulting in a double-free that can
corrupt the heap and crash the process. This issue affects
applications that enable and use MuPDF barcode decoding and can be
triggered by processing crafted input that causes a rendering-time
error while decoding barcodes.
For more information, see
- https://www.cve.org/CVERecord?id=CVE-2026-25556
- https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* create a board/freescale/imx6ull-evk folder dedicated to upstream Linux
and U-Boot to ease maintainance.
* clean up both imx6ullevk and imx6ull-evk readme.txt files
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: fix IMX6ULLQSG url in readme.txt]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed all patches because they are included in this release.
Added two upstream patches which fix build with glibc 2.43.
Added optional dependency to gnutls introduced by upstream commit
c9215365ef
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since version 3.12.07-3-g4546973, see:
https://github.com/electronicarts/EASTL/releases
Updated license hash due to upstream commit
c18a037660
Added patch to raise make_minimum_required in subproject EABase that was
added by upstream commit
c530255b69
using FetchContent_Declare which downloads the source during configure
so we do not have a chance to use _POST_EXTRACT_HOOKS to patch the
source code directly.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add comment in commit log about the previous version number]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Which is a 2.5G Ethernet PHY.
Signed-off-by: Mattias Walström <lazzer@gmail.com>
[Julien: add LICENSE.airoha entry in linux-firmware.hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Change summary:
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.11.4
Fixes:
CVE-2025-14821: libssh loads configuration files from the C:\etc directory
on Windows
CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
CVE-2026-0965: Possible Denial of Service when parsing unexpected
configuration files
CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
CVE-2026-0967: Specially crafted patterns could cause DoS
CVE-2026-0968: OOB Read in sftp_parse_longname()
libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP
extensions
Signed-off-by: Mattias Walström <lazzer@gmail.com>
[Julien:
- add link to upstream change summary
- fix signature link in hash file
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 0433c8d02a bumped
libinput to version 1.31.0 which causes a build error with wlroot:
../backend/libinput/switch.c: In function ‘handle_switch_toggle’:
../backend/libinput/switch.c:32:9: error: enumeration value
‘LIBINPUT_SWITCH_KEYPAD_SLIDE’ not handled in switch [-Werror=switch]
32 | switch (libinput_event_switch_get_switch(sevent)) {
The build error was not yet detected by the autobuilders but can be
reproduced using this defconfig:
BR2_x86_64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_WLROOTS=y
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerabilities:
- CVE-2024-50382:
Botan before 3.6.0, when certain LLVM versions are used, has compiler-
induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in
GHASH in AES-GCM. There is a branch instead of an XOR with carry. This
was observed for Clang in LLVM 15 on RISC-V.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-50382
- 53b0cfde58
- CVE-2024-50383:
Botan before 3.6.0, when certain GCC versions are used, has a
compiler-induced secret-dependent operation in lib/utils/donna128.h in
donna128 (used in Chacha-Poly1305 and x25519). An addition can be
skipped if a carry is not set. This was observed for GCC 11.3.0 with
-O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be
affected.)
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-50383
- 53b0cfde58
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add configs/versal_vpk120_defconfig to the list of files I maintain.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerability:
- CVE-2025-63938:
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in
the strip_return_port() function within src/reqs.c.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-63938
- 3c0fde9498
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2025-50681:
igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a
denial of service (application crash) via a crafted IGMPv3 membership
report packet with a malicious source address. Due to insufficient
validation in the `recv_igmp()` function in src/igmpproxy.c, an
invalid group record type can trigger a NULL pointer dereference when
logging the address using `inet_fmtsrc()`. This vulnerability can be
exploited by sending malformed multicast traffic to a host running
igmpproxy, leading to a crash. igmpproxy is used in various embedded
networking environments and consumer-grade IoT devices (such as home
routers and media gateways) to handle multicast traffic for IPTV and
other streaming services. Affected devices that rely on unpatched
versions of igmpproxy may be vulnerable to remote denial-of-service
attacks across a LAN .
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-50681
- 2b30c36e6a
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This minor release contains a fix for building with host glibc 2.43,
which fails otherwise.
Signed-off-by: Paul Kocialkowski <paulk@sys-base.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more information on the version bump, see:
- https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
- https://github.com/ImageMagick/ImageMagick/compare/7.1.2-12...7.1.2-15
Fixes the following vulnerabilities:
- CVE-2026-22770:
The BilateralBlurImage method will allocate a set of double buffers
inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the
last element in the set is not properly initialized. This will
result in a release of an invalid pointer inside DestroyBilateralTLS
when the memory allocation fails.
https://www.cve.org/CVERecord?id=CVE-2026-22770
- CVE-2026-23874:
Versions prior to 7.1.2-13 have a stack overflow via infinite
recursion in MSL (Magick Scripting Language) `<write>` command when
writing to MSL format.
https://www.cve.org/CVERecord?id=CVE-2026-23874
- CVE-2026-23876:
Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow
vulnerability in the XBM image decoder (ReadXBMImage) allows an
attacker to write controlled data past the allocated heap buffer
when processing a maliciously crafted image file. Any operation that
reads or identifies an image can trigger the overflow, making it
exploitable via common image upload and processing pipelines.
https://www.cve.org/CVERecord?id=CVE-2026-23876
- CVE-2026-24481:
Prior to versions 7.1.2-15 and 6.9.13-40, a heap information
disclosure vulnerability exists in ImageMagick's PSD (Adobe
Photoshop) format handler. When processing a maliciously crafted PSD
file containing ZIP-compressed layer data that decompresses to less
than the expected size, uninitialized heap memory is leaked into the
output image.
https://www.cve.org/CVERecord?id=CVE-2026-24481
- CVE-2026-25638:
Prior to versions 7.1.2-15 and 6.9.13-40, memory leak exists in
`coders/msl.c`. In the `WriteMSLImage` function of the `msl.c` file,
resources are allocated. But the function returns early without
releasing these allocated resources.
https://www.cve.org/CVERecord?id=CVE-2026-25638
- CVE-2026-25794:
`WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute
the pixel buffer size. Prior to version 7.1.2-15, when image
dimensions are large, the multiplication overflows 32-bit `int`,
causing an undersized heap allocation followed by an out-of-bounds
write. This can crash the process or potentially lead to an out of
bounds heap write.
https://www.cve.org/CVERecord?id=CVE-2026-25794
- CVE-2026-25795:
Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSFWImage()`
(`coders/sfw.c`), when temporary file creation fails, `read_info` is
destroyed before its `filename` member is accessed, causing a NULL
pointer dereference and crash.
https://www.cve.org/CVERecord?id=CVE-2026-25795
- CVE-2026-25796:
Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSTEGANOImage()`
(`coders/stegano.c`), the `watermark` Image object is not freed on
three early-return paths, resulting in a definite memory leak
(~13.5KB+ per invocation) that can be exploited for denial of
service.
https://www.cve.org/CVERecord?id=CVE-2026-25796
- CVE-2026-25798:
Prior to versions 7.1.2-15 and 6.9.13-40, a NULL pointer dereference
in ClonePixelCacheRepository allows a remote attacker to crash any
application linked against ImageMagick by supplying a crafted image
file, resulting in denial of service.
https://www.cve.org/CVERecord?id=CVE-2026-25798
- CVE-2026-25799:
Prior to versions 7.1.2-15 and 6.9.13-40, a logic error in YUV
sampling factor validation allows an invalid sampling factor to
bypass checks and trigger a division-by-zero during image loading,
resulting in a reliable denial-of-service.
https://www.cve.org/CVERecord?id=CVE-2026-25799
- CVE-2026-25897:
Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow
vulnerability exists in the sun decoder. On 32-bit systems/builds, a
carefully crafted image can lead to an out of bounds heap write.
https://www.cve.org/CVERecord?id=CVE-2026-25897
- CVE-2026-25989:
Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can
cause a denial of service. An off-by-one boundary check (`>` instead
of `>=`) that allows bypass the guard and reach an undefined
`(size_t)` cast.
https://www.cve.org/CVERecord?id=CVE-2026-25989
- CVE-2026-26066:
Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile contain
invalid IPTC data may cause an infinite loop when writing it with
`IPTCTEXT`.
https://www.cve.org/CVERecord?id=CVE-2026-26066
- CVE-2026-26283:
Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in
the JPEG extent binary search loop in the jpeg encoder causes an
infinite loop when writing persistently fails. An attacker can
trigger a 100% CPU consumption and process hang (Denial of Service)
with a crafted image.
https://www.cve.org/CVERecord?id=CVE-2026-26283
- CVE-2026-26284:
Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper
boundary checking when processing Huffman- coded data from PCD
(Photo CD) files. The decoder contains an function that has an
incorrect initialization that could cause an out of bounds read.
https://www.cve.org/CVERecord?id=CVE-2026-26284
- CVE-2026-26983:
Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter
crashes when processing a invalid `<map>` element that causes it to
use an image after it has been freed.
https://www.cve.org/CVERecord?id=CVE-2026-26983
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 2882cf4ae6 bumped the
package from 2.44.4 to 2.48.3. This bump includes upstream commit
3b54e45d63
which was added to wpewebkit 2.45.1:
https://wpewebkit.org/release/wpewebkit-2.45.1.html
"Use Skia by default instead of Cairo for rendering."
The upstream commit includes dependencies to fontconfig & freetype which
were not added to buildroot and cause build errors with this defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_WPEWEBKIT=y
BR2_PACKAGE_WPEWEBKIT_SANDBOX=y
BR2_PACKAGE_WPEWEBKIT_MULTIMEDIA=y
BR2_PACKAGE_WPEWEBKIT_MEDIA_STREAM=y
BR2_PACKAGE_WPEWEBKIT_WEBDRIVER=y
Reported-by: Julien Olivain <ju.o@free.fr>
[https://patchwork.ozlabs.org/project/buildroot/patch/20251017131035.224739-1-aperez@igalia.com/#3599999]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more information about the release, see:
- https://github.com/c-ares/c-ares/releases/tag/v1.34.6
Fixes the following vulnerability:
- CVE-2025-62408:
c-ares is an asynchronous resolver library. Versions 1.32.3 through
1.34.5 terminate a query after maximum attempts when using
read_answer() and process_answer(), which can cause a Denial of
Service. This issue is fixed in version 1.34.6.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-62408
- 714bf5675c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security vulnerability:
- CVE-2025-68615:
net-snmp is a SNMP application library, tools and daemon. Prior to
versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-
snmp snmptrapd daemon can cause a buffer overflow and the daemon to
crash. This issue has been patched in versions 5.9.5 and 5.10.pre2.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68615
- b4e6f826d9
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 2026.02-rc1 release forgot to update the series and date and the
2025.02.11 release forgot to update the data, fix that.
Reported-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that binutils 2.46.0 has been introduced and binutils 2.45.1 made
the default version, drop the oldest supported version, binutils 2.43,
keeping only the 3 last versions supported: 2.44, 2.45.1 and 2.46.0.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Now that support for binutils 2.46.0 has been introduced, we follow our
policy of making binutils 2.45.1 the default version.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://sourceware.org/pipermail/binutils/2026-February/148149.html
" This release contains numerous bug fixes, and also the following new
features:
* Support for new instructions added to AMD, ARM and RISC-V
architectures.
* Support for version 3 of the SFrame standard.
* The readelf program can now display the contents of Global Offset
Tables.
* Improved linker tagging support."
We bring and rebased patches 0001 and 0002 that we carry for binutils
2.45.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed patch that fixed building with libseccomp and old kernel headers
as systemd has fixed that upstream now.
Notable changes:
- Add -Dlibmount=enabled to host and target build. Disabling this
option disables building most of systemd's tools apart from
libsystemd.
- remove gcrypt and gnutls from dependencies and build options.
openssl is the only supported crypto library now.
- Disable nspawn build for host variant and add a Config.in option
for the target variant.
- systemd now requires kernel >= 5.4 while the recommended kernel
version moved to >=5.7. This make systemd depend on
BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4, removing various dependencies
on older kernel header versions from sub options.
- The sha256sum of LICENSES/README.md changed due to various
license clarification, removal of some vendored files as well as
changing some file paths. Licensing did not actually change.
For changelog, see:
https://github.com/systemd/systemd/blob/v258.3/NEWS
Tested with `./support/testing/run-tests tests.init.test_systemd`
All tests passed
One of the tests now needs a bigger rootfs size.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: fix check-package warnings]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When trying to build host-dtc on a host with glibc 2.43, the build fails
on the following error:
libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’
qualifier from pointer target type [-Werror=discarded-qualifiers]
424 | sep = memchr(fixup_str, ':', fixup_len);
| ^
libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’
qualifier from pointer target type [-Werror=discarded-qualifiers]
434 | sep = memchr(name, ':', fixup_len);
| ^
fdtput.c: In function ‘create_node’:
fdtput.c:235:11: error: assignment discards ‘const’ qualifier from
pointer target type [-Werror=discarded-qualifiers]
235 | p = strrchr(node_name, '/');
| ^
cc1: all warnings being treated as errors
make[2]: *** [Makefile:359: fdtput.o] Error 1
make[2]: *** Waiting for unfinished jobs....
cc1: all warnings being treated as errors
make[2]: *** [Makefile:359: libfdt/fdt_overlay.o] Error 1
make[1]: *** [package/pkg-generic.mk:273:
/home/alexis/src/buildroot/dtc/build/host-dtc-1.7.2/.stamp_built] Error 2
make: *** [Makefile:83: _all] Error 2
The issue can be reproduced on master with this minimal defconfig on a
host having glibc 2.43:
BR2_x86_64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_QORIQ_MC_UTILS=y
(QORIQ_MC_UTILS will pull HOST_DTC)
This error is due to some functions prototype update in glibc 2.43 for
ISO C23 (see [1], point 3 in the NEWS list). The corresponding fix has
already been integrated upstream, but it has not been released since
then.
Bring the corresponding upstream patch to allow host-dtc to build on
affected hosts.
[1] https://lists.gnu.org/archive/html/info-gnu/2026-01/msg00005.html
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The used Linux kernel (4.14.336) does not contain the default license files
as those were only added in 4.16 with commit e00a844aca ("LICENSES: Add
Linux syscall note exception"), so specify the correct license file to fix:
make legal-info
..
cp: cannot stat '/path/to/output/build/linux-headers-4.14.336/LICENSES/preferred/GPL-2.0': No such file or directory
And add the sha256sum to the .hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien:
- reword commit title
- actually add BR2_LINUX_KERNEL_LICENSE_FILES in defconfig
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The used Linux kernel (4.14.336) does not contain the default license files
as those were only added in 4.16 with commit e00a844aca ("LICENSES: Add
Linux syscall note exception"), so specify the correct license file to fix:
make legal-info
..
cp: cannot stat '/path/to/output/build/linux-headers-4.14.336/LICENSES/preferred/GPL-2.0': No such file or directory
And add the sha256sum to the .hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: reword commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 50958bcdac ("linux: Add support for custom license files") added a
default value for the license files and made the option visible (E.G.
editable) when a custom VCS or tarball version is used, but it is also
needed for users of an older _CUSTOM_VERSION (E.G. mainline release), as
the referenced files were only added in Linux 4.16 with commit e00a844aca
("LICENSES: Add Linux syscall note exception"), so change that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
It was recently announced on the list that Marcus joined the maintainer
team, so add a news entry about it as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using a specific git repo and version for at91bootstrap3,
BR2_TARGET_AT91BOOTSTRAP3_LICENSE_FILES defaults to "LICENSES/MIT.txt".
However the git version we use (namely v3.10.3) does not provide this
file. Actually, it does not provide a license file at all. This causes
‘make legal-info’ to fail with:
>>> at91bootstrap3 v3.10.3 Collecting legal info
sha256sum: /builds/buildroot.org/buildroot/output/build/at91bootstrap3-v3.10.3/LICENSES/MIT.txt: No such file or directory
ERROR: while checking hashes from boot/at91bootstrap3/at91bootstrap3.hash
ERROR: LICENSES/MIT.txt has wrong sha256 hash:
ERROR: expected: 5a3809b1c2ba13b7242572322951311c584419f1f8516f665d6c06f0668d78de
ERROR: got :
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
Let's be explicit that there is no license file to check.
Fixes:
- https://gitlab.com/buildroot.org/buildroot/-/jobs/12992815386
- https://gitlab.com/buildroot.org/buildroot/-/jobs/12992815390
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Buildroot commit [1] introduced two small typos, while doing the
updates to announce new releases.
The version 2025.02.10 release date is 2026-01-20 (and not 2022).
See the original announce [2].
The 2025.02.10 archive link in news.html has also a missing dot.
This commit fixes those typo in order to fix the website.
[1] 21dda0665e
[2] https://lore.kernel.org/buildroot/9b9654f8-6cdd-4108-b932-79509e455148@rnout.be/
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libxmslec1 build fails on some configurations with the following build
logs:
CC libxmlsec1_openssl_la-kw_des.lo
kw_des.c:75:8: error: unknown type name 'xmlSecKWDes3Klass'; did you mean 'xmlSecKWAesKlass'?
75 | static xmlSecKWDes3Klass xmlSecOpenSSLKWDes3ImplKlass = {
| ^~~~~~~~~~~~~~~~~
| xmlSecKWAesKlass
kw_des.c:77:5: error: initialization of 'int' from 'int (*)(struct _xmlSecTransform *, xmlSecByte *, size_t, size_t *)' {aka 'int (*)(struct _xmlSecTransform *, unsigned char *, long unsigned int, long unsigned int *)'} makes integer from pointer without a cast [-Wint-conversion]
77 | xmlSecOpenSSLKWDes3GenerateRandom, /* xmlSecKWDes3GenerateRandomMethod generateRandom; */
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kw_des.c:77:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:77:5: error: initializer element is not computable at load time
kw_des.c:77:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:78:5: error: excess elements in scalar initializer
78 | xmlSecOpenSSLKWDes3Sha1, /* xmlSecKWDes3Sha1Method sha1; */
| ^~~~~~~~~~~~~~~~~~~~~~~
kw_des.c:78:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:79:5: error: excess elements in scalar initializer
79 | xmlSecOpenSSLKWDes3BlockEncrypt, /* xmlSecKWDes3BlockEncryptMethod encrypt; */
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kw_des.c:79:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:80:5: error: excess elements in scalar initializer
80 | xmlSecOpenSSLKWDes3BlockDecrypt, /* xmlSecKWDes3BlockDecryptMethod decrypt; */
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
This build failure is due to those struct definitions being set
conditionally in src/kw_aes_des.h behind a XMLSEC_NO_DES define, and
this define ending up being 1 on some builds. We could assume that the
makefiles in libxmlsec should just not try to build any DES related file
when XMLSEC_NO_DES is set to 1 (and so, in this specific case, not try
to build src/openssl/kw_des.c), but the autotools tooling in the project
is not the one setting XMLSEC_NO_DES: there is a mismatch between
detected features at configure time and build time.
- at build time, the tooling just checks if user has passed
`--enable-des=no`. If so, it sets XMLSEC_NO_DES, otherwise it assumes
that DES support is available.
- at build time, libxmlsec tries to build openssl backend. This backend
checks OpenSSL features, especially whether OPENSSL_NO_DES is set (and
if so, it enforces XMLSEC_NO_DES to 1 as well)
- This OPENSSL_NO_DES comes from libopenssl configuration headers
installed in sysroot. Its presence is driven by the `no-des` option
passed at libopenssl configure time
- This `no-des` flag is driven by buildroot option
BR2_PACKAGE_LIBOPENSSL_ENABLE_DES
There are multiple options to fix this package here:
1. fixing upstream package to make the features detection more robust (eg
check openssl headers at configure time to ensure that DES is
supported)
2. enforce XMLSEC_NO_DES if BR2_PACKAGE_LIBOPENSSL_ENABLE_DES is not set
3. systematically enforce XMLSEC_NO_DES=1
Now:
- 1 may take time, and would then need a temporary patch to live in
buildroot while the fix is accepted upstream and released
- 2 works only for libopenssl, what if libressl is used ?
- DES usage is discouraged anyway, as stated by configure logs:
[...]
checking for DES support... yes (use discouraged)
[...]
As the package has been introduced very recently, there's a very low
chance to break any user use case by completely disabling DES support.
Systematically disable DES support in libxmlsec1 to discourage usage and
fix build failure when the corresponding SSL library does not expose DES
support.
Fixes: https://autobuild.buildroot.org/results/3e15f03dc0211c622125ebb69ff7230ce900029a/
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* bumps ATF to version 2.14.0
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit also updates
olimex_a20_olinuxino_lime_defconfig
olimex_a20_olinuxino_lime2_defconfig
to use this new rootfs_overlay_mali directory.
This is to differentiate for the upcoming patch for
a20_olinuxino_micro_defconfig
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add extra info in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien:
- change linux.hash comment to use hash from upstream
- add "_lime" in commit title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version lf-6.12.49-2.2.0
* bumps U-Boot to version lf-6.12.49-2.2.0
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The `pocoo:jinja2` CPE introduced in commit [1] is not deprecated but is
no longer used. All the security issue on the Github Advisory reference
CVE with the `palletsprojects:jinja` CPE instead (see [2]).
This commit updates the CPE accordingly.
[1] 165f60a092 package/python-jinja2: add CPE variables
[2] https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Optional udisks support is useful for mounting USB sticks via
pcmanfm.
gvfs meson.build has recognized this udisks2 option for quite
some time, since upstream commit [1] first included in version
1.35.2 (released on 2017-11-13).
[1] cdc33bf54f
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
[Julien: add comment in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
commit cf686670b9 introduced a patch that
was later included in a release which made the usage of libesmtp
configurable. Later the switch was moved to the main CMakeLists.mk [0].
while the patch introduced the build flag LOG4CXX_ENABLE_ESMTP the
change to the .mk file used LOG4CXX_ENABLE_LIBESMTP.
So correct this.
Fixes:
CMake Warning:
Manually-specified variables were not used by the project:
LOG4CXX_ENABLE_LIBESMTP
[0] https://github.com/apache/logging-log4cxx/blob/rel/v1.3.1/CMakeLists.txt#L93
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit backports an upstream patch fixing CVE-2024-10963. See:
https://github.com/linux-pam/linux-pam/issues/834https://github.com/linux-pam/linux-pam/pull/854
Fixes:
- CVE-2024-10963:
Pam: improper hostname interpretation in pam_access leads to access
control bypass
A flaw was found in pam_access, where certain rules in its
configuration file are mistakenly treated as hostnames. This
vulnerability allows attackers to trick the system by pretending
to be a trusted hostname, gaining unauthorized access. This issue
poses a risk for systems that rely on this feature to control who
can access certain services or terminals.
https://www.cve.org/CVERecord?id=CVE-2024-10963
Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
[Julien:
- fix check-package errors
- add info in commit log
- rebase patch on v1.6.1 to avoid patch offsets
- add "CVE:" tag in patch
- add comment with patch name near _IGNORE_CVES in .mk
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from LTS 6.6.30 to 6.12.70
- updates U-Boot from 2024.04 to 2026.01
- updates arm-trusted-firmware from v2.10 to v2.12 LTS
- switches to Bootlin external glibc stable toolchain
Note: Using the kernel 6.18.9, the SD card fail at boot:
mmc1: SDHCI controller on 4fb0000.mmc [4fb0000.mmc] using ADMA 64-bit
Waiting for root device /dev/mmcblk1p2...
mmc1: error -110 whilst initialising SD card
So let's use stable kernel 6.12.y for the time being.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
[Julien: update linux.hash comment to use upstream hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Please note that the fix for CVE-2024-52615 introduces CVE-2025-59529
which is not fixed yet (https://github.com/avahi/avahi/pull/808). You
can mitigate this vulnerability by setting the `enable-wide-area=no`
option.
Patch `0011-properly-randomize-query-id-of-DNS-packets.patch` modify
`configure.ac` and then `AVAHI_AUTORECONF` is set.
This commit fixes the following vulnerabilities:
- CVE-2021-3468:
A flaw was found in avahi in versions 0.6 up to 0.8. The event used to
signal the termination of the client connection on the avahi Unix
socket is not correctly handled in the client_work function, allowing
a local attacker to trigger an infinite loop. The highest threat from
this vulnerability is to the availability of the avahi service, which
becomes unresponsive after this flaw is triggered.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2021-3468
- 447affe299
- CVE-2023-38469:
A vulnerability was found in Avahi, where a reachable assertion exists
in avahi_dns_packet_append_record.
https://www.cve.org/CVERecord?id=CVE-2023-38469
- CVE-2023-38470:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_escape_label() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38470
- a337a1ba7d
- CVE-2023-38471:
A vulnerability was found in Avahi. A reachable assertion exists in
the dbus_set_host_name function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38471
- github.com/avahi/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
- CVE-2023-38472:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_rdata_parse() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38472
- b024ae5749
- CVE-2023-38473:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_alternative_host_name() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38473
- b448c9f771
- CVE-2024-52615:
A flaw was found in Avahi-daemon, which relies on fixed source ports
for wide-area DNS queries. This issue simplifies attacks where
malicious DNS responses are injected.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-52615
- 4e2e1ea090
- https://github.com/avahi/avahi/issues/810 (introduce regression CVE-2025-59529)
- CVE-2024-52616:
A flaw was found in the Avahi-daemon, where it initializes DNS
transaction IDs randomly only once at startup, incrementing them
sequentially after that. This predictable behavior facilitates DNS
spoofing attacks, allowing attackers to guess transaction IDs.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-52616
- f8710bdc8b
- CVE-2025-68276:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an
unprivileged local users can crash avahi-daemon (with wide-area
disabled) by creating record browsers with the
AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by
either calling the RecordBrowserNew method directly or creating
hostname/address/service resolvers/browsers that create those browsers
internally themselves.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68276
- 2d48e42d44
- CVE-2025-68468:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier,
avahi-daemon can be crashed by sending unsolicited announcements
containing CNAME resource records pointing it to resource records with
short TTLs. As soon as they expire avahi-daemon crashes.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68468
- f66be13d7f
- CVE-2025-68471:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier,
avahi-daemon can be crashed by sending 2 unsolicited announcements
with CNAME resource records 2 seconds apart.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68471
- 9c6eb53bf2
- CVE-2026-24401:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and
below, avahi-daemon can be crashed via a segmentation fault by sending
an unsolicited mDNS response containing a recursive CNAME record,
where the alias and canonical name point to the same domain (e.g.,
"h.local" as a CNAME for "h.local"). This causes unbounded recursion
in the lookup_handle_cname function, leading to stack exhaustion. The
vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST
is set explicitly, which includes record browsers created by resolvers
used by nss-mdns. This issue is patched in commit
78eab31128479f06e30beb8c1cbf99dd921e2524.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24401
- 78eab31128
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The github repository lathiat/avahi now redirect to avahi/avahi.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Introduce the openscap package. openscap is a command line tool allowing
to scan a system configuration to perform security compliance checks.
The tool consumes XCCDF and OVAL files to perform system evaluation
against a list of policies.
The package provides both a target and a host build configuration, as it
is needed on both sides:
- it is needed on the host to allow building the security policy files
to be embedded on the target
- it is needed on the target to actually parse and evaluate those
security policy files.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
[Thomas:
- Drop dependency on openssl, apparently not needed
- Depend on gcrypt if !nss, as either can be used
- Add missing dependency on libxslt]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libcurl host build support has initially been added with 736e0fc5d6
("libcurl: add host variant") while adding support for host-cargo build,
and reverted with 69e84008ab ("Revert "libcurl: add host variant"")
when standalone cargo build has been removed.
In order to bring in an upcoming commit a new host package that
depends on libcurl, re-enable host-libcurl build support.
This reverts commit w9e84008abf87eaeeb3f2d53c880cf33492a3bf8, with the
exception of the post-patch hook which is no longer needed.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 7eeb574f0e introduced the
libxmlsec1 making libxslt a mandatory dependency, which it isn't.
This commit therefore make libxslt an optional dependency of the
target libxmlsec1 package, and drops the dependency entirely for the
host package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes CVE-2025-14550:
There was a potential DoS vector for users of the
``asgiref.wsgi.WsgiToAsgi`` adapter. Malicious requests, including an
unreasonably large number of values for the same header, could lead to
resource exhaustion when building the WSGI environment.
Changelog: https://github.com/django/asgiref/blob/3.11.1/CHANGELOG.txt
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPIO filesystem generated by the test_firewalld test is too
large, and doesn't fit as an initramfs in the 256MB of RAM available
in the versatilepb machine. This causes a "Initramfs unpacking failed:
write error" when booting, and many files being missing from the root
filesystem, ultimately causing the test to fail.
The test_firewalld test initially started to fail following a systemd
update [1][3]:
[BRTEST# systemctl is-active firewalld
failed
But really started to crash at boot following a python 3.14 update
[2][4]:
Run /init as init process
/init: exec: line 15: /sbin/init: not found
Also, update TestFirewalldSysVInit to use ext2 instead of cpio.
[1] 926e0504d0
[2] a0a6abc8b1
Fixes:
[3] https://gitlab.com/buildroot.org/buildroot/-/jobs/12944797059
[4] https://gitlab.com/buildroot.org/buildroot/-/jobs/11856840940
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issues:
- CVE-2025-13473 (low): Username enumeration through timing difference in mod_wsgi authentication handler
- CVE-2025-14550 (moderate): Potential denial-of-service vulnerability via repeated headers when using ASGI
- CVE-2026-1207 (high): Potential SQL injection via raster lookups on PostGIS
- CVE-2026-1285 (moderate): Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
- CVE-2026-1287 (high): Potential SQL injection in column aliases via control characters
- CVE-2026-1312 (high): Potential SQL injection via QuerySet.order_by and FilteredRelation
See the release notes here:
https://docs.djangoproject.com/en/dev/releases/6.0.2/
Also includes the bugfixes from version 6.0.1:
https://docs.djangoproject.com/en/dev/releases/6.0.1/
Signed-off-by: Manuel Diener <manuel.diener@othermo.de>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Introduce the libxmlsec1 library package. libxmlsec implements XML
security standards.
The library has only a few mandatory dependencies(libxml2 and libxslt
and a crypto library). It needs one of the following cryptographic
libraries: OpenSSL, NSS, or Gcrypt/GNUTLS. Default to openssl for now to
keep the package simple.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security vulnerabilities:
CVE-2026-1584: libgnutls: Fix NULL pointer dereference in PSK binder
verification
A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello
could lead to a denial of service attack via crashing the server.
The updated code guards against the problematic dereference.
CVE-2025-14831: libgnutls: Fix name constraint processing performance issue
Verifying certificates with pathological amounts of name constraints
could lead to a denial of service attack via resource exhaustion.
Reworked processing algorithms exhibit better performance characteristics.
For more details, see the release notes:
https://lists.gnupg.org/pipermail/gnutls-help/2026-February/004914.html
Drop now upstreamed 0001-audit-crau-fix-compilation-with-gcc-11.patch:
f5666f8f1f
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerabilities:
CVE-2025-61732: cmd/cgo: remove user-content from doc strings in cgo ASTs
A discrepancy between how Go and C/C++ comments were parsed allowed for code
smuggling into the resulting cgo binary.
To prevent this behavior, the cgo compiler will no longer parse
user-provided doc comments.
CVE-2025-68121: crypto/tls: unexpected session resumption when using
Config.GetConfigForClient
Config.GetConfigForClient is documented to use the original Config's session
ticket keys unless explicitly overridden. This can cause unexpected
behavior if the returned Config modifies authentication parameters, like
ClientCAs: a connection initially established with the parent (or a sibling)
Config can be resumed, bypassing the modified authentication requirements.
If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on
the server) or InsecureSkipVerify is false (on the client), crypto/tls now
checks that the root of the previously-verified chain is still in
ClientCAs/RootCAs when resuming a connection.
Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar
issue related to session ticket keys being implicitly shared by
Config.Clone. Since this fix is broader, the Config.Clone behavior change
has been reverted.
Note that VerifyPeerCertificate still behaves as documented: it does not
apply to resumed connections. Applications that use
Config.GetConfigForClient or Config.Clone and do not wish to blindly resume
connections established with the original Config must use VerifyConnection
instead (or SetSessionTicketKeys or SessionTicketsDisabled).
For more details, see the announcement:
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Blake3 unconditionally enables C++ support, which unconditionally
requires C++20 when built with cmake >= 3.12, even when this is not
required.
Fixing this does not look trivial, and rather than botching the build,
just require C++20, available from gcc 8.x onward.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Use of threading requires a C++20 compiler, and the oneTBB
implementation. oneTBB is missing from Buildroot, but a system
one may be used if found.
Even if the default for threading is disabled, explicitly state so,
in case the default changes in the future.
Also disable examples, we don't and won't need them.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Ensure that the SHA_CRYPT option is enabled when the system configuration is
set to SHA256/512, as otherwise passwd complains when a password is changed:
passwd
...
Invalid ENCRYPT_METHOD value: 'SHA512'.
Defaulting to DES.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As described in https://gitlab.com/buildroot.org/buildroot/-/issues/160, the
github mirror is getting shut down - So move to the sourceware.org git repo.
The github mirror was originally used because of performance and reliability
issues with sourceware, but that seems be resolved now after server/RAM
upgrades - E.G. from the sourceware news:
April 22, 2024
server2.sourceware.org now has 512GB RAM, thanks Red Hat.
https://sourceware.org/
So change back to fetch glibc (and localedef) from sourceware.org over git.
Notice: The git archiving leads to slightly different paths and permissions
in the tarball, but the file content is identical:
mkdir a && tar -C a -x --strip-components=1 -f \
path/to/glibc-2.42-51-gcbf39c26b25801e9bc88499b4fd361ac172d4125.tar.gz
mkdir b && tar -C b -x --strip-components=1 -f \
path/to/glibc-2.42-51-gcbf39c26b25801e9bc88499b4fd361ac172d4125-git4.tar.gz
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien:
- add missing SoB line
- fix command lines in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Unfortunately, if all optee-related packages are not updated at the same
time, optee-test will not build. This commit bumps all the optee
components at once.
The version bump is needed since optee-examples and optee-test can no
longer compile (compatibility with CMake < 3.5 has been removed from
CMake).
For release details, see:
https://github.com/OP-TEE/optee_os/blob/4.9.0/CHANGELOG.md#op-tee---version-490-2026-01-16
Signed-off-by: Jakob Kastelic <jkastelic@thinksrs.com>
[Julien: add link to release details]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit 0e3ddc9dc8 "{linux,
linux-headers}: split hash file in before and from 6.17" there are two
hash file variants, and symlinks for the individual versions. These
were not updated in 48186093fd "bump
5.{10, 15}.x / 6.{1, 6, 12, 18}.x series".
Fixes: 48186093fd
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Swig has a compiled in absolute path to its data files, which can be
overridden using the SWIG_LIB environment variable:
https://github.com/swig/swig/blob/v4.1.1/Source/Modules/main.cxx#L931-L945
This unfortunately means that host-swig misbehaves when used in the SDK, as
this points to the ${HOST_DIR}/bin of the build, which may not be available
when the SDK is used.
The issue was reported upstream but rejected in
https://github.com/swig/swig/issues/253, so instead add a wrapper script
which calculates a sensible SWIG_LIB relative to the wrapper location unless
SWIG_LIB is set, similar to how we do it for E.G. gcc or pkgconf.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: add quotes to make shellcheck happy]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit [1] introduced a patch to fix CVE-2025-62291. Since [2] the
security patches neeed to reference the vulnerability with the `CVE: `
trailer in the patch header.
[1] b009935e27 package/strongswan: add patch to fix CVE-2025-62291
[2] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
On Buildroot 2025.05.3, Meson's custom LLVM parser uses llvm-config
with a default search path of /usr/bin, causing it to detect the host
system's llvm-config (version 18.1.3) instead of the buildroot-compiled
one. This forces all LLVM-related packages to match version 18.1.3, but
since the host system lacks llvmspirvlib, the build fails. This patch
forces Meson to use the buildroot-compiled llvm-config.
On the master branch, the meson is somehow able to find the right
llvm-config, so reproduction only seems to be possible if the host
machine ships with a newer version as the one buildroot is using.
llvm-config found: YES
([...]/output/host/bin/llvm-config)
21.1.8
Run-time dependency LLVM (modules: bitwriter, core, coverage, engine,
executionengine, instcombine, irreader, libdriver, linker, lto,
mcdisassembler, mcjit, native, option, scalaropts, target,
transformutils, all-targets, coroutines, frontenddriver, frontendhlsl,
lto, windowsdriver) found: YES 21.1.8
Note that LLVM_CONFIG is a CMake option, not a Meson one. This is because
Meson has custom dependency resolution logic for LLVM (see
https://mesonbuild.com/Dependencies.html#llvm). The EXTRA_BINARIES mechanism
cannot be used here, as it only applies to cross-compilation scenarios, which
does not apply to host-mesa3d builds.
Reproduction (On BR2 tag: 2025.05.3):
BR2_x86_64=y
BR2_x86_atom=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_64_GLIBC_STABLE=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.24"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/pc/linux.config"
BR2_LINUX_KERNEL_INSTALL_TARGET=y
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_LLVM=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_I915=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_IRIS=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
Fixes:
llvm-config found: YES (/usr/bin/llvm-config-18) 18.1.3
Run-time dependency LLVM (modules: bitwriter, core, coverage, engine, executionengine, instcombine, irreader, libdriver, linker, lto, mcdisassembler, mcjit, native, option, scalaropts, target, transformutils, all-targets, coroutines, frontenddriver, frontendhlsl, lto, windowsdriver) found: YES 18.1.3
Dependency LLVMSPIRVLib found: NO. Found 15.0.0.0 but need: '>= 18.1' ; matched: '>= 15.0.0.0', '< 18.2'
Run-time dependency llvmspirvlib found: NO (tried cmake)
output/build/host-mesa3d-25.0.6/meson.build:1882:21: ERROR: Dependency lookup for LLVMSPIRVLib with method 'pkgconfig' failed: Invalid version, need 'LLVMSPIRVLib' ['>= 18.1'] found '15.0.0.0'.
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
[Romain:
- Update the commit title
- Update commit log about this issue on master branch
https://lore.kernel.org/buildroot/CACXRmJh1-5Cy92kF9TM5nDs_uB90WAe5iOGmNNL2E-cMhJE7GA@mail.gmail.com/
]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Buildroot commit [1] introduced a new Buildroot-Initialize.cmake file,
to mimic the upstream Linux-Initialize.cmake.
However, this upstream file was introduced in commit [2], which was
introduced in CMake 3.27.
When compiling a cmake package on a host with a cmake older than
version 3.27 (for example, the Buildroot Docker reference image has
cmake 3.25), the configuration fails with the error:
CMake Error at /buildroot/output/host/share/buildroot/Platform/Buildroot-Initialize.cmake:1 (include):
include could not find requested file:
Platform/Linux-Initialize
Call Stack (most recent call first):
/usr/share/cmake-3.25/Modules/CMakeSystemSpecificInitialize.cmake:21 (include)
CMakeLists.txt:20 (project)
CMake version < 3.27 is setting its LINUX predefine elsewhere (see
commit log of [1]), so this commit fixes the issue by simply making
the include optional. This will guarante thee cmake predefines will
be present in all the cases.
Fixes:
[1]
[1] ef9f0a07ed
[2] cc737ae829
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old URL now leads to an HTTP 404 not found error.
Update it to the new one which contains the hashes for the current
release as well as older ones.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The current 'install' target comprises 'install-libs', 'install-apps'
and 'install-docs'.
In our case we don't want to install documentation to the target, so
just run the other two.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
It should be noted that because the python bindings have wrong default
include dirs, they are useless if the includes are not provided
externally.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When BR2_UCLIBC_INSTALL_UTILS is enabled, utils such as getconf, ldd,
locale get installed to TARGET_DIR. However, they do not get installed
to STAGING_DIR, which is annoying as it means that they are not part
of external toolchains built by Buildroot.
This commit adjusts the uclibc package to make sure those tools also
get installed to STAGING_DIR.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The UCLIBC_INSTALL_UTILS_STAGING is really badly named, as it doesn't
install anything to STAGING_DIR. Instead, it installs the host variant
of ldd and ldconfig into $(HOST_DIR)/bin. Therefore, rename it to
UCLIBC_INSTALL_HOST_UTILS.
This is important as a follow-up commit will re-introduce a
UCLIBC_INSTALL_UTILS_STAGING variable which really installs things
into STAGING_DIR.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream is dead, website unreachable, and the use case in 2026 is
dubious, so drop the package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The ukify tool can be used to create Unified Kernel Images.
Signed-off-by: Bram Vlerick <bram.vlerick@openpixelsystems.org>
[Arnout:
- Remove the target option.
- Use enabled/disabled instead of true/false.
- Always enable for host build.
- Add dependency on host-python-pefile.
]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
When building system binaries you may not even want TCG support if you
are only intending to use KVM. Provide the options so the user can
select only what they need.
With only KVM selected the QEMU build will generally only build the
binary for your target system. We keep TCG support on by default so as
not to break existing defconfigs.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Although it is possible to configure an AArch64 CPU without support
for EL2 in practice all the common AArch64 have supported
virtualisation from the start.
If we really wanted to be strict we could blacklist known non-EL2 CPUs
but AFAICT all the current ones in the config have EL2.
I should also note KVM on Arm is deprecated and was removed from the
kernel in v6.10.
Reviewed-by: Jesse Taube <jesse@rivosinc.com>
Reviewed-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The current generated cJSONConfig.cmake holds hard coded path of libraries and makes it impossible to use in SDKs.
Use CMakePackageConfigHelpers and @PACKAGE_INIT@ to make them suit for real environment dynamically.
Signed-off-by: Guillaume Chaye <guillaume.chaye@zeetim.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The .mk file currently states:
If LWS_MAX_SMP=1, then there is no code related to pthreads
compiled in the library. If unset, LWS_MAX_SMP defaults to 32 and a
small amount of pthread mutex code is built into the library.
However, this is incorrect: when unset, LWS_MAX_SMP is actually set to
1, so mutexes aren't built in.
To fix, set it to 32 explicitly when threads are enabled. Why 32?
Because
https://libwebsockets.org/lws-api-doc-master/html/md_README.coding.html
states:
You can control the context basic data allocation for
multithreading from Cmake using -DLWS_MAX_SMP=, if not given it's
set to 32.
Signed-off-by: Bart Van Severen <bart.vanseveren@barco.com>
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When given a certificate directory with --with-ca-path, curl doesn't
list the files in that directory. Instead, it uses the certificate hash
to directly open the requested CA certificate. Therefore, putting a
bundle in that directory and removing all the individual certificates is
not possible.
In order to support use of the bundle, a separate configuration option
--with-ca-bundle is needed. With this option, it is possible to remove
the individual certificates and include just the bundle, which reduces
the size of the root filesystem a bit.
Note that the bundle is generated by the ca-certificates package, which
also installs the individual certificates and the hash symlinks. It
keeps both individual certificates and the bundle in the target.
Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Changes:
- Fix memory leak in which() on realloc() failure
- Fix pidfile() to handle missing trailing slash in prefix path
Changes to src/pidfile.c do not affect the licensing terms, but
require updating the hash of this file that is used as one of the
license files.
https://github.com/troglobit/libite/releases/tag/v2.6.2
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Unfortunately, parts of the library is not very no-MMU friendly atm.
The below check fails due to runbg.c requiring fork().
$ ./utils/test-pkg -c libite.config -p libite
bootlin-armv5-uclibc [1/6]: OK
bootlin-armv7-glibc [2/6]: OK
bootlin-armv7m-uclibc [3/6]: FAILED
bootlin-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: OK
arm-aarch64 [6/6]: OK
The dependency was introduced in libite v2.6.0, so this patch should
be backported to v2025.02.x.
Fixes:
https://autobuild.buildroot.net/results/6c6fd2ae410a82c44da54ee13a09a38a7ab220c1/
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the latest U-Boot update, U-Boot now handles this step in the
board setup removing the need to set this from a custom boot script.
Remove redundant fdt set command from boot script.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump Linux to latest release tag: linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a kernel bump to
v6.12.48.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump U-Boot to latest release tag: linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a U-Boot version
bump to v2025.07.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump Linux to latest release tag linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a kernel version
buump to v6.12.48 and a GPIO driver fix.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump U-Boot to latest release tag linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a U-Boot version
update from v2023.07 to v2025.07.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
There are several use cases for installing additional files in the boot
partition that is read by the RPi firmware.
- autoboot.txt is an optional configuration file for the RPi
firmware [1]. Supporting several autoboot files will enable A/B
setups, as using the renameat2() system call with the RENAME_EXCHANGE
flag will let users atomically replace one autoboot configuration
file with the other. This improves reliability in the case of an
update which could potentially be interrupted.
- Multiple cmdline.txt files are useful in the context of a new
[boot_partition] conditional filter introduced in config.txt in
commit [2]. This is useful for A/B systems to have identical BootFS
partitions on both slots, and not have to edit the kernel command line
to ensure the kernel will load the right rootFS after update of the
BootFS.
- rpi-firmware contains DTB overlays for many "standard" hats, but a
custom hat may require a custom overlay.
Although it is possible to install additional files in the boot
partition in the post-image script, it is very convenient to be able to
use the standard RPi post-image script in
board/raspberrypi/post-image.sh. That script looks in
$BINARIES_DIR/rpi-firmware, so it is convenient to be able to place
additional files there.
Add the option BR2_PACKAGE_RPI_FIRMWARE_EXTRA_FILES which is simply a
list of files to be copied to $BINARIES_DIR/rpi-firmware, which will
eventually end up as the boot partition. Make sure that this is done as
the last step of RPI_FIRMWARE_INSTALL_IMAGES_CMDS, so the files can
override files installed by earlier steps.
[1] https://www.raspberrypi.com/documentation/computers/config_txt.html#autoboot-txt
[2] d50b2b32f1
Signed-off-by: Olivier Benjamin <olivier.benjamin@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
For release notes, see:
https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0
The --without-osmesa configure option was removed upstream, in
commit [1]. This commit removes the options from _CONF_OPTS.
Also, since upstream commit [2], the /usr/bin/wine program became
a "tool". It needs to be enabled when cross-compiling. As suggested
in [3], this commit adds --enable-tools in WINE_CONF_OPTS.
This commit also updates the LICENSE file hash, after year
update in [4].
[1] 370e7d9a50
[2] 6d28db86c9
[3] https://bugs.winehq.org/show_bug.cgi?id=57847
[4] ab59cc16c5
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Adds a new user-configurable string to arch/Config.in.riscv, and in
arch/arch.mk.riscv appends it to GCC_TARGET_ARCH.
This enables custom extensions/combinations to be easily configured.
Signed-off-by: Charlie Jenkins <charlie@rivosinc.com>
Reviewed-by: Jesse Taube <Mr.Bossman075@gmail.com>
[Arnout:
- fix check-package warnings
- introduce ARCH_RISV_ISA_EXTRA to simplify stripping of quotes
]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This commit adds the -N/--needs-update option, disabled by default,
to list only packages with newer upstream versions. All other packages
will be excluded from the HTML or JSON output.
Signed-off-by: Kadambini Nema <kadambini.nema@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Commit 105e4618c5 added a patch to fix
CMake 4 compatibility, but due to line endings issues the patch
doesn't apply properly. This commit fixes the patch so that it does
apply as it should.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently, the relocate-sdk.sh script scans the whole extracted SDK tree
to find instances of paths it needs to replace, which can take a
significant amount of time when the SDK is large, particularly relative
to the number of files that actually need to change.
However, the resulting list only depends on the SDK tarball itself, so
we can calculate it at build time and ship it with the tarball so
relocate-sdk.sh can use it directly.
Testing this on my machine with somewhat IOPS-limited rotating media,
the time goes down from:
$ time ./relocate-sdk.sh
Relocating the buildroot SDK from [...] to [...] ...
./relocate-sdk.sh 5.19s user 26.21s system 9% cpu 5:34.40 total
To:
$ time ./relocate-sdk.sh
Relocating the buildroot SDK from [...] to [...] ...
./relocate-sdk.sh 0.49s user 0.29s system 103% cpu 0.749 total
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Commit [1] bumped glibc from 2.42-3-gbc13db739 to 2.42-51-gcbf39c26b
to fix some CVEs, but forgot to add those CVEs to GLIBC_IGNORE_CVES.
This was needed because the GLIBC_CPE_ID_VERSION used for CVE checks
remains to the same value "2.42" which is marked as vulnerable to
those CVEs.
This commit adds those _IGNORE_CVES with the corresponding upstream
commit references, to make sure they will not be reported by the
"make pkg-stats" command.
Fixes:
- [1]
[1] 18de297a5a
Cc: Waldemar Brodkorb <wbx@openadk.org>
Cc: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When running "make pkg-stats" on a host with Python 3.14 (e.g.
Fedora 43 for example), the execution fails with the error:
Checking URL status
Traceback (most recent call last):
File "/buildroot/support/scripts/pkg-stats", line 1387, in <module>
__main__()
~~~~~~~~^^
File "/buildroot/support/scripts/pkg-stats", line 1368, in __main__
loop = asyncio.get_event_loop()
File "/usr/lib64/python3.14/asyncio/events.py", line 715, in get_event_loop
raise RuntimeError('There is no current event loop in thread %r.'
% threading.current_thread().name)
RuntimeError: There is no current event loop in thread 'MainThread'.
This is due to a breaking change introduced in Python 3.14
asyncio.get_event_loop(). See [1]. Before Python 3.14, this call was
creating and setting an event loop if there was none. This situation
is now a runtime error.
In order to fix this issue with newer Python version, while keeping
backward compatibility, this commit replaces the code:
loop = asyncio.get_event_loop()
by an explicit event loop creation:
loop = asyncio.new_event_loop()
asyncio.set_event_loop(loop)
This commit was tested on a Fedora 43 host with Python-3.14.2, and
with the Buildroot Docker image plus the python3-aiohttp package
which is a Debian 12 with Python-3.11.2.
[1] https://docs.python.org/3.14/library/asyncio-eventloop.html#asyncio.get_event_loop
Signed-off-by: Julien Olivain <ju.o@free.fr>
Tested-by: Vincent Fazio <vfazio@xes-inc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commits [1] and [2] are installing host SDK files
"$(HOST_DIR)/usr/share".
check-package (see [3]) reports the error:
package/pico-sdk/pico-sdk.mk:23: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
package/pico-sdk/pico-sdk.mk:24: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
package/picotool/picotool.mk:15: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
This commit installs the host SDK files to "$(HOST_DIR)/share" to fix
this error.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/12970341499
[1] ceb800d3c6
[2] 926381d360
[3] 29a0dd4a30
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Currently, when both libnss and GnuTLS are present, NetworkManager will
get linked to libnss.
The NetworkManager project doesn't recommend one over the other
officially and has supported both from day one back in 2007.
Arguments which one to prefer can be made in either direction:
Points in favor of libnss:
- It's the default value in the NM build system, so it would be the
preferred backend if both are available and we didn't supply any
options to the build process
- It's probably the more mature of the two, given that it's being used
in Mozilla products
Points in favor of GnuTLS:
- While both backends seem feature-equivalent, the
_nm_crypto_verify_pkcs8 function is stubbed out in the libnss
code[1].
- Both Debian and Fedora explicitly select GnuTLS in their packages. At
least in the case of Fedora it seems to have been a conscious
choice[2].
Given what it's actually used for in the code base, the choice does not
matter a lot. However, since it is marginally more feature-complete and
seems to be preferred by other distributions, let's switch to GnuTLS.
[1] 36f8de25c4/src/libnm-crypto/nm-crypto-nss.c (L523-540)
[2] 29a9c41bea
Signed-off-by: Florian Larysch <fl@n621.de>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
The network-manager package currently pulls in either gnutls or libnss,
neither of which are very common and it might be the only reason why
they are present on a system.
However, most of NetworkManager works just fine without any cryptography
support, it only seems to be used in test cases and 802.1X support code.
Remove the dependency but use a library if it is present.
Note that this changes the default behavior. If network-manager was the
only package pulling in gnutls, it won't do this anymore and use the
"null" backend. Add a note about this to the manual.
Signed-off-by: Florian Larysch <fl@n621.de>
Tested-by: Marcus Hoffmann <buildroot@bubu1.eu>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Marcus: Change buildroot version to 2026.02 in migrating.adoc]
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Add BR2_PACKAGE_DPDK_APPS_LIST to control which DPDK applications are
built:
- empty : use DPDK defaults
- none : disable all apps (-Ddisable_apps='*')
- list : pass to -Denable_apps= (comma-separated)
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_LIBS_LIST to control which DPDK libraries are
built:
- empty : use DPDK defaults
- none : disable all libs (-Ddisable_libs='*')
- list : pass to -Denable_libs= (comma-separated)
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_DRIVERS_LIST to control which DPDK applications are
built:
- empty : use DPDK defaults
- none : disable all drivers (-Ddisable_drivers='*/*')
- list : pass to -Denable_drivers= (comma-separated)
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
[Julien: slightly change the drivers Config.in help text:
- rename net/ixgbe to net/intel/ixgbe
- change find -maxdepth value to 3
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When the host system has asciidoctor and po4a/poman installed,
util-linux detect them and automatically enable manual pages and
their translations. This can significantly increase the package
build time (in my case, from 20s to 1m50s). See upstream
commit [1] and [2].
Since manual pages are not needed in Buildroot, this commit adds in
_CONF_OPTS for host host and target variants the options to always
disable the detection of those programs (--disable-asciidoc
--disable-poman). This will always disable the generation of manual
pages.
Note: Buildroot attempts to globally disable documentation for
autotools packages by passing various --disable-docs configure
options (see [3]), but those are not recognized by util-linux.
This commit also reorder the options for UTIL_LINUX_CONF_OPTS.
[1] 9acfc349e0
[2] 236421a491
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.11/package/pkg-autotools.mk#L184-186
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
There are multiple defconfig fragments we can select to modify the final
tiboot3.bin image to support different boot methods or enable features
supported by a board. Allow the ti-k3-r5-loader package to select
defconfig gragments during a build
Signed-off-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
LLVM is already implicitly enabled for host-mesa3d when
BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER is selected. This blind
option is automatically enabled when LLVM is required by drivers such
as intel-iris, panfrost, imagination, or intel-vulkan.
The BR2_PACKAGE_MESA3D_LLVM option also independently selects host-llvm,
but this change makes the dependency more explicit for host-mesa3d
builds.
Note that disabling LLVM is not possible for host-mesa3d, as the build
will fail with:
../../../br-test-pkg/bootlin-armv5-uclibc/build/host-mesa3d-25.3.2/meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Backport two security fixes from upstream. They are in newer releases,
but to facilitate backporting to our LTS releases, this backports the
fixes.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The dependencies on Boost.System, Boost.Filesystem were removed in
v23.0 [0][1] and Boost.Thread in v21.99 [2].
This was never reflected in the Buildroot package so do it now.
[0] 07269321f3
[1] b87f9c5edf
[2] 06e1d7d81d
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit [1] added the "Upstream:" package patch tag, but forgot to
remove the corresponding .checkpackageignore entry.
This commit fixes that.
Fixes:
package/efl/0001-ecore_fb-fix-build-with-tslib.patch:0: lib_patch.Upstream was expected to fail, did you fix the file and forget to update .checkpackageignore?
[1] bac34296bf
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: Fix flake8 warning, use http.server instead of relying on
connectivity]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch 0001 has the upstream information, just not properly formatted,
so we fix this.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Thomas: extracted from a bigger patch from Bernd]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
According to the official requirements, bindgen needs libclang to
parse C/C++ headers. libclang is loaded at runtime by bindgen, which
is why we didn't notice any build issue. However, using bindgen on a
simple header file blows up:
thread 'main' panicked at bindgen/lib.rs:616:27:
Unable to find libclang: "couldn't find any valid shared libraries matching: ['libclang.so', 'libclang-*.so', 'libclang.so.*', 'libclang-*.so.*'], s
et the `LIBCLANG_PATH` environment variable to a path where one of these files can be found (invalid: [])"
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
So far, bindgen was only used by mesa3d, and it turns out that mesa3d
also depends on clang, which pulls in host-clang, so the problem was
not visible. However, as we're about to use bindgen for other
things (namely Rust support in Linux), this issue needs to be fixed.
See:
https://rust-lang.github.io/rust-bindgen/requirements.html
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mpg123 supports (and prefers) SDL2 as well for the sdl backends since 1.26.9
with:
792615f651
So support that here as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Arm Trusted Firmware (TF-A) can be used to load U-Boot or another
bootloader, which in turn loads the Linux kernel. However, TF-A is
capable of loading the kernel directly. To this end, we need to define
the BL33 and BL33_CFG compile options containing, respectively, the
zImage and the DTB.
This config introduces a new config option,
BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33, which sets the BL33 and
BL33_CFG parameters, and ensures that the kernel is built before the
TF-A by having linux as a _DEPENDENCY of the TF-A.
Signed-off-by: Jakob Kastelic <kastelic.jakob@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The new target provides a convenient way to run utils/check-package on
any external trees, using .checkpackageignore files from the
respective trees if present.
While .checkpackageignore should be used as little as possible, in a
few cases adding overrides for false-positives to the affected files
is not feasible, a practical example of this is a Markdown file
misidentified as Python by libmagic (likely due to code blocks).
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Arnout: set ${ignore} explicitly to empty, in case it exists in the
environment.]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The test failed in the past, due to kbd build failure. See [1].
This specific issue was fixed by commit [2].
This commit was originally written to workaround this issue, which was
unrelated to the actual package being tested. Since systemd-vconsole
is not needed anyway, this commit removes it from the test config.
[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/12363929666
[2] d98d9ba28f
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: reword the commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Testing with a really old toolchain is helpful to catch issues related
to kernel headers version issues, gcc version issues, etc. We chose a
glibc toolchain though as old musl or uClibc-ng versions tend to lack
a number of features that are needed by modern software.
This toolchain is placed near the top of toolchain-configs.csv, so
that it is used as part of the "base" set of toolchain that test-pkg
uses, even without the -a option.
test-pkg takes the 6 first toolchains of this CSV file for its base
test, and actually the comment in toolchain-configs.csv was wrong
since commit 53a8c5150e, which removed a
toolchain from the base set, but not realizing that test-pkg would
anyway continue to test the first 6 toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The prebuilt MIPS64 toolchains are very old, causing build issues (for
example recently with the systemd v258 update). Replace them both a
single toolchain configuration that uses one of the mips64el Bootlin
toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- br-i386-pentium4-full.config as an x86 32-bit toolchain test is
already reasonably covered by bootlin-x86-i686-musl.config
- br-microblazeel-full-internal.config as a Microblaze toolchain test is
already reasonably covered by bootlin-microblazeel-uclibc.config
- br-powerpc-internal-full.config and br-powerpc-603e-basic-cpp.config
as PowerPC 32-bit toolchain tests are already reasonably covered by
bootlin-powerpc-e500mc-uclibc.config
- br-powerpc64-power7-glibc.config as a PowerPC 64-bit toolchain test
is already reasonably covered by
bootlin-powerpc64le-power8-glibc.config
- br-riscv64-full-internal.config as a RISC-V 64-bit toolchain test is
already reasonably covered by bootlin-riscv64-glibc.config and
bootlin-riscv64-musl.config
- br-s390x-z13-internal-glibc.config as a s390 toolchain test is
already reasonably covered by bootlin-s390x-z13-glibc.config
- br-xtensa-full-internal.config as an Xtensa toolchain test is
already reasonably covered by bootlin-xtensa-uclibc.config
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building internal toolchains takes a long time, and since the
differences between the 3 internal ARM toolchains is just the libc,
and we're already testing uclibc/musl with external toolchains, it
doesn't make much sense to build 3 different ARM internal toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We're already testing the ARC architecture with one Bootlin toolchain,
it doesn't make sense to also test with two Buildroot internal
toolchains the ARC architecture, which is not a primary architecture
for Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Added four upstream patches backported from FreeRDP 3.x.
The remaining build error:
/home/bernd/buildroot/output/build/freerdp-2.11.7-18-g0ee17e2f8e49d56ab5b90d5160fa8f87ffc445e0/
channels/client/tables.c:129:22:
error: initialization of ‘UINT (*)(void)’ {aka ‘unsigned int (*)(void)’}
from incompatible pointer type ‘UINT (*)(void *)’ {aka ‘unsigned int (*)(void *)’}
[-Wincompatible-pointer-types]
129 | { "oss", "", oss_freerdp_rdpsnd_client_subsystem_entry },
is fixed by adding -Wno-incompatible-pointer-types to CFLAGS due to
tables.c being dynamically created during the build and backporting the
supposed upstream fix
fe6d861a5c
is too invasive.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We're about to bump abseil to a version >= 20250512.02, which requires
C++17, meaning that protobuf/grpc will also C++17. This in turn means
that the grpc support in collectd will also need C++17.
So just like our current patch 0002-configure.ac-fix-grpc-build.patch
updates the collectd logic from C++11 to C++14, this new
patch (accepted upstream) updates the collectd logic again from C++14
to C++17.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In linux 6.17, the license file LICENSES/preferred/GPL-2.0 was modified.
As a result, also its hash changed, and the hash was duly updated in
commit d6c0f0015b. Of course, this is only
valid for kernel versions from 6.17 - but at the time, we only set
LINUX_LICENSE_FILES for the latest kernel version, not for any other
kernel versions.
Since commit 305a2d91731fade45f35c259cb012bdf17e8dbeb, we also set
LINUX_LICENSE_FILES for all other versions, including e.g. the CIP
versions. Similarly, we now set LICENSE_FILES for all linux-headers
versions. Thus, the hash check of the license file fails for all older
kernel versions.
Fix this by splitting the hash file in two hash files: before-6.17 and
from-6.17. We keep just two hash file rather than a separate one for
each version to limit the number of files that need to be updated when
bumping kernel versions. Create symlinks for all the CIP version in
linux and for all supported versions in linux-headers.
Include the CIP versions as well for linux-headers. They are used when
the kernel is set to the CIP version and linux-headers to
same-as-kernel.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The linux-headers package was not providing any license file for any
version other than the latest one.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
For the headers-as-kernel case, use LINUX_LICENSE_FILES and disable the
Kconfig option entirely.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The AT91Bootstrap3 package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Note that version 3.X of at91bootstrap didn't have an open source
license and no license file either. Keep that behavior.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The ATF package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The Barebox package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The OpenSBI package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The OP-TEE OS package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The U-Boot package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The Linux package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Building berkeleydb is broken with a non-threaded toolchain with gcc >=
14.x:
../src/rep/rep_method.c:1740:25: error: implicit declaration of function
'__repmgr_get_nsites'; did you mean '__rep_get_nsites'?
[-Wimplicit-function-declaration]
1740 | return (__repmgr_get_nsites(env, n));
According to src/repmgr/repmgr_util.c, line 503+, the function
'__repmgr_get_nsites' mentioned in the gcc error message "may only be
called after threads have been started".
This source file repmgr_util.c belongs to REPMGR_OBJS according to
dist/Makefile.in, line 249+, which is, according to dist/configure.ac,
line 956, only build if thread support is present.
In a non-threaded build '__repmgr_get_nsites' does not exist causing the
build error.
To fix the build error we disable replication for non-threaded
toolchains.
Using gcc 13.x the build error does not occur, tested with this
defconfig:
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_GCC_VERSION_13_X=y
BR2_PACKAGE_BERKELEYDB=y
Using this minimal gcc 14.x-based defconfig
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_PACKAGE_BERKELEYDB=y
the build error can be reproduced.
The oldest build error of this kind, afaics, dates back to 2024-06-13:
https://autobuild.buildroot.net/results/e0d/e0d6bdbef01bee277b0da83605b2906af876058a/
Fixes:
https://autobuild.buildroot.net/results/792/792ed942d17bb8d00cd321536a102f6dd63b6a8a/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The package imports itself in setup.py to get the package-name and
version number. Dping this during the buildroot build would require
buisling host-python with sqlite support, which we are currently not set
up for. It also seems wasteful for just extracting the version number
and package name, so instead we replace the import by using a hardcoded
package-name and the version number stored in buildroot.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a defconfig to run Linux on a large range of 32-bit HP PA-RISC 1.1
Workstations, such as the HP 9000 700 and Visualize workstations.
While at it, add this defconfig to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Palo is a PA-RISC/Linux boot loader.
It can be used to make bootable disk images or network bootable images.
While at it, add this boot package to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a defconfig to run Linux on a HP Visualize B160L PA-RISC
Workstation, emulated with Qemu.
While at it, add this defconfig to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Romain Naour <romain.naour@gmail.com>
[Julien: update kernel to 6.18.7 to align with other qemu defconfigs]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add support for the Precision Architecture (a.k.a. PA-RISC),
a 32-bit architecture developed by Hewlett Packard.
While at it, add this arch to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
[Julien: arch "arch/" prefix in commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a host-picotool package to picotool.
This will allow users to build rpi pico applications on the host system.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a host-pico-sdk package to pico-sdk.
This will allow users to build rpi pico applications on the host system.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
pico-sdk and picotool 2.x.x adds support for the rp2350 bump package to
latest version.
picotool needs mbedtls for --hash --sign and --offset.
Clone submodules in pico-sdk to provide the nessasaary files for
picotool to build and link mbedtls and other optional libraries.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See here for changes:
https://nginx.org/en/CHANGES-1.28
Following security related issues are fixed:
*) Security: processing of a specially crafted login/password when using
the "none" authentication method in the ngx_mail_smtp_module might
cause worker process memory disclosure to the authentication server
(CVE-2025-53859).
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash
(CVE-2024-7347).
Thanks to Nils Bars.
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session might cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or might have
potential other impact (CVE-2024-32760, CVE-2024-31079,
CVE-2024-35200, CVE-2024-34161).
Thanks to Nils Bars of CISPA.
Update patch 0007, which does not apply cleanly.
License file was changed, year was bumped to 2025.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For change log since 1.9.0, see:
https://codeberg.org/ivarch/pv/src/tag/v1.10.3/docs/NEWS.md
Upstream commit [1], included in version 1.9.42, introduced a use
of fork(). This commit adds this new dependency.
The pgp key ID used to sign the source archive changed. This commit
updates the comment in the hash file.
[1] fb7c05c262
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 99585db1e8 bumped the
package from version 9.21.4 to 9.33.0.
Upstream added std::atomic to drbdmon with commit
3baf945732
to version 9.25.0 causing build errors:
/home/autobuild/autobuild/instance-2/output-1/per-package/drbd-utils/host/bin/../lib/gcc/microblazeel-buildroot-linux-uclibc/14.3.0/../../../../microblazeel-buildroot-linux-uclibc/bin/ld:
MessageLogNotification.o: in function `MessageLogNotification::query_log_changed()':
(.text+0xe8): undefined reference to `__atomic_exchange_1'
Fixes:
https://autobuild.buildroot.net/results/741/741606000c26bc994f243b0b865d26ff25592caa/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since its introduction in [1], by default the `generate-cyclonedx`
script doesn't include buildroot's virtual packages in its 'components'
list, unless using the `--virtual` argument.
References to virtual packages present in the 'show-info' output are
filtered out in the resulting dependencies.
This patch fix the default CycloneDX dependencies generation
without virtual packages to reference the packages that provide the
virtual package instead of just dropping the virtual package itself.
If we use the package `lbase64` that depends on the virtual package
`luainterpreter` as an example. The 'dependency' entry looks like the
following:
```
{
"ref": "lbase64",
"dependsOn": [
"host-skeleton",
"skeleton-init-common",
"skeleton-init-sysv",
"toolchain-external-bootlin"
]
}
```
The `luainterpreter` dependency is missing.
After applying this patch, package that provides the `luainterpreter` is
present:
```
{
"ref": "lbase64",
"dependsOn": [
"host-skeleton",
"lua",
"skeleton-custom",
"skeleton-init-sysv"
]
}
```
In the case of a virtual package provided by multiple packages all those
packages will be listed. This happens when generating an SBOM on the
entire Buildroot packages.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the introduction of the `generate-cyclonedx` script in [1] the
dependencies were 'recursive'. This means that the dependencies of a
package dependency were included.
The CycloneDX spec [2] states that only direct dependencies needs to be
included.
This patch drop the recursive dependencies.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
[2] https://cyclonedx.org/docs/1.6/json/#dependencies
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The definition of the project name & version is stored under the
`metadata:component` CycloneDX property.
Since the introduction of the `generate-cyclonedx` script [1] a
'buildroot' dependency entry that depends on every components has been
part of the generated SBOM.
Tools such as 'DependencyTrack' relies on such entry to create graph of
the entire project.
With the commit [2] that introduced the option to pass a custom project
name and version, this dependency reference was not updated to match the
custom 'bom-ref'.
This patch fixes the reference to match the custom project name.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
[2] 9cbbc47762 utils/generate-cyclonedx: add project name and version options
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Brings additional optimizations and bugfixes:
Fix to heap buffer overflow in vp9_deblock, vp9_post_proc_frame, and
vp9_pack_bitstream.
Fix to integer overflow in vp9_highbd_post_proc, vp9_rc_regulate_q,
tiny_ssim, and vp9_calc_pframe_target_size_one_pass_cbr.
Fix to use-of-uninitialized-value in vp9_highbd_post_proc, mfqe, and
vp8_datarate_test.
Fix to out-of-bounds in log_tile_cols_from_picsize_level.
Fix to double free on initialization failure in vpx_codec_enc_init_multi.
Fix to division-by-zero crash in vpxenc with 0 FPS numerator input.
Fix to various build failures for Arm/SVE2, macOS cross-compilation, and
Xcode 16.
https://chromium.googlesource.com/webm/libvpx/+/refs/tags/v1.16.0
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps the Linux kernel to version 6.18.8 and U-Boot to version 2026.01.
Tested on FriendlyElec NanoPi R3S.
Signed-off-by: Patrik Olsson <johan.patrik.olsson@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps the Linux kernel to version 6.18.8 and U-Boot to version 2026.01.
Tested on Radxa ROCK 4SE.
Signed-off-by: Patrik Olsson <johan.patrik.olsson@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update all qemu defconfigs to the latest Kernel LTS version.
configs/qemu_ppc_*defconfig now requires host-libelf, so this commit
selects BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF for those.
This commit also enables zstd-compressed modules support in
qemu_loongarch64_virt_efi_defconfig, due to upstream commit [1] which
added CONFIG_MODULE_COMPRESS_ZSTD=y in its arch defconfig.
This commit also updates the custom hash file comment to add the
upstream link.
All updated defconfigs were tested (compiled and booted).
[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3c272a7551af1c10f6dbba0e71add7dccc7733fa
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
https://github.com/nodejs/node/blob/v22.22.0/doc/changelogs/CHANGELOG_V22.md
List of security fixes:
22.22.0:
(CVE-2025-59465) add TLSSocket default error handler
(CVE-2025-55132) disable futimes when permission model is enabled lib,
permission:
(CVE-2025-55130) require full read and write to symlink APIs src:
(CVE-2025-59466) rethrow stack overflow exceptions in async_hooks src,
lib:
(CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill
toggle tls:
(CVE-2026-21637) route callback exceptions through error handlers
22.17.1:
(CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path
Traversal Protection in path.normalize()
Version 22.18.0 includes
a2d2d36bb1
which fixes build errors with python 3.14
"ImportError: cannot import name 'FancyURLopener' from 'urllib.request'"
introduced by buildroot commit a0a6abc8b1.
Updated license hash due to upstream commits:
ec60473ab10b5613f9fe0edf17198f
Switched _SITE to https.
Fixes:
https://autobuild.buildroot.net/results/da8/da82dc03cf0d42463fff1b5d9bf7a3c18cbf44dd/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Move the content referring to the LTS information from the 'support' page
into a dedicated page.
Also add LTS specific information about the sponsoring and the benefits.
This page also contains clarification on the release cycle of the LTS.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Fixes the following vulnerabilities:
CVE-2025-11187 - Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
CVE-2025-15467 - Stack buffer overflow in CMS AuthEnvelopedData parsing.
CVE-2025-15468 - NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
CVE-2025-15469 - ‘openssl dgst’ one-shot codepath silently truncates inputs >16MB.
CVE-2025-66199 - TLS 1.3 CompressedCertificate excessive memory allocation.
CVE-2025-68160 - Heap out-of-bounds write in BIO_f_linebuffer on short writes.
CVE-2025-69418 - Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
CVE-2025-69419 - Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
CVE-2025-69420 - Missing ASN1_TYPE validation in TS_RESP_verify_response() function.
CVE-2025-69421 - NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
CVE-2026-22795 - Missing ASN1_TYPE validation in PKCS#12 parsing
CVE-2026-22796 - ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
For more details, see the announcement:
https://openssl-library.org/post/2026-01-27-release-announcement/
Drop now upstreamed 0004-Scope-aes_cfb128_vaes_encdec_wrapper-to-x64.patch:
f529d26591
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release announce, see:
https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000501.html
gnupg2 version from 2.5.13 to 2.5.16 (inclusive) are affected by
the following issue:
A crafted CMS (S/MIME) EnvelopedData message carrying an oversized
wrapped session key can cause a stack buffer overflow in gpg-agent
during the PKDECRYPT--kem=CMS handling. This can easily be used for a
DoS but, worse, the memory corruption can very likely also be used to
mount a remote code execution attack. The bug was introduced while
changing an internal API to the FIPS required KEM API.
Fixes:
https://dev.gnupg.org/T8044
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerabilities:
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP
archives
archive/zip used a super-linear file name indexing algorithm that is
invoked the first time a file in an archive is opened. This can lead to a
denial of service when consuming a maliciously constructed ZIP archive.
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm
When parsing a URL-encoded form net/http may allocate an unexpected amount
of memory when provided a large number of key-value pairs. This can
result in a denial of service due to memory exhaustion.
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated
session ticket keys, session resumption does not account for the
expiration of full certificate chain
The Config.Clone methods allows cloning a Config which has already been
passed to a TLS function, allowing it to be mutated and reused.
If Config.SessionTicketKey has not been set, and
Config.SetSessionTicketKeys has not been called, crypto/tls will generate
random session ticket keys and automatically rotate them. Config.Clone
would copy these automatically generated keys into the returned Config,
meaning that the two Configs would share session ticket keys, allowing
sessions created using one Config could be used to resume sessions with
the other Config. This can allow clients to resume sessions even though
the Config may be configured such that they should not be able to do so.
- CVE-2025-61731: cmd/go: unexpected code execution when invoking toolchain
The Go toolchain supports multiple VCS which are used retrieving modules
and embedding build information into binaries.
On systems with Mercurial installed (hg) downloading modules (e.g. via go
get or go mod download) from non-standard sources (e.g. custom domains)
can cause unexpected code execution due to how external VCS commands are
constructed.
On systems with Git installed, downloading and building modules with
malicious version strings could allow an attacker to write to arbitrary
files on the system the user has access to. This can only be triggered by
explicitly providing the malicious version strings to the toolchain, and
does not affect usage of @latest or bare module paths.
The toolchain now uses safer VCS options to prevent misinterpretation of
untrusted inputs. In addition, the toolchain now disallows module version
strings prefixed with a "-" or "/" character.
- CVE-2025-61730: crypto/tls: handshake messages may be processed at the
incorrect encryption level
During the TLS 1.3 handshake if multiple messages are sent in records that
span encryption level boundaries (for instance the Client Hello and
Encrypted Extensions messages), the subsequent messages may be processed
before the encryption level changes. This can cause some minor
information disclosure if a network-local attacker can inject messages
during the handshake.
For details, see the announcement:
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit bf3626002f ("system cfg: remove mkpasswd MD5 format option") dropped
the MD5 option, so stop referring to it from the sha256 one to limit
confusion.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Remove the '-x' option from the shebang, which was a leftover from the
debugging phase and not intended for the final submission.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a missing space in the "Creating SD card" section of the
documentation.
Fixes: 1a1239fd28 ("configs/stm32f769_disco_sd_defconfig: new defconfig")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a missing space in the "Creating SD card" section of the
documentation.
Fixes: 04a0094f0e ("configs/stm32f469_disco: fix kernel bootup")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Version 0.24.7 change log:
* decoder
- ffmpeg: allow seeking only if both AVFormatContext and InputStream allow it
* playlist
- cue: strip UTF-8 byte order marker
* Linux: disable the iowait state for io_uring
* fix GCC 16 compiler warning
* fix spurious linker failures
Signed-off-by: Andreas Ziegler <br025@umbiko.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Depends on python-numpy >= 2.0.0:
https://github.com/scipy/scipy/blob/v1.16.3/pyproject.toml#L41a3e2bb639b
Updated license hash due to copyright year bumps:
https://github.com/scipy/scipy/commits/v1.16.3/LICENSE.txt
qhull license file was moved upstream:
6d699dded496423e5279
Updated numpy path in PYTHON_SCIPY_MESON_EXTRA_PROPERTIES following
upstream commit:
923f219077
Test was successful:
$ utils/docker-run support/testing/run-tests -j33 -k -d dl -o output_folder tests.package.test_python_scipy.TestPythonPy3SciPy
09:59:22 TestPythonPy3SciPy Starting
09:59:23 TestPythonPy3SciPy Building
10:10:09 TestPythonPy3SciPy Building done
Downloading to /home/bernd/buildroot/dl/tmpw1frnmf9
Renaming from /home/bernd/buildroot/dl/tmpw1frnmf9 to /home/bernd/buildroot/dl/kernel-versatile-5.10.202
Downloading to /home/bernd/buildroot/dl/tmpiip1lach
Renaming from /home/bernd/buildroot/dl/tmpiip1lach to /home/bernd/buildroot/dl/versatile-pb-5.10.202.dtb
10:10:24 TestPythonPy3SciPy Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 661.922s
OK
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://numpy.org/news/
Add new supported architectures.
License hash changed due to date update:
c1ffdbc0c2
We need to build python-numpy with its vendored version of meson as
it currently relies on features that are not yet upstream. To do this
we can simply set the PYTHONPATH with the vendored meson path before
the normal PYTHON3_PATH so that the vendored version will have
precedence. We need to set this for both host and target numpy.
We also need to set the architecture specific longdouble_format
property as numpy is unable to determine the value for this without
being able to execute target binaries.
See:
3e7e5c3cab/doc/source/building/cross_compilation.rst
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Bernd:
Bumped to 2.4.0
Removed patch which is included in this release.
Updated license hashes due to upstream commits:
- copyright year bumps:
https://github.com/numpy/numpy/commits/v2.4.0/LICENSE.txt
- file move
tools/npy_tempita/license.txt -> numpy/_build_utils/tempita/LICENSE.txt
63a1fee8d186940987a9
- directory move core -> _core and various code updates
https://github.com/numpy/numpy/commits/v2.4.0/numpy/_core/src/multiarray/dragon4.c
- directory move core -> _core
https://github.com/numpy/numpy/commits/v2.4.0/numpy/_core/include/numpy/libdivide/LICENSE.txt
Following Romain's review
https://lists.buildroot.org/pipermail/buildroot/2024-November/767739.html
host-python-numpy was switched back to host-python-package to install the
f2py script needed by the upcoming bump of python-scipy. A dependency to
host-python-meson-python is also needed.
Removed PYTHON_NUMPY_LONGDOUBLE_FORMAT configure option for BR2_arceb
after this arch was removed from buildroot.
Changed path in PYTHON_NUMPY_FIXUP_NPY_PKG_CONFIG_FILES following
upstream commit
923f219077
and updated opencv4 as well]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python 3.14 (not yet in Buildroot) introduced colors, enabled by
default, when the output is a terminal. This behavior can make the
pexpect pattern matching more difficult in some cases. See:
https://docs.python.org/3.14/using/cmdline.html#controlling-color
This commit globally disables the Python interpreter colors in the base
runtime Python test, by setting the NO_COLOR=1 environment variable.
Signed-off-by: Julien Olivain <ju.o@free.fr>
The --with-system-ffi was removed back in Python-3.12.0, in upstream
commit [1].
From the Python 3.12 release notes:
- gh-100540: Removed the ``--with-system-ffi`` ``configure`` option;
``libffi`` must now always be supplied by the system on all non-Windows
platforms. The option has had no effect on non-Darwin platforms for
several releases, and in 3.11 only had the non-obvious effect of invoking
``pkg-config`` to find ``libffi`` and never setting
``-DUSING_APPLE_OS_LIBFFI``. Now on Darwin platforms ``configure`` will
first check for the OS ``libffi`` and then fall back to the same
processing as other platforms if it is not found.
Buildroot includes such a Python 3.12.x version since commit [2].
When compiling python3 in Buildroot, the package configuration step
reports the warning:
configure: WARNING: unrecognized options: [...] --with-system-ffi
The commit drops the now defunct option.
[1] 25590eb5de
[2] 76cd14167f
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
[Julien: add links in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Support STM32h747i-disco board. It includes an STM32H747XI SoC with the
following resources:
- 2 Mbytes Flash
- 1 Mbyte SRAM
- LCD-TFT controller
- MIPI-DSI interface
- FD-CAN
- USB 2.0 high-speed/full-speed
- Ethernet MAC
- camera interface
Detailed information can be found at:
https://www.st.com/en/evaluation-tools/stm32h747i-disco.html
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Last release dates back to 2007, switch _SITE to active fork:
https://sourceforge.net/p/lmbench/patches/3/#4472
Removed patch 0009 which is included in this bump.
Rebased remaining patches.
Sent some existing patches to new active upstream repo and added
Upstream: tags.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Upstream added fork() to lib/canonicalize.c in version 2.34[1]
e101a9eb0f
but the resulting build errors on non-mmu archs were most likely masked
by previous build errors which are already fixed.
lib/canonicalize.c as part of libcommon is widely used so we need to add
the dependency to many Config.in options.
For an overview about its usage see
output/build/util-linux-2.41.2$ grep -r "LDADD = \$(LDADD) libcommon.la" * | grep Makemodule | cut -d ":" -f 2 | sort
Fixes:
https://autobuild.buildroot.net/results/34b/34b1f733fdfb5c5e30e631576f875398435ad115/
[1] Added to buildroot with commit bb216ed060
in 2019.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- i don't use grpc anymore and updates seem complicate to review,
so drop me from it and its dependency re2
- add packages i'm currently using
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Analysis of https://rg42.org/gitweb/?p=dbustriggerd.git:
last commit: 2014
Musl libc 1.2.5 removed the definition of the basename() function from
string.h and only provides it in libgen.h as the POSIX standard
defines it.
Instead of fixing an unmaintainted package we remove it from buildroot,
no other package depends on it.
Fixes:
https://autobuild.buildroot.net/results/811/81170fe89e1f5b70c63657684de43175e621f762/
dbus-triggerd.c:150:27: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
150 | argv[argc++] = strdup(basename(handler_cmd));
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The CVS project is no longer maintained upstream. It no longer builds
with GCC 14.x, has been failing to build for months in our
autobuilders with nobody caring about it.
We managed to fix the GCC 14.x build issue, then there are GCC 15.x,
some of them fixed by Debian patches, but some not. Overall, this is
too much effort, while upstream is completely dead.
So let's get rid of cvs entirely.
Fixes:
https://autobuild.buildroot.net/results/59f6e77106ac98535688ff5b9392b0b3ad3041ae/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The criu package was added in Nov 2023, and then bumped once in
December 2023. Since then, it has never been bumped again, and all
follow-up fixes were provided by other people than the original
package submitter listed in the DEVELOPERS file.
criu has seen several upstream releases since then, and most notably
is causing a number of build issues in our autobuilders:
https://autobuild.buildroot.net/?reason=criu-3.19
The package was never updated to those newer upstream releases, and
the autobuilder issues have not been addressed.
Therefore, let's drop this package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
gconf has not seen any release since 2013, and the last commit in
https://gitlab.gnome.org/Archive/gconf is from 2015.
The package example application basic-gconf-app fails to build with a
recent compiler such as GCC 14.x:
basic-gconf-app.c:458:60: error: passing argument 1 of ‘gtk_dialog_get_content_area’ from incompatible pointer type [-Wincompatible-pointer-types]
It is not entirely clear since when this breakage takes place, but
most likely since GCC 14.x was introduced. This issue can be
reproduced including on 2025.02.x with the following defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_LIBGTK3=y
BR2_PACKAGE_GCONF=y
However, for the build issue to happen you need to run:
$ make libgtk3
$ make
So that libgtk3 gets built before gconf. Indeed, there's a hidden
dependency between the two, and the example programs of gconf only get
build if libgtk3 is built before. We've however encountered the
problem in a (real) bigger build where the dependency relationship of
packages have caused libgtk3 to get built before gconf.
Note that we could perhaps have fixed the problem by disabling the
examples, but gconf is anyway so old and deprecated that it isn't
worth the effort.
There are no known autobuilder issues.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This package is no longer maintained, no release since 2005, and it
has build issues as it uses too old XML APIs:
/home/thomas/projets/buildroot/output/host/bin/../aarch64-buildroot-linux-gnu/sysroot/usr/include/libxml2/libxml/SAX.h:18:4: warning: #warning "libxml/SAX.h is deprecated" [-Wcpp]
18 | #warning "libxml/SAX.h is deprecated"
| ^~~~~~~
svgint.h:42:9: error: unknown type name 'xmlParserCtxtPtr'
42 | typedef xmlParserCtxtPtr svg_xml_parser_context_t;
| ^~~~~~~~~~~~~~~~
Fixes:
https://autobuild.buildroot.net/results/895fdba2f3fcaa42aa93946f2532351d39b16647/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This package is no longer maintained, no release since 2005, and its
dependency libsvg has build issues as it uses too old XML APIs:
/home/thomas/projets/buildroot/output/host/bin/../aarch64-buildroot-linux-gnu/sysroot/usr/include/libxml2/libxml/SAX.h:18:4: warning: #warning "libxml/SAX.h is deprecated" [-Wcpp]
18 | #warning "libxml/SAX.h is deprecated"
| ^~~~~~~
svgint.h:42:9: error: unknown type name 'xmlParserCtxtPtr'
42 | typedef xmlParserCtxtPtr svg_xml_parser_context_t;
| ^~~~~~~~~~~~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For release announce, see:
https://lists.gnupg.org/pipermail/gnupg-announce/2025q4/000500.html
Quoting the announce:
"""
Note that the 2.5 series is now declared the stable version of GnuPG.
The oldstable 2.4 series will reach end-of-life in just 6 months.
"""
Also, an important feature in the 2.5 series is the introduction of
Kyber (aka ML-KEM or FIPS-203) as PQC (Post-Quantum Cryptography)
encryption algorithm.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
EDK2 build may include extra options. Those are usually in the form
of "-D SOMEFLAG_ENABLE" and might be specific for a processor
architecture or a platform. For example:
"-D NETWORK_HTTP_BOOT_ENABLE", "-D NETWORK_TLS_ENABLE", ...
Those options are generally documented in their respective packages.
See for example:
https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
This commit adds a new Kconfig string option to let the use define
arbitrary build flags.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In version 2.0.0 Linux support was removed:
https://lists.x.org/archives/xorg-announce/2025-August/003624.html
"This mouse driver is primarily used with BSD, GNU Hurd, illumos, &
Solaris systems. Linux systems should instead use either xf86-input-
libinput or xf86-input-evdev.
While versions 1.9.5 and earlier had rudimentary support for Linux as
well, that has been removed in this release."
Alternative packages can not be selected due to udev dependencies.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add extra info in Config.in.legacy comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://lists.x.org/archives/xorg-announce/2025-December/003649.html
Updated license hashes due to upstream commit:
f717637569
Added dependencies to host-pkgconf to fix a build error which would be
introduced by this bump due to configure being created by autoconf 2.72
instead of 2.71 which was used for xorgproto 2024.1.
The configure script at line 5146 now contains
if test -z "$PKG_CONFIG"; then
as_fn_error $? "pkg-config not found" "$LINENO" 5
fi
where the previous script would continue:
2024.1:
checking pkg-config is at least version 0.9.0... ./configure: line 4796:
/home/bernd/buildroot/output/per-package/xorgproto/host/bin/pkg-config: No such file or directory
no
checking build system type... x86_64-pc-linux-gnu
2025.1:
checking pkg-config is at least version 0.9.0... ./configure: line 5137:
/home/bernd/buildroot/output/per-package/xorgproto/host/bin/pkg-config: No such file or directory
no
configure: error: pkg-config not found
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from 6.12.18 to 6.18.4
- updates arm-trusted-firmware from v2.12 to v2.14
- updates optee-os and clients from 4.5.0 to 4.8.0
- updates U-Boot from 2025.01 to 2026.01
- switches to Bootlin external glibc stable toolchain
- removes hash for linux-headers (no longer needed)
Those changes aligns components version of this defconfig
with rockpro64_defconfig.
Tested on board Rockpro64_V2.1 2018-07-02.
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from 6.10.14 to 6.18.4
- updates arm-trusted-firmware from v2.11 to v2.14
- updates U-Boot from 2024.10 to 2026.01
- switches to Bootlin external glibc stable toolchain
- removes hash for linux-headers (no longer needed)
In order to reduce the differences with the rockpro64_ebbr_defconfig,
this commit also:
- slightly increases the rootfs size from 120M to 128M,
- unsets the rootfs tar archive which is not needed,
- removes rootfs.tar from board/pine64/rockpro64/readme.txt
Tested on board Rockpro64_V2.1 2018-07-02.
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switch a handful of documentation/website links from http to https.
Signed-off-by: Preyas Sharma <preyas17@zohomail.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more info on the release, see:
- https://github.com/obgm/libcoap/compare/v4.3.5...v4.3.5a
- https://github.com/obgm/libcoap/blob/release-4.3.5-patches/ChangeLog
Fixes the following vulnerabilities:
- CVE-2025-59391:
A memory disclosure vulnerability exists in libcoap's OSCORE
configuration parser in libcoap before release-4.3.5-patches. An out-
of-bounds read may occur when parsing certain configuration values,
allowing an attacker to infer or read memory beyond string boundaries
in the .rodata section. This could potentially lead to information
disclosure or denial of service.
https://www.cve.org/CVERecord?id=CVE-2025-59391
- CVE-2025-65493:
NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5
allows remote attackers to cause a denial of service via a crafted
DTLS/TLS connection that triggers BIO_get_data() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65493
- CVE-2025-65494:
NULL pointer dereference in get_san_or_cn_from_cert() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted X.509 certificate that causes
sk_GENERAL_NAME_value() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65494
- CVE-2025-65495:
Integer signedness error in tls_verify_call_back() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted TLS certificate that causes
i2d_X509() to return -1 and be misused as a malloc() size parameter.
https://www.cve.org/CVERecord?id=CVE-2025-65495
- CVE-2025-65496:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65496
- CVE-2025-65497:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65497
- CVE-2025-65498:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65498
- CVE-2025-65499:
Array index error in tls_verify_call_back() in src/coap_openssl.c in
OISM libcoap 4.3.5 allows remote attackers to cause a denial of
service via a crafted DTLS handshake that triggers
SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.
https://www.cve.org/CVERecord?id=CVE-2025-65499
- CVE-2025-65500:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65500
- CVE-2025-65501:
Null pointer dereference in coap_dtls_info_callback() in OISM libcoap
4.3.5 allows remote attackers to cause a denial of service via a DTLS
handshake where SSL_get_app_data() returns NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65501
LICENSE Year updated see [1].
[1] c9135b6b26
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.64 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.64 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.1.159. The size of
xipImage has increased by only 181 bytes (1673625 bytes compared to
1673444 in version 6.1.155).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit a3a88ff1c8 bumped bitcoin
to version 26.0 which includes upstream commit
b8401c3281
causing an assertion on m68k:
/home/thomas/autobuild/instance-7/output-1/build/bitcoin-30.0/src/support/allocators/pool.h:92:36:
error: static assertion failed: Units of size ELEM_SIZE_ALIGN need to
be able to store a ListNode
92 | static_assert(sizeof(ListNode) <= ELEM_ALIGN_BYTES, "Units
| ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
of size ELEM_SIZE_ALIGN need to be able to store a ListNode");
/home/thomas/autobuild/instance-7/output-1/build/bitcoin-30.0/src/support/allocators/pool.h:92:36:
note: the comparison reduces to '(4 <= 2)'
To fix the problem we disable bitcoin on m68k.
Fixes:
30.0: https://autobuild.buildroot.net/results/268/2688e4a2aa8dc34343f0218fd6727d0ae3adb132/
26.0: https://autobuild.buildroot.net/results/fb0/fb05401c7de289e0f87f5c9e3a7f92f5589b590b/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.197 and, for the SD
configuration, also updates U-Boot to version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.197 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.197 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Enhance the Xen python tests to exercise block devices: this boils down
to switching from ramdisks to disk partitions for the domains rootfs.
(Refer to the comments in the python script for block devices details.)
- Add support for PCI and Xen block to the Linux kernel configurations.
- Add a few commands to list the xvda block device for good measure.
- Generate two partitions with the rootfs in the disk images; we use the
same rootfs contents twice, once for each domain.
- Add a paravirtualized block device to the Xen dom1 configurations and
adjust both domains kernel command lines, to specify the rootfs
locations.
- Build host-qemu for Arm v7, to workaround an issue with 32b Arm and
old Qemu versions, which is what we have on CI currently.
- While at it, bump Linux kernel to 6.18.4 and U-Boot to 2026.01.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Xen tools scripts need the stat program from coreutils to work
correctly, and not the one from busybox.
One such example is the /etc/xen/scripts/locking.sh script, which will
cause timeouts for operations such as "xl block-attach", or when
starting a DomU with a disk.
Add the dependency on coreutils to fix this.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Alistair Francis <alistair@alistair23.me>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps:
- U-Boot to version v2026.01
- Linux kernel to version 6.12.63 (LTS)
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.63 and U-Boot to
version 2026.01 for
- stm32mp135f_dk_defconfig
- stm32mp157a_dk1_defconfig
- stm32mp157c_dk2_defconfig
Tested on STM32MP157C-DK2 Discovery Board.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
host-perl-module-build is no longer a dependency
(Build.PL was removed, so Makefile.PL is used)
now, this module has its own LICENSE file
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Now that all Xilinx boards have been bumped to Linux 6.12.60, remove the hash
for the xlnx_rebase_v6.12_LTS_2025.2 release tag.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the versal2 defconfigs to Linux 6.12.60.
Run tested on a versal2 vek385 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Package snort3 requires libtirpc rpcdb option enabled with non-glibc
toolchains since the bump of libtirpc to version 1.3.7 with buildroot
commit 3f3d6e43de which includes upstream
commit:
https://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=7cea8ad66aecc21e6caae330b5d31075af399193
These build errors, caused by the forementioned upstream commit, only
occur with non-glibc toolchains:
https://patchwork.yoctoproject.org/comment/30091/
"but I believe it breaks the build with musl".
The build error during configure stage:
-- Looking for getrpcent - not found
CMake Error at cmake/sanity_checks.cmake:51 (message):
Couldn't find an RPC program number database implementation!
Call Stack (most recent call first):
CMakeLists.txt:31 (include)
was not yet found by the autobuilders but can be reproduced by this
defconfig:
BR2_x86_64=y
BR2_x86_corei7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_64_MUSL_BLEEDING_EDGE=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_INIT_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_SNORT3=y
# BR2_TARGET_ROOTFS_TAR is not set
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
In addition, libglib2 already removes schemas from the target during
target finalization so the gvfs-specific cleanup can be dropped.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- suppress S40iwd shellcheck warnings:
In package/iwd/S40iwd line 8:
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
^--------------------^ SC1090 (warning): ShellCheck can't follow non-constant source. Use a directive to specify location.
In package/iwd/S40iwd line 15:
-- $IWD_ARGS
^-------^ SC2086 (info): Double quote to prevent globbing and word splitting.
- remove package/iwd/S40iwd from .checkpackageignore
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
K3CONF is a Linux user-space standalone application
designed to provide a quick'n easy way to dynamically
diagnose Texas Instruments' K3 architecture based
processors. K3CONF is intended to provide similar
experience to that of OMAPCONF that runs on legacy TI platforms.
K3CONF currently supports Texas Instruments AM654, J721E, J7200,
AM64x,AM62x,J721S2,J784S4,J722S, AM62Ax, AM62Px, and AM62Lx devices.
Along with the BeagleBoard variants of the above mentioned TI SOC's.
Signed-off-by: Mohammed Sadik Shaik <s-sadik@ti.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the versal defconfigs to Linux 6.12.60.
Run tested on a versal vek280 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the zynqmp defconfigs to Linux 6.12.60.
Run tested on a zynqmp zcu102 evaluation board.
Run tested on a kria kv260 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the zynq defconfigs to Linux 6.12.60.
Run-tested on a zc702 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
License hash changed due to addition of base64 license which
is BSD-2-Clause:
8f922b3d87
Add new python-librt build/runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The python-charset-normalizer package specifies an unnecessarily
strict upper version limit for mypy.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
During the build Cython creates C++ source that needs to be
compiled. The missing dependency did not show in the existing runtime
test because the Bootlin stable toolchains include C++ support.
Package was added in c2df8bab97.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This did not show in the runtime test for package/python-memray
because that package already has the dependency, so the Python zlib
module is present in the test.
Package was added in commit 26bc4b51a8.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switch from the RobertCNelson GitHub mirror to the official TI git
repository and update to version 0x192 (latest release).
The previous installation method used sysfs to load the firmware,
which was specific to old downstream Beaglebone or TI kernels. The
mainline wkup_m3_ipc driver now expects am335x-pm-firmware.elf and
*-scale-data.bin files to be installed in /lib/firmware, making the
sysfs init script obsolete.
Changes:
- Switch repository from github.com/RobertCNelson to git.ti.com
- Update version from 11107db (v05.00.00.02) to fb484c5 (v0x192)
- Refresh all patches to apply cleanly on new version
- Install .elf and scale-data files instead of .bin
- Remove obsolete S93-am335x-pm-firmware-load init script
- Update .checkpackageignore to reflect changes
Signed-off-by: Kory Maincent (TI.com) <kory.maincent@bootlin.com>
[Julien: update .checkpackageignore to fix check-package errors]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add the am335x-bonegreen-eco device tree to enable support for the
BeagleBone Green Eco variant. This ensures the device tree is built
from the Linux kernel sources and included in the boot partition.
Tested-by: Mohammed Sadik Shaik <s-sadik@ti.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Kory Maincent (TI.com) <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bumps the Linux kernel to the latest 6.18.1 mainline version.
Tested on BeagleBone Black.
Signed-off-by: Kory Maincent (TI.com) <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In commit
1abaf013de ("package/shairport-sync: add
support for AirPlay2"), a new option was added, selecting various
packages, without properly propagating their dependencies, causing
Config.in warnings such as:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_LIBGCRYPT
Depends on [n]: BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS [=n]
Selected by [y]:
- BR2_PACKAGE_SHAIRPORT_SYNC_AIRPLAY2 [=y] && BR2_PACKAGE_SHAIRPORT_SYNC [=y]
This commit fixes this mistake.
Fixes: 1abaf013de ("package/shairport-sync: add support for AirPlay2")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit 8708f3a23a ("package/mysql:
drop virtual package"), we no longer have mysql as a virtual package,
and therefore perl-dbd-mysql directly selects mariadb. However,
mariadb as stricter dependencies than what the mysql virtual package
had, and this commit forgot to properly propagate those dependencies,
causing a Config.in warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_MARIADB
Depends on [n]: BR2_INSTALL_LIBSTDCPP [=y] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && (BR2_TOOLCHAIN_HAS_ATOMIC [=y] || BR2_TOOLCHAIN_HAS_SYNC_8 [=n]) && BR2_USE_WCHAR [=n]
Selected by [y]:
- BR2_PACKAGE_PERL_DBD_MYSQL [=y] && BR2_PACKAGE_PERL [=y] && !BR2_STATIC_LIBS [=n] && BR2_INSTALL_LIBSTDCPP [=y] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y]
Fixes: 8708f3a23a ("package/mysql: drop virtual package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit 8708f3a23a ("package/mysql:
drop virtual package"), we no longer have mysql as a virtual package,
and therefore perl-dbd-mysql directly selects mariadb. As part of
that, the comments related to the dependencies have not been updated
accordingly. Fix that up.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Back when the libgtk4 package was introduced in commit
faf2a1d2ab, its
BR2_PACKAGE_LIBGTK4_GSTREAMER option did not properly propagate the
dependencies of BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL, causing the
following Config.in warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL
Depends on [n]: BR2_PACKAGE_GSTREAMER1 [=y] && BR2_PACKAGE_GST1_PLUGINS_BASE [=y] && (BR2_PACKAGE_HAS_LIBGL [=n] || BR2_PACKAGE_HAS_LIBGLES [=n])
Selected by [y]:
- BR2_PACKAGE_LIBGTK4_GSTREAMER [=y] && BR2_PACKAGE_LIBGTK4 [=y]
Fix that by properly propagating the dependency.
Fixes: faf2a1d2ab ("package/libgtk4: new package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since this option was introduced in commit
a474642fdc ("package/mender-update-modules:
new package"), its dependencies have been incorrect. It selects
BR2_PACKAGE_PYTHON3 without replicating all its dependencies, so we
fix that.
Also, it did have the !BR2_STATIC_LIBS dependency propagated, but not
mentioned in the Config.in comment, so we fix that as well.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit
5f446a8d6d ("package/python-pillow: bump
to version 12.0.0") added a select BR2_PACKAGE_PYTHON_PYBIND to
python-pillow without propagating the C++ dependency, causing:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON_PYBIND
Depends on [n]: BR2_PACKAGE_PYTHON3 [=y] && BR2_INSTALL_LIBSTDCPP [=n]
Selected by [y]:
- BR2_PACKAGE_PYTHON_PILLOW [=y] && BR2_PACKAGE_PYTHON3 [=y]
Fix this by propagating the dependency to python-pillow, and in turn
to python-pillow reverse dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The recent changes in freeswitch following the removal of OpenCV 3.x
in commit
a6db6af9ff ("package/freeswitch: remove
optional dependency to opencv3") caused some invalid dependencies.
Indeed, the new logic selects BR2_PACKAGE_OPENCV4_LIB_OBJDETECT as
soon as BR2_PACKAGE_OPENCV4 is enabled, without worrying about the
dependencies of BR2_PACKAGE_OPENCV4_LIB_OBJDETECT.
This causes the following Kconfig warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_OPENCV4_LIB_OBJDETECT
Depends on [n]: BR2_PACKAGE_OPENCV4 [=y] && !BR2_TOOLCHAIN_USES_UCLIBC [=n] && BR2_PACKAGE_PROTOBUF_ARCH_SUPPORTS [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_8 [=n]
Selected by [y]:
- BR2_PACKAGE_FREESWITCH [=y] && BR2_INSTALL_LIBSTDCPP [=y] && !BR2_STATIC_LIBS [=n] && BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_USE_MMU [=y] && BR2_USE_WCHAR [=y] && BR2_PACKAGE_OPENCV4 [=y]
Since freeswitch as no visible sub-options to select extra features
and we wanted to keep it this way, we introduce a hidden sub-option
that informs freeswitch.mk whether OpenCV 4 support is usable. It
makes it easier to express the dependencies that are needed for this
OpenCV 4 to be usable.
Fixes: a6db6af9ff ("package/freeswitch: remove optional dependency to opencv3")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit
75ab6cf93a ("package/{python-}protobuf:
bump to version 28.1") added a whole bunch of gcc >= 8 dependencies to
opencv4 options, but forgot to create or update appropriate Config.in
comments for several options:
BR2_PACKAGE_OPENCV4_LIB_OBJDETECT
BR2_PACKAGE_OPENCV4_LIB_STITCHING
BR2_PACKAGE_OPENCV4_WITH_PROTOBUF
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The comments saying that dnn_objdetect and dnn_superres need a glibc
or musl toolchain should be shown when a uClibc toolchain is selected,
not when a toolchain NOT using uClibc is selected (as this is exactly
what's needed).
Fixes: a2e01b23fc ("package/opencv-contrib: propagate opencv4 dependencies")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes, see:
https://opus-codec.org/release/stable/2025/12/15/libopus-1_6.html
opus 1.6 introduced optimization for Arm using Neon intrinsics.
Those are not available in soft-float ABI. This commit disables the
usage of intrinsics in that case.
This commit also adds an upstream patch to the libopusenc package.
It is because libopusenc is using internal functions of opus, which
were renamed in upstream commit [1]. Without this patch, the
opus-tools package fail to compile with error:
src/opusenc.c: In function ‘main’:
/.../sysroot/usr/include/opus/opusenc.h:134:63: error: implicit declaration of function ‘__opus_check_int’; did you mean ‘opus_check_int’? [-Wimplicit-function-declaration]
[1] 7817df7908
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit dcee99507c bumped icu
from version 73-2 to 77-1.
Upstream raised the minimum C++ requirement to C++17 in version 75-1:
https://github.com/unicode-org/icu/releases/tag/release-75-1https://icu.unicode.org/download/75
"C++ code now requires C++17 [...]"
Consequently, this commit switches the minimum gcc version needed by
package/icu to 7, and propagates this to icu's reverse dependencies.
No autobuilder errors were recorded since we don't test toolchains as
old as gcc 6.x
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
License hash changed due to move to license file autogeneration:
9a81db3c77d2b8d7750f
Add new python-coherent-licensed build dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
fb5235239aad ("env: Rename DEFAULT_ENV_FILE to
ENV_DEFAULT_ENV_TEXT_FILE") renamed the Kconfig symbols and thus we need
to adapt the U-Boot package in Buildroot to support it.
Fixes: 128c26f287 ("boot/uboot: bump to version 2025.10")
Reported-by: Ozan Durgut <ozandurgut.2001@hotmail.com>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In Buildroot, we don't use the official SPDX code GPL-2.0-or-later,
but GPL-2.0+.
Fixes: 2a972212b4 package/qoriq-restool: new package
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Introduce a package for the restool program, which permits the user to
modify the network configuration of the DPAA2 subsystem and create one
that is adequate to their use case.
We integrate the master branch, which is effectively the
lf-6.12.20-2.0.0 release tag, plus some extra fixups specifically made
for the Buildroot integration:
- commit b44748ed0bb3 ("Avoid use of non-portable __WORDSIZE when
defining BITS_PER_LONG")
- commit b4a734f3512b ("restool: fix format string for 64 bit time_t in
parse_obj_command()")
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Reviewed-by: Vincent Jardin <vjardin@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Migrate from setuptools cython based build to setuptools-rust.
Add new python-typing-extensions runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
CVE-2024-46948 only affects the device management and update server part
of Mender, and not the client running on the devices
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] restricted spice compilation to x86 only.
As the log of this commit mention, this was because at that time,
spice 0.12.0 was generating an error on untested cpu architectures.
See [2] (we can also see that armv6+ platforms was apparently
supported).
Spice commit [3] (first included in spice v0.12.6) relaxed this error
to a warning. The reason was that big endian support was improved,
and also there was an intent to make testing easier.
[1] 4f452a86b8
[2] https://gitlab.freedesktop.org/spice/spice/-/blob/v0.12.0/configure.ac#L60
[3] f80eef8f9c
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Vincent Jardin <vjardin@free.fr>
[Thomas: reduced commit to just re-enabling on all CPU architectures,
created separate commits for the BR2_USE_MMU and gcc >= 6 fixes]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
spice selects libglib2, but forgot to propagate the BR2_USE_MMU
dependency. There is no practical implication at the moment as spice
is only available for i386 and x86-64, and both always have MMU. But
as we're about to relax this architecture dependency, it makes sense
to fix the propagation of BR2_USE_MMU.
Signed-off-by: Julien Olivain <ju.o@free.fr>
[Thomas: patch extracted from
https://patchwork.ozlabs.org/project/buildroot/patch/20241122213809.176709-1-ju.o@free.fr/]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 3dd73c3 "package/openjdk: allow compiling without X11 support",
dropped the need for X11, so drop it from TestOpenJdk.
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When building the arm-trusted-firmware, if the host environment has a value
configured in the BL31 variable such as the following:
export BL31=/tmp/bl31.elf
This will cause the build of the bl31.elf to be skipped leading to the
following build error:
make[1]: Nothing to be done for 'bl31'.
And then:
readelf: Error: './output/build/arm-trusted-firmware-custom/build/versal/release/bl31/bl31.elf': No such file
To fix this, clear the BL31 variable in the MAKE_OPTS, so that building the
arm-trusted-firmware will build regardless of the host environment.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Boost.System is a header only library since Boost 1.69.0 [0].
A Stub Library remained for backward compatibility. This
mainly affects CMake Packages that use FindPackage and
explicitly list 'system'.
For Boost internal modules this is not the case so remove this
dependency.
Buildroot packages should select BR2_PACKAGE_BOOST_SYSTEM explicitly
if needed and not rely on a proxy dependency from other boost packages.
[0] https://github.com/boostorg/system/blob/develop/doc/system/changes.adoc#changes-in-boost-169
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libcpprestsdk searches for the Boost.System module in its
CMakeLists. Hence it should be selected as a dependency.
This does not fix any build failure, as boost-system was implicitly
selected by one of the other boost-* options that this package
selects, but an upcoming commit is going to change how boost-system is
selected by other boost-* modules, making this preparation change
necessary.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This does not make debug info available, but allows building programs
that link against libdebuginfod.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
On Debian 13 doc generation fails. Disable it like for
the target.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the introduction of the production silicon Icicle Kit comes the
need to support multiple board device trees. The HSS puts a minimal dtb
in it's payload's ancillary-data immediately after U-Boot in memory.
CONFIG_OF_BOARD will use this dtb that the HSS carries with the bare
minimum of nodes enabled. It allows for firmware to provide the address
of the devicetree in memory using the `a1` register.
Use the device tree compatible from the hart software services to
essentially "detect" which board is in use and therefore select the
appropiate device tree for the board.
Add a fdt production node to the .its referencing the production Icicle
Kit DTB with appropriate attributes. Introduce matching configuration
entries to enable selection of the production Icicle kit FDT blob for
the MPFS Icicle Production Silicon board.
Update the configuration names to match the device tree compatibles for
each board configuration. With these updates, change image node and
configuration node names with more appropriate names.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Following Microchip's Linux 2025.07 release, update the assets to the
latest versions, this includes a Linux version bump and addditional
U-Boot drivers and functionality. Update the Linux headers to support
the updated v6.12 kernel. Update the corresponding package hashes.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit d6c3257e93 bumped the
package from 0.21 to 0.23. Upstream release 0.22 includes commit
d7c7c53c06
which uses CLOCK_MONOTONIC without including time.h.
Fixes:
https://autobuild.buildroot.net/results/41b/41b25ee8e66e34323eca011e4b5fe479ece9ed76/
Two minimal defconfigs to reproduce the build error:
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_ATF=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_GCC_VERSION_13_X=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_ATF=y
All defconfigs of the build errors recorded by the buildroot autobuilders
contain BR2_PTHREADS_NONE=y.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update to the latest version of the gcnano-binaries blobs, which are
compatible with the last v6.6-stm32mp-r2 kernel from the
STMicroelectronics BSP.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The Vulkan option was appended to QT6BASE_CONFIGURE_OPTS instead of
QT6BASE_CONF_OPTS, which is the variable actually used during CMake
configuration. This prevented the feature from being enabled/disabled
as expected.
Fixes: 1c27f3a12d ("package/qt6base: add vulkan option")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit adds "kibi" a configurable text editor with UTF-8 support,
incremental search, syntax highlighting, line numbers and more, written
in less than 1024 lines of Rust with minimal dependencies.
https://github.com/ilai-deutel/kibi
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the introduction of duktape in [1]. This package has been present
under the "JavaScript" sub-menu.
This sub-menu was mostly used for JS libraries and programs so duktape
should have been under the "Interpreter languages and scripting"
submenu.
Since duktape is now the only entry in the JavaScript submenu, move this
package to a better suited place and remove the JavaScript submenu.
[1] 387ff26b6d duktape: new package
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds information on how to provides static JS libraries in
Buildroot with the release of the 2025.08.x version.
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Due to the increasing number of patches applied for this package and the
lack of updates to fix the build issues as well as updating the version
to newer release. This patch removes softether from buildroot package
list.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch add several upstream patches that fix build error we are
experiencing on the autobuilder related to host-gcc15 and gcc14.
- 0010-use-bool-from-stdbool.patch
Fix a host-gcc15 error with C23 bool reserved keyword when building
host-softether package. This appeared on the autobuilder.
```
from Cfg.c:116:
../../src/Mayaqua/MayaType.h:257:33: error: 'bool' cannot be defined via 'typedef'
257 | typedef unsigned int bool;
| ^~~~
../../src/Mayaqua/MayaType.h:257:33: note: 'bool' is a keyword with '-std=c23' onwards
../../src/Mayaqua/MayaType.h:257:1: warning: useless type name in empty declaration
257 | typedef unsigned int bool;
| ^~~~~~~
```
- 0011-fix-implicit-declaration-of-function-getch.patch
Fix an implicit function declaration.
- 0012-vlanunix-fix-implicit-declaration-of-function-freetap.patch
Fix an implicit function declaration.
- 0013-fix-build-on-freebsd-version-140091.patch
Incompatible pointer type which appeared on the autobuilder as well:
```
Unix.c: In function 'UnixIgnoreSignalForThread':
Unix.c:324:25: error: assignment to 'void (*)(int, siginfo_t *, void *)' from incompatible pointer type 'void * (*)(int, siginfo_t *, void *)' [-Wincompatible-pointer-types]
324 | sa.sa_sigaction = signal_received_for_ignore;
| ^
```
- 0014-cedar-hub-properly-set-value-for-hub-admin-options.patch
Fix an incompatible pointer type error.
- 0015-adjust-types-of-variables.patch
Fix an incompatible pointer type error which appeared on the autobuilder as
well.
```
Secure.c: In function 'OpenSec':
Secure.c:1829:56: error: passing argument 3 of 'sec->Api->C_GetSlotList' from incompatible pointer type [-Wincompatible-pointer-types]
1829 | if ((err = sec->Api->C_GetSlotList(true, NULL, &sec->NumSlot)) != CKR_OK || sec->NumSlot == 0)
| ^~~~~~~~~~~~~
| |
| UINT * {aka unsigned int *}
```
- 0016-Cedar-Proto_IKE-fix-too-many-arguments-to-function-N.patch
Fix a function call.
Fixes: https://autobuild.buildroot.org/results/c43/c43a9a221896d37ee8a9d34c5b8e2725351c6eb5
Fixes: https://autobuild.buildroot.org/results/751/7517bb4d32c38d475d901769b0b2fd2c2f3dd543
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Acked-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
An advanced terminal multiplexer with batteries included. Supports
layouts, floating and stacked panes, plugins, and customization.
Provides rich functionality out of the box.
Zellij is aimed at developers, operations-oriented users, and anyone who
loves the terminal.
https://github.com/zellij-org/zellij
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The license is actually LGPL-2.1+.
Fixes: 006aab8d64 ("package/libplacebo: add libplacebo package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds libplacebo package that is used
by mpv player.
libplacebo is the core rendering algorithms and
ideas of mpv rewritten as an independent library
and contains a large assortment of video processing
shaders, focusing on both quality and performance.
Signed-off-by: Javad Rahimipetroudi <javad.rahimipetroudi@mind.be>
Tested-by: Sen Hastings <sen@hastings.org>
[Bernd:
- bumped to v7.351.0
- moved Kconfig option to Multimedia (Sen)
- rebased patch 0001 after version bump
- added project URL to Config.in helptext
- removed redundancy in Config.in comment
- added comment to hash file
- switched _SITE to official repo
- added patch to fix build error with latest python3]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
lttng-modules fails to build in master and in our LTS branch
2025.02.x. Indeed, our LTS branch uses the 6.12 kernel as the latest
LTS, and lttng-modules in version 2.13.10 don't build with the 6.12
kernel:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
BR2_PACKAGE_LTTNG_MODULES=y
fails to build with 2025.02.x.
To fix this, let's bump to the latest point release in the 2.13.x
branch, which mostly contains fixes needed for the 2.13.x releases to
work with newer kernels. This is considered a reasonable bump for our
2025.02 LTS.
The hash of the license file is updated as the list of files under
each license has changed a bit, but that doesn't change the overall
list of licenses.
Fixes:
https://autobuild.buildroot.net/results/78d05ded97877f866d2bd7aa600a2dafa01bb364/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Added patches (17.0.12+7 and 21.0.4+7) to allow compilation
without X11 support.
0003-autoconf-libraries-drop-the-need-for-X11-in-headless.patch
is only needed for 21.0.4+7, 17.0.12+7 already has this commit:
f97ec359ec
Next to that, add a new option BR2_PACKAGE_OPENJDK_X11,
to allow compilation with both head and headless support.
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
[Thomas: split into two commits]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit fixes the wrong patch folders which should have been fixed
in commit 475c79d ("package/openjdk{-bin}: bump versions to 17.0.12+7
and 21.0.4+7")
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The `utils/brmake` tool runs `make all` with logs put into `br.log`.
That file is therefore the result of a build and committing it never
makes sense, neither upstream nor on any other remote/branch.
⟩ git status --short
⟩ make beaglebone_defconfig
⟩ ./utils/brmake
⟩ git status --short
?? br.log
Add a new `/br.log` entry in the root `.gitignore` file.
Append to the end because no ordering logic was found.
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This makes it more obvious which service the PID file belongs to, and
thanks to the /var/run -> /run symlink fixes the check-package
warning.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This brings the script in line with current standards, except the
expected PIDFILE value because changing the PID file path would
require changing build options.
The stop action now uses the PID file instead of "killall", and reload
is supported using SIGHUP (with limitations described in D-Bus
documentation). "--syslog" is added to the dbus-daemon arguments to
ensure log messages will be available, otherwise log messages after
fork may be lost.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The "servicename" environment variable was never set, so the condition
in the "condrestart" case would always evaluate to false. Nobody seems
to have noticed since it was introduced with commit
ceb2859765 in 2007, so simply remove it.
Likewise, the comment in the stop function that mentions $servicename
is incorrect, there is no safety check to the "killall" call.
With those, remove the /var/lock/subsys/dbus-daemon file that was
created but never used.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We need to set -Dprotobuf_BUILD_LIBUPB=ON for host-protobuf now
as some libupb headers now appear to be required.
Also set the new -Dprotobuf_LOCAL_DEPENDENCIES_ONLY=ON option
to ensure cmake doesn't try to download dependencies.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* Wait for process to stop before deleting PID file, instead of fixed
wait during restart
* Use long form options
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libxshmfence has multiple paths available for the shared memory
directory, as some distros [0] opt to mount their tmpfs in a
non-standard location such as /run/shm rather than /dev/shm.
The default value of 'auto' will set this path to whatever the host is
using, leaking host configuration into the target. See [1].
With X configurations that depend on shared memory files for futexes,
(muvm [2] is a notable example), this results in applications silently
breaking during presentation with a blank window, as the configured
path doesn't have the required tmpfs mount.
Set this path explicitly to avoid situations where the host context
leaks into the package build, causing feature breakage.
[0] https://wiki.ubuntu.com/OneiricOcelot/ReleaseNotes?action=show&redirect=OneiricOcelot%2FTechnicalOverview#Upgrades
[1] https://gitlab.freedesktop.org/xorg/lib/libxshmfence/-/blob/libxshmfence-1.3.3/configure.ac#L144
[2] https://github.com/AsahiLinux/muvm
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Julien:
- add link to shared memory dir detection code in commit log
- replace "+=" by "=" in _CONF_OPTS
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that the package is removed, having a trace of it in a comment is
no longer very useful.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The rpi-userland package no longer builds with CMake >= 4. While
fixing it is probably not too difficult,
https://github.com/raspberrypi/userland tells us:
"""
This repo is ancient and deprecated.
It largely contains code using proprietary APIs to interface to the
VideoCore firmware. We have since move to standard linux APIs.
V4L2, DRM/KMS and Mesa are the APIs you should be using.
The few useful tools from here (dtoverlay, dtmerge, vcmailbox,
vcgencmd) have been moved to the raspberrypi/utils repo.
Code from here is no longer installed on latest RPiOS Bookworm images.
If you are using code from here you should rethink your solution.
Consider this repo closed.
"""
Hence it is time to drop this package from Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/tvheadend.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/sdl2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/mpv.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop the special
tweak for it from package/libwpe.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/libcec.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/libcamera-apps.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/gstreamer/gst1-plugins-base.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/glslsandbox-player.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/ffmpeg.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, remove the only
defconfig that uses it. This defconfig is according to our DEVELOPERS
file, unmaintained.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This tool has been removed from upstream rpi-firmware, so drop the
corresponding option and logic in rpi-firmware.mk.
The tool has been removed by upstream commit
d1fcc26038186aecc1501a0b749833300afba801 ("opt: Remove builds of
deprectated userland tools").
It is Buildorot commit
28e6953ba8 ("package/rpi-firmware: bump
version to 5476720") that did a bump to a version of rpi-firmware that
no longer provided vcdbg.
Cc: Köry Maincent <kory.maincent@bootlin.com>
Cc: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Due to issues in the installation of qt5webkit, building the
corresponding Python binding fails:
Project ERROR: Unknown module(s) in QT: webkit
Error: /home/thomas/buildroot/br/output-all/host/bin/qmake failed to create a
makefile from PyQt5.pro.
make[1]: *** [package/pkg-generic.mk:263: /home/thomas/buildroot/br/output-all/build/python-pyqt5-5.15.6/.stamp_configured] Error 1
make: *** [Makefile:83: _all] Error 2
https://lore.kernel.org/buildroot/20220929181350.1026033-1-thomas.ballasi@savoirfairelinux.com/
was an attempt at fixing it, but this patch doesn't work and looks
weird.
So for the time being, disable the Webkit module in python-pyqt5. This
issue has indeed been around for as far as 2022.
Fixes:
https://autobuild.buildroot.net/results/b9d69d21e734aa62a6e0b4d4124c2bcfc027ebe4/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add another patch from Fedora, also used in Arch Linux to fix a gcc >=
14.x build issue:
build/qt5webkit-5.212.0-alpha4/Source/WebCore/page/csp/ContentSecurityPolicy.cpp:235:56: required from here
235 | if ((policy.get()->*allowed)(std::make_pair(algorithm, digest)))
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
host/opt/ext-toolchain/aarch64-buildroot-linux-gnu/include/c++/14.3.0/type_traits:1246:52: error: non-constant
condition for static assertion
1246 | static_assert(std::__is_complete_or_unbounded(__type_identity<_Tp>{}),
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
It is not clear which change introduce this breakage, but we suspect
it is related to GCC 14.x. In any case, the fix does no harm and is
good to backport to 2025.02.x.
Fixes:
/home/thomas/buildroot/br/output-all/build/qt5webkit-5.212.0-alpha4/Source/ThirdParty/ANGLE/src/common/mathutil.h:575:8: error: ‘uint32_t’ does not name a type
575 | inline uint32_t RotL(uint32_t x, int8_t r)
| ^~~~~~~~
/home/thomas/buildroot/br/output-all/build/qt5webkit-5.212.0-alpha4/Source/ThirdParty/ANGLE/src/common/mathutil.h:19:1: note: ‘uint32_t’ is defined in header ‘<cstdint>’; this is probably fixable by adding ‘#include <cstdint>’
18 | #include <stdlib.h>
+++ |+#include <cstdint>
19 |
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the bump of ICU from ICU 73 to ICU 77 in commit
dcee99507c, the build of qt5webkit fails
with:
/home/thomas/buildroot/br/output-all/host/aarch64-buildroot-linux-gnu/sysroot/usr/include/unicode/char16ptr.h:271:38: error: ‘enable_if_t’ in namespace ‘std’ does not name a template type
271 | template<typename T, typename = std::enable_if_t<std::is_same_v<T, UChar>>>
| ^~~~~~~~~~~
We taken two patches from Arch Linux, one which is a partial upstream
backport, and another which was submitted upstream, to address this
build issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Rasdaemon was added in previous patch.
Add a test_rasdaemon that allows to test it.
Test is done on x86. It first checks the daemon's version, then mounts
debugfs and finally ensures that the init script allows to
start/restart/stop the daemon.
Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Rasdaemon is a tool that aims at replacing edac-tool and provide a way
to collect all hardware error events reported by the Linux kernel in a
common framework.
This commit adds a new package to support rasdaemon in the 'Hardware
handling' section. It depends on libtraceevent to detect the ftrace
events generated by the kernel. There is currently a build issue when
sqlite isn't availaible while it's supposed to be an optional
dependency. This build issue is fixed by patch 0001 (which has been
also submitted to the rasdaemon project itself).
Support for the PCIe AER events is optionnal and implies a dependency on
pciutils so also add a dedicated 'sub-option' to enable it.
Add a SYSV init script to start / stop the daemon
Add myself to the DEVELOPERS file.
Reviewed-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Libfreeimage is not a mandatory dependency of ogre.
Due to the upcoming removal of libfreeimage due to security reasons from
buildroot we do not transform libfreeimage into an optional dependency:
https://github.com/OGRECave/ogre/issues/3069
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
OpenCV3 is unmaintained and will be removed from buildroot.
The package does not support OpenCV4:
216c090707
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
OpenCV3 is unmaintained and will be removed from buildroot.
Select needed OpenCV4 modules in Config.in and adjust freeswitch.mk.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
6d188cb199
"This project is archived. QJson was originally created when Qt3 and Qt4
lacked robust JSON support.
Since Qt5, JSON support is included in the native Qt library SDK, making
this project obsolete."
The package is broken with cmake 4 and no other package depends on it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Cc: Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mod_md allows Apache httpd to automatically provision certificates for
HTTPS via the ACME protocol (e.g. from Let's Encrypt), if configured
to do so. The additional dependencies are non-obvious, so add a config
option instead of only enabling the module if dependencies are met.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add libavif support.
Add new python-pybind build dependency.
Set --skip-dependency-check since pybind isn't detected properly by
the pep517 build frontend.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop PYTHON_CRYPTOGRAPHY_CARGO_MANIFEST_PATH as package now provides
manifest in default path.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Migrate from setuptools to hatch build backend.
License hash changed due to formatting changes:
83d985db64
Drop no longer supported AUTOBAHN_STRIP_XBR env variable.
Add host-python-setuptools build dependency.
Add new python-base58 encryption dependency.
Add new python-ecdsa encryption dependency.
Serialization dependencies moved to mandatory dependencies.
Propagate new C++ reverse dependency.
Add new python-brotli compression dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit dc55e7eb51 added this
package as copy from the taglib package but forgot to change all taglib-
related comments.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Suggested by Gerbera:
fcf3147223
CMake Warning at CMakeLists.txt:583 (message):
!! It is strongly recommended to build libupnp with --disable-blocking-tcp-connections !!
Without this option non-responsive control points can cause libupnp to hang.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entry introduced in [2] is then no longer matched to
the cmake package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 5ce1e773b9 package/cmake: ignore CVE-2016-10642
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entry introduced in [2] is then no longer matched to
the dovecot package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 948e71689a package/dovecot: ignore CVE-2016-4983
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The IGNORE_CVES entries introduced in [1] no longer match to the glibc
package following the bump to v2.42 in [2]. The version boundaries
specified on the NVD DB are specific to 2.40 & 2.41.
The CVE-2025-8058 though don't have any information available on the NVD
DB and will remain on the IGNORE_CVES then.
[1] feaf53585a package/glibc: security bump to version 2.41-70
[2] fb6256c0ef package/{glibc, localdef}: bump to version 2.42
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entries introduced in [2] are then no longer matched to
the glibc package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] adaae82c58 package/glibc: ignore CVEs not considered as security issues by upstream
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The IGNORE_CVES entries introduced in [2][3][4] are then no longer
matched to the grub2 package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 2495630383 boot/grub2: ignore CVE-2024-1048
[3] e2f46ed03d boot/grub2: ignore CVE-2023-4001
[4] a490687571 boot/grub2: ignore the last 3 remaining CVEs
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2024-32928 introduced in [2] is then no longer matched to the
libcurl package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 7e739d49b2 package/libcurl: ignore CVE-2024-32928
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The entry was added in commit [1]. But since then the NVD database
updated the version end specifier.
This IGNORE_CVES entry is then no longer needed.
[1] 51b1e1daf5 package/libssh: ignore CVE-2025-5318
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2023-37769 is then no longer matched to the pixman package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2017-8806 is then no longer matched to the postgresql package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2015-3243 is then no longer matched to the rsyslog package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patches header as well
as the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Disabled vulkan tests added by upstream commit:
2519c330fb
Added X11-related configure options due to upstream commit:
d958b70d1f
Added configure options to fix build errors without libdrm and with
libegl/libgles enabled but without X11.
These build errors were not seen before due to other build errors
unfixed since the bump of python3 to 3.10 with buildroot commit
25b1fc2898:
https://patchwork.ozlabs.org/project/buildroot/patch/20230723074303.603364-1-bernd@kuhls.net/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add back commit log comments from v2 patch
- add git commit id in commit log title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For kernel patched with 440cf77625e3 ("perf: build: Setup
PKG_CONFIG_LIBDIR for cross compilation"), if neither PKG_CONFIG_LIBDIR,
PKG_CONFIG_PATH nor PKG_CONFIG_SYSROOT_DIR are provided, the perf
Makefile while try to set some default value for PKG_CONFIG_LIBDIR,
which will not point correctly to buildroot staging directory. This
issue will lead for example to a failure to find libtraceevent even
if it is correctly enabled and installed in the staging dir, and so it
will make perf fail to build.
Make sure to call the perf make command with PKG_CONFIG_LIBDIR variable
set and pointing to buildroot staging area to make sure to properly
detect perf dependencies.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When trying to perform a custom uprobe recording on a target with perf
built by buildroot, the recording step fails as perf can not record
uprobes without libtraceevent support:
$ perf probe -x linked_list insert_name index
Target program is compiled without optimization. Skipping prologue.
Probe on address 0x808 to force probing at the function entry.
Added new event:
probe_linked_list:insert_name (on insert_name in /root/gdb/linked_list with index)
perf is not linked with libtraceevent, to use the new probe you can use tracefs:
cd /sys/kernel/tracing/
echo 1 > events/probe_linked_list/insert_name/enable
echo 1 > tracing_on
cat trace_pipe
Before removing the probe, echo 0 > events/probe_linked_list/insert_name/enable
$ perf record -e probe_linked_list:insert_name ./linked_list
event syntax error: 'probe_linked_list:insert_name'
\___ unsupported tracepoint
libtraceevent is necessary for tracepoint support
Run 'perf list' for a list of valid events
Usage: perf record [<options>] [<command>]
or: perf record [<options>] -- <command> [<options>]
-e, --event <event> event selector. use 'perf list' to list available events
libtraceevent support for perf has been disabled with commit
b4ab45a5c1 ("package/linux-tools: disable libtracevent detection")
because there was no libtraceevent package in buildroot to replace the
former libtraceevent removed from the kernel sources. Since then, commit
1474f1b34b ("package/libtraceevent: new package") has introduced a
libtraceevent package. We can then expose again the possibility to build
perf with libtraceevent support.
Make buildroot perf makefile detect if libtraceevent package has been
enabled, and if so, allow to build perf with libtraceevent support.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With the removal of the roseapplepi defconfig in commit 56091a5818
("configs/roseapplepi: remove defconfig, broken") there are no (in-tree)
users of the s500-bootloader binary blob package, so drop it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Running in S99 makes it impossible to start any service that uses iiod
after it, at least by numerical ordering only. Move it forward to
change that.
There are two dependencies of iiod:
1. The IIO devices that it should expose must be available.
2. Network must be up, which means firewall at least should be.
The former may be covered by loading modules, e.g. using S11modules
from package/initscripts. There are different ways to handle network
setup, but with SysV init scripts they generally run before S50.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* Fix check-package issues and remove .checkpackageignore entry
* Remove fixed wait in "restart", wait for process termination in
"stop" instead
* Print standard starting/stopping messages
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] removed the IGNORE_CVES entries for
CVE-2024-24258 & CVE-2024-24259 because they referenced a patches no
longer existing.
Those IGNORE_CVES entries are still required because the CVEs reference
the exact mupdf version Buildroot is using.
Re-introduce those IGNORE_CVES entries with an updated comment instead.
[1] f2e442a14d package/mupdf: remove stale IGNORE_CVES
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the
`0001-Disable-tests.patch` patch reference
was removed in favour of a build argument that disable the tests.
This update the reference in IGNORE_CVES accordingly.
[1] ba2fb599cd package/pixman: bump to version 0.44.2
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the
`0003-SDL_x11yuv.c-fix-possible-use-after-free.patch` patch reference
was renamed.
This update the reference in IGNORE_CVES accordingly.
[1] 9fab7bb79d package/sdl: drop directfb support
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patches header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
AIChat helps seamlessly integrate different LLM models, providing access
via the CLI and network. It can serve as a gateway to heterogeneous and
distributed LLMs.
Handy features like roles, macros, and sessions help simplify repetitive
tasks and reuse of existing solutions. Features like playgrounds and
arenas help to explore and compare models.
https://github.com/sigoden/AIChat
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
[Julien:
- select BR2_PACKAGE_HOST_RUSTC instead of "depends on"
- add Apache-2.0 license (package is dual licensed)
- add LICENSE-APACHE license hash
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes:
CMake Error at CMakeLists.txt:4 (cmake_minimum_required):
Compatibility with CMake < 3.5 has been removed from CMake.
Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
to tell CMake that the project requires at least <min> but has been updated
to work with policies introduced by <max> or earlier.
Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
Fixes:
https://autobuild.buildroot.net/results/074098fef4f8a5e89a4f04efbdd1f545f4616772/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In commit 67e84345c1 ("package/vim: fix
reinstallation"), we fixed the reinstallation of vim for the target
package by removing symlinks before calling "make installlinks".
However, this didn't fix the same problem for the host-vim package.
So instead, this commit adds a patch, accepted upstream, that uses "ln
-sf" instead of "ln -s" to create the symlinks, allowing them to be
overwriten on reinstallation.
Fixes:
ln: failed to create symbolic link 'view': File exists
on reinstallation of host-vim.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit [1] "kvmtool: bump to f77d646ba0" removed the
definition of KVMTOOL_EXTRA_LDFLAGS but forgot to remove its usage
in KVMTOOL_MAKE_OPTS.
This commit removes it since it is no longer needed.
[1] f20615b53e
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The run log of this ltp-testsuite test shows:
INFO: runltp script is deprecated, try kirk
https://github.com/linux-test-project/kirk
This commit updates this test to replace this deprecated runltp
shell script with the newer kirk Python script.
The logic of this runtime test remains the same: it runs a small number
of 'read' system call tests, and checks there is no failures and at
least one test succeed.
Cc: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Acked-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] (package/tio: bump to 3.5) added the libglib2 in
the .mk file without selecting it in Config.in.
This commit fixes that.
[1] 3d85e9df43
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch fixes the information to the patch header to have a single
vulnerability per line.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The fixes for the CVE-2024-24258 & CVE-2024-24259 were introduced in [1]
and targeted the package libfreeglut.
The patches that fixed CVE-2024-24258 & CVE-2024-24259 in libfreeglut
were removed in Buildroot commit [2]. With this bump the IGNORE_CVES
entries for mupdf were not removed.
[1] 0f4fef076f package/libfreeglut: add upstream security fix for CVE-2024-2425{8, 9}
[2] b1c77090ef package/libfreeglut: bump version to 3.6.0
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] removed the stale cpp-httplib patched but the
IGNORE_CVES entry wasn't removed.
[1] 8988278241 package/cpp-httplib: remove stale patch
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When the ncurses UI code in irqbalance is enabled, the build fails
with gcc >= 15.x, for example with:
BR2_arm=y
BR2_cortex_a53=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_NCURSES=y
BR2_PACKAGE_NCURSES_WCHAR=y
BR2_PACKAGE_IRQBALANCE=y
Backport two upstream patches that fix those issues.
Fixes:
https://autobuild.buildroot.net/results/3b609fe191e03330480f647b09dd06916da13317/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a Buildroot package for sysrepo-cpp, providing modern C++ RAII
bindings for the sysrepo YANG datastore library.
Signed-off-by: Vincent Jardin <vjardin@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The ddresue runtime test is using the `dmsetup` command provided by the
dmraid package. This package is outdated and will be removed. This
command is also provided by the lvm2 package, which is still maintained.
This commit replaces the dmraid package by lvm2 in the test config.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
mb-applet-launcher.c: In function ‘get_launch_window’:
mb-applet-launcher.c:269:18: error: implicit declaration of function ‘time’ [-Wimplicit-function-declaration]
269 | time_t stime = time(NULL);
| ^~~~
No autobuilder failures, it was hidden by other failures.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Switched _SOURCE to .gz, upstream does not provide bz2 tarballs
anymore. This means in fact _SOURCE can be dropped, as it's now the
default value.
No autobuild errors recorded due to previous download error with
matchbox-lib.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Switched _SOURCE to .gz, upstream does not provide bz2 tarballs anymore.
No autobuild errors recorded due to previous download error with
matchbox-lib.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add new runtime test for python-varlink.
As always when we need to start a separate server process inside a test
case this gets slightly fiddly.
We override the test_run() function to first start the varlink example server,
then call the packages cli interface to do a varlink call against the
server. The cli defaults to pretty printing the result, which makes it
more annoying to compare to the expected result in the test case, so we
un-prettyprint it with python's builtin json.tool module.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
There are currently problems in updating the pypi.org release[1], so we
pull the package from the github generated tarball instead. This in turn
then requires manually setting the version for setuptools_scm in the
environment.
[1] https://github.com/varlink/python/issues/81
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This maintenance release introduces support for newer versions of the
Mesa library. Release notes:
https://wpewebkit.org/release/wpebackend-fdo-1.16.1.html
Also imports an upstream patch that is needed at least to successfully
build when using the Musl libc.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Dependency was made optional in 4.6.0 release here:
6058ab9dfe
python-can has a lot of optional dependencies, most of which are not
represented in buildroot. As msgpack is used for the virtual multicast
udp can interface[1], which does seem like a bit of a niche usecase,
just drop the mandatory dependency without introducing a user-visible
config option to enable it.
[1] https://python-can.readthedocs.io/en/4.0.0/interfaces/udp_multicast.html
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Libiio python bindings use ctypes and specifically the find_library()
function from there to load the libiio.so shared library. This is not
working unless glibc utils (specifically ldconfig) is installed to the
target (alternatively the target would need gcc or binutils, for objdump
or ld).
The easy fix here is to just bypass the find_library() machinery
altogether as it's not needed on a buildroot system.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Tested-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In commit a68899d49e ("package/python3:
work around GCC bug 121567"), we introduced a work around for a gcc
bug, by reducing to -O1 the optimization level on SuperH.
However, it turns out that this is not sufficient, as the build will
only succeeded at -O0.
Fixes:
https://autobuild.buildroot.net/results/31f/31f34a983036b4135c12e5797b5c2258ab33e6c2/
Which is a config with BR2_OPTIMIZE_2=y, which means
BR2_TOOLCHAIN_HAS_GCC_BUG_121567=y, and therefore -O1 is passed, but
still the build fails. At -O0 the build doesn't fail.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The test to enable NEON on AArch64 is as following:
ifeq ($(BR2_aarch64)$(BR2_ARM_CPU_HAS_NEON),yy)
It cannot be to true as $(BR2_aarch64) and $(BR2_ARM_CPU_HAS_NEON) are
mutually exclusive. NEON is compulsory on AArch64 so remove
$(BR2_ARM_CPU_HAS_NEON) from the test.
Fixes: ba2fb599cd ("package/pixman: bump to version 0.44.2")
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the bump of pip to version 25.3 in commit
285097051d, the build of the Python
bindings of libselinux is broken for both the host and target
variants.
For the host variant, because "pip install" no longer finds the
system-provided setuptools and tries to download setuptools by itself,
causing build issues because our host-python doesn't have SSL support:
Could not fetch URL https://pypi.org/simple/setuptools/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/setuptools/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
For the target variant, because "pip install" no longer finds the
sysconfigdata package:
ModuleNotFoundError: No module named '_sysconfigdata__linux_sparc64-linux-gnu'
[end of output]
We fix this by taking a patch from Debian, which is slightly tweaked
to also cover our host package (the original Debian patch was passing
--no-build-isolation only when DESTDIR was not empty, but in Buildroot
host packages are built with DESTDIR empty, and we do need
--no-build-isolation).
Fixes:
https://autobuild.buildroot.net/results/0e9de0c0d8b6ec57eea9f8834f02076b296ba4f1/ (host-libselinux)
https://autobuild.buildroot.org/results/1b87c659f1901b0bf33fa4a2ff0ed40b13114bba/ (libselinux)
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Co-Authored-By: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This reverts commit fd991649d3, which
isn't the correct fix: indeed, host-libselinux can be built without
BR2_PACKAGE_PYTHON3 being enabled. And also having to use the network
during the build is anyway not correct.
A follow-up commit will fix this issue in a proper way.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The CPE 'cpe:2.3:a:antirez:linenoise:1.0:*:*:*:*:*:*:*' is valid for the
package linenoise [1].
Since the latest version is '1.0' since 2015 the CPE_ID_VERSION is set
to that version.
The CVE that applies on version 1.0 were checked with the 'cve-check'
script:
```
echo '{"components": [{"bom-ref": "linenoise", "name": "linenoise", "version": "1.0", "cpe": "cpe:2.3:a:antirez:linenoise:1.0:-:*:*:*:*:*:*"}]}' | support/scripts/cve-check | jq -r '.vulnerabilities[].id'
```
Only the CVE-2025-9810 exists and that was fixed in [2].
[1] https://nvd.nist.gov/products/cpe/detail/10423C23-6AAA-439E-B723-1FCDEB3A769F
[2] 3c7cbf97d7 package/linenoise: security bump to version e26268de5e
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
opencv3's code is not compatible with newer versions of ffmpeg, and
opencv3 is no longer maintained, so we have no choice but to disable
its ffmpeg support.
Fixes:
https://autobuild.buildroot.net/results/9ae3911583cccb6362f33cd82e5eaafb059fdc76/
It's not clear which ffmpeg version bump broken the build exactly, but
this issue is definitely present in 2025.02.x as the following
defconfig fails to build in a similar way on 2025.02.x:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_FFMPEG_NONFREE=y
# BR2_PACKAGE_FFMPEG_FFMPEG is not set
# BR2_PACKAGE_FFMPEG_INDEVS is not set
# BR2_PACKAGE_FFMPEG_OUTDEVS is not set
BR2_PACKAGE_OPENCV3=y
BR2_PACKAGE_OPENCV3_LIB_VIDEOIO=y
BR2_PACKAGE_OPENCV3_BUILD_PERF_TESTS=y
BR2_PACKAGE_OPENCV3_WITH_FFMPEG=y
BR2_PACKAGE_OPENCV3_INSTALL_DATA=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The protobuf support breaks the build, as protobuf includes
libabseil-cpp headers, which now require C++14. opencv3 doesn't have
any ENABLE_CXX14 option, so for the time being, disable protobuf
support until someone bothers enough to fix this up.
While we suspect a libabseil-cpp version bump to be responsible for
the issue, we are not 100% sure. However, the issue is definitely
present in Buildroot 2025.02.x, as it can be reproduced using the
following defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_OPENCV3=y
BR2_PACKAGE_OPENCV3_LIB_SHAPE=y
BR2_PACKAGE_OPENCV3_LIB_STITCHING=y
BR2_PACKAGE_OPENCV3_LIB_SUPERRES=y
BR2_PACKAGE_OPENCV3_LIB_TS=y
BR2_PACKAGE_OPENCV3_LIB_VIDEOSTAB=y
BR2_PACKAGE_OPENCV3_WITH_PROTOBUF=y
Fixes:
https://autobuild.buildroot.net/results/39432e7746e6bc5224592a7d2f744ca992bd529a/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a small patch to fix CMake 4 build issues. Unfortunately, while
cmake/OpenCVMinDepVersions.cmake provides a MIN_VER_CMAKE that we
could pass on the command line, cmake/OpenCVGenPkgconfig.cmake doesn't
use it, so we anyway have to patch the package.
Since opencv3 is basically unmaintained, there is no point sending
this patch upstream.
Fixes:
https://autobuild.buildroot.net/results/cc857993920607958dd817c6a877ed9386c05738/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
cppcms.com now points to a Github page at
https://github.com/artyom-beilis/cppcms which has a 2.0.1 version, so
let's use that. The number of differences to 2.0.0.beta2 is very
small:
$ git log --online v2.0.0.beta2..v2.0.1
b872972 (tag: v2.0.1, origin/master, origin/HEAD, master) Version to 2.0.1
a1914f7 (tag: v2.0.0) Replaced system category with one from predating C++11 (v1.2) because std::system_category does not translate WSAGetLastError results
c4febcc Merge pull request #104 from dreaming-augustin/upstream
922cd49 Python 3.12 compatibility: wrap regex in r''.
a11e9d4 Merge branch 'cpp11'
3000bc6 (origin/1.2_updates) Merge pull request #99 from dreaming-augustin/master
44e24c7 [#89] cppcms_error fix typo + consistent messages
a6d5575 (origin/cpp11) Added backtrace to system error
b3aef3b Fixed missing include for stripped down build
463a9a6 Removed IPV6 due to travis limitations
f8163c6 Merges from cpp11
31d4fe7 Added verbose log on failure
90bc996 Added Linux to build matrix - so I have fallback if normal build environment fails
f78ee39 Added Readme for github
a737d5d Merged python3 compatibility from master
0c67544 Support of python 2.7 and python 3
0d121a7 Python3 compatibility
2fc7e38 Python3 compatibility
d745869 python3 fix for tmp_cc
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Buildroot commit dcee99507c that
bumped package/icu to version 77-1, the build of cppcms with ICU
support enabled fails.
Indeed, ICU now requires C++17, and while cppcms.mk has some logic to
get C++ flags using icu-config, the -std=c++17 gets ultimately
overridden by the built-in -std=c++11 flag encoded in cppcms
CMakeLists.txt.
To fix this, we have submitted a patch upstream that ensures the
CMAKE_CXX_FLAGS passed on the command line take precedence over the
built-in flags defined in cppcms CMakeLists.txt.
Fixes:
https://autobuild.buildroot.net/results/9c34a08ea02499b28093ad3fa184cee10b2883ac/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes:
CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
Compatibility with CMake < 3.5 has been removed from CMake.
Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
to tell CMake that the project requires at least <min> but has been updated
to work with policies introduced by <max> or earlier.
Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
Fixes:
https://autobuild.buildroot.net/results/30c1645d04b9d2b581aa7a866aa19c4001538e17/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes:
CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
Compatibility with CMake < 3.5 has been removed from CMake.
Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
to tell CMake that the project requires at least <min> but has been updated
to work with policies introduced by <max> or earlier.
Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
We didn't submit the patch upstream, because contrary to cppcms, cppdb
seems completely dead. Last commit is from 2012 at
https://sourceforge.net/p/cppcms/code/HEAD/tree/cppdb/.
There are no known autobuilder failures for this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
No autobuilder issues, as this problem was hidden by the libcuefile
CMake 4 build issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch adds the dependencies necessary to enable the newer version
of shairplay-sync support for the AirPlay2 protocol.
Signed-off-by: Trammell Hudson <hudson@trmm.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is the Not Quite PTP timing library necessary for
AirPlay2 support with shairport-sync.
Signed-off-by: Trammell Hudson <hudson@trmm.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the bump of bpftrace to version 0.24.2 in Buildroot commit
97e2f63bdf, the build of bpftrace fails
with:
CMake Error at cmake/Embed.cmake:3 (find_program):
Could not find XXD using the following names: xxd
Call Stack (most recent call first):
src/stdlib/CMakeLists.txt:1 (include)
This is due to upstream commit
df21d917d9cced77ebde1202c1b3508a169f46a0, which was merged in 0.24.0.
There are no autobuilder failures for this issue at this point, but
the following defconfig exhibits the issue (of course on a host where
xxd is not installed system-wide):
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_BPFTRACE=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switched _SITE to github, old project site is down.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change _VERSION to use 'git describe --abbrev=40' format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed patch which is included in this release.
Backported bump to fix cmake 4 compatibility.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop now upstreamed patch 0001:
84d68c6285
And rename remaining patches.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The VIM_REMOVE_DOCS variable is currently a post install target hook,
but it can just as well be done inside VIM_INSTALL_TARGET_CMDS
directly.
The hook was registered conditionally based on BR2_PACKAGE_VIM_RUNTIME
because prior to commit f7a07f42f7, the
hook's logic was:
find $(TARGET_DIR)/usr/share/vim -type f -name "*.txt" -delete
which was failing if BR2_PACKAGE_VIM_RUNTIME was not enabled, as
$(TARGET_DIR)/usr/share/vim would not exist.
But since this commit, the hook logic is:
$(RM) -rf $(TARGET_DIR)/usr/share/vim/vim*/doc/
which obviously won't fail if $(TARGET_DIR)/usr/share/vim doesn't
exist.
So let's simplify the whole logic.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Instead of calling $(MAKE) multiple times, let's call it once, with
all installation targets needed. We introduce a VIM_INSTALL_TARGETS
variable to collect the list of make install targets that need to be
invoked.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In Buildroot, we more commonly do:
$(MAKE) -C $(@D)/src
than:
cd $(@D)/src; $(MAKE)
so let's adopt this more conventional style.
This coding style in vim.mk dates from when the package was introduced
by Peter Korsgaard back in 2010.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
While not very common, it is nice when package re-installation
works. Unfortunately the "installlinks" target of vim installs links
with "ln -s", causing a package reinstallation to fail with:
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim ex
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim view
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim rvim
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim rview
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim vimdiff
ln: failed to create symbolic link 'ex': File exists
ln: failed to create symbolic link 'view': File exists
make[2]: *** [Makefile:2749: /home/thomas/buildroot/br/output-all/target/usr/bin/ex] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: *** [Makefile:2752: /home/thomas/buildroot/br/output-all/target/usr/bin/view] Error 1
ln: failed to create symbolic link 'rvim': File exists
ln: failed to create symbolic link 'rview': File exists
To fix this, we remove the target links before proceeding with the
installation.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release Notes: https://docs.djangoproject.com/en/6.0/releases/6.0/
A few changes in the license files and an actual (sub)-license update:
* django/contrib/gis/measure.py -> formatting change
* django/contrib/admin/static/admin/img -> svg files got uupdated and
the new ones are licensed under CC-BY-4.0; separate LICENSE file got
removed, License is now mentioned in the readme
* django/utils/archive.py -> File got updated, license (which is only
the header) did not change.
Remove the comment about django site having an inconvenient download
URL. We download pretty much all python package from pypi.org, so doing
that for django shouldn't need a separate comment.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes:
- Add watchdogctl list-clients command to display currently subscribed
clients to the process supervisor. Outputs to stdout in either table
format (default) with colored headers, or JSON format with -j/--json
- New global -j, --json option for machine-readable output, currently
supported by list-clients and status commands
- New API: wdog_clients() returns array of wdog_client_t structs for
programmatic access to subscribed clients. See API documentation at
https://codedocs.xyz/troglobit/watchdogd/wdog_8h.html
- Enhance watchdogctl status command to display formatted output by
default, with device information, capabilities, and reset history in
a human-readable table format. Use -j/--json for JSON output
Fixes:
- Generic scripts running more than 1 second would fail with false
"critical error" reports and cause unwanted system reboots due
to uninitialized exit status variable
- watchdogctl reload with tempmon crashes watchdogd
- Issue causing unwanted reboot when watchdogctl reload was called
while a generic monitor script was running
- Fix memory leak in generic monitor with optional script path, would
be triggered on watchdogctl reload
The first of the fixes means we can now drop the backported patch.
Also, the test mode has been dropped from public use, hence it being
removed as well in this commit.
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog:
https://github.com/linux-test-project/ltp/releases/tag/20250930
Remove patches backported from this release.
Remove LTP_TESTSUITE_AUTORECONF (patch, which required it was backported
from this release).
Require kernel headers for uclibc >= 4.5 for uclibc due F_GETOWN_EX from <fcntl.h>.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 285097051d bumped
python-pip to version 25.3, causing build errors when host-python3 was
built without SSL support:
WARNING: pip is configured with locations that require TLS/SSL,
however the ssl module in Python is not available.
[...]
Could not fetch URL https://pypi.org/simple/setuptools/:
There was a problem confirming the ssl certificate:
HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded
with url: /simple/setuptools/ (Caused by SSLError("Can't connect to
HTTPS URL because the SSL module is not available.")) - skipping
ERROR: Could not find a version that satisfies the requirement setuptools>=40.8.0 (from versions: none)
Reverting the python-pip bump reveals the true cause of the build error
by showing these messages:
WARNING: pip is configured with locations that require TLS/SSL,
however the ssl module in Python is not available.
[...]
DEPRECATION: Building 'selinux' using the legacy setup.py bdist_wheel
mechanism, which will be removed in a future version. pip 25.3 will
enforce this behaviour change. A possible replacement is to use the
standardized build interface by setting the `--use-pep517` option,
(possibly combined with `--no-build-isolation`), or adding a
`pyproject.toml` file to the source tree of 'selinux'.
Discussion can be found at https://github.com/pypa/pip/issues/6334
Selecting BR2_PACKAGE_HOST_PYTHON3_SSL fixes the problem.
Criu, the only other buildroot package using host-python-pip as
dependency, already selects BR2_PACKAGE_HOST_PYTHON3_SSL.
Fixes:
https://autobuild.buildroot.net/results/fd6/fd6d3edd5f74d094621ac9fdb93db24520b7a6e3/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The tests check if all supported hash algorithms are usable in
mkimage, for both host and target packages. Additionally, as a
necessary tool, it verifies the previous fix for FIT output from
dumpimage.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: use builtin kernel for faster testing]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Some host commands need to call other host commands: For example,
"mkimage" from host-uboot-tools needs to run "dtc". This would fail or
call system commands without adding the host bin dir to PATH.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: use python functions/constants to build path]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Otherwise "dumpimage -l" produces only a newline when processing a FIT
image.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Also update the device tree: since Linux v6.15-rc1 (510a6190cf5e "ARM:
dts: microchip: fix faulty ohci/ehci node names"), the USB nodes are
named "usb" instead of "ohci" or "ehci".
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
[Julien: update linux.hash comment to take hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes:
- Add support for Porkbun DDNS provider
- Add support for domene.shop (Norwegian DDNS provider)
- Add support for round-robin records to Cloudflare
- Add example config for DuckDNS IPv6
- Cloudflare: omit proxy setting if unset in config
- Cloudflare: omit TTL update if unset in config
- Simply.com provider fixed and re-enabled
- Support for long ddns-path requests (increased buffer size)
Fixes:
- Do not use an IP resolution method different than the one
specified in configuration
- Fix support for Namecheap
- Fix Dynu IPv6 issue
- Default value -1 not used for ttl setting
- Fix IPv6 detection for providers with "v6" in their name,
e.g., ipv64.net and dynv6.com
- Fix dnspod error: "Communication with checkip server failed"
- Fix cache directory creation on --help or --check-config
- Fix cache directory not writeable and no $HOME
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The build of the following basic configuration enabling the
imagination Vulkan driver
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION=y
fails with:
meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM
Adding just LLVM as a dependency is not enough, as then libclc is
needed, then LLVMSPIRVLib, then clangBasic, then the pco_clc tool.
In fact, like the Panfrost driver, building the Imagination driver
requires building host tools using host-mesa3d. To fix this we:
- Make the BR2_PACKAGE_MESA3D_OPENCL option selectable
- Make sure that BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION depends
on BR2_PACKAGE_MESA3D_LLVM and select
BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER (the latter being needed to
build host-mesa3d)
- Make sure the host-mesa3d builds imagination
tools (-Dtools=imagination) and install
pco_clc (HOST_MESA3D_INSTALL_PCO_CLC). This requires introducing
HOST_MESA3D_TOOLS as a list of tools to build, which then gets used
to construct the -Dtools argument, as we can now have both
"panfrost" and "imagination" in this list.
With all this, the defconfig above builds successfully.
This has been broken since Buildroot commit
5e818c16a3, which introduced the vulkan
driver support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since upstream commit 6e189ba6c17a2ab9b60e6fd65fc6a44a17dc9e8f, merged
in mesa-25.3.0, the imagination Vulkan driver is no longer
experimental.
Therefore, since Buildroot commit
3e296a1511, which bumped mesa3d to
version 25.3.0, the build of a configuration such as:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION=y
fails with:
build/mesa3d-25.3.1/meson.build:4:0: ERROR: Value "imagination-experimental" for option "vulkan-drivers" is not in allowed choices: "auto, amd, broadcom, freedreno, intel, intel_hasvk, panfrost, swrast, virtio, imagination, microsoft-experimental, nouveau, asahi, gfxstream, all"
Fix this by using the proper Vulkan driver name.
There are no autobuilder failures for this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
No changes to hashes, only comments in hash files computed by our
utils/scanpypi script are updated by this patch.
During future mass package updates this patch will reduce the number of
changes created by scanpypi to be reviewed.
Please note that an updated version of scanpypi was used:
https://patchwork.ozlabs.org/project/buildroot/patch/20251001002004.3178942-1-james.hilliard1@gmail.com/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: drop packages not downloaded from pypi or where rust vendoring is
used]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit b243b77ebe added this
package including a hash file containing a typo of the tarball filename
for the md5 hash. Updated comment as computed by scanpypi.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes, see:
https://perldoc.perl.org/5.42.0/perl5420delta
Note: the release notes mention fixed CVE. Those were already fixed in
Buildroot commit [1] and [2]. Therefore, this update is not marked as a
security fix.
This commit also updates the `utils/scancpan` script, in order to
update the messages about the host-perl version.
[1] 61f5e2efca
[2] 164c84ee9b
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Julien: add commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 6.17.x series is now EOL upstream, so drop the linux-headers
option and add legacy handling for it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
cmocka tries to find the Doxygen binary by default and if successful,
it tries to download style sheets and breaks with the following message:
CMake Error at
doxygen-awesome-css-subbuild/doxygen-awesome-css-populate-prefix/src/doxygen-awesome-css-populate-stamp/download-doxygen-awesome-css-populate.cmake:163
(message):
Each download failed!
error: downloading
'https://github.com/jothepro/doxygen-awesome-css/archive/refs/tags/v2.4.1.tar.gz'
failed
status_code: 1
status_string: "Unsupported protocol"
log:
--- LOG BEGIN ---
Protocol "https" not supported
closing connection #-1
Disable the Doxygen package search entirely.
Fixes:
https://autobuild.buildroot.org/results/e6a04cee8bc3028bd8a1a535c2852e60f362c4ba/
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By doing so we can also drop the patches for musl which have now been
merged upstream.
Reviewed-by: Jesse Taube <jesse@rivosinc.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This bump includes a patch which adds cmake4 compatibility.
Rebased patch 0001.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
the CSharp Extension was removed in grcp 1.47.0 [0] and the option in
the CMakeLists was dropped in 1.58.0 [1], which means that it is no
longer relevant since Buildroot commit
91d1207de0, which bumped grpc from
1.51.1 to 1.66.1.
So remove this option for host-grpc as well.
Fixes:
CMake Warning:
Manually-specified variables were not used by the project:
gRPC_BUILD_CSHARP_EXT
[0] https://github.com/grpc/grpc/releases/tag/v1.47.0
[1] 3a2bd221ef
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a simple test ensuring that
- libldns is correctly built and installed
- drill is correctly built and installed
- drill is able to execute on the target
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The libldns library also comes with a CLI tool named drill, allowing to
perform DNS requests. Drill build is currently disabled by default.
Add a KConfig option to allow building and installing drill tool. Set
the default value to n to preserve the current behavior. Similarly to
linktest (see the comment in the .mk), drill fails to build correctly as
a static binary, so make the new option depend on non-static build.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This version allows to build with Linux 6.18.
Fixes:
In file included from core/crypto/sha256.c:11:
core/crypto/sha256.h:16:5: error: conflicting types for 'hmac_sha256'; have 'int(const u8 *, size_t, const u8 *, size_t, u8 *)' {aka 'int(const unsigned char *, long unsigned int, const unsigned char *, long unsigned int, unsigned char *)'}
Build failure still not occured in autobuilders.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add details about the error being fixed]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Alexey Brodkin from Synopsys says in [1]:
I think indeed, we may remove all the big-endian support for ARC.
Reasons are since introduction of ARC HS4x processors we no longer
support big-endian in any new processor IP, and even for older IP
which used to support big-endian it was rarely used... so basically
there's no good justification to spend any cycles on big-endian
support looking forward in this project. I.e. BE support in uClibc
could also be removed if it makes any difference.
Therefore, let's removed support for ARC big-endian.
[1] https://lore.kernel.org/buildroot/SJ2PR12MB818487232470DA4456967C73A1A3A@SJ2PR12MB8184.namprd12.prod.outlook.com/
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: ARC Maintainers <arc-buildroot@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
[Julien:
- move legacy option to 2026.02 section
- add link to mailing list
- remove BR2_arceb from pkg-meson.mk to fix check-symbols error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Adds documentation about adding a patch that address a vulnerability.
The patch-policy file now explain mention that patches that address a
vulnerability needs to include a `CVE:` trailer with the reference of
that vulnerability.
Until now only adding the reference to the `_IGNORE_CVES` variable was
necessary, so the documentation of this entry is modified as well to
point to the patch policy.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The CycloneDX specification for vulnerabilities defines four analysis
states ([1]) for cases where a vulnerability does not affect a component:
* resolved
* resolved_with_pedigree
* not_affected
* false_positive
Currently, the metadatas present in Buildroot does not allow an accurate
mapping of ignored CVEs to the appropriate CycloneDX vulnerability
categories. As a result, all ignored CVEs are currently marked as
'in_triage' by default.
This default analysis was established during the introduction of the
'generate-cyclonedx' script. The reasoning at the time was that SBOM
consumers might want to re-evaluate ignored vulnerabilities, as the
Buildroot infrastructure could not reliably determine their actual
state.
This patch adds support for automatically marking vulnerabilities as
'resolved_with_pedigree' when a Buildroot patch includes a 'CVE:''
tag in its header referencing the CVE identifier.
The 'CVE:' tag appears alongside the already required 'Upstream:', if
the patch address a security vulnerability and may be repeated if a
patch addresses multiple vulnerabilities.
If a vulnerability is addressed by multiple patches, each patch will need to
reference the vulnerability identifier.
For details on how CycloneDX handles 'resolved_with_pedigree', see
[1][2].
As an example, the CVE-2025-3198 from the binutils package will result
in the following pedigree for the binutils component:
```
{
"type": "unofficial",
"diff": {
"text": {
"content": "..."
}
},
"resolves": [
{
"type": "security",
"name": "CVE-2025-3198"
}
]
},
```
The `resolves` property is an array of issue the pedigree resolves. If
multiple are addressed by the same patch, then multiple identifier will be
present in this array.
In the listed vulnerabilities the entry for the CVE-2025-3198 looks like
this:
```
{
"id": "CVE-2025-3198",
"analysis": {
"state": "resolved_with_pedigree",
"detail": "The CVE 'CVE-2025-3198' has been marked as ignored by Buildroot"
},
"affects": [
{
"ref": "binutils"
}
]
}
```
[1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis_state
[2] https://cyclonedx.org/docs/1.6/json/#components_items_pedigree_patches_items_resolves
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://github.com/google/brotli/blob/v1.2.0/CHANGELOG.md
Adds the following security hardening:
python: added Decompressor::can_accept_more_data method and optional
output_buffer_limit argument Decompressor::process; that allows mitigation
of unexpectedly large output
Which is needed to complete the security fixes in python-urllib3 2.6.0.
Added dependency to host-python-pkgconfig to fix build error which would
be introduced by this bump.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: mark as security bump, describe the relation with urllib3]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix two vulnerabilities related to SSH support:
* The external SSH execution code lacked shell quoting on repositories
name, resulting in arbitrary command execution.
* SSH public keys were zeroed by calling memset with the wrong length,
resulting in either buffer overflow or incomplete zeroing.
Release notes:
https://github.com/libgit2/libgit2/releases/tag/v1.9.2
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add the reference command line tools for interacting with Sigsum
signature transparency logs.
Signed-off-by: Florian Larysch <fl@n621.de>
[Julien:
- select sigsum-verify if all other tools are deselected
- split and sort HOST_SIGSUM_GO_BUILD_TARGETS
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Prefer HTTPS for source downloads.
No functional change; hashes unchanged.
Align comment in .hash and Config.in.
Signed-off-by: Preyas <preyas17@zohomail.in>
[Julien: also update Config.in package home page]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes of this bugfix release:
https://sqlite.org/releaselog/3_51_1.html
"Changes in this specific patch release, version 3.51.1 (2025-11-28):
Fix incorrect results from nested EXISTS queries caused by the
optimization in item 6b in the 3.51.0 release.
Fix a latent bug in fts5vocab virtual table, exposed by new
optimizations in the 3.51.0 release"
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This bump includes patches which add cmake4 compatibility.
Instead of adding patches for
https://github.com/greatscottgadgets/hackrf/commits/main/host/CMakeLists.txt
to the latest release from Februar 2024 we bump the package to the latest
commit from November 2025.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change _VERSION to use "git describe --abbrev=40" format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Last release dates back to 2020 with > 120 commits since then, including
fixes for cmake 4 compatibility.
Instead of backporting several patches we bump the package to the latest
commit which allows to remove patch 0001.
Updated license hash due to upstream commit
f9dad5a35e
For list of changes, see:
142e1bda34
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add link to change list
- change _VERSION to use "git describe --abbrev=40" format
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Last release dates back to 2021 with > 50 commits since then, including
fixes for cmake 4 compatibility.
Instead of backporting several patches we bump the package to the latest
commit.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change _VERSION to use "git describe --abbrev=40" format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes 1.3.6..1.3.7:
f138e68e7ffefa3f4d71857ddb137fff877fd1d0 getnetconfig.c: free linep to avoid memory leakage
eea92ef0bf2f3f0e337cfd074ebc34d91945f19b Revert "getnetconfig.c: free linep to avoid memory leakage"
d473f1e1f6ba80bfaee4daa058da159305167323 Update declarations to allow compile with gcc-15
240ee6c774729c9c24812aa8912f1fcf8996b162 update signal and key_call declarations to allow compile with gcc-15
07e45147b877c63a1d3dd1f5ae6070543b1d93cf Convert old-style function definitions into modern-style definitions
2cfe608550dbe44ac8fc6c26216f529565713fc4 Convert old-style function definitions into modern-style definitions
581152976f093f31957c48567278535ef54f6b3c Convert old-style function definitions into modern-style definitions
2832da026b0812a23e65773b313b048c68147b09 Convert old-style function definitions into modern-style definitions
d3ff4c39bbcf22e3ff736261b66a9f6c6a6bf4ca Convert old-style function definitions into modern-style definitions
791063e55d9739fa8c7c1a0d4ac1c4f8023a2843 Convert old-style function definitions into modern-style definitions
23b0aa66a34fc6de16d285fbeb60b0fd68fa40d5 Convert old-style function definitions into modern-style definitions
2c9ed28d9c364c6e7c29d9b5b740893a8baea014 Convert old-style function definitions into modern-style definitions
41cb38e2dfdc7053ebcbd777cf868f8fcbcfcf23 Convert old-style function definitions into modern-style definitions
b73283a6982f83974b48d1858735649d6acf6398 Convert old-style function definitions into modern-style definitions
c717a52ed169701b2907ac8eb8678ca41b1533ba Convert old-style function definitions into modern-style definitions
4eeb59a8dbcc6b4d3db1b81a00615f6e7832a97c Convert old-style function definitions into modern-style definitions
7cea8ad66aecc21e6caae330b5d31075af399193 Add conditional version script support
5bd87617e4b3129e76e79847c95bdea4b1290d9f Release 1.3.7
Our two patches are upstream as of
d473f1e1f6ba80bfaee4daa058da159305167323 and
240ee6c774729c9c24812aa8912f1fcf8996b162 respectively.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes between 2.4 and 2.5:
- snagrecover:
add support for bcm2711/12 platforms
add support for several AMLogic platforms
add support for AM654x platforms
confirm Allwinner A133 support
- snagfactory:
allow changing target device mid-pipeline
tone down UI colors, increase button sizes
No changes affect the packaging or dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 930660890b bumped kbd to
version 2.9.0 which includes optional support for various compression
libraries. This commit adds the corresponding configure options and a
fix for build errors caused by zlib.
The build error was happening when a zlib was compiled before kbd.
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_KBD=y
BR2_PACKAGE_ZLIB=y
EOF
make olddefconfig
make zlib
make kbd
The compilation fails with the erro:
kbdfile-zlib.c: In function 'dlopen_note':
elf-note.h:27:30: error: 'sym_gzopen' undeclared (first use in this function); did you mean 'sym_gzopen64'?
27 | #define DLSYM_ARG(symbol__) &sym_##symbol__, STRINGIFY(symbol__),
| ^~~~
Fixes:
https://autobuild.buildroot.net/results/8ff/8ff6c3d940b68069f748f12646f7516ec86172c1/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add commands to reproduce the issue
- update patch "Upstream:" link to upstream commit
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
- Bump Linux kernel to 6.18.
- Bump U-Boot to 2025.10. Add the dependency on GNU TLS. Refresh the
config fragment: add smc & poweroff commands, add ESRT and dummy
capsule update, add SMCCC features discovery.
- Bump OP-TEE to 4.8.0. Add the dependency on python-cryptography. Lock
optee-client version to be the same as optee-os. Add a patch to output
logs to the same UART as all the other components and increase log
level. Remove the unnecessary dependency on dtc.
- Bump TF-A to v2.14.0.
- Bump FVP to 11.30_27. Disable terminal 1, now that all the logs go to
a single terminal. Enable virtio network. Rate limit the simulation
by default, for convenience at U-Boot and GRUB countdown, and for more
realistic delays inside the simulation.
- Switch to Bootlin pre-built toolchain.
- Add more modules to GRUB, to have more commands available: efi
commands, plus reboot & halt.
- Add eudev to probe Linux modules during boot, for LCD support.
- Configure eth0 with DHCP automatically during boot.
- Refresh the documentation.
This configuration has been tested on an x86 and on an AArch64 machine.
The firmware and FVP of this configuration have also been tested
successfully with other OSes: Debian Live, openSUSE Tumbleweed, Yocto,
OpenWrt, Buildroot AArch64 EFI and FreeBSD.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://github.com/strace/strace/blob/v6.18/NEWS
Buildroot commit a06d79862a bumped the
linux kernel to version 6.18 which broke the build of strace.
The issue can be reproduced with commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_PACKAGE_STRACE=y
EOF
make olddefconfig
make strace
The build is failing with error:
listmount.c: In function 'print_mnt_id_req':
listmount.c:39:16: error: 'struct mnt_id_req' has no member named 'spare'
39 | if (req.spare) {
| ^
Fixes:
https://autobuild.buildroot.org/results/8e3de892a1c4aa176a8b3a5defba48aa9830bc89/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- update pgp key comment in hash file
- add commands to reproduce the issue and error log
- add autobuilder failure log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit a06d79862a bumped the
linux kernel to version 6.18 which broke the build of cryptodev-linux.
Added upstream patch to fix the problem.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since we bumped to glibc 2.42, the build of Python 3 is failing on
Sparc64 due to the removal of the "struct termio" definition from
glibc. Since this only affects a small number of termio operations, we
simply drop support for them, since they basically can't be used
anymore (and we don't really care that much about those specific
operations that only exist on Sparc64).
Fixes:
https://autobuild.buildroot.net/results/28fee0f8368ae3dc1d607ebad4881b736e360f07/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The NVD database has CVE entries that are not present but may be
referenced in other security trackers.
For instance the CVE-2024-12455 is documented in the Debian security
tracker [1]. However, the NVD page is empty [2] and this entry is not
present in the NVD database mirror.
The following command would make the script fail:
```
echo '{
"vulnerabilities": [
{
"id": "CVE-2024-12455"
}
]
}' | support/scripts/cve-check --enrich-only
```
No CVEs present in Buildroot ignored CVEs are affected. But when
enriching an SBOM with legitimate CVE not present on NVD, the script
will fail.
This patch change the behavior to just log to stderr unknown CVEs
instead of making the script fail.
[1] https://security-tracker.debian.org/tracker/CVE-2024-12455
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-12455
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: Tweak warning message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building a simple configuration such as:
BR2_aarch64=y
BR2_FORCE_HOST_BUILD=y
Under our reference Docker container, as an out-of-tree build:
./utils/docker-run make O=output-test
will fail during the glibc staging installation step with:
/usr/bin/install -c -m 644 /home/thomas/buildroot/br/output-glibc/build/glibc-2.42-3-gbc13db73937730401d592b33092db6df806d193e/build/libc.a /usr/lib64/libc.a
/usr/bin/install: cannot create regular file '/usr/lib64/libc.a': Permission denied
The problem being that the install_root variable is for some reason
lost along the way. We definitely pass it during the staging
installation step, but then glibc calls a sub-make and in that
submake, install_root is empty.
Observations:
- Building the same configuration inside the Docker container, but
in-tree, doesn't exhibit the problem.
- Building outside of the Docker container, but with the same make
version as the one we build due to BR2_FORCE_HOST_BUILD=y doesn't
exhibit the problem.
However, it turns out that glibc sets install_root to $(DESTDIR). And
passing DESTDIR just works. So we drop our custom
GLIBC_INSTALL_STAGING_OPTS to rely on the default one, and this fixes
the problem. It's not extremely satisfying to not fully understand
what's going on, but after spending quite some time on this, and
having a trivial and actually pretty nice workaround, we simply
propose to use this solution.
There is no autobuilder issue as we're not using our Docker container
to do autobuild builds.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When browsing the available Database packages, libdbi appears in the
menuconfig as "lidbi".
Fix the menuconfig entry by updating the relevant boolean name.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The http link is broken:
Connecting to people.redhat.com (people.redhat.com)|209.132.178.26|:80...
failed: No route to host.
No autobuilder error recorded.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The http link is broken:
Connecting to people.redhat.com (people.redhat.com)|209.132.178.26|:80...
failed: No route to host.
No autobuilder error recorded.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Original site is down, unchanged tarball can be downloaded from github.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Prabhu's e-mail address at Collins is bouncing, so let's drop this stale
entry:
<prabhu.sannachi@collins.com>: host
mxb-00105402.gslb.gpphosted.com[67.231.147.145] said: 550 5.1.1 User
Unknown (in reply to RCPT TO command)
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
unzip currently fails to build with GCC 15.x. We're already fetching
from Debian, using patchlevel -27, and it turns out that Debian
patchlevel -29 has the GCC 15.x fix, and very few other fixes:
unzip (6.0-29) unstable; urgency=medium
* Ignore invalid "Total number of disks" field on Microsoft ZIP64 files.
Closes: #661956, #1064000.
* Drop conflicting declarations of gmtime() and localtime().
Should fix build with gcc-15. Closes: #1098043.
* Fix zipgrep handling of escapes. Closes: #1054628.
* Stop using update-mime. Closes: #1072396.
* Add debian/source/lintian-overrides for *.a files.
* Do not trim Debian changelog.
* Add debian/salsa-ci.yml.
* Add Vcs-Git and Vcs-Browser fields.
* Update Standards-Version.
unzip (6.0-28) unstable; urgency=medium
* Drop debian/source/lintian-overrides, obsolete since version 6.0-18.
* Update URI for Info-ZIP license in copyright file.
* Update standards version to 4.6.2.
* Run wrap-and-sort.
* Update Homepage.
So let's just bump to this patchlevel version.
Note that the .dsc file link in the .hash file was wrong, it was still
referring to patchlevel -26.
Fixes:
https://autobuild.buildroot.net/results/d81cb9d7c9e87dd233dde350d15cb03427ba2036/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Bernd:
Updated _SITE from /debian-debug/ to /debian/ (Baruch)
Updated comment of UNZIP_IGNORE_CVES to reflect bump.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The current upstream repo shows this note:
"This repository was archived by the owner on May 27, 2024. It is now
read-only."
Switched to fork whose only difference is a commit fixing build errors
with cmake 4:
4674816f56
Since this commit changes _SITE, the package homepage url is also update
to the same location.
Fixes:
https://autobuild.buildroot.net/results/130/13084ca4df5ae91d72f46ef51873676b05398ec9/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change homepage url in Config.in and add commit log comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 5.4.x series is now EOL upstream, so drop the linux-headers
option and add legacy handling for it.
Bump kernel version in test_zfs.py.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 95c385e2d6 in -next
branch bumped libcamera to version 0.6.0 which breaks the build:
../core/options.cpp:405:44: error: conversion from
'std::basic_string_view<char>' to non-scalar type
'const std::string' {aka 'const std::__cxx11::basic_string<char>'}
requested
405 | const std::string cam_id =
*cameras[camera]->properties().get(libcamera::properties::Model);
Added upstream patch, included since version 1.10.0, to fix the problem.
Please note that since version 1.9.1 this package is incompatible with
the current version of ffmpeg used in buildroot so bumping it is not an
option atm:
cbe9921eed
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: fix Buildroot commit id of libcamera bump]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issues:
1) CVE-2025-62229: Use-after-free in XPresentNotify structures creation
Using the X11 Present extension, when processing and adding the
notifications after presenting a pixmap, if an error occurs, a dangling
pointer may be left in the error code path of the function causing a
use-after-free when eventually destroying the notification structures
later.
Introduced in: Xorg 1.15
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b1
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
2) CVE-2025-62230: Use-after-free in Xkb client resource removal
When removing the Xkb resources for a client, the function
XkbRemoveResourceClient() will free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
triggers a use-after-free.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/99790a2chttps://gitlab.freedesktop.org/xorg/xserver/-/commit/10c94238
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
3) CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap()
The XkbCompatMap structure stores some of its values using an unsigned
short, but fails to check whether the sum of the input data might
overflow the maximum unsigned short value.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
https://lists.x.org/archives/xorg-announce/2025-October/003635.html
Changelog:
https://lists.x.org/archives/xorg/2025-October/062148.html
Also update the COPYING hash for a change of copyright year.
Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
[Peter: Mark as security bump, extend commit message, fix COPYING hash]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 00230e7 "package/pkg-golang: catch use of legacy FOO_INSTALL_BINS"
introduced a small typo, fixing that.
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add optee_os to the default configuration for versal2 devices including an
example with the versal2_vek385_defconfig.
Since not all versal2 optee_os features are upstream, use the downstream
Xilinx release tag xlnx_rebase_v4.5.0_2025.2 for version xilinx_v2025.2
which is based on optee_os v4.5.0.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Most of the time, users will be running Vivado on their local host machine,
and will generate a XSA (Xilinx Shell Archive) locally.
Instead of requiring users to create a URL location for their XSA file,
this patch improves ease of use by allowing users to work directly with
just a path on the local host machine.
BR2_TARGET_XILINX_PREBUILT_VERSAL_XSA_LOCATION can thus be defined as either
a simple local location or a URL location for the XSA file.
In either case, a hash for the XSA file needs to be added to the
boot/xilinx-prebuilt/xilinx-prebuilt.hash when using this option.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://lwn.net/Articles/1049060/
"This is the LAST 5.4.y release. It is now end-of-life and should not be
used by anyone, anymore. As of this point in time, there are 1539
documented unfixed CVEs for this kernel branch, and that number will
only increase over time as more CVEs get assigned for kernel bugs."
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As requested by the gnu.org admins:
"
Since August 2024, we've been under DDoS attacks from common command line
tools.
To fix this, we would need to change the user-agent from "Python/3.11
aiohttp/3.8.4" to "buildroot.org pkg-stats" instead.
"
It indeed probably makes sense to use an unique user-agent string, so rework
the script to do that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since libcap has been updated to version 2.77 in Buildroot commit
42f2b480a5, the build fails for
statically-linked configurations when the host system doesn't have a
static version of libc installed:
/usr/bin/ld: cannot find -lc: No such file or directory
/usr/bin/ld: have you installed the static version of the c library ?
This is because the -static flag that is supposed to be used when
building target code also gets passed to the host compiler... which is
obviously incorrect and leads to the build failure.
This issue was introduced by upstream commit
c3ddf45d9afaab85d3b7db0dc7bfd1aafb8fde50, which was reverted right
after the 2.77 release in commit
542d7d86ecd2129dd5fe7e5b31ba307304f5b319, which we are simply
backporting here.
Fixes:
https://autobuild.buildroot.net/results/f6d/f6dc61a9d57e282691b87a3a8fadcb5d5ea8fd8b/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add an example config for the Versal2 VEK385 evaluation board. This board has
the superset 2VE3858 device of the Versal AI Edge Gen 2 family with
8 Cortex-A78AE cores, 10 Cortex-R52 cores, 144 AIE-ML tiles and over 500k LUTs.
With this patch, Buildroot is capable to build a full image for the VEK385
evaluation board along with all the necessary firmware components.
More information about the VEK385 evaluation board can be found here:
https://www.amd.com/en/products/adaptive-socs-and-fpgas/evaluation-boards/vek385.html
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add support for Xilinx versal2 devices which include two new applications
for the xilinx-embeddedsw package.
BR2_TARGET_XILINX_EMBEDDEDSW_VERSAL2_PLM
There is a new PLM (platform loader and manager) application for versal2
devices. The purpose of the PLM is to act as the bootloader for loading the
boot.pdi to configure the DDR memory and then loading arm-trusted-firmware and
u-boot on the Cortex-A78 core 0.
BR2_TARGET_XILINX_EMBEDDEDSW_VERSAL2_ASUFW
Included with versal2 devices is a risc-v based security accelerator called
the ASU (application security unit). The ASUFW is the open-source application
which runs on the ASU.
Versal2 devices simplified the boot process by getting rid of the second
microblaze core called the PSM (processor system manager). There is thus no
longer a need for a separate psmfw application like with the original versal
devices, as this functionality is now fully included in the new PLM for
versal2.
For more information about the Xilinx Versal Gen2 series:
https://www.amd.com/en/products/adaptive-socs-and-fpgas/versal/gen2/ai-edge-series.htmlhttps://www.amd.com/en/products/adaptive-socs-and-fpgas/versal/gen2/prime-series.html
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The gnu.org admins have been blocking the IP address of machines running
pkg-stats as the GET requests for the (many) packages with gnu.org URLs are
seen as abusive.
The resource body is not used, so use a HTTP HEAD request instead of a GET
to limit server load and bandwidth use.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
- Update the kernel, U-Boot, ATF tags and readme.txt.
- Increase the rootfs size to 200M.
Signed-off-by: Akhilesh Nema <nemaakhilesh@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since FRR 10.5, header files can be properly installed [1]. Enable their
installation in Buildroot so that packages depending on FRR’s headers
can build against them.
With these headers available, the Grout package can build its zebra
dplane plugin, which allows FRR to configure the Grout router instead of
the kernel for packet processing.
[1] https://github.com/FRRouting/frr/pull/19351
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
[Julien:
- move FRR_INSTALL_STAGING up
- add "package/" in commit title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When using a custom skeleton where the merged symlinks are missing,
the build fails with errors like:
support/scripts/check-merged -t skeleton -u -b /usr/src/simplek8s/rootfs-skeleton
The skeleton in -t is not properly setup:
- /usr/bin should exist, be a directory, and not be a symlink
- /usr/lib should exist, be a directory, and not be a symlink
The skeleton in skeleton is not properly setup:
- /usr/bin should exist, be a directory, and not be a symlink
- /usr/lib should exist, be a directory, and not be a symlink
[...]
Commit 793ebd5d28 (support/scripts/check-merged: use getopts instead of
getopt) intoduced a flawed use of getopts: unlike getopt, getopts does not
conume the positional arguments. This causes the check for directory
validity to also check each option as if they were directories.
For overlays, this is transparently ignored, because the checks are only lax
for overlays (missing symlinks are OK).
However, for skeletons, the checks are strict. Because of that, a missing
symlink is considered an error, when it should be considered as being OK.
The fix is to actually consume the positional args to only keep the list of
directories to validate, like is done for example in
support/download/dl-wrapper.
Fixes: 793ebd5d28
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Package tmux fails to build with:
compat/utf8proc.c: In function 'utf8proc_mbtowc':
compat/utf8proc.c:51:39: error: passing argument 3 of 'utf8proc_iterate' from incompatible pointer type [-Wincompatible-pointer-types]
51 | slen = utf8proc_iterate(s, n, pwc);
| ^~~
| |
| wchar_t * {aka long int *}
Add local patch already committed upstream to fix it.
Fixes:
https://autobuild.buildroot.net/results/651/6510cfb16d0c3f3772918cd3bde0542d0b59a230/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The starfive-spltool host package was added to Buildroot to create a
bootable image for the Starfive JH7110 SoC.
Mainline U-Boot can now build an image without it so it is not required
anymore.
Signed-off-by: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
[Julien: remove DEVELOPERS entry]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Buildroot commit [1] "package/gcc: switch to GCC 14.x as the
default", pine64_star64_defconfig compilation is failing in
u-boot with error:
drivers/video/dw_hdmi.c: In function 'dw_hdmi_write':
drivers/video/dw_hdmi.c:81:42: error: passing argument 2 of 'writeb' makes pointer from integer without a cast [-Wint-conversion]
See build failure [2].
Upstream U-Boot includes a support for this board since commit [3],
first included in v2024.07.
Upstream Kernel includes a support for this board since commit [4],
first included in v6.11.
This commit switches uboot and linux from the repository
https://github.com/Fishwaldo
to their respective upstream sources.
U-Boot is updated from the fork from a v2021.10 base to v2025.10.
The Linux Kernel is updated from the fork from a v5.15.131 base
to v6.12.56.
While at it, this commit updates the defconfig to the new convention:
- It adds custom hashes and enables BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
- It switches to a glibc stable bootlin external toolchain
Note that the upstream uboot defconfig name for the pine64 star64
board is starfive_visionfive2 (which is in fact another, but very
similar board). The detection of the board is made inside the SPL.
See [5].
Finally, switching to upstream uboot and kernel required few
adjustments:
- The genimage.cfg is updated to use the "u-boot.itb" file produced by
U-Boot,
- In genimage.cfg, the uboot partition-type-uuid is changed to
xbootldr (the genimage human readable name), to follow the
recommendation of the UUID to use from [5],
- In extlinux.conf, rootwait is added in kernel arguments,
- The post-build.sh script and the star64-uboot-fit-image.its file
are removed: they are no longer needed, since U-Boot and Binman
are managing everything,
- BR2_TARGET_UBOOT_SPL_NAME is updated in the defconfig, to reflect
the file name generated by U-Boot,
- BR2_PACKAGE_HOST_STARFIVE_SPLTOOL is removed from the defconfig,
it is no longer needed, since upstream U-Boot produces the file
at the correct format,
- BR2_PACKAGE_HOST_UBOOT_TOOLS is also removed from the defconfig,
it is no longer needed since U-Boot uses Binman,
- the defconfig is updated to include the new uboot requirements
(BR2_TARGET_UBOOT_{NEEDS,USE}_*),
- the pine64_star64_defconfig entry is removed from .checkpackageignore
it is no longer needed.
This patch was tested on a Pine64 Star64 board V1.1,
PCB revision: 0xc1, BOM revision: A.
Fixes:
- [2]
[1] 1e1fafa1f0
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/11916952973
[3] 7ebf7e77c0
[4] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2606bf583b9623694b864c220fd6b3d2ed13ba13
[5] https://source.denx.de/u-boot/u-boot/-/blob/v2025.10/doc/board/starfive/pine64_star64.rst
Reviewed-by: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that all Xilinx board configs have been bumped to xilinx_v2025.2, bump the
default version of xilinx-prebuilt to xilinx_v2025.2.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that all Xilinx board configs have been bumped to xilinx_v2025.2, bump the
default version of xilinx-embeddedsw to xilinx_v2025.2.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that all Xilinx board configs have been bumped to xilinx_v2025.2, remove
the xilinx_v2025.1 hashes which are no longer needed.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump versal defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
arm-trusted-firmware v2.12
linux v6.12.40
plm xilinx_v2025.2
psmfw xilinx_v2025.2
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a vek280 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hash for xilinx_v2025.2 version, so that example defconfigs can be
bumped to the latest version individually.
Since the license.txt changes with each release, move the hashes to version
specific directories instead of having a generic hash file.
xilinx_v2025.1 hash is moved to boot/xilinx-prebuilt/xilinx_v2025.1_update1
xilinx_v2025.2 hash is added to boot/xilinx-prebuilt/xilinx_v2025.2
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump zynqmp_kria defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
arm-trusted-firmware v2.12
linux v6.12.40
pmufw xilinx_v2025.2
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a kv260 starter kit.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump zynqmp defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
arm-trusted-firmware v2.12
linux v6.12.40
pmufw xilinx_v2025.2
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a zcu102 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump zynq defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
linux v6.12.40
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a zc702 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hash for xilinx_v2025.2 version, so that example defconfigs can be
bumped to the latest version individually.
Since the license.txt changes with each release, move the hashes to version
specific directories instead of having a generic hash file.
xilinx_v2025.1 hash is moved to boot/xilinx-embeddedsw/xilinx_v2025.1
xilinx_v2025.2 hash is added to boot/xilinx-embeddedsw/xilinx_v2025.2
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hashes for xilinx_v2025.2 release tags which include the following:
arm-trusted-firmware v2.12
linux v6.12.40
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump bootgen to xilinx_v2025.2 version.
The 0001-bisonflex-Fix-build-on-machines-with-modern-flex.patch is no longer
needed because it has been committed upstream and included with the
xilinx_v2025.2 version.
0471f084b0
The 0001-lms-hash-sigs-hss_param.c-add-stdio.h-include.patch has now been
added to the package to fix the following potential build error:
The lms-hash-sigs/hss_param.c is missing an include of stdio.h. Without it,
the following build error can occur:
hss_param.c: In function ‘hss_get_parameter_set’:
hss_param.c:157:13: error: implicit declaration of function ‘printf’ [-Wimplicit-function-declaration]
157 | printf("Private key expired\n");
| ^~~~~~
hss_param.c:7:1: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
6 | #include "lm_common.h"
+++ |+#include <stdio.h>
7 |
hss_param.c:157:13: warning: incompatible implicit declaration of built-in function ‘printf’ [-Wbuiltin-declaration-mismatch]
157 | printf("Private key expired\n");
| ^~~~~~
hss_param.c:157:13: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
make[3]: *** [Makefile:38: hss_param.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [Makefile:84: build/bin/bootgen] Error 2
The above error was reported on Debian 13 / gcc 14.2.0.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Upstream: submitted to Xilinx bootgen repo with CR-1256741
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since Buildroot commit [1] (package/gnutls: security bump to
version 3.8.11), gnutls fails to build with gcc or host-gcc
version < 11, with error:
In file included from audit.h:22,
from audit.c:26:
crau/crau.h:255:23: error: missing binary operator before token "("
__has_c_attribute (__maybe_unused__)
This commit adds a patch fixing the issue.
[1] 81dbfe1c2a
Reported-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Neal Frager <neal.frager@amd.com>
Tested-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As of Buildroot commit [1] which updated
the python-httplib2 package from 0.22.0 to 0.31.0, gclient.py has
been broken due to the internal socks.py file being removed from
the httplib directory (in upstream commit [2]).
As the depot-tools package doesn't have a build step, and is only
used when generating a flutter-engine tarball, no autobuild failures
have occured.
Add a simple patch that changes `import httplib2.socks` to
`import socks` and depend on the host-python-pysocks package.
[1] 55a80f89d7
[2] 1a6ff78179
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/12188741354
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Julien:
- change commit id to urls
- add "Fixes:" link
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host-depot-tools package now requires a host variant of the
python-pysocks package due to the python-httplib2 update on
commit [1].
Httplib2 removed the internal socks.py file on commit [2].
[1] 55a80f89d7
[2] 1a6ff78179
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Julien: change commit id to urls]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The bump of e2fsprogs to 1.47.3 in Buildroot commit
bb004ddba2 causes the package to fail
building when the kernel headers are >= 5.10 but < 5.12.
Indeed the new version of e2fsprogs detects the presence of
<linux/fsverity.h> (which occurred in 5.10), and when it's available,
enables some fsverity functionality, which uses an ioctl() that was
only introduced in 5.12. This causes some build breakage if the
headers used are 5.10 or 5.11.
We fix this by introducing a patch, submitted upstream, that not only
verifies the availability of the header file, but also the
availability of the ioctl().
Fixes:
https://autobuild.buildroot.net/results/c573233b1f871c61f916eda9c402c84070902432/ (host-e2fsprogs)
https://autobuild.buildroot.net/results/0ed16cad1d1f500d0e577d03166c06381be73ffc/ (e2fsprogs)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For a list of changes, see:
b147624d48...0.4.1
Removed patches which are included in this release.
Also, since Buildroot commit [1] (package/php: bump version to 8.4.13)
php-pecl-dbus is failing to build with error:
/builds/buildroot.org/buildroot/test-output/TestPhpPeclDbus/build/php-pecl-dbus-b147624d480c3353e6c700e9a2d0c6f14d853941/php_dbus.h:52:9: error: implicit declaration of function 'rebuild_object_properties'; did you mean 'rebuild_object_properties_internal'? [-Wimplicit-function-declaration]
This commits fixes the issue.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/12184413758
[1] a9e5cf6ac2
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commit log info about build failure]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog: https://pecl.php.net/package-changelog.php?package=yaml
Since Buildroot commit [1] (package/php: bump version to 8.4.13)
php-yaml is failing to build with errors such as:
/buildroot/output/build/php-yaml-2.2.3/parse.c: In function ‘handle_sequence’:
/buildroot/output/build/php-yaml-2.2.3/parse.c:534:39: error: passing argument 1 of ‘zval_ptr_dtor’ from incompatible pointer type [-Wincompatible-pointer-types]
This commits fixes the issue.
[1] a9e5cf6ac2
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commit log info about build failure]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog: https://xdebug.org/updates#x_3_4_7
Since Buildroot commit [1] (package/php: bump version to 8.4.13)
php-xdebug is failing to build with error:
/buildroot/output/build/php-xdebug-3.3.1/src/coverage/code_coverage.c: In function ‘xdebug_find_jumps’:
/buildroot/output/build/php-xdebug-3.3.1/src/coverage/code_coverage.c:349:34: error: ‘ZEND_EXIT’ undeclared (first use in this function); did you mean ‘ZEND_GINIT’?
This commits fixes the issue.
[1] a9e5cf6ac2
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commit log info about build failure]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 2ecb2d2847 removed the
dependency to BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS while still
selecting packages which depend on it:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON_JSONSCHEMA
Depends on [n]: BR2_PACKAGE_PYTHON3 [=y] && BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS [=n]
Selected by [y]:
- BR2_PACKAGE_PYTHON_FLASK_RESTX [=y] && BR2_PACKAGE_PYTHON3 [=y]
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON_REFERENCING
Depends on [n]: BR2_PACKAGE_PYTHON3 [=y] && BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS [=n]
Selected by [y]:
- BR2_PACKAGE_PYTHON_FLASK_RESTX [=y] && BR2_PACKAGE_PYTHON3 [=y]
Seen with defconfig:
https://autobuild.buildroot.org/results/ebf9a81f7e225ecdab20bbad8ad8daa136fddb46/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This adds the python bindings of libgpiod for version 2+.
While the python bindings for v1 were optionally built and
installed as part of the main libgpiod build, for v2 they have now been
published to pypi.org for easier consumption in the general python
ecosystem.
We need to set LINK_SYSTEM_LIBGPIOD=1 to actually build against the
system version of libgpiod which we install and not use a separate
bundled copy.
The package is licensed as libgpiod, but as published to pypi doesn't
include the LICENSE file that's part of upstream repository.
Reference pyproject.toml as that has the license identifier as a
workaround.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 1187c34d88 (support/scripts: move merged-usr errors message
into check-merged-usr.sh) introduced the use of getopt to parse its
options; doing so allowed to use long option (with two leading dashes),
which is more descriptive than the usual one-character options.
However, getopt is part of util-linux; it is not a shell built-in.
util-linux is not a prerequisite of Buildroot, so we may end up running
on a system where it is missing.
We could add host-util-linux as a dependency when the system does not
provide getopt, but that's not very nice; even though host-skeleton does
not need to check for merged-bin for now, it does not need getopt, and
thus we could add host-util-linux (which depends on host-skeleton) as a
dependency of skeleton-custom. But that will not be tenable over the
long run, especially if/when we do a merged-bin in host dir.
Requiring that util-linux be installed system-wide is not nice either;
it's an additional requirement on the host.
We can do like we do in the oter scripts, though: use the shell built-in
getopts. Its usage is slightly different, and does not support long
options. As it's just for use in an internal script, we can live with
the less descriptive options, though.
Switch to using getopts, it removes the need for a new host dependency.
Fixes: 1187c34d88
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The bump of netsnmp to version 5.9.4 with buildroot commit
1799cfebfd broke musl builds:
../include/net-snmp/net-snmp-config.h:1614:30: error: unknown type name 'unknown'; did you mean 'union'?
due to broken detection of __fd_mask introduced in 5.9.4 by upstream
commit 97df191ff8
Added two upstream patches for __fd_mask detection to fix musl builds.
Fixes:
https://autobuild.buildroot.net/results/9d7/9d75061ca917689381c3b32f3e01640701d833a7/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that binutils 2.45 has been introduced and binutils 2.44 made the
default version, drop the oldest supported version, binutils 2.42,
keeping only the 3 last versions supported: 2.43, 2.44 and 2.45.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that support for binutils 2.45 has been introduced, we follow our
policy of making binutils 2.44 the default version.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
We bring patches 0001 and 0002 that we carry for binutils 2.44. Patch
0002 requires a small update as a nearby configure option has been
removed between 2.44 and 2.45. Patch 0003 that we have for binutils
2.44 is not needed as it is part of the 2.45 release.
Changes in 2.45:
* New versioned release of libsframe: libsframe.so.2. This release introduces
versioned symbols with version node name LIBSFRAME_2.0. Some new symbols
have been added to support the new flag SFRAME_F_FDE_FUNC_START_PCREL and
retrieving flags from SFrame decoder and encoder objects:
- Addition of sframe_decoder_get_flags,
sframe_decoder_get_offsetof_fde_start_addr, sframe_encoder_get_flags,
sframe_encoder_get_offsetof_fde_start_addr.
This release also includes backward-incompatible ABI changes:
- Removal of sframe_get_funcdesc_with_addr.
- Change in the behavior of sframe_decoder_get_funcdesc_v2,
sframe_encoder_add_funcdesc_v2 and sframe_encoder_write.
* On s390 64-bit (s390x), gas, ld, objdump, and readelf now support generating
and processing SFrame V2 stack trace information (.sframe). The assembler
generates SFrame info from CFI directives with option "--gsframe". The
linker generates SFrame info for the linker-generated .plt section and merges
all .sframe sections. Both objdump and readelf dump SFrame info with option
"--sframe[=<section-name>]".
* For SFrame stack trace format, the function start address in each SFrame
FDE has a changed encoding: The 32-bit signed integer now holds the offset
of the start PC of the associated function from the sfde_func_start_address
field itself (instead of the earlier where it was the offset from the start
of the SFrame section itself). All SFrame sections generated by gas and ld
now default to this new encoding, setting the (new)
SFRAME_F_FDE_FUNC_START_PCREL flag.
Relocatable SFrame links are now fixed.
* Readelf now recognizes RISC-V GNU_PROPERTY_RISCV_FEATURE_1_CFI_SS and
GNU_PROPERTY_RISCV_FEATURE_1_CFI_LP_UNLABELED for zicfiss and zicfilp
extensions.
* For RISC-V dis-assembler, the definition of mapping symbol $x is changed,
so the file needs to be rebuilt since 2.45 once used .option arch directives.
* The LoongArch disassembler now properly accepts multiple disassembly
options given by -M, such as "-M no-aliases,numeric". (Previously only the
first option took effect.)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: fix BR2_BINUTILS_VERSION_2_45_X prompt to 2.45.1]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch adds information on how to generate a CycloneDX SBOM in
Buildroot. It also mentions how to track CVEs with that given SBOM.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: reword slightly]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Enriches the input CycloneDX SBOM with vulnerability information and
analysis from the NVD database.
The NVD database is cloned using a mirror of it and the content is compared
locally. By default the path 'dl/buildroot-nvd' is used.
Example usage to analyse vulnerabilities of an input CycloneDX SBOM:
$ make show-info | utils/generate-cyclonedx | support/script/cve-check
The 'cve-check' can also be used to only enrich the vulnerabilities
present on the input SBOM with a set metadata (description, cvss,
references, ...) without applying an analysis.
With the following command the vulnerabilities ignored by Buildroot
present in the CycloneDX SBOM are enriched with description, cvss, etc
...
$ make show-info | utils/generate-cyclonedx | support/script/cve-check --enrich-only
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: fix minor flake8 issues]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch move the 'download_nvd' call to the 'pkg-stats' script
instead of automatically calling 'read_nvd_dir'.
Since the cve.py file can be used as a library it's up to the caller to
decide whether or not to update the NVD database.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 3963c3c06e added this
package which selects python-paramiko but forgot to add its dependency.
Fixes warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON_PARAMIKO
Depends on [n]: BR2_PACKAGE_PYTHON3 [=y] && BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS [=n]
Selected by [y]:
- BR2_PACKAGE_PYTHON_SCP [=y] && BR2_PACKAGE_PYTHON3 [=y]
seen with https://autobuild.buildroot.net/results/423/4235283218bc49f53bf7cafd4a67f380dba659c0/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixed the following security issues:
CVE-2025-64458: Potential denial-of-service vulnerability in
HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
CVE-2025-64459: Potential SQL injection via _connector keyword argument
https://docs.djangoproject.com/en/5.2/releases/5.2.8/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The S3 storage drivers defines the maximum size of a chunk to a value
thqt does not fit in the native integer on 32-bit architectures. This
causes build failures:
registry/storage/driver/s3-aws/s3.go:312:99: cannot use maxChunkSize
(untyped int constant 5368709120) as int value in argument to
getParameterAsInteger (overflows)
Ideally, we'd like to use a build tag that refers to whether the
architecture is 32- or 64-bit, but there is no such flag. Sigh...
Instead, backport a patch from upstream that papers over the issue, by
using the i386 build tag (of course, that still misses other 32-bit
archs, but are they really relevant in this case?).
Fixes:
https://autobuild.buildroot.org/results/8fa9c5f63f690b27336051be5178f0516e0c54d4/
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
[Julien: add "Fixes:" link]
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes: https://github.com/redis/redis/releases/tag/8.2.3
This fixes the following vulnerability:
- CVE-2025-62507:
Redis is an open source, in-memory database that persists on disk. In
versions 8.2.0 and above, a user can run the XACKDEL command with
multiple ID's and trigger a stack buffer overflow, which may
potentially lead to remote code execution. This issue is fixed in
version 8.2.3. To workaround this issue without patching the redis-
server executable is to prevent users from executing XACKDEL
operation. This can be done using ACL to restrict XACKDEL command.
https://www.cve.org/CVERecord?id=CVE-2025-62507
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The hash file for license (netcat.c) has changed due to copyright year
updates and changes not related to the license topic.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
[Julien: fix license hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Boolean Config.in symbols default to 'n', so we typically do not add such
redundant lines.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 53a302c6ed ("package/pppd: Add an option to enable/disable CBCP
support.") added a 'default n' line to Config.in, but booleans default to
'n', so we typically do not add such redundant lines.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit a028f0a51d ("package/psplash: add support for fullscreen config
option") added a 'default n' line to Config.in, but booleans default to 'n',
so we typically do not add such redundant lines.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The final upstream release of libgtk2 was published in December
2020. libgtk2 no longer builds with GCC 14.x, even less so with GCC
15.x. While Debian has some fixes to make it build with GCC 14.x,
those are not sufficient to allow building libgtk2 with GCC 15.x.
libgtk2 is anyway very old, largely superseded by libgtk3 and then
libgtk4. It is therefore time to remove it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Bernd: adjusted comment in package/avahi/avahi.mk]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The package is causing build errors with newer gcc versions:
sectables.c:331:22: error: initialization of 'void (*)(void)' from
incompatible pointer type 'void (*)(unsigned char *, int)'
[-Wincompatible-pointer-types]
331 | { 0x00, 0x00, section_PAT },
and many more.
The latest release dates back to 2007, the latest change in the CVS-
based source repository[1] (downloaded as dvbsnoop.zip) is also from
2007. No newer or maintained forks were found.
State of upstream ticket system[2]:
Bugs: last update 2012
Support Requests: No open tickets found.
Patches: last update 2010
Feature Requests: 1 from 2021, the rest 2012 and older
Instead of fixing build errors for an unmaintained project which is not
used by any other package we remove it from buildroot.
Fixes:
https://autobuild.buildroot.net/results/ea6/ea6786248b9ecf0eb1c1c1f7cdd0202462b75e00/
[1] https://sourceforge.net/p/dvbsnoop/cvs/
[2] https://sourceforge.net/p/dvbsnoop/_list/tickets
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The package is causing build errors with newer gcc versions:
procrank.c:381:9: error: implicit declaration of function 'asprintf';
did you mean 'vsprintf'? [-Wimplicit-function-declaration]
The latest upstream commit dates back to 2018 and no open issues/
bug reports are present so the projects seems unmaintained.
Instead of fixing build errors for such a project which is not used by
any other package we remove it from buildroot.
Fixes:
https://autobuild.buildroot.net/results/f2b/f2b41d27cf32808783b582e8ad714fb653c05713/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
bctoolbox was only needed as a dependency of linphone, as is anyway
bundled in more recent versions of linphone, making a separate package
unnecessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
ortp was only needed as a dependency of linphone, as is anyway bundled
in more recent versions of linphone, making a separate package
unnecessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mediastreamer was only needed as a dependency of linphone, as is
anyway bundled in more recent versions of linphone, making a separate
package unnecessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
belr was only needed as a dependency of linphone, as is anyway bundled
in more recent versions of linphone, making a separate package
unnecessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
belle-sip was only needed as a dependency of linphone, as is anyway
bundled in more recent versions of linphone, making a separate package
unnecessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This package is no longer maintained in Buildroot: no maintainer in
DEVELOPERS file, and doesn't build since we bumped mbedtls to version
3.x in commit 3481a9643f, which first
appeared in 2025.05.
Also, upstream linphone has changed their strategy, and now their
specific dependencies (bctoolbox, belle-sip, etc.) are bundled in
linphone, so anyway the packaging needs to be adapted significantly.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 770f915497, libjwt was bumped
from 1.17.2 to 3.2.0, which is a big bump. And the libjwt website
states "Version 3 of LibJWT is a complete overhaul of the code. Please
see documentation for usage."
And indeed, this version bump breaks the build of Asterisk. Therefore
asterisk uses its bundled version of libjwt now and this package can be
removed as no other package depends on it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: slightly reword help text]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 770f915497, libjwt was bumped
from 1.17.2 to 3.2.0, which is a big bump. And the libjwt website
states "Version 3 of LibJWT is a complete overhaul of the code. Please
see documentation for usage."
And indeed, this version bump breaks the build of Asterisk:
res_stir_shaken/attestation.c: In function 'pack_payload':
res_stir_shaken/attestation.c:357:9: error: implicit declaration of function 'jwt_add_grants_json' [-Wimplicit-function-declaration]
357 | jwt_add_grants_json(jwt, payload_str);
| ^~~~~~~~~~~~~~~~~~~
In file included from /home/autobuild/autobuild/instance-11/output-1/build/asterisk-22.3.0/include/asterisk/module.h:39,
from res_stir_shaken/attestation.c:24:
res_stir_shaken/attestation.c: In function '_dtor_jwt':
res_stir_shaken/attestation.c:367:38: error: implicit declaration of function 'jwt_free'; did you mean 'jwks_free'? [-Wimplicit-function-declaration]
367 | RAII_VAR(jwt_t *, jwt, NULL, jwt_free);
| ^~~~~~~~
To fix this, let's use the bundled version of libjwt in Asterisk,
since even Asterisk master hasn't been fixed to be compatible with
libjwt 3.x.
Of course, this raises the question of whether the separate libjwt
package should be removed, as it is anyway only used by Asterisk.
Fixes:
http://autobuild.buildroot.net/results/2d39791c65c5b71b0533d4b2bce5f073f5919552/
Cc: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Bernd: Added libopenssl dependency needed by bundled libjwt]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit adds broot, a fast and powerful file manager written
in Rust and licensed under MIT license. It supports filters, regular
expressions, and real-time "show-as-you-type" search for quick and easy
navigation, even in complex directory structures.
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
[Peter: use select rather than depends on for rustc]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There are a number of kernel config fixups required for tailscale to
function properly, these are commonly enabled by default in various
kernel configs but lets make sure they are all enabled here as well.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes from https://github.com/libts/tslib/releases :
This release includes libts version 0.10.5 and the following changes:
* improved release procedure
* debug fixes for 32bit systems
* CMake and autoconf updates for newer versions
* fixes for minor cppcheck errors
* ts_conf test program fixes
Signed-off-by: Martin Kepplinger-Novaković <martink@posteo.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For release notes since edk2-stable202505, see:
https://github.com/tianocore/edk2/releases/tag/edk2-stable202508
This commit also updates the edk2-platforms packages with the last
commit merged at the edk2 release date (2025-08-12), which corresponds
to commit [1].
The edk2-non-osi package is not updated because it did not received
any commit since the last edk2 bump.
This commit has been runtime tested with tests using EDK2 package,
with commands:
support/testing/run-tests \
-d dl -o output_folder \
tests.boot.test_edk2 \
tests.boot.test_grub.TestGrubAArch64EFI \
tests.boot.test_grub.TestGrubi386EFI \
tests.boot.test_grub.TestGrubRiscV64EFI \
tests.boot.test_grub.TestGrubX8664EFI \
tests.fs.test_iso9660.TestIso9660Grub2EFI \
tests.fs.test_iso9660.TestIso9660Grub2Hybrid \
tests.package.test_fwts
It has also been runtime tested (by booting in qemu) with defconfigs
using EDK2 package:
qemu_aarch64_sbsa_defconfig
qemu_loongarch64_virt_efi_defconfig
qemu_riscv64_virt_efi_defconfig
[1] d1b297b2aa
Cc: Dick Olsson <hi@senzilla.io>
Cc: Romain Naour <romain.naour@smile.fr>
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Tested-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As was done in dc7c6487cf (Makefile: check rootfs overlays with
BR2_ROOTFS_MERGED_USR enabled) to document how overlays should be
set up for the merged-usr case, and following 428ac6fcc4 (system:
add support for merged /usr/sbin (aka merged-bin), extend the
documentation to explain how rootfs overlays should be set up for
the merged-bin case.
Reported-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This allows using any of the hash algorithms supported by U-Boot for
checksum (hash-N) nodes when building a FIT image, instead of only
SHA-1 or SHA-256.
Fixes: 14a0169714 "package/uboot-tools:
Bump to version 2025.10"
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Brings a number of bugfixes and a (not applicable to Buildroot) security fix
for wolfssl (by dropping support for it).
https://curl.se/ch/8.17.0.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This bumps opensbi to v1.6 and add proper hash file.
Signed-off-by: Leo Yu-Chi Liang <ycliang@andestech.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Use tag instead of branch to download the linux source,
and add proper hash files.
Signed-off-by: Leo Yu-Chi Liang <ycliang@andestech.com>
[Julien: change linux-headers.hash to a symlink]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since version 256, systemd will taint the system if /usr/bin and
/usr/sbin are not merged, known as merged-bin:
# systemctl --no-pager status
● buildroot
State: running
Units: 166 loaded (incl. loaded aliases)
Jobs: 0 queued
Failed: 0 units
Since: Mon 2025-07-07 19:48:05 UTC; 19s ago
systemd: 257.7
Tainted: unmerged-bin
CGroup: /
├─init.scope
[...]
Although this is not yet an error, it will be in the future.
To be as ready as we can be when that happens, forcibly enable
merged-bin, like we did when we initially added merged-usr (except
this time we carry the select from systemd, even though it is not
yet strictly required, rather than from the init entry).
Extend the runtime test to catch any tainted flag.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Norbert Lange <nolange79@gmail.com>
Cc: Sen Hastings <sen@hastings.org>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When an external toolchain does not have a merged-bin, we can end up
with a situation where the toolchain installs an staging/usr/sbin/
directory, overriding the sbin symlink with an actual directory. When
not using PPD, this does not cause any harm.
However, with PPD, the build fails when preparing the staging (the
host/) for packages when the skeleton is eventually rsynced, e.g.:
$ cat defconfig
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_INIT_NONE=y
BR2_ROOTFS_MERGED_USR=y
BR2_ROOTFS_MERGED_SBIN=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_ZLIB=y
# BR2_TARGET_ROOTFS_TAR is not set
$ make zlib
[...]
>>> zlib Configuring
mkdir -p [...]/per-package/zlib/host
rsync -a --hard-links --link-dest=[...]/per-package/host-skeleton/host/ [...]/per-package/host-skeleton/host/ [...]/per-package/zlib/host
rsync -a --hard-links --link-dest=[...]/per-package/libzlib/host/ [...]/per-package/libzlib/host/ [...]/per-package/zlib/host
rsync -a --hard-links --link-dest=[...]/per-package/skeleton/host/ [...]/per-package/skeleton/host/ [...]/per-package/zlib/host
could not make way for new symlink: aarch64-buildroot-linux-gnu/sysroot/usr/sbin
cannot delete non-empty directory: aarch64-buildroot-linux-gnu/sysroot/usr/sbin
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1338) [sender=3.3.0]
make[1]: *** [package/pkg-generic.mk:256: [...]/build/zlib/.stamp_configured] Error 23
make: *** [Makefile:23: _all] Error 2
The root cause is that, in the skeleton, we end up with
[staging]/usr/sbin as a synlink to bin, but when the external toolchain
gets installed, the symlinbk is replaced by a directory. Later, when we
aggregate the PPD before configuring a package, it often happens that a
dependant package be rsynced before the toolchain and the skeleton, as
seen above, in which case the sbin directory from the toolchain, by way
of the dependency to a package, is already present when rsync wants to
create a symlink as rsynced from the skeleton.
In the example above, this plays in this order:
1. skeleton gets installed, provides a symlink
2. toolchain-external-bootlin rsyncs from skeleton, gets a symlink
3. toolchain-external-bootlin gets installed, replaces symlink with a
directory
4. libzlib rsyncs from skeleton, gets a symlink, then rsyncs from
toolchain-e-b, gets a directory
5. zlib rsyncs from libzlib first (because alphabetical ordering), gets
a directory, then rsyncs from skeleton, which rsyncs from a symlink,
but the destination is a non-empty directory, so rsync fails.
It is perfectly legit that an external toolchain does not use a
merged-bin setup, so we must accept that as input. We do so by treating
the /usr/sbin entry specially, like we already do for a few others, of
which /sbin itself for example.
Note that the merged-usr setup has no issue, because we already handle
the lib*/ directories specially too.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
With a merged-bin setup, there is no need to move ifconfig and route, as
they would already be in the proper place.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Currently, we partially accept that a skeleton or a rootfs overlay be
merged:
- for unmerged, we accept all kind of situations: unmerged, partially
merged, badly merged, merged-usr or merged-bin, arbitrary relative
or absolute symlinks, and whatnots;
- for merged-usr, we strictly require a properly set up merged-usr,
and we refuse a merged-bin;
- for merged-bin, we stricty require a properly set up merged-bin.
The unmerged case is inconsistent with the other cases, especially it
allows for arbitrary symlinks that may point to arbitrary locations that
may even not belong to $(TARGET_DIR) at all...
We fix that by ensuring that the skeleton and overlays strictly adhere
to the merge-level of the configuration; i.e. for an unmerged config, we
require that the skeleton and overlays be strictly unmerged, that is,
/bin, /lib, and /sbin, and their counterparts in /usr, are actual
directories.
Thus, for all three types of merge level, the skeleton and overlays must
match the configured merge level.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Starting with version 256 [0], systemd warns when /usr/bin and
/usr/sbin are different directories; in the future, it may even
refuse to boot in such a situation.
Add support for merged-bin, not unlike the support we have for
merged-usr; we also make merged-bin a sub-case of merged-usr
(i.e. it is not possible to do merged-bin without merged-usr).
[0] https://github.com/systemd/systemd/blob/v256/NEWS#L265
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Arnout Vandecappelle <arnout@mind.be>
Acked-by: TIAN Yuanhao <tianyuanhao3@163.com>
Cc: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
We're going to need it to check merged-bin, so the naming would be
misleading as it would no longer be just about merged-usr.
Also drop the extension, it's useless.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Currently, we accept that the merged usr is backward, i.e. that the
/usr/bin, /usr/sbin, and /usr/lib entries be symlinks to, resp., /bin,
/sbin, and /lib. We also allow either entries to be symlinks to other
parts of the root. Both are accepted despite the comment at the top of
the script explaining what should be accepted.
However, a properly merged usr is the other way around: /bin, /sbin, and
/lib are the symlinks to resp. /usr/bin, /usr/sbin, and /usr/lib, which
are actual directories.
Fix the check-merged-usr script accordingly: implement the test as we
mean it, by testing the conditions rather than resorting to a convoluted
and incorrect use of stat(1).
Even though the split between test_dir() and test_merged() seems
superfluous, it'll come useful when we introduce support for merged-bin
in a later patch.
For skeletons, we require that the directories do exist, while we allow
them to be missing for overlays; indeed, it is perfectly legit to
provide an overlay that only contains totally unrelated directories
(e.g. /var/www to populate a webroot for example).
Extend the heading-comment to be more explicit (and drop '/' as there is
nothing to say about it).
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
By moving the loop over the overlays into the script, we can generate
better error messages about how and why a skeleton or a specific overlay
is improperly setup for merged-usr.
We can also now rely on its exit code to decide whether the skeleton or
the overlays are properly setup, rather than stash the stdout/stderr to
a Makefile variable and test the emptiness thereof.
Introduce a --type option to pass the type of root to verify, for better
error reporting. This will incidentally be usefull in a future commit,
when we need to take different actions based on whether the root is a
skeleton or an overlay.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Rather than repeat the same canned sequence over and over again, move it
to a function that we can reuse as many times as needed. This will come
handy when we later need to check merged-bin.
Switch to using bash as it allows for nicer functions (local variables),
but we anyway require it globally already so that's not an additional
dependency.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Kconfig applies the default values in the order they are defined, and
stops at the first which condition is met. In this case, the two
conditions are mutually exclusive, so we can drop the second one. This
also makes it obvious there actually is a default value.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The current prompt is overly verbose, and departs from the usual
terminology used to refer to merged /usr, which, 10 years later [0],
makes it a little bit difficult to find or understand.
Furthermore, we're going to add another similar prompt for merged
/usr/sbin, and there's no way we want to introduce as similarly
convoluted prompt then.
Reword the prompt for the merged /usr option to the explicit "merged
/usr" everyone expects and understands.
[0] see commit c5bd8af65e (system: add options for /bin /sbin and
/lib to be symlinks into /usr)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Buildroot commit 14a0169714 added gnutls
as dependency to BR2_PACKAGE_UBOOT_TOOLS_MKEFICAPSULE in uboot-tools.mk
without adding the dependency and its reverse dependencies to the
Config.in causing a build error:
Makefile:578: *** gnutls is in the dependency chain of uboot-tools that
has added it to its _DEPENDENCIES variable without selecting it or
depending on it from Config.in. Stop.
Fixes:
https://autobuild.buildroot.net/results/39d/39db5ae9aad95e4976c3d8a40aca95b26568f8ea/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: remove "https" in comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit [1] has made ncurses a requirement for building the package.
The added patches fix the following build errors:
/usr/bin/install -c -d ../../../lib
buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-gcc -shared -Wl,-export-dynamic -o ../../../lib/libbrlttyxfv.so screen.o -ltinfo
buildroot/output/host/lib/gcc/arm-buildroot-linux-gnueabihf/14.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: cannot find -ltinfo: No such file or directory
collect2: error: ld returned 1 exit status
./unicode.c: In function ‘getTransliteratedCharacter’:
./unicode.c:349:27: error: initialization of ‘iconv_t’ {aka ‘long int’} from ‘void *’ makes integer from pointer without a cast [-Wint-conversion]
349 | static iconv_t handle = NULL;
| ^~~~
Update README hash:
- v6.8:
- Update the copyright from 2024 to 2025.
- v6.7:
- Update the supported braille devices lists.
- Add support for the HIMS eMotion.
- Add support for HT's Activator Pro models.
- Add support for the KGS Next Touch 40.
- Change the copyright from 2023 to 2024.
- Document that HT's Basic Braille Plus models are supported.
Release notes:
https://github.com/brltty/brltty/blob/BRLTTY-6.8/Documents/ChangeLog
[1] 8f7d65569e
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.56 and U-Boot to
version 2025.10.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
On v3.2.2, testing with an Infineon SLB9673 resulted in the following
error when attempting to read from a previously written NV index.
Upgrading to the latest release, v4.1.3, resolves the issue:
```shell
~# tpm2_nvread 0x1900001
WARN: Reading full size of the NV index
ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018).
ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad
ERROR: Failed to get shandle
ERROR: Failed to read NVRAM area at index 0x1900001
ERROR: Unable to run tpm2_nvread
```
Between v3.2.2 and v4.1.3, the most notable update is v4.1.0 [1], which
includes a fix for CVE-2024-29040, along with 40+ bug fixes and 10+ new
features. Bumping to v4.1.3 adds access to these improvements and
addresses the NV index read issue.
[1] https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0
Fixes:
https://www.cve.org/CVERecord?id=CVE-2024-29040
Signed-off-by: Abelino Romo <abelino.romo@gmail.com>
[Fiona: rebase for package/tpm2-tss changes]
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien:
- add "security" in commit log title
- add "Fixes:" and CVE url in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit [1] set the default value of '<pkg>_CPE_ID_UPDATE' to not use
a wildcard by default. But instead of setting the value to '-' it set it
to an empty value instead.
According to document [2] section 6.1.2.1.1 the 'Not Attributed' value
bind to an hyphen ('-') and the blank statement bind to the 'Any' ('*').
Because the CPE matching function was incorrect using a blank statement
worked to remove the false positives but this is not correct according
to the CPE documentation.
[1] 53a8616460 package/pkg-generic.mk: use more sensible default value for <pkg>_CPE_ID_UPDATE
[2] https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
Fixes: 53a8616460.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Given the following criteria: `cpe:2.3:a:oneidentitty:syslog-ng:*:*:*:*:-:*:*:*`.
The former `cpe_matches` implementation would match with the following
CPE: `cpe:2.3:a:oneidentitty:syslog-ng:4.71:*:*:*:premium:*:*:*`.
The 'hyphen' ('-') meaning is "Not Attributed" (NA) a criteria with no
attributed software edition shouldn't match with a CPE with an attributed
software edition:
https://csrc.nist.gov/pubs/ir/7695/final
This patch also create a distinct 'CPE' object that aggregate the
function specifics to CPEs like it's done for 'CVE'.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The `support/script/cve.py` file is used as a library. Depending on how
you use this library you might not want to write content to stdout when
calling its function.
This patch move the 'updating' log to the 'pkg-stats' script and write
the alert when LooseVersion doesn't have a version to stderr.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since Buildroot commit [1] "package/llvm-project: bump to version
21.1.4", bcc is failing at compilation time.
This commit adds an upstream patch to fix this issue.
[1] d6a7c02263
Signed-off-by: Julien Olivain <ju.o@free.fr>
The test tests.package.test_xen.TestXenArmv7 has become unstable after
commit 24ff258905 ("support/testing: test_xen: add networking"),
leading to a ~50% chance of failure on gitlab CI.
This seems to happen only with 32b (not with the 64b TestXenAarch64),
only with Qemu < 9.1, and when this happens the test will hang during a
step involving the simulated network and the dom1 (DHCP or ping).
The root cause is suspected to be a bug in the virtio-net hardware
emulation of the qemu version 7.2.15 included in the Buildroot docker
image.
As a workaround, remove all network interactions between dom1 and the
simulated network:
- Instead of the gateway, ping dom0 from dom1.
- Instead of using DHCP, configure the network with fixed IP addresses,
so that we know the IP address of the dom0.
A possible solution could have been to compile a host-qemu within the
test, by adding BR2_PACKAGE_HOST_QEMU=y and
BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y in the test configuration.
This would have used the current Buildroot version (10.1.0) not affected
by this issue, but this would also have significantly increased the test
compilation time.
Since the DHCP is not really needed here to test the Xen networking
capability, this is why the network configuration simplification was
preferred here.
After those changes both Xen tests are stable on CI and locally.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/11871454648
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
- The mkeficapsule tools need gnutls to build, and the config dependency
to build the tool has changed
- CONFIG_FIT_SIGNATURE need to be defined to build fit_check_sign
- CONFIG_FIT_PRINT does not need to be defined anymore
- Remove patch 2 and reorder patch files
- Include linux/kconfig.h to include/config.h to allow IS_ENABLED macro
to be used in c files
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Julien: update .checkpackageignore to fix check-package errors]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes:
https://lists.exim.org/lurker/message/20251028.114149.3bf19800.en.html
Rebased patch 0001 due to upstream commit
cd43f5ee0f
Rebased patch 0004 due to upstream commit
834dae5565
Added patch 0005 to fix cross-builds.
Added ldflags for mips arch to solve build error with br-mips64-n64-full
defconfig, code copied from package/linux-tools/linux-tool-perf.mk.in:
output/per-package/exim/host/bin/mips64el-linux-ld: dkim_tmp.o: ABI is incompatible with that of the selected emulation
output/per-package/exim/host/bin/mips64el-linux-ld: failed to merge target specific data of file dkim_tmp.o
output/per-package/exim/host/bin/mips64el-linux-ld: dkim_transport.o: ABI is incompatible with that of the selected emulation
output/per-package/exim/host/bin/mips64el-linux-ld: failed to merge target specific data of file dkim_transport.o
output/per-package/exim/host/bin/mips64el-linux-ld: pdkim.o: ABI is incompatible with that of the selected emulation
output/per-package/exim/host/bin/mips64el-linux-ld: failed to merge target specific data of file pdkim.o
output/per-package/exim/host/bin/mips64el-linux-ld: signing.o: ABI is incompatible with that of the selected emulation
output/per-package/exim/host/bin/mips64el-linux-ld: failed to merge target specific data of file signing.o
output/per-package/exim/host/bin/mips64el-linux-ld: attempt to do relocatable link with elf64-tradlittlemips input and elf32-ntradlittlemips output
output/per-package/exim/host/bin/mips64el-linux-ld: dkim_tmp.o: file class ELFCLASS64 incompatible with ELFCLASS32
output/per-package/exim/host/bin/mips64el-linux-ld: final link failed: file in wrong format
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add "Upstream" header in patch 5 to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since version 1.35.2, see:
https://github.com/janet-lang/janet/releases
remove upstream patch
diff LICENSE:
-Copyright (c) 2023 Calvin Rose and contributors
+Copyright (c) 2025 Calvin Rose and contributors
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
1.74 Timeout in bcm2835_i2c_write() increased by a factor of 10 because
some users have reported spurious timeouts at slow speeds.
1.75 Patches to bcm2835_aux_spi_transfernb() from Sean Goff to deal with
the case where the process is interrupted between filling the TX
FIFO and reading the RX FIFO.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.56 and U-Boot to
version 2025.10.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit e4749b826c disabled
parallel builds back in 2016. Nearly 10 years and a "Complete rewrite
[of] the BIND 9 build system" later
978c7b2e89
we enable parallel builds again, make -j1000 finished without problems.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commits 7b43e24818 and
8adeaec8af removed the possibility for
static builds but forgot to remove some related _CONF_OPTS.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds a package for Snagboot, the open-source
vendor-neutral recover and reflashing tool for embedded targets. We
install the dependencies needed for snagrecover and snagflash, but we
don't bother installing the dependencies of the GUI-based snagfactory,
as that would require Kivy on the host, which is Qt based.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds a new host package for python-pyfatfs, which is
needed by Snagboot.
Homepage: https://pypi.org/project/pyfatfs/
A small test doing some minimal verification that pyfatfs works is
also added.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds a host package for the Python 'fs' module, needed as
a dependency of pyfatfs, itself needed by Snagboot.
Homepage: https://pypi.org/project/fs/
In addition, a very simple test case is adding to check that
host-python-fs is minimally working.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host variant will be needed by the host-python-fs package, soon to
be added.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host variant of python-xmodem will be needed by Snagboot, so this
commit enables it. We also add a very simple test case that simply
makes sure we can import the module. Testing xmodem more extensively
is difficult without an actual serial port to open.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host variant of python-pyusb will be neded for Snagboot, so it is
enabled with this commit. In addition, we're adding a very simple test
case to validate that host-python-pyusb minimally works.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
A host variant of python-tftpy will be needed for Snagboot, so enable
it, and add a very simple test for the host package. We considered
adding a test that actually starts a TFTP server with tftpy and then
downloads from that server with the client-side of tftpy, but
allocating an available UDP port reliably is tricky, so we kept the
test case very simple for now.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Colin Foster <colin.foster@in-advantage.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This quickly tests that the host-python-serial package at least
minimally works.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds a new host only package for the crccheck Python
module, which is a dependency of Snagboot.
Homepage on PyPi: https://pypi.org/project/crccheck/
This commit also adds a very basic test case that allows to verify
that the Python module can be imported and that some minimal
functionality works.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Runtime test cases are currently mostly used to test target packages,
and the BRTest class is perfect for that as we can easily feed a
Buildroot configuration, boot it under Qemu and run commands inside
the emulator.
A few tests use the more basic BRConfigTest when they have special
needs that don't match with BRTest.
However, as we are going to add a number of tests to verify the proper
functionality of some host only packages, which have no visible
menuconfig option, it makes sense to add another BRHostPkgTest class
that allows to easily trigger the build of "make host-<foo>
host-<bar>", and then run some commands on the host machine. Such
tests could be done by using BRConfigTest, but that would require a
bit of duplicated boilerplate, which BRHostPkgTest allows to remove.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When run_cmd_on_host() runs a command that fails, we only get an
exception with no details to debug what happened. Let's improve that
by catching the exception, and printing the command output. This
requires redirecting stderr to stdout (instead of /dev/null) and
asking to get the output in text format.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes:
https://gitlab.com/NTPsec/ntpsec/-/blob/NTPsec_1_2_4/NEWS.adoc?ref_type=tags
Buildroot commit a532772468 added patch
0003 although it should have been 0002 => renumbered.
Added upstream commit as 0003 for partial build fix with gcc 14.x
Added another patch to fix build with gcc >= 14.x for
BR2_PACKAGE_NTPSEC_REFCLOCK_ALL=y
Move env variable declarations from _CONF_OPTS to _CONF_ENV to fix a
configure error caused by updated waf scripts included in this release.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a package for llama.cpp, a C/C++ LLM inference library, used in
popular projects like Ollama, RamaLama, and more.
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Julien:
- add a Config.in comment justifying the dynamic libraries for uclibc
- add missing conditions in Config.in toolchain dependencies
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For more details on the version bump, see:
- https://github.com/ImageMagick/ImageMagick/compare/7.1.2-3...7.1.2-8
Fixes the following vulnerability:
- CVE-2025-62171
ImageMagick is an open source software suite for displaying,
converting, and editing raster image files. In ImageMagick versions
prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability
exists in the BMP decoder on 32-bit systems. The vulnerability
occurs in coders/bmp.c when calculating the extent value by
multiplying image columns by bits per pixel. On 32-bit systems with
size_t of 4 bytes, a malicious BMP file with specific dimensions can
cause this multiplication to overflow and wrap to zero. The overflow
check added to address CVE-2025-57803 is placed after the overflow
occurs, making it ineffective. A specially crafted 58-byte BMP file
with width set to 536,870,912 and 32 bits per pixel can trigger this
overflow, causing the bytes_per_line calculation to become zero.
This vulnerability only affects 32-bit builds of ImageMagick where
default resource limits for width, height, and area have been
manually increased beyond their defaults. 64-bit systems with size_t
of 8 bytes are not vulnerable, and systems using default ImageMagick
resource limits are not vulnerable. The vulnerability is fixed in
versions 7.1.2-7 and 6.9.13-32.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-62171
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm
- cea1693e2d
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See https://jvn.jp/en/jp/JVN19358384/
This fixes the following vulnerability:
- CVE-2025-24912:
hostapd fails to process crafted RADIUS packets properly. When hostapd
authenticates wi-fi devices with RADIUS authentication, an attacker in
the position between the hostapd and the RADIUS server may inject
crafted RADIUS packets and force RADIUS authentications to fail.
https://www.cve.org/CVERecord?id=CVE-2025-24912
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed all patches because they are included in this release, although
with different commits than mentioned in our patch files:
0001: acbbeef9f5
0002: f7ebc65f05
0003: c24909ba26
0004: c340e41950
Updated license hash due to upstream commit:
4bd66d4549
Removed python3 bindings due to their pending removal in 2.16:
https://download.gnome.org/sources/libxml2/2.15/libxml2-2.15.0.news
which prevents us from adding a dependency on host-doxygen due to
upstream commit
bbe5827c94
"Doxygen will also be required to build the Python bindings."
Removed lzma support due to upstream removal:
1763281cd6
Added configure options for threads and static/shared libs needed due to
upstream commit:
f070acc564
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The getunconfirmedbalance rpc call was marked as deprecated
in [1] (included in v0.19.0, released on 2019-11-08) and removed
in [2] (included in v30.0, released on 2025-10-09).
This commit replaces the old getbalance/getunconfirmedbalance rpc
calls with the new call getbalances (plural) returning a json
object containing all the data.
This commit is needed before updating bitcoin to v30.0.
[1] facfb4111d
[2] c3fe85e2d6
Cc: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit adds a backported upstream patch to fix the following build
failure:
ptp2/ptp-pack.c:3168:31: note: earlier argument should specify number of elements, later size of each element
ptp2/chdk.c: In function 'yuv_live_to_jpeg':
ptp2/chdk.c:1203:41: error: passing argument 3 of 'jpeg_mem_dest' from incompatible pointer type [-Wincompatible-pointer-types]
1203 | jpeg_mem_dest (&cinfo, &outbuf, &outlen);
| ^~~~~~~
| |
| uint64_t * {aka long long unsigned int *}
In file included from ptp2/chdk.c:31:
/home/autobuild/autobuild/instance-0/output-1/per-package/libgphoto2/host/armeb-buildroot-linux-gnueabi/sysroot/usr/include/jpeglib.h:989:43: note: expected 'long unsigned int *' but argument is of type 'uint64_t *' {aka 'long long unsigned int *'}
989 | unsigned long *outsize);
Fixes:
- https://autobuild.buildroot.org/results/db742e301a401c9f4bdf3c7e8cfde9f0ba1c4558
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This contains many bug and security fixes since v22.12.0.
See the release notes: https://poppler.freedesktop.org/releases.html
In addition:
- Drop patch that has been applied upstream
- Update a few cmake configuration options that changed upstream
There is currently a build failure when enabling gpgme, so disable it
unconditionally for now.
Finally, this fixes the following vulnerabilities:
- CVE-2024-6239:
A flaw was found in the Poppler's Pdfinfo utility. This issue occurs
when using -dests parameter with pdfinfo utility. By using certain
malformed input files, an attacker could cause the utility to crash,
leading to a denial of service.
https://www.cve.org/CVERecord?id=CVE-2024-6239
- CVE-2024-56378:
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read
vulnerability within the JBIG2Bitmap::combine function in
JBIG2Stream.cc.
https://www.cve.org/CVERecord?id=CVE-2024-56378
- CVE-2025-32364:
A floating-point exception in the PSStack::roll function of Poppler
before 25.04.0 can cause an application to crash when handling
malformed inputs associated with INT_MIN.
https://www.cve.org/CVERecord?id=CVE-2025-32364
- CVE-2025-32365:
Poppler before 25.04.0 allows crafted input files to trigger out-of-
bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc
because of a misplaced isOk check.
https://www.cve.org/CVERecord?id=CVE-2025-32365
- CVE-2025-43903:
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the
adbe.pkcs7.sha1 signatures on documents, resulting in potential
signature forgeries.
https://www.cve.org/CVERecord?id=CVE-2025-43903
- CVE-2025-50420:
An issue in the pdfseparate utility of freedesktop poppler v25.04.0
allows attackers to cause an infinite recursion via supplying a
crafted PDF file. This can lead to a Denial of Service (DoS).
https://www.cve.org/CVERecord?id=CVE-2025-50420
- CVE-2025-52886:
Poppler is a PDF rendering library. Versions prior to 25.06.0 use
`std::atomic_int` for reference counting. Because `std::atomic_int` is
only 32 bits, it is possible to overflow the reference count and
trigger a use-after-free. Version 25.06.0 patches the issue.
https://www.cve.org/CVERecord?id=CVE-2025-52886
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: mark commit as "security" in commit log title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Do not bump to a more recent version, as the build system has
fundamentally changed.
See the release notes:
- https://github.com/netdata/netdata/releases/tag/1.34.0
- https://github.com/netdata/netdata/releases/tag/v1.34.1
- https://github.com/netdata/netdata/releases/tag/v1.35.0
- https://github.com/netdata/netdata/releases/tag/v1.35.1
- https://github.com/netdata/netdata/releases/tag/v1.36.0
- https://github.com/netdata/netdata/releases/tag/v1.36.1
- https://github.com/netdata/netdata/releases/tag/v1.37.0
- https://github.com/netdata/netdata/releases/tag/v1.37.1
In addition, add upstream patch to fix cross-compilation.
This fixes the following vulnerabilities:
- CVE-2023-22496:
Netdata is an open source option for real-time infrastructure
monitoring and troubleshooting. An attacker with the ability to
establish a streaming connection can execute arbitrary commands on the
targeted Netdata agent. When an alert is triggered, the function
`health_alarm_execute` is called. This function performs different
checks and then enqueues a command by calling `spawn_enq_cmd`. This
command is populated with several arguments that are not sanitized.
One of them is the `registry_hostname` of the node for which the alert
is raised. By providing a specially crafted `registry_hostname` as
part of the health data that is streamed to a Netdata (parent) agent,
an attacker can execute arbitrary commands at the remote host as a
side-effect of the raised alert. Note that the commands are executed
as the user running the Netdata Agent. This user is usually named
`netdata`. The ability to run arbitrary commands may allow an attacker
to escalate privileges by escalating other vulnerabilities in the
system, as that user. The problem has been fixed in: Netdata agent
v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
workaround, streaming is not enabled by default. If you have
previously enabled this, it can be disabled. Limiting access to the
port on the recipient Agent to trusted child connections may mitigate
the impact of this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2023-22496
- CVE-2023-22497:
Netdata is an open source option for real-time infrastructure
monitoring and troubleshooting. Each Netdata Agent has an
automatically generated MACHINE GUID. It is generated when the agent
first starts and it is saved to disk, so that it will persist across
restarts and reboots. Anyone who has access to a Netdata Agent has
access to its MACHINE_GUID. Streaming is a feature that allows a
Netdata Agent to act as parent for other Netdata Agents (children),
offloading children from various functions (increased data retention,
ML, health monitoring, etc) that can now be handled by the parent
Agent. Configuration is done via `stream.conf`. On the parent side,
users configure in `stream.conf` an API key (any random UUID can do)
to provide common configuration for all children using this API key
and per MACHINE GUID configuration to customize the configuration for
each child. The way this was implemented, allowed an attacker to use a
valid MACHINE_GUID as an API key. This affects all users who expose
their Netdata Agents (children) to non-trusted users and they also
expose to the same users Netdata Agent parents that aggregate data
from all these children. The problem has been fixed in: Netdata agent
v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
workaround, do not enable streaming by default. If you have previously
enabled this, it can be disabled. Limiting access to the port on the
recipient Agent to trusted child connections may mitigate the impact
of this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2023-22497
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add comment before _AUTORECONF with patch name]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since version 3.24.43, see:
https://gitlab.gnome.org/GNOME/gtk/-/blob/3.24.51/NEWS
Note: the "+" in the project name and source archive was removed
upstream. This commit updates _SOURCE and _SITE accordingly.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Julien: add link to release notes]
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411&projectId=10510
Also update the download site to https
This fixes the following vulnerability:
- CVE-2024-23807:
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
contains a use-after-free error triggered during the scanning of
external DTDs. Users are recommended to upgrade to version 3.2.5
which fixes the issue, or mitigate the issue by disabling DTD
processing. This can be accomplished via the DOM using a standard
parser feature, or via SAX using the XERCES_DISABLE_DTD environment
variable. This issue has been disclosed before as CVE-2018-1311, but
unfortunately that advisory incorrectly stated the issue would be
fixed in version 3.2.3 or 3.2.4.
https://www.cve.org/CVERecord?id=CVE-2024-23807
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When building in parallel with per-package directories
(BR2_PER_PACKAGE_DIRECTORIES=y), brmake output is often garbled:
2025-10-08T18:39:10 >>> host-dtc 1.7.2 Building
2025-10-08T18:39:11 checking for stdint.h... >>> host-dtc 1.7.2 Installing to host directory
2025-10-08T18:39:12 checking for limits.h... >>> host-gmp 6.3.0 Installing to host directory
Remove the spurious string between the timestamp and the ">>>" marker to
fix this.
We need some extra care to preserve the preceding "term bold" special
characters sequence.
We also prevent grep and sed to buffer their output too much. This leads to
more frequent output even when we might not be connected to a terminal; for
example: when brmake's output is piped to another program or when running
in CI.
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the many release notes: https://github.com/libvips/libvips/releases
Along that version bump:
- Change source code archive compression from .gz to .xz as this the
new upstream delivery format
- Switch from autotools to meson build system (see upstream commit
538aa2a841)
- Update the LICENSE file (see upstream commit
057703938e)
This fixes the following vulnerabilities:
- CVE-2025-29769:
libvips is a demand-driven, horizontally threaded image processing
library. The heifsave operation could incorrectly determine the
presence of an alpha channel in an input when it was not possible to
determine the colour interpretation, known internally within libvips
as "multiband". There aren't many ways to create a "multiband" input,
but it is possible with a well-crafted TIFF image. If a "multiband"
TIFF input image had 4 channels and HEIF-based output was requested,
this led to libvips creating a 3 channel HEIF image without an alpha
channel but then attempting to write 4 channels of data. This caused a
heap buffer overflow, which could crash the process. This
vulnerability is fixed in 8.16.1.
https://www.cve.org/CVERecord?id=CVE-2025-29769
- CVE-2025-59933:
libvips is a demand-driven, horizontally threaded image processing
library. For versions 8.17.1 and below, when libvips is compiled with
support for PDF input via poppler, the pdfload operation is affected
by a buffer read overflow when parsing the header of a crafted PDF
with a page that defines a width but not a height. Those using libvips
compiled without support for PDF input are unaffected as well as
thosewith support for PDF input via PDFium. This issue is fixed in
version 8.17.2. A workaround for those affected is to block the
VipsForeignLoadPdf operation via vips_operation_block_set, which is
available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED
environment variable at runtime, which will block all untrusted
loaders including PDF input via poppler.
https://www.cve.org/CVERecord?id=CVE-2025-59933
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: update _LICENSE_FILES to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When the test was introduced in [1], a comparison of the source and
the destination file was added, with a typo (the method ".cmp" name is
missing).
The test is failing with error such as in [2]:
Traceback (most recent call last):
File "/root/sample_python_scp.py", line 15, in <module>
assert filecmp("/etc/hostname", "/tmp/hostname")
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: 'module' object is not callable
This commit fixes that.
[1] 7470587cfa
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/11781378510
Cc: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For relase notes, see:
https://go.dev/doc/devel/release#go1.25.0
go1.25.2 (released 2025-10-07) includes security fixes to the archive/tar,
crypto/tls, crypto/x509, encoding/asn1, encoding/pem, net/http, net/mail,
net/textproto, and net/url packages, as well as bug fixes to the compiler,
the runtime, and the context, debug/pe, net/http, os, and sync/atomic
packages. See release announce:
https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI
go1.25.3 (released 2025-10-13) includes fixes to the crypto/x509 package.
See release announce:
https://groups.google.com/g/golang-announce/c/YEyj6FUNbik
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: add links to release notes and announces]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Adding PKGLIBDIR to CFLAGS was necessary to fix the following error
raised during the compilation of the new version:
execute.c: In function ‘set_environ’:
execute.c:107:48: error: ‘PKGLIBDIR’ undeclared (first use in this function)
107 | *ppch++ = setlocalenv("%s=%s", "PATH", PKGLIBDIR ":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
| ^~~~~~~~~
execute.c:107:48: note: each undeclared identifier is reported only once for each function it appears in
execute.c:107:57: error: expected ‘)’ before string constant
107 | *ppch++ = setlocalenv("%s=%s", "PATH", PKGLIBDIR ":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
This PKGLIBDIR define was added upstream in commit [1] in the Makefile
default CFLAGS, but since Buildroot redefines those it needs to be added
back.
Release notes since 0.8.41:
https://salsa.debian.org/debian/ifupdown/-/blob/master/debian/changelog#L1
[1] 1eee7a3040
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps:
- U-Boot to version v2025.10
- Linux kernel to version 6.12.53 (LTS)
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.53 and U-Boot to
version 2025.10 for
- stm32mp135f_dk_defconfig
- stm32mp157a_dk1_defconfig
- stm32mp157c_dk2_defconfig
Tested on STM32MP157C-DK2 Discovery Board.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.194 and U-Boot to
version 2025.10.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.194 and U-Boot to
version 2025.10.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.1.155. The size of
xipImage has increased by only 1126 bytes (1673444 bytes compared to
1672318 in version 6.1.143).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In some specific configurations (target 32bit x86, disable compiler
optimizations, and openssl binary enabled), the compilation fails
with the error:
/home/autobuild/autobuild/instance-7/output-1/host/lib/gcc/i686-buildroot-linux-gnu/14.3.0/../../../../i686-buildroot-linux-gnu/bin/ld: ./libcrypto.so: undefined reference to `ossl_aes_cfb128_vaes_dec'
/home/autobuild/autobuild/instance-7/output-1/host/lib/gcc/i686-buildroot-linux-gnu/14.3.0/../../../../i686-buildroot-linux-gnu/bin/ld: ./libcrypto.so: undefined reference to `ossl_aes_cfb128_vaes_enc'
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_x86_corei7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_OPTIMIZE_0=y
BR2_PACKAGE_OPENSSL=y
BR2_PACKAGE_LIBOPENSSL_BIN=y
EOF
make olddefconfig
make libopenssl
This commit adds a patch to fix the issue.
Fixes:
https://autobuild.buildroot.net/results/214/214b918f6b56e005b180145d245491971f3e3476/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When mjpg-streamer is built with gcc >= 14 using libjpeg (rather than
jpeg-turbo), and with SDL is enabled (to enable the output_viewer),
the compilation can fail with error:
output_viewer.c:125:32: error: assignment to ‘boolean (*)(struct jpeg_decompress_struct *)’ from incompatible pointer type ‘int (*)(struct jpeg_decompress_struct *)’ [-Wincompatible-pointer-types]
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LIBJPEG=y
BR2_PACKAGE_MJPG_STREAMER=y
BR2_PACKAGE_SDL=y
EOF
make olddefconfig
make mjpg-streamer
This commit adds a patch to fix this issue.
Fixes:
https://autobuild.buildroot.net/results/3a5/3a5674e4e7bb3f2894575191af24598e2a696912/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 553c55e9bd added the
qt6multimedia package including an option to build examples which
contains a dependency to qt6svg without selecting the package in
Config.in.
Fixes:
https://autobuild.buildroot.org/results/c94670cf255a1a6975e99d7b22a159f7fdc6f850/
Makefile:578: *** qt6svg is in the dependency chain of qt6multimedia
that has added it to its _DEPENDENCIES variable without selecting it
or depending on it from Config.in. Stop.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add an upstream patch to fix a build issue related to uint64_t:
utils.c: In function ‘get_uint64’:
utils.c:118:18: error: passing argument 1 of ‘str_toul’ from incompatible pointer type [-Wincompatible-pointer-types]
118 | str_toul(&defval, p, NULL, 16);
| ^~~~~~~
| |
| uint64_t * {aka long long unsigned int *}
In file included from utils.c:48:
utils.h:412:29: note: expected ‘long unsigned int *’ but argument is of type ‘uint64_t *’ {aka ‘long long unsigned int *’}
Fixes:
https://autobuild.buildroot.org/results/51af1d7bf71061f22d49213951a5f6a9565710c3/
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Waffle has two build systems. In commit f162f8126ec4 ("cmake:
deprecate cmake in favour of meson") [1], cmake is not the preferred
build system, and fails when used. Bump to latest version available
(which has been released a year ago) and switch to meson build system.
This commit also removes the package patches. They make no longer
sense since they are either merged or related to deprecated cmake
build. The .checkpackageignore patch entries are also removed.
This commit also forces the meson build.pkg_config_path value. The
default path goes for $(HOST)/lib/pkgconfig. This does not work for
latest waffle version since prefix in the pkg-config file points to the
host directory. This results in the concatenation of $(STAGING_DIR)/xxx
and $(HOST_DIR)/... which ultimately resolve in a file not found.
Instead, override the default path to $(STAGING_DIR)/usr/share.
[1] f162f8126e
Signed-off-by: Raphael Gallais-Pou <rgallaispou@gmail.com>
[Julien:
- squash patches related to the bump altogether
- change _VERSION to use "git describe --abbrev=40" format
- remove .checkpackageignore entries to fix check-package errors
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a basic test involving a local SSH connection (based on dropbear
server). The test validates that we are able, through python-scp, to
fetch the /etc/hostname file.
The test needs some basic key initialization to allow connecting to the
dropbear server, hence the custom run_sample_scripts method.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
[Julien:
- remove unneeded os import in test script
- execute setup commands with assertRunOk()
- create /root/.ssh with 0700 mode
- run sample scripts using super()
- check in the sample file that copied files are the same
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add python-scp as a new package. python-scp allows to send and receives
files in python through the scp1 protocol, on top of paramiko.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The test is using the django integration of whitenoise as it's the most
common setup and allows to model the test case after the django one as
well.
The setup we need to do is a bit more complicated though and follows
the whitenoise getting started documentation [1].
We then request a .css file from the django admin app that is enabled
by default in template project. Due to running django's development
server with --nostatic we ensure that static file handling is taken over
by whitenoise.
[1] https://whitenoise.readthedocs.io/en/stable/django.html
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Weston 14.0.2 has a "< 0.3.0" version constraint for the
libdisplay-info dependency. Upstream has relaxed the dependency,
explicitly stating "There are no breaking changes for the high-level
API that Weston uses" [1], but there is no release with the change
yet.
The change had to be backported due to restructuring on upstream
"main" since, where libdisplay-info has become a dependency of Weston
in general, not just the DRM backend.
[1] 683eabb61e
Fixes: 1a66cdf7b3
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog:
https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md#changelog
Upstream setuptools-scm build dependency. Also the upper bound of
mypy(c) is currently high enough that we can remove the
--skip-dependency-check hack.
mypy(c) is now also optional if CHARSET_NORMALIZER_USE_MYPYC isn't set
to one. As we don't really care about the performance optimization in
the host package we can skip the mypyc step and remove the dependency on
mypyc for the host package.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bumping pydantic requires also bumping pydantic-core (and vice versa),
so we do that in the same commit.
Release announcement for pydantic 2.12:
https://pydantic.dev/articles/pydantic-v2-12-release
pydantic-core had a build-time dependency on host-python-typing-extensions,
but that is no required, it builds fine without.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: add pydantic-core in commit log title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Enhance the Xen python tests to exercise networking:
- Add the networking support we need to the Linux kernel configurations.
- Add a virtual network interface to the Xen dom1 configurations.
- Update the test in the following way:
* Start the emulator with restricted networking.
* Create a network bridge in dom0.
* Check that networking is functional in both domains by ping'ing the
gateway.
(Refer also to the diagram in the python script.)
- While at it, bump Linux kernel to 6.17.1 and U-Boot to 2025.07.
We also need to adjust the DTB address in the Arm 32b U-Boot script to
accommodate the new U-Boot version, which does not have enough free space
around the control DTB anymore.
We disable IPv6 in both kernel configurations to make the 32b test pass
on gitlab CI.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.34-ti-arm32-r12 and
U-Boot to version 2025.10.
Tested on beaglebone black.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This new version is required to compile grout v0.13.0.
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Release notes: https://www.python.org/downloads/release/python-3138/
Fixes the following security issues:
gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only
garbage-collected once they are no longer referenced by subparsers created
by ExternalEntityParserCreate(). Patch by Sebastian Pipping.
gh-139283: sqlite3: correctly handle maximum number of rows to fetch in
Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by
Bénédikt Tran.
gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to
the HTML5 standard
https://docs.python.org/release/3.13.8/whatsnew/changelog.html#security
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: Mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See the release notes:
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.11
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.12
This fixes the following vulnerabilities:
- CVE-2025-52891:
ModSecurity is an open source, cross platform web application firewall
(WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before
2.9.11, an empty XML tag can cause a segmentation fault. If
SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is
application/xml, and at least one XML tag is empty (eg <foo></foo>),
then a segmentation fault occurs. This issue has been patched in
version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to
Off.
https://www.cve.org/CVERecord?id=CVE-2025-52891
- CVE-2025-54571:
ModSecurity is an open source, cross platform web application firewall
(WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below,
an attacker can override the HTTP response’s Content-Type, which could
lead to several issues depending on the HTTP scenario. For example, we
have demonstrated the potential for XSS and arbitrary script source
code disclosure in the latest version of mod_security2. This issue is
fixed in version 2.9.12.
https://www.cve.org/CVERecord?id=CVE-2025-54571
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes:
https://github.com/redis/redis/blob/8.2.2/00-RELEASENOTES
This fixes the following vulnerabilities (in the Lua scripting engine):
- CVE-2025-46817:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to cause an integer overflow and
potentially lead to remote code execution The problem exists in all
versions of Redis with Lua scripting. This issue is fixed in version
8.2.2.
https://www.cve.org/CVERecord?id=CVE-2025-46817
- CVE-2025-46818:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to manipulate different LUA objects and
potentially run their own code in the context of another user. The
problem exists in all versions of Redis with LUA scripting. This issue
is fixed in version 8.2.2. A workaround to mitigate the problem
without patching the redis-server executable is to prevent users from
executing LUA scripts. This can be done using ACL to block a script by
restricting both the EVAL and FUNCTION command families.
https://www.cve.org/CVERecord?id=CVE-2025-46818
- CVE-2025-46819:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted LUA script to read out-of-bound data or crash the
server and subsequent denial of service. The problem exists in all
versions of Redis with Lua scripting. This issue is fixed in version
8.2.2. To workaround this issue without patching the redis-server
executable is to prevent users from executing Lua scripts. This can be
done using ACL to block a script by restricting both the EVAL and
FUNCTION command families.
https://www.cve.org/CVERecord?id=CVE-2025-46819
- CVE-2025-49844:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to manipulate the garbage collector,
trigger a use-after-free and potentially lead to remote code
execution. The problem exists in all versions of Redis with Lua
scripting. This issue is fixed in version 8.2.2. To workaround this
issue without patching the redis-server executable is to prevent users
from executing Lua scripts. This can be done using ACL to restrict
EVAL and EVALSHA commands.
https://www.cve.org/CVERecord?id=CVE-2025-49844
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The website download page was updated for the latest releases of
2025.{02,05,08} in [1], but the column "Latest release date" wasn't
updated.
Moreover, indicate that 2025.05.3 is the EOL stable release.
[1] e5501d7b1a
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The 6.16.x series is now EOL upstream, so drop the linux-headers
option and add legacy handling for it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bump to last revision and install the newly added CYW43439 firmware.
The brcmfmac4339-sdio.1CK.txt file has been removed from the firmware
therefore the Kconfig option has been removed.
The firmware files prefix have been changed from brcmfmac to cyfmac
therefore the rename helpers have change.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Policy booleans allow adjusting certain policy rules at runtime
(including whether changing policy booleans is allowed). The new
option allows setting their defaults at build time.
A monolithic policy (like built by package/refpolicy) does not support
persistent changes to policy booleans, so changing the defaults is
required to make changes across boots. Adjusting policy/booleans.conf
after "make conf" is intended for that purpose [1, 2].
[1] https://github.com/SELinuxProject/refpolicy/pull/355#issuecomment-792758725
[2] 4d97523c71/README (L186-L191)
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Updating the hash of the WHENCE file, due to firmware additions and
firmware changes, but no changes to the redistribution/licensing
conditions.
Updated paths for iwlwifi files due to upstream commits:
078946281c06205c0eb8
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since its inception in 9646e80fca (micropython: new package), the
ppc-specific CFLAGS are simply assigned, and since 9fd9f4e675
(package/micropython: define MICROPY_NLR_SETJMP for xtensa), the same
goes for the xtensa CFLAGS.
Although they are mutually exclusive (different archs) and that there is
no prior assignment, the customs are to use append assignment in
conditional blocks, to avoid accidentally overwriting a valure set
previously.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Chris Packham <judge.packham@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Before commit 50bc5aa17b (package/micropython: fix segfault at exit()
with gcc >= 14), only architecture-specific CFLAGS were passed, and only
one per arch. But 50bc5aa17b introduced a non-arch CFLAGS, for gcc
versions, so when the build happens for an architecture for which there
is a CFLAGS, and when gcc is 14 or newer, there are two CFLAGS added,
causing build failures:
[...] /usr/bin/make [...] CFLAGS_EXTRA=-DMICROPY_GCREGS_SETJMP=1 -DMICROPY_NLR_SETJMP=1 [...]
/usr/bin/make: invalid option -- 'D'
/usr/bin/make: invalid option -- 'M'
Usage: make [options] [target] ...
The fix is simple enough: just quote the CFLAGS.
Fixes: https://autobuild.buildroot.org/results/b18/b18d6fa9938c1267a771fdbcd8b4c3df812cd6b9/
Fixes: 50bc5aa17b
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Chris Packham <judge.packham@gmail.com>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The update makes some warnings about unknown classes and permissions
during boot with current kernels go away.
Upstream changelogs [1, 2] list as "notable changes":
* Updates to support screen 5.0.
* Add labeling for bcachefs.
* Various systemd updates and fixes.
* Several updates and fixes for systemd
* Add new permissions and policy capabilities
* Drop reiserfs support (it was removed in kernel 6.13)
Plus a number of new modules.
[1] https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20250618
[2] https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20250923
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: keep a new line in hash file between sources and license]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a local patch pending upstream to fix build failure with Linux 6.17
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: update patch Upstream link with commit ID]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add local patch pending upstream to fix build failure with Linux 6.17.
Fixes:
Still not occured
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With this version we can build with Linux 6.17.
Fixes:
still not occured.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add new line at end of hash file to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
SELinux policies commonly contain "dontaudit" rules, which omit
certain denied actions from the audit logs to keep the log volume
manageable. When investigating issues this can become a problem in
itself because messages that could show the cause might be hidden.
The common advice is to use "semodule -DB" to temporarily disable the
dontaudit rules, but this is only possible with a modular policy,
while package/refpolicy builds a monolithic policy. Instead, the
Rules.monolithic makefile offers the "enableaudit" target, which
removes any dontaudit rules before compiling the policy.
This patch adds a config option to run the enableaudit target during
the configure stage, intended for debug builds.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: remove unneeded "default n" in Config.in]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The previous URL [1] currently redirects to [2], which as of this
commit is about two months old and contains a readme that just says
"PoC by Callgh0st". When the package was added with commit [3]
the help text URL matched REFPOLICY_SITE, so presumably the help was
forgotten when the site URL was updated in [4], and there has been
some kind of hostile takeover of the former upstream repository since.
[1] https://github.com/TresysTechnology/refpolicy
[2] https://github.com/Exact-Realty/refpolicy
[3] bb442abdf1
[4] cfa018d9f3
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: add commit ID which forgot to update the package homepage]
Signed-off-by: Julien Olivain <ju.o@free.fr>
$(PREFIX)/lib/python$(PYTHON3_VERSION_MAJOR) is for the standard
library, additional modules like this should go to site-packages.
This patch changes only the host package because Python bindings are
disabled for the target package.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
/usr/lib/python$(PYTHON3_VERSION_MAJOR) is for the standard library,
additional modules like this should go to site-packages.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop upstream patch.
Main change in this release is cmake 4 build fix.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In 2016 buildroot commit b4c050e9af added
-std=gnu++98 also to CFLAGS knowing that it will cause warnings:
https://lists.nongnu.org/archive/html/gpsd-dev/2016-09/msg00082.html
'Although this leads to lots of warnings on every compilation with gcc:
"cc1: warning: command line option '-std=gnu++98' is valid for C++/ObjC++ but not for C"'
These warnings are still present but cause a misdetection in configure
Checking if strerror_r() returns int... no
because here warnings are treated as errors, quoting config.log:
cc1: error: command-line option ‘-std=gnu++98’ is valid for C++/ObjC++ but not for C [-Werror]
cc1: all warnings being treated as errors
In 2017 upstream committed
d287c76f4f
which added "std::" namespace prefixes and fixed the original problem.
-std=gnu++98 being removed from CFLAGS lets configure correctly detect
strerror_r():
Checking if strerror_r() returns int... yes
and no new build errors occur:
arm-aarch64 [ 1/35]: OK
bootlin-aarch64-glibc [ 2/35]: OK
bootlin-arcle-hs38-uclibc [ 3/35]: OK
bootlin-armv5-uclibc [ 4/35]: OK
bootlin-armv7-glibc [ 5/35]: OK
bootlin-armv7m-uclibc [ 6/35]: SKIPPED
bootlin-armv7-musl [ 7/35]: OK
bootlin-m68k-5208-uclibc [ 8/35]: SKIPPED
bootlin-m68k-68040-uclibc [ 9/35]: OK
bootlin-microblazeel-uclibc [10/35]: OK
bootlin-mipsel32r6-glibc [11/35]: OK
bootlin-mipsel-uclibc [12/35]: OK
bootlin-openrisc-uclibc [13/35]: OK
bootlin-powerpc64le-power8-glibc [14/35]: OK
bootlin-powerpc-e500mc-uclibc [15/35]: OK
bootlin-riscv32-glibc [16/35]: OK
bootlin-riscv64-glibc [17/35]: OK
bootlin-riscv64-musl [18/35]: OK
bootlin-s390x-z13-glibc [19/35]: OK
bootlin-sh4-uclibc [20/35]: OK
bootlin-sparc64-glibc [21/35]: OK
bootlin-sparc-uclibc [22/35]: OK
bootlin-x86-64-glibc [23/35]: OK
bootlin-x86-64-musl [24/35]: OK
bootlin-x86-64-uclibc [25/35]: OK
bootlin-x86-i686-musl [26/35]: OK
bootlin-xtensa-uclibc [27/35]: OK
br-arm-basic [28/35]: SKIPPED
br-arm-full-nothread [29/35]: SKIPPED
br-arm-full-static [30/35]: SKIPPED
br-i386-pentium4-full [31/35]: FAILED
br-mips64-n64-full [32/35]: OK
br-mips64r6-el-hf-glibc [33/35]: OK
br-powerpc-603e-basic-cpp [34/35]: SKIPPED
br-powerpc64-power7-glibc [35/35]: OK
35 builds, 6 skipped, 1 build failed, 0 legal-info failed, 0 show-info failed
The br-i386-pentium4-full error is not caused by gpsd:
package/python3/python3.mk:324: *** Python3 doesn't work with uClibc and
kernel headers < 5.1. Please use a different toolchain or unselect
Python3..
Fixes:
https://autobuild.buildroot.org/results/52d747d33d714ea10b9e7ee10adeadd9e4512c2d/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Tested-by: Yann E. MORIN <yann.morin@orange.com>
Reviewed-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerability:
- CVE-2018-13410
Info-ZIP Zip 3.0, when the -T and -TT command-line options are used,
allows attackers to cause a denial of service (invalid free and
application crash) or possibly have unspecified other impact because
of an off-by-one error. NOTE: it is unclear whether there are
realistic scenarios in which an untrusted party controls the -TT
value, given that the entire purpose of -TT is execution of
arbitrary commands
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2018-13410
This patch also includes the patch 0009 which address a buffer overflow
when passing unicode characters that doesn't have a CVE assigned.
Tested with `./support/testing/run-tests -d dl -o output_folder -k tests.package.test_zip`
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit [1] introduced an extra empty line in the hash file
which makes check-package to report the error:
package/rsyslog/rsyslog.hash:4: consecutive empty lines
This commit fixes that.
[1] b39d3d8f62
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://chrony-project.org/news.html
Enhancements:
- Add maxunreach option to limit selection of unreachable sources
- Add -u option to chronyc to drop root privileges
(default chronyc user is set by configure script)
Bug fixes:
- Hide chronyc socket to mitigate unsafe permissions change
- Fix refclock extpps option to work on Linux >= 6.15
- Validate refclock samples for reachability updates
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
/etc/audit/audit.rules is the path used by augenrules,
/etc/audit/rules.d/ should be used for snippets to be combined into
that file using augenrules.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
"mkdir -Z" tries to create the directory with the default type context
and does not accept any parameter, leading to mkdir creating a
directory by the name of "system_u:object_r:auditd_log_t" (or failing
to, with a read-only rootfs). Use "--context=" instead to specify the
context.
Letting start-stop-daemon create the auditd PID file leads to an
incorrect label, with type "initrc_runtime_t" instead of
"auditd_runtime_t", which would prevent auditd from writing or
deleting it. Auditd manages its own PID file and daemonizes by
default, so simply drop the --background and --make-pidfile options
from start-stop-daemon.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Cadence MHDP8546 DPTX IP used in TI J721E SoC needs the firmware to
work.
Signed-off-by: Andy Yan <andyshrk@163.com>
[Julien: move Config.in entry from "Wifi" to "Video" section]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://www.php.net/releases/8.4/en.php
Changelog: https://www.php.net/ChangeLog-8.php#PHP_8_4
Removed patch 0006 which is included in this release, rebased remaining
patches.
php commit 1f847a0bdf
added a check on the httpd binary which requires STAGING_DIR being part
of SBINDIR as reported by apxs, adjust apache.mk accordingly.
Upstream commit
ea4e8d513c
causes a build error with older uclibc-based toolchains when detecting
copy_file_range, disable it by adding php_cv_func_copy_file_range=no to
_CONF_ENV for uclibc-toolchains.
Upstream commit
063213b1ae
changed the name of the cache variable ac_cv_have_pcre2_jit to
php_cv_have_pcre2_jit.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
BOARD_DIR is not used, so drop it and quote $BINARIES_DIR to make shellcheck
happy.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Added optional support for gtk3 which was added upstream:
e87dcfdaf8
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Added upstream patch to fix a missing include, autobuild did not record
any build errors but Arch Linux provides the patch:
bad3196d4e
Switched to gitlab tarball because the previous site does not provide a
tarball for version 1.2.2 which was tagged in 2016:
https://gitlab.xiph.org/xiph/libao/-/tags/1.2.2
Added autoreconf due to usage of gitlab tarball which does not contain
a configure script.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes on
https://github.com/erlang/otp/releases?q=OTP-26.&expanded=true
Also, remove patch that is now applied upstream
This fixes the following vulnerabilities:
- CVE-2024-53846:
OTP is a set of Erlang libraries, which consists of the Erlang runtime
system, a number of ready-to-use components mainly written in Erlang,
and a set of design principles for Erlang programs. A regression was
introduced into the ssl application of OTP starting at OTP-25.3.2.8,
OTP-26.2, and OTP-27.0, resulting in a server or client verifying the
peer when incorrect extended key usage is presented (i.e., a server
will verify a client if they have server auth ext key usage and vice
versa).
https://www.cve.org/CVERecord?id=CVE-2024-53846
- CVE-2025-4748:
Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in Erlang OTP (stdlib modules) allows
Absolute Path Traversal, File Manipulation. This vulnerability is
associated with program files lib/stdlib/src/zip.erl and program
routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless
the memory option is passed. This issue affects OTP from OTP 17.0
until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to
stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
https://www.cve.org/CVERecord?id=CVE-2025-4748
- CVE-2025-26618:
Erlang is a programming language and runtime system for building
massively scalable soft real-time systems with requirements on high
availability. OTP is a set of Erlang libraries, which consists of the
Erlang runtime system, a number of ready-to-use components mainly
written in Erlang. Packet size is not verified properly for SFTP
packets. As a result when multiple SSH packets (conforming to max SSH
packet size) are received by ssh, they might be combined into an SFTP
packet which will exceed the max allowed packet size and potentially
cause large amount of memory to be allocated. Note that situation
described above can only happen for successfully authenticated users
after completing the SSH handshake. This issue has been patched in OTP
versions 27.2.4, 26.2.5.9, and 25.3.2.18. There are no known
workarounds for this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2025-26618
- CVE-2025-30211:
Erlang/OTP is a set of libraries for the Erlang programming language.
Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously
formed KEX init message can result with high memory usage.
Implementation does not verify RFC specified limits on algorithm names
(64 characters) provided in KEX init message. Big KEX init packet may
lead to inefficient processing of the error data. As a result, large
amount of memory will be allocated for processing malicious data.
Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue.
Some workarounds are available. One may set option `parallel_login` to
`false` and/or reduce the `max_sessions` option.
https://www.cve.org/CVERecord?id=CVE-2025-30211
- CVE-2025-32433:
Erlang/OTP is a set of libraries for the Erlang programming language.
Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH
server may allow an attacker to perform unauthenticated remote code
execution (RCE). By exploiting a flaw in SSH protocol message
handling, a malicious actor could gain unauthorized access to affected
systems and execute arbitrary commands without valid credentials. This
issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and
OTP-25.3.2.20. A temporary workaround involves disabling the SSH
server or to prevent access via firewall rules.
https://www.cve.org/CVERecord?id=CVE-2025-32433
- CVE-2025-46712:
Erlang/OTP is a set of libraries for the Erlang programming language.
In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for
OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to
enforce strict KEX handshake hardening measures by allowing optional
messages to be exchanged. This allows a Man-in-the-Middle attacker to
inject these messages in a connection during the handshake. This issue
has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12
(for OTP-26), and OTP-25.3.2.21 (for OTP-25).
https://www.cve.org/CVERecord?id=CVE-2025-46712
- CVE-2025-48038:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure. This vulnerability is associated with program
files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0
until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from
3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48038
- CVE-2025-48039:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure. This vulnerability is associated with program
files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0
until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from
3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48039
- CVE-2025-48040:
Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh
(ssh_sftp modules) allows Excessive Allocation, Flooding. This
vulnerability is associated with program files
lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until
OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1
until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48040
- CVE-2025-48041:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Flooding. This vulnerability is associated with program files
lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until
OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1
until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48041
NB: Since Erlang is quite a "large" package, containing the language itself,
some libraries, and some "applications", it's difficult to tell which CVEs
are exactly affecting Buildroot, but it's a good idea to update anyway
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
And adjust the dtb path to the new subdir after commit 724ba6751532 ("ARM:
dts: Move .dts files to vendor sub-directories") in v6.5.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With the change to default to gcc 14.x with commit 1e1fafa1f0
("package/gcc: switch to GCC 14.x as the default"), the old u-boot version
no longer builds:
board/ti/am57xx/board.c:948:17: error: implicit declaration of function 'do_cape_detect'; did you mean 'do_board_detect'? [-Wimplicit-function-declaration]
https://gitlab.com/buildroot.org/buildroot/-/jobs/11570241744
So move to u-boot 2025.04 to fix that. We still need a small patch as
(early) beagleboneai boards do not have the EEPROM (or eMMC partition)
populated, so include the bb.org patch from
0b161f8e89
The new u-boot version needs both openssl and gnutls on the host, so enable
them.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: remove patch entry in .checkpackageignore to
fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Buildroot commit [1] "package/vulkan-{headers,loader,tools}:
bump to 1.4.317 release", the vulkan-headers package is failing at
configuration time with toolchains without C++ support, with error:
The C++ compiler
"/bin/false"
is not able to compile a simple test program.
This is due to upstream commit [2], which added CXX to the CMake
project file.
This commit fixes the issue by adding the C++ dependency.
Fixes:
https://autobuild.buildroot.org/results/10f63398940d52be9a8ee306daf4203ceca25eb8
[1] 52664093de
[2] 85256c712c
Signed-off-by: Julien Olivain <ju.o@free.fr>
The roseapplepi defconfig fails to build u-boot since the move to GCC 15.x:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11501385206
The issues are mainly related to missing includes, but given that the build
has been broken for a while, there is no mainline u-boot support for the
platform and the minimal kernel support has not seen any updates since it
was added for v5.15, just drop the defconfig.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The upstream libbson repository has been archived since october 2020,
and there is a known vulnerabilities affecting it (CVE-2025-0755).
Since no other package depends on libbson, and it hasn't seen any recent
activity, let's simply remove it from Buildroot. In case anyone needs a
bson implementation, one could integrate the replacement from mongo-c-driver
instead, see https://github.com/mongodb/mongo-c-driver/tree/master/src/libbson
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Removed patch which is included in this release.
Added sha256 hash provided by upstream.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For release note, see:
https://docs.djangoproject.com/en/5.2/releases/5.2.7/
This fixes the following vulnerabilities:
- CVE-2025-59681:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(),
QuerySet.aggregate(), and QuerySet.extra() are subject to SQL
injection in column aliases, when using a suitably crafted dictionary,
with dictionary expansion, as the **kwargs passed to these methods (on
MySQL and MariaDB).
https://www.cve.org/CVERecord?id=CVE-2025-59681
- CVE-2025-59682:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract()
function, used by the "startapp --template" and "startproject
--template" commands, allows partial directory traversal via an
archive with file paths sharing a common prefix with the target
directory.
https://www.cve.org/CVERecord?id=CVE-2025-59682
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add link to release note]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The board/versal/post-image.sh script has an unnecessary mkdir command:
mkdir -p "${BINARIES_DIR}"
This directory is created before calling the post image scripts,
in [1].
Just above the command, the script is making a symlink for the Linux DTB in
the ${BINARIES_DIR}, so if the ${BINARIES_DIR} did not already exist with
images inside, the script would fail regardless of whether this mkdir is
executed or not.
For this reason, remove the mkdir call from the script because it is not
necessary.
[1] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.08/Makefile#L829
Signed-off-by: Neal Frager <neal.frager@amd.com>
[Julien: add a link showing where the directory is created]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerabilities:
- CVE-2024-57822:
In Raptor RDF Syntax Library through 2.0.16, there is a heap-based
buffer over-read when parsing triples with the nquads parser in
raptor_ntriples_parse_term_internal().
https://www.cve.org/CVERecord?id=CVE-2024-57822
- CVE-2024-57823:
In Raptor RDF Syntax Library through 2.0.16, there is an integer
underflow when normalizing a URI with the turtle parser in
raptor_uri_normalize_path().
https://www.cve.org/CVERecord?id=CVE-2024-57823
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release note, see:
https://ghostscript.readthedocs.io/en/gs10.06.0/News.html
This fixes the following vulnerabilities:
- CVE-2025-59798:
Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow
in pdf_write_cmap in devices/vector/gdevpdtw.c.
https://www.cve.org/CVERecord?id=CVE-2025-59798
- CVE-2025-59799:
Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow
in pdfmark_coerce_dest in devices/vector/gdevpdfm.c via a large size
value.
https://www.cve.org/CVERecord?id=CVE-2025-59799
- CVE-2025-59800:
In Artifex Ghostscript through 10.05.1, ocr_begin_page in
devices/gdevpdfocr.c has an integer overflow that leads to a heap-
based buffer overflow in ocr_line8.
https://www.cve.org/CVERecord?id=CVE-2025-59800
- CVE-2025-59801:
In Artifex GhostXPS before 10.06.0, there is a stack-based buffer
overflow in xps_unpredict_tiff in xpstiff.c because the
samplesperpixel value is not checked.
https://www.cve.org/CVERecord?id=CVE-2025-59801
Also remove patch that is now applied upstream, and add new patch from
upstream to fix a compilation issue on 32bits platforms
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien:
- add link to release note in commit log
- fix URL in hash file comment
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-8869:
When extracting a tar archive pip may not check symbolic links point
into the extraction directory if the tarfile module doesn't implement
PEP 706. Note that upgrading pip to a "fixed" version for this
vulnerability doesn't fix all known vulnerabilities that are
remediated by using a Python version that implements PEP 706. Note
that this is a vulnerability in pip's fallback implementation of tar
extraction for Python versions that don't implement PEP 706 and
therefore are not secure to all vulnerabilities in the Python
'tarfile' module. If you're using a Python version that implements PEP
706 then pip doesn't use the "vulnerable" fallback code. Mitigations
include upgrading to a version of pip that includes the fix, upgrading
to a Python version that implements PEP 706 (Python >=3.9.17,
>=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or
inspecting source distributions (sdists) before installation as is
already a best-practice.
https://www.cve.org/CVERecord?id=CVE-2025-8869
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add options to install the WCN7850 or QCN9274 firmware.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
[Julien:
- reindent _FIRMWARE_FILES with one tab
- move ath12k license hashes near ath10k
- inverse QCN9274/WCN7850 order in Config.in
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Currently, the xilinx-prebuilt package uses an if-then-else statement for
deciding which files need to be installed from the xilinx-prebuilt repo. This
works fine for now because there are really only two options, either versal or
zynqmp/kria.
Starting with the xilinx_v2025.2 release, the versal2 family along with the
vek385 board will be added to Buildroot and thus the xilinx-prebuilt package
as well. In the future, additional families will also probably be added to
this package.
To avoid creating a long if-then-else-then-else statement which will only grow
in complexity over time, simplify the logic of the xilinx-prebuilt package by
giving each xilinx family its own if statement. In the long term, this will
make the xilinx-prebuilt package easier to understand and maintain.
For this reason, this patch moves the zynqmp/kria families from the "else"
statement to having an if statement separate from the versal family.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add optional zstd compression type support for QEMU.
In order to a file compressed with zstd on host to be applied to
target QEMU, zstd on both host and target should be enabled.
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Note:
The first file matching the pattern "iwlwifi-ty-a0-gf-a0*" was
introduced in commit [1], first included in version 20201022.
[1] 4f41e9d643
Signed-off-by: Alex McLain <alex@alexmclain.com>
[Julien: add the note in commit log when the first
firmware was introduced
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The web link www.zedboard.org is no longer valid as it routes to a generic
avnet.com boards link. Fix this issue by providing direct links to the Avnet
ZedBoard and Tria MicroZed boards.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As the xilinx.com website will soon be going away, migrate all xilinx board
web links from xilinx.com to amd.com.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since upstream commit [1] ("Deprecate the slaveOnly option in favor
of clientOnly."), included in v4.0, ptp4l complains about the
"slaveOnly" option being deprecated on startup.
Update the default config to silence this warning.
[1] fe01cc7c96
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Users may be building U-Boot outside Buildroot or Build U-Boot but not use
the rauc u-boot bootloader backend (E.G. as using the U-Boot environment is
tricky in secure boot setups) - So replace the selects by a note in the help
text.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
axfsutils is a host-only package, so drop it now that the axfs root
filesystem support has been dropped.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The file system support is not mainline and hasn't been updated since 2019,
so drop it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This defconfig no longer builds:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11161167596
It is still based on the 4.8.6 kernel, which is not even an LTS
kernel, so we cannot easily update to fix the issues which are most
likely due to the newer gcc/binutils versions we're using now.
There is no DEVELOPERS entry attached to this configuration as well,
and this defconfig has been broken for at least 2 months, probably
more (our Gitlab CI history is only kept for ~2 months). So let's drop
it, unles someone volunteers to resurrect it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The fbtft linux extension was only needed for very old kernels (<4.0)
that are no longer available in Buildroot.
Let's therefore remove it.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
wlroots 0.19.0 includes API breaking changes.
This commit bump the cage version to include the upstream commit [1]
which updates to this new wlroots API.
[1] 9ad44e4f52
Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
[Julien: change _VERSION to use "git describe --abbrev=40" format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
- Requires libxkbcommon >= 1.8.0 as of commit 34d3f466
- Drop upstream 0001-box-drawings-handle-architecture-with-soft-float.patch
Tested by building an image with sway and opening foot with win + return.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The package has been abandoned for several years. The only package that
previously relied on dmenu-wayland was the swaybar option for the sway package,
and that option now relies on wmenu.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Julien:
- add select BR2_LEGACY in legacy option to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
wmenu is an efficient dynamic menu for Sway and wlroots based Wayland
compositors. It provides a Wayland-native dmenu replacement which
maintains the look and feel of dmenu.
Furthermore, as of commit [1], sway uses wmenu instead of dmenu-wayland
with the following commit message:
"""
Switch default config to wmenu-run
This removes the last dependency bit on dmenu. No need for
"swaymsg exec" anymore: wmenu-run handles the xdg-activation
shenanigans.
"""
As such, change sway/Config.in to select wmenu instead of dmenu-wayland when
a user selects swaybar.
[1] b44015578a
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This defconfig enables EDK2 UEFI firmware and grub2 x86_64-efi boot
of a Linux Kernel in QEMU virt machine.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
[Julien:
- add .in suffix to genimage.cfg and grub.cfg template file names
- change UUID_TMP template variable to %PARTUUID%
- use human readable partition-type-uuid in genimage.cfg.in
- break long qemu-system-x86_64 command line in readme.txt
- add "-serial stdio" in readme.txt qemu command line for CI
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For change log, see:
https://xmlrpc-c.sourceforge.io/change.html
Since version 1.65, Libxml2 was made the default XML parser. Hence,
if libxml2 package is not selected, disable libxml2 support
explicitly.
Remove already upstreamed patch.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
A visual editor for binary files. Bvi allows the user to edit binary files
with a VI-like interface.
Signed-off-by: Dimitrios Siganos <dimitris@siganos.org>
[Julien:
- sort DEVELOPERS entries
- reword commit log title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For more details on the version bump, see:
- https://gitlab.com/libtiff/libtiff/-/releases/v4.7.1
This bump includes the security fix for CVE-2025-8176, CVE-2025-8177
that were addressed in commit [1][2].
Also fixes the following vulnerabilities:
- CVE-2024-13978
A vulnerability was found in LibTIFF up to 4.7.0. It has been
declared as problematic. Affected by this vulnerability is the
function t2p_read_tiff_init of the file tools/tiff2pdf.c of the
component fax2ps. The manipulation leads to null pointer
dereference. The attack needs to be approached locally. The
complexity of an attack is rather high. The exploitation appears to
be difficult. The patch is named
2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply
a patch to fix this issue.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2024-13978
- 2ebfffb0e8
- CVE-2025-8961
A weakness has been identified in LibTIFF 4.7.0. This affects the
function main of the file tiffcrop.c of the component tiffcrop.
Executing manipulation can lead to memory corruption. The attack can
only be executed locally. The exploit has been made available to the
public and could be exploited.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-8961
- 0ac97aa7a5
- CVE-2025-9165
A flaw has been found in LibTIFF 4.7.0. This affects the function
_TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the
file tools/tiffcmp.c of the component tiffcmp. Executing
manipulation can lead to memory leak. The attack is restricted to
local execution. The exploit has been published and may be used.
This patch is called ed141286a37f6e5ddafb5069347ff5d587e7a4e0. It is
best practice to apply a patch to resolve this issue.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-9165
- ed141286a3
This commit also updates the LICENSE.md hash file, which was updated
upstream to include a historical license. See:
a0b623c780
[1] b3974df966 package/tiff: add patches to fix CVE-2025-8176
[2] 3db725d71d package/tiff: add patch to fix CVE-2025-8177
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: fix license hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CVE-2025-8851 [1] has been fixed in upstream commit [2] that is part
of the v4.7.0 release.
Because the NVD reference includes the version '<2024-08-11' most of CVE
checker will fail to compare it against 4.7.0 and report it as a
positive.
[1] https://nvd.nist.gov//vuln/detail/CVE-2025-8851
[2] 8a7a48d7a6
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bump the xilinx-prebuilt default version to xilinx_v2025.1_update1, so that
all versal defconfigs use this new release tag.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bump the versal_vek280_defconfig to use version xilinx_v2025.1_update1 of the
xilinx-prebuilt boot pacakge.
As part of this update, the vek280 pdi file has been updated and the memory
map has been corrected to match the Linux intree dts memory node, so the
vek280 dts memory node patch is no longer required.
f755d022cd
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add the xilinx_v2025.1_update1 release tag hash to the xilinx-prebuilt
package, so that Xilinx boards can use this new release tag.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
AMD / Xilinx has made the decision to change the name of plm.elf to plmfw.elf
in the prebuilt binaries repo starting with the next update.
This patch updates the xilinx-prebuilt package to support either the old
plm.elf filename or the new plmfw.elf filename.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Migrate the BR2_TARGET_UBOOT_ZYNQMP dependency to the new
BR2_TARGET_XILINX_FIRMWARE_ARCH_SUPPORTS symbol. Also, add a cpu dependency
on BR2_cortex_a53 since the zynqmp platform is based on the ARM Cortex-A53
and the BR2_TARGET_UBOOT_ZYNQMP should not be available for other CPUs with
aarch64 architecture.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With the new cpu dependencies included in the xilinx-prebuilt package,
BR2_TARGET_XILINX_PREBUILT_VERSAL is now default when BR2_cortex_a72 is
selected. This means that BR2_TARGET_XILINX_PREBUILT_VERSAL is not needed
in the versal_*_defconfig files anymore.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add an architecture cpu dependency to each family to make sure that users can
only install prebuilt firmware which is applicable to their target device
family.
The versal family is based on BR2_cortex_a72.
The kria and zynqmp families are based on BR2_cortex_a53.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add an architecture cpu dependency to each application to make sure that users
can only build applications which are applicable to their target device
family.
The versal_plm and versal_psmfw applications are specific to versal devices
which are based on BR2_cortex_a72.
The zynqmp_pmufw application is specific to zynqmp devices which are based on
BR2_cortex_a53.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Currently, the xilinx-embeddedsw and xilinx-prebuilt packages are appearing
for any aarch64 processor. As all Xilinx processors that need these packages
are ARM Cortex-A53 or ARM Cortex-A72, this means that these packages are
often appearing as options for non-Xilinx platforms.
To reduce this occurrence, this patch creates a new symbol
BR2_TARGET_XILINX_FIRMWARE_ARCH_SUPPORTS to limit the appearance of the
xilinx-embeddedsw and xilinx-prebuilt boot packages to only platforms based
on the BR2_cortex_a53 or BR2_cortex_a72 CPU and aarch64 architecture.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a defconfig to build an AArch64 disk image with a U-Boot based
firmware implementing the subset of UEFI defined by EBBR[1], as well as
a Linux OS booting with UEFI, to run on the IOT-GATE-iMX8 from Compulab.
The generated firmware binary can also be used to install or run another
OS supporting the EBBR specification.
This configuration is based on the work of Paul Liu[2] and is not related
with the official BSP from Compulab.
This has been tested on actual hardware.
While at it, add this defconfig to myself in DEVELOPERS.
[1] https://github.com/ARM-software/ebbr
[2] https://git.linaro.org/plugins/gitiles/people/paul.liu/systemready/build-scripts
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Ying-Chun Liu (Paul Liu) <paul.liu@linaro.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Also set BuiltForPackageManager=buildroot so that cloudflared's update
command informs the user to update cloudflared via buildroot.
Without BuiltForPackageManager set:
cloudflared update
INF cloudflared is up to date version=
With BuiltForPackageManager set:
cloudflared update
ERR cloudflared was installed by buildroot. Please update using the same method.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For relase notes, see:
https://go.dev/doc/devel/release#go1.25.0
Building Go 1.24 and later requires Go 1.22.6 or later for bootstrap.
To support this we use our previous Go version 1.23.12 as the version
for go-bootstrap-stage4 and have the build for Go 1.25.1 depend on
go-bootstrap-stage4.
Go version 1.23.12 is the latest go version we can build using
go-bootstrap-stage3.
The package build for go-bootstrap-stage4 if effectively identical to
go-bootstrap-stage3 with only the Go version and stage number changed.
Note: go version 1.25.1 release note mention a security fix
which is for CVE-2025-47910. This commit is not marked as security
bump, because the issue was introduced in version 1.25.0 which
was not included in Buildroot. See:
https://pkg.go.dev/vuln/GO-2025-3955
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Tested-by: Christian Stewart <christian@aperture.us>
[Julien: add link to release notes and
comment about CVE in commit log.
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Patches submitted to update these packages have gone ignored for
months without comment, and I no longer wish to recieve daily
emails about them being out of date.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the Xilinx Zynq SoC family is always based on ARM Cortex-A9 CPUs, the
BR2_TARGET_UBOOT_ZYNQ option should only be available when the BR2_cortex_a9
option is selected.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
On Zynq, the booloader is responsible for some basic initializations, such as
enabling peripherals, DDR and configuring pinmuxes. The ps7_init_gpl.c file
(and optionally, ps7_init_gpl.h) contains the code for such initializations.
Although U-Boot contains ps7_init_gpl.c files for some boards, each of them
describes only one specific configuration. Users of a different board, or
needing a different configuration, can generate custom files using the Xilinx
Vivado development tools.
This patch adds Buildroot support for custom zynq ps7_init_gpl.c files in the
same way that is already done for zynqmp when working with custom hardware
that is not already supported by u-boot.
To test this feature, the following configs can be added to any zynq_defconfig:
BR2_TARGET_UBOOT_ZYNQ=y
BR2_TARGET_UBOOT_ZYNQ_PS7_INIT_FILE=<path to custom board ps7_init_gpl.c>
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Brandon Maier <brandon.maier@collins.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the binutils-bare-metal package to version 2.45. In the
process, it also decouples binutils-bare-metal from the binutils package
since the binutils package does not yet have support for version 2.45.
With the decoupling, the 3 downstream binutils 2.44 patches were evaluated.
Patches not needed for binutils-bare-metal:
0001-sh-conf.patch
0002-poison-system-directories.patch
Patches already included with binutils version 2.45:
0003-objdump-memleak.patch
https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d
Since none of these patches need to be applied to binutils-bare-metal 2.45,
the link to the binutils patch directory is deleted.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch decouples the gcc-bare-metal package from the gcc package to avoid
potential build issues when bumping the version of one package before the
other.
Such as the build issue example here:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11026775160
Since the gcc-bare-metal package does not currently require the gcc 15.2.0
downstream patches, this patch simply deletes the link for patching
gcc-bare-metal 15.2.0 with patches that are not needed for bare-metal apps.
As for the hash link, this patch creates a new file called gcc-bare-metal.hash
which has the same hashes in the gcc.hash file. But by having its own hash
file, hashes from the gcc package can be removed when version bumping without
causing build errors for the gcc-bare-metal package.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Sometimes the default GCC and newlib libraries built for a given
architecture tuple are not based on the desired ABI. Since ABI definitions are
different between architectures, the simplest solution is to allow users to
build bare-metal toolchains with --enable-multilib. This way, the libraries
for every available ABI will be built and users will be able to select the
desired library for their user applications.
This patch adds the option BR2_TOOLCHAIN_BARE_METAL_BUILDROOT_MULTILIB to give
users the choice to enable multilib, if desired.
Please note that when using a string of architecture tuples, this option will
apply to all architectures in the string, so it can significantly increase
build time.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This removes a warning reported by shellcheck: "Double quote to prevent
globbing and word splitting". As a result, the file can be removed from
.checkpackageignore.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_GLIBC_STABLE=y in the
defconfig, bumps kernel to 6.16.7, and adds custom hash files and
removes the exception entry in .checkpackageignore.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
[Julien:
- mention kernel bump in commit title
- move BR2_DOWNLOAD_FORCE_CHECK_HASHES=y down in defconfig
- remove linux-headers hash file
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Increase again the partition size to accommodate latest kernel.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV6_EABIHF_GLIBC_STABLE=y in the
defconfig, bumps kernel to 6.16.7, and adds custom hash files and
removes the exception entry in .checkpackageignore.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
[Julien:
- mention kernel bump in commit title
- move BR2_DOWNLOAD_FORCE_CHECK_HASHES=y down in defconfig
- remove linux-headers hash file
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The elfutils package provides libdw, which is required by sysprof.
It is not an optional dependency.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes building sysprof when elfutils is also selected (which is
a common setup). The debuginfod client support relies in elfutils
being built with the libdebuginfod option enabled; but Buildroot
unconditionally disables it in the elfutils package. See commit [1].
[1] 52c5c6050c
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[Julien: add link to commit disabling debuginfod]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Some links are still pointing to git.buildroot.org, which is the old URL
for the official Buildroot git repository. The repository is now hosted
at gitlab.com. Update those old links accordingly.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Many links pointing to buildroot.org are still prefixed with HTTP.
Update those to HTTPS.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes:
- https://github.com/OpenPrinting/cups/releases/tag/v2.4.13
- https://github.com/OpenPrinting/cups/releases/tag/v2.4.14
This fixes the following vulnerabilities:
- CVE-2025-58060:
OpenPrinting CUPS is an open source printing system for Linux and
other Unix-like operating systems. In versions 2.4.12 and earlier,
when the `AuthType` is set to anything but `Basic`, if the request
contains an `Authorization: Basic ...` header, the password is not
checked. This results in authentication bypass. Any configuration that
allows an `AuthType` that is not `Basic` is affected. Version 2.4.13
fixes the issue.
https://www.cve.org/CVERecord?id=CVE-2025-58060
- CVE-2025-58364:
OpenPrinting CUPS is an open source printing system for Linux and
other Unix-like operating systems. In versions 2.4.12 and earlier, an
unsafe deserialization and validation of printer attributes causes
null dereference in the libcups library. This is a remote DoS
vulnerability available in local subnet in default configurations. It
can cause the cups & cups-browsed to crash, on all the machines in
local network who are listening for printers (so by default for all
regular linux machines). On systems where the vulnerability
CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was
not fixed, and the firewall on the machine does not reject incoming
communication to IPP port, and the machine is set to be available to
public internet, attack vector "Network" is possible. The current
versions of CUPS and cups-browsed projects have the attack vector
"Adjacent" in their default configurations. Version 2.4.13 contains a
patch for CVE-2025-58364.
https://www.cve.org/CVERecord?id=CVE-2025-58364
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y in the defconfig
and adds custom hash files. The exception entry in .checkpackageignore
is also removed.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
[Julien: change linux.hash comment to reuse hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When searching for the official git repository in the documentation,
readers are forwarded to the buildroot website Download page with a link
pointing to buildroot.org/download, which returns a 404.
Fix the dead link by adding the missing .html suffix.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CMake build system has logic to detect the git repo info and include it
in the version output. This unfortunately gets confused and adds the git
info of the Buildroot repository when building inside the repo:
-- Found Git version: refs/heads/rtl_433-25.02 commit a367362af0 from 2025-09-21T20:07:58+0200
-- Using Git version tag: 2025.08-283-ga367362af0 on rtl_433-25.02 at 202509212007
rtl_433 -V
rtl_433 version 2025.08-283-ga367362af0 branch rtl_433-25.02 at 202509212007 inputs file rtl_tcp RTL-SDR
Pass GIT_DIR=. to the configure step similar to how it is already done for
the build step to disable this.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update icu to 77.1.
The LICENSE file contains a lot of changes, so no diff
is presented.
Patch 0002-workaround-toolchain-bugs.patch is no longer required.
Reorder the other patches accordingly.
Update patch 0003-fix-static-linking-with-icu-uc.patch so that
it applies cleanly.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
TestGitHash and TestGitRefs are failing on Gitlab-CI since 2025-08-18
(first runtime-test failures report for master) [1] due a new Gitlab-CI
security settings that prevents the any use of localhost (127.0.0.1) on
the Gitlab-CI runner [2]:
"To prevent exploitation of insecure internal web services, all webhook
and integration requests to the following local network addresses are
not allowed:
Private network addresses, including 127.0.0.1, ::1, 0.0.0.0,
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and IPv6 site-local
(ffc0::/10) addresses."
Gitlab suggest using a second container as a Services [3] since each
containers have access to one another and can communicate when running
the job. But this is really not practical to run git daemon since the
service is started before the Buildroot git tree is fetched and git
daemon needs git-remote directory content.
See [4]:
"If you have your service that tries to write to CI_PROJECT_DIR
immediately after it's started - it will not work and fail with an
error like '/builds/nknapp/gitlab-ci-test/': No such file or directory
error. Because that directory is most probably not there yet, as the
job step that creates it is yet to be executed!"
Also, using Gitlab-CI services requires to handle GitTestBase setUp
differently on Gitlab-CI than local use of run-tests.
So Gitlab-CI services is not an option.
We could move support/testing/tests/download/git-remote to our Gitlab
group (https://gitlab.com/buildroot.org) but since it's only intended
for testing the git download backend, we don't really want to do that.
So the only remaining choice to clone the repository from the Buildroot
git tree (local machine).
To do so, we have to do the following changes:
- Replace all "git://localhost:$(GITREMOTE_PORT_NUMBER)" by
"$(GITREMOTE_DIR)". GITREMOTE_DIR will contain the absolute path to
tests/download/git-remote directory.
- Force to use git download backend using "SITE_METHOD = git" otherwise
the download infra will fall back using wget download backend.
- Cloning a git repository with submodules using the "file://" protocol
needs to be allowed from git config. It's disabled by default:
"fatal: transport 'file' not allowed"
Use a local gitconfig file generated by GitTestBase before starting
TestGitHash and TestGitRefs with:
[protocol "file"]
allow = always
This is considered safe since we are using a git repository from the
Buildroot git tree.
- Running TestGitHash and TestGitRefs on Gitlab-CI requires additional
git config settings to disable ownership check of the git tree [5].
Thanks to Arnout for advices about GIT_CONFIG_GLOBAL.
Runtime tested:
https://gitlab.com/kubu93/buildroot/-/jobs/11428504450 (TestGitHash)
https://gitlab.com/kubu93/buildroot/-/jobs/11428490035 (TestGitRefs)
[1] https://lore.kernel.org/buildroot/68a3ee65.500a0220.397724.30db@mx.google.com/
[2] https://docs.gitlab.com/security/webhooks/#allow-requests-to-the-local-network-from-webhooks-and-integrations
[3] https://docs.gitlab.com/ci/services/
[4] https://gitlab.com/gitlab-org/gitlab-runner/-/issues/25982#note_2139685797
[5] a016b693f7
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124174 (TestGitHash)
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124173 (TestGitRefs)
Cc: Arnout Vandecappelle <arnout@rnout.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As reported on the mailing list [1] while investigating the
TestZfsUclibc Gitlab-CI failure, the python 3.13 interpreter itsef
segfault at runtime:
Fatal Python error: _PyThreadState_Attach: non-NULL old thread state
Python runtime state: preinitialized
Thread 0xSegmentation fault
This issue is related to the python 3.13 version bump [2] were several
internal changes were added [3] to support PEP 703 [4].
PEP 793 is about CPython’s global interpreter lock (“GIL”) removal
for multi-threads support that requires a working C11 "thread_local"
for thread-local storage [5].
The new uclibc-ng 1.0.55 release contains a fix for this issue [6].
This version is included in Buildroot commit [7].
Since the prebuilt Bootling aarch64 uclibc stable 2025.08-1 is based
on previous uClibc-ng release (1.0.54) we have to use the internal
toolchain backend to build a new uClibc-ng toolchain using uclibc-ng
1.0.55. Note: the toolchain config defined in this commit reflects
the options enabled in the Bootling aarch64 uclibc external
toolchains.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124859 (TestZfsUclibc)
[1] https://lore.kernel.org/buildroot/7a4d245d-1556-43c9-8997-6b1f791afbfe@gmail.com/ (TestZfsUclibc)
[2] d63e207eb8
[3] 6e97a9647a
[4] https://peps.python.org/pep-0703/
[5] https://gcc.gnu.org/onlinedocs/gcc-15.1.0/gcc/Thread-Local.html
[6] 94c1297d52
[7] 5250bba8e5
Cc: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Tested-by: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
[Julien:
- add link to buildroot commit updating uclibc-ng to 1.0.55
- add a note in the commit log about the toolchain config
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Finally the aarch64 tls bug is fixed. (python 3.13 segfault)
Unfortunately it is not covered by any testcase of uClibc-ng-test.
Here is the git shortlog for the release:
Marius Melzer (1):
malloc-standard: Fix truncation problem in malloc
Waldemar Brodkorb (5):
Fix Sysvipc for ARM, AARCH64, RISCV64, KVX and m68k
remove uClibc specific gettext_printf
aarch64: do not force tls-model in CPU_CFLAGS, this isn't required
aarch64: respect r_addend for TLSDESC relocations
bump version for 1.0.55 release
yliu (5):
mips32: Preventing FORCE_FRAME_POINTER from being optimized away
mips32: Define __IPC_64 according to kernel version
time64: fixed msgctl/semctl/shmctl result errors for for MIPS32/RISCV32
time64: fix *ctl functions in mips32eb/mips64
time64: fix *ctl functions in mips32eb
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Tested-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-6375:
A vulnerability was found in poco up to 1.14.1. It has been rated as
problematic. Affected by this issue is the function MultipartInputStream
of the file Net/src/MultipartReader.cpp. The manipulation leads to null
pointer dereference. The attack needs to be approached locally. The
exploit has been disclosed to the public and may be used. Upgrading to
version 1.14.2 is able to address this issue. The patch is identified as
6f2f85913c191ab9ddfb8fae781f5d66afccf3bf. It is recommended to upgrade
the affected component.
For more information see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-6375
- 6f2f85913c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issue:
CVE-2025-8713: PostgreSQL optimizer statistics can expose sampled data
within a view, partition, or child table
PostgreSQL optimizer statistics allow a user to read sampled data within
a view that the user cannot access. Separately, statistics allow a user
to read sampled data that a row security policy intended to hide.
PostgreSQL maintains statistics for tables by sampling data available in
columns; this data is consulted during the query planning process. Prior
to this release, a user could craft a leaky operator that bypassed view
access control lists (ACLs) and bypassed row security policies in
partitioning or table inheritance hierarchies. Reachable statistics data
notably included histograms and most- common-values lists. CVE-2017-7484
and CVE-2019-10130 intended to close this class of vulnerability, but
this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19,
and 13.22 are affected.
CVE-2025-8714: PostgreSQL pg_dump lets superuser of origin server execute
arbitrary code in psql client
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious
superuser of the origin server to inject arbitrary code for restore-time
execution as the client operating system account running psql to restore
the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore
is affected when used to generate a plain-format dump. This is similar to
MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14,
14.19, and 13.22 are affected.
CVE-2025-8715: PostgreSQL pg_dump newline in object name executes
arbitrary code in psql client and in restore target server
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user
of the origin server to inject arbitrary code for restore-time execution
as the client operating system account running psql to restore the dump,
via psql meta-commands inside a purpose-crafted object name. The same
attacks can achieve SQL injection as a superuser of the restore target
server. pg_dumpall, pg_restore, and pg_upgrade are also affected.
Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class
of problem, but version 11.20 reintroduced it.
https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update all qemu defconfigs to the latest Kernel LTS version.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
While doing a per-package build the package is failing to
compile with this error (gcc 13.x glibc toochain):
make[3]: Entering directory
'/home/wbx/buildroot-2025.02.3/output/build/xapp_xdm-1.1.14/xdm' CC
session.o session.c:146:11: fatal error: crypt.h: No such file or
directory 146 | # include <crypt.h> | ^~~~~~~~~
compilation terminated.
Fix this error by providing the needed glibc dependencies.
Fixes:
https://autobuild.buildroot.org/results/b75/b75ad8f1159613656dce482992c800545d60ae69/
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
aespipe-v2.4i April 29 2025
- Added AES Crypto Extension opcodes for 64-bit arm64 on Linux.
- aes-armv8sca.S aes-armv8ce.S : add PAC/BTI branch protection
support. Patch from Emanuele Rocca <emanuele.rocca@arm.com>
aespipe-v2.4j September 2 2025
- Added configure script autodetection for 32-bit ARM -marm compile
flag. This option is needed with some compilers that default to
generating code in Thumb mode.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-55763
Buffer Overflow in the URI parser of CivetWeb 1.14 through 1.16 (latest)
allows a remote attacker to achieve remote code execution via a crafted
HTTP request. This vulnerability is triggered during request processing
and may allow an attacker to corrupt heap memory, potentially leading to
denial of service or arbitrary code execution.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-55763
- 76e222bcb7
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a patch fixing prototype issues with GCC 15.x. The patch cannot be
submitted upstream because the problematic code has completely changed
in newer releases.
No autobuilder failures because they were hidden by 'c-icap' not
building with GCC 15.x.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The SBSA Reference Platform was updated to neoverse-n2 (armv9.0a)
in Qemu v9.1 [1].
The Armv9-A and Neoverse N2 core support was added in Buildroot
commit [2].
Since the test_edk2 uses the Qemu sbsa-ref machine, this commit
aligns it to use the neoverse-n2 cpu.
[1] b1d592e7b0
[2] 9845bd4541
Signed-off-by: Julien Olivain <ju.o@free.fr>
The SBSA Reference Platform was updated to neoverse-n2 (armv9.0a)
in Qemu v9.1 [1].
The Armv9-A and Neoverse N2 core support was added in Buildroot
commit [2].
Since the test_fwts uses the Qemu sbsa-ref machine, this commit
aligns it to use the neoverse-n2 cpu.
[1] b1d592e7b0
[2] 9845bd4541
Signed-off-by: Julien Olivain <ju.o@free.fr>
Take two patches from the Debian jxrlib package, and integrate them to
fix the build of the bundled jxrlib library found in the libfreeimage
package.
libfreeimage isn't exactly well maintained: its last version 3.18.0 is
quite old (July 2018), there's a fairly large number of tickets in the
bug tracker claiming to be CVE
reports (https://sourceforge.net/p/freeimage/bugs/), it is still using
SVN as the version control system.
However, it is used as an optional dependency for CEGUI, and a
mandatory dependency for Ogre. However, it no longer seems to be a
dependency for more recent versions of Ogre. But in any case it cannot
simply be dropped.
Fixes:
https://autobuild.buildroot.net/results/452462285bf93b13f092fb41696952f415e75b2f/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-8835:
A vulnerability was found in JasPer up to 4.2.5. Affected by this
vulnerability is the function jas_image_chclrspc of the file
src/libjasper/base/jas_image.c of the component Image Color Space
Conversion Handler. The manipulation leads to null pointer dereference.
It is possible to launch the attack on the local host. The exploit has
been disclosed to the public and may be used. The identifier of the
patch is bb7d62bd0a2a8e0e1fdb4d603f3305f955158c52. It is recommended to
apply a patch to fix this issue.
For more information see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-8835
- bb7d62bd0a
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2023-51257:
An invalid memory write issue in Jasper-Software Jasper v.4.1.1 and
before allows a local attacker to execute arbitrary code.
For more information see:
- https://nvd.nist.gov//vuln/detail/CVE-2023-51257
- aeef5293c9
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This CVE is specific for the version 5.1.5 still present in Buildroot.
It has been fixed in 5.2.3 and thereby doesn't affects the other
versions available in Buildroot.
- CVE-2014-5461
Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through
5.2.x before 5.2.3 allows context-dependent attackers to cause a denial
of service (crash) via a small number of arguments to a function with a
large number of fixed arguments.
For more information see:
- https://security-tracker.debian.org/tracker/CVE-2014-5461
- https://udd.debian.org/patches.cgi?src=lua5.1&version=5.1.5-11
A patch present in Debian is used to address this vulnerability.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-53644:
OpenCV is an Open Source Computer Vision Library. Versions prior to
4.12.0 have an uninitialized pointer variable on stack that may lead
to arbitrary heap buffer write when reading crafted JPEG images.
Version 4.12.0 fixes the vulnerability.
https://www.cve.org/CVERecord?id=CVE-2025-53644
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPE 'iputils_project:iputils' has been deprecated in favour of
'iputils:iputils'.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
We dropped support for python2 a while back in [1], as such we
can remove the python six module which was only needed for
backwards comaptibility with python2.
[1] 2743ce00ca
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: add commit ref removing python2 support]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add host-pkgconf dependency which is needed for finding openssl.
Set OPENSSL_NO_VENDOR=1 in the environment to ensure we use the
system openssl library.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
License has changed due to license change from regular MIT to
MIT-no-attribution:
67a170dc79
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop python-anyio runtime dependency which is now an optional
dependency of asyncclick. See:
ca93155e16
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: add commit reference for anyio dependency change]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Running the command:
make apitrace-patch
fails with error:
Applying 0003-Explicit-header-stdint.patch using patch:
patching file frametrim/ft_dependecyobject.hpp
Reversed (or previously applied) patch detected! Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file frametrim/ft_dependecyobject.hpp.rej
patching file retrace/metric_writer.cpp
Reversed (or previously applied) patch detected! Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file retrace/metric_writer.cpp.rej
Commit [1] "package/apitrace: fix build with GCC 15.x" introduced a
package patch in the branch master while Buildroot was in RC cycle.
This same commit was cherry-picked in [2] in the branch "next" to also
apply cleanly the patch for commit [3] "package/apitrace: bump to
version 13".
The merge commit [4] kept the apitrace package patch
"0003-Explicit-header-stdint.patch".
This commit fixes the issue by removing this stale patch.
[1] a4b0913280
[2] bf55f4713e
[3] aec2f2ddc4
[4] 0af159ae2b
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Running the command:
make cpp-httplib-patch
fails with error:
Applying 0001-merge-commit-from-fork.patch using patch:
patching file httplib.h
Reversed (or previously applied) patch detected! Skipping patch.
2 out of 2 hunks ignored -- saving rejects to file httplib.h.rej
patching file test/test.cc
Hunk #1 FAILED at 42.
Hunk #2 FAILED at 2839.
Hunk #3 FAILED at 3624.
3 out of 3 hunks FAILED -- saving rejects to file test/test.cc.rej
Commit [1] "package/cpp-httplib: add patch for CVE-2025-46728"
introduced a package patch in the branch next while Buildroot was in
RC cycle. Just after, commit [2] "package/cpp-httplib: bump to
v0.25.0", also in branch next, removed this package patch.
This commit [1] was cherry-picked in [3] in the branch master, to
apply only the security fix for the 2025.08 release.
The merge commit [4] kept the cpp-httplib package patch
"0001-merge-commit-from-fork.patch".
This commit fixes the issue by removing this stale patch.
Fixes:
https://autobuild.buildroot.org/results/5b9843089ade428997035e49817208ce9c09a10e
[1] aea7c89396
[2] 519d03657c
[3] fd313c4ceb
[4] 0af159ae2b
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The "board/arm/foundation-v8/readme.txt" board documentation file [1]
recommends to start the Foundation_Platform emulator with a nat
network, but the corresponding defconfig does include the dhcp
network configuration for the network interface.
This commit adds the "eth0" interface to be configured by DHCP
at boot, in order to have a working network connectivity.
[1] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.08/board/arm/foundation-v8/readme.txt#L39
Cc: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog:
git log --oneline ac6742520d..b621b157b4
b621b15 aarch64: Enable access into FEAT_SPE_FDS register from EL2 and below
785302c aarch64: Enable use of ZT0
7f5a545 aarch64: Enable use of FPMR
0f3a153 aarch64: shuffle ID_AA64PFR{0,1}_EL1 definitions
0e78492 Makefile: Ensure initrd parameters in /chosen are up-to-date
1571345 aarch64: Enable access into FEAT_PMUv3p9 registers from EL2 and below
e1b9137 aarch64: Enable access into FEAT_FGT2 registers from EL2 and below
Cc: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since boot-wrapper-aarch64 introduction in commit [1]
"boot-wrapper-aarch64: new package", the package never received a hash
file. This commit adds it, including the source archive and license
hashes.
[1] 7689b72e00
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit [1] ("package: replace git:// URLs with https://
URLs where possible") switched _SITE URL from git to https, but did
not updated the package homepage in Config.in.
This commit updates it to match the package _SITE URL.
[1] 6626bf7c5f
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes
(https://github.com/redis/redis/blob/8.2.1/00-RELEASENOTES)
=============================================================
8.2.1 (v8.2.1) Committed Mon 18 Aug 2025 12:00:00 IST
=============================================================
Update urgency: `MODERATE`: Program an upgrade of the server, but it's not urgent.
- #14240 `INFO KEYSIZES` - potential incorrect histogram updates on cluster mode with modules
- #14274 Disable Active Defrag during flushing replica
- #14276 `XADD` or `XTRIM` can crash the server after loading RDB
- #Q6601 Potential crash when running `FLUSHDB` (MOD-10681)
- Query Engine - LeanVec and LVQ proprietary Intel optimizations were removed from Redis Open Source
- #Q6621 Fix regression in `INFO` (MOD-10779)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog: https://github.com/libgeos/geos/releases/tag/3.14.0
Bump minimal GCC version to 7. (Switched to C++17 as minimum requirement)
e142764b77
Since commit 26292ce880
libgeos uses fenv.h to catch FPU exceptions. Some libc implementation may
have no fenv support. So add a patch to detect fenv.h availability.
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
[Julien:
- reformat patch title to fix check-package error
- add Upstream header in patch to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes:
https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt
Notable changes related to policycoreutils: none.
However, in terms of packaging, there's a change: the top-level
Makefile of policycoreutils now uses pkg-config to find libselinux and
libsemanage. So building directly the subdirs no longer works because
the variables defined by the top-level Makefile are no longer set. So
we simplify the whole packaging by building from the top-level
Makefile. In order for this pkg-config to work for the host variant,
we need to pass $(HOST_MAKE_ENV) in the environment of make, so we
also did the same for consistency with $(TARGET_MAKE_ENV).
In terms of dependencies: policycoreutils directly links with
libselinux, libsemanage and libsepol, so all three are needed for both
the target and host variants. And host-pkgconf is now needed for the
host variant, as it's used to detect the dependent libraries.
The patches also need to be refreshed, except 0003 that is dropped
since it was a backport from upstream.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
merge policycoreutils
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes:
https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt
Notable changes for libsepol:
* libsepol: Add new 'netif_wildcard' policy capability
* libsepol: Allow multiple policycap statements
* libsepol: Support genfs_seclabel_wildcard
We can drop our patch since SELinux now has an official DISABLE_SHARED
variable to do a static-only build (but it needs a 'y' value and not a
'1' value like our previous variable needed).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
policycoreutils uses getpass(), which with musl is only defined with
some feature macro defined, such as _GNU_SOURCE. So let's pick-up an
upstream fix to address this issue.
There are no autobuilder failures, the issue was most likely hidden by
other failures with musl affecting the SELinux stack.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The build of libsemanage on musl configurations fails with:
direct_api.c: In function 'semanage_direct_install_file':
direct_api.c:1746:20: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
1746 | filename = basename(path);
| ^~~~~~~~
This fails to build even with a GCC 14.x toolchain, even with
libsemanage 3.7, which is the version we have in our LTS branch.
Let's backport an upstream patch fixing this issue.
Fixes:
https://autobuild.buildroot.net/results/913852e35c925888ced37e15be3731b9d3963019/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Luvi 2.14.0 fails to build with GCC 14.x for several reasons due to
too old lua-openssl 0.8.2-0 submodule:
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/ocsp.c: In function 'openssl_ocsp_request_read':
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/ocsp.c:124:29: error: passing argument 1 of 'PEM_ASN1_read_bio' from incompatible pointer type [-Wincompatible-pointer-types]
124 | OCSP_REQUEST *req = pem ? PEM_read_bio_OCSP_REQUEST(bio, NULL, NULL)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
| |
| char * (*)()
Fixed in lua-openssl by [1].
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/x509.c: In function 'openssl_push_general_name':
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/x509.c:377:45: error: passing argument 2 of 'openssl_push_asn1type' from incompatible pointer type [-Wincompatible-pointer-types]
377 | openssl_push_asn1type(L, general_name->d.x400Address);
| ~~~~~~~~~~~~~~~^~~~~~~~~~~~
| |
| ASN1_STRING * {aka struct asn1_string_st *}
Fixed in lua-openssl by [2].
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/openssl.c: In function 'luaclose_openssl':
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/stdatomic.h:387:9: error: implicit declaration of function '__c11_atomic_fetch_sub'; did you mean '__atomic_fetch_sub'? [-Wimplicit-function-declaration]
387 | __c11_atomic_fetch_sub(object, operand, order)
Fixed in lua-openssl by [3].
Instead of fixing one by one each issues, update to the latest release
that include lua-openssl 0.9.0-0. Luvi v2.15.0 still have some GCC 14.x
issues, backport two additional patches.
Download luvi sources using git method since the release archive
no longer include the release version in its name [4].
Luvi switched to PCRE2 [5], update the optional dependency.
Update TestLuvi to select PCR2 package.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124430 (TestLuvi)
[1] bfeedbe8c0
[2] e5b5420cc5
[3] cfcaa16d1a
[4] https://github.com/luvit/luvi/releases/download/v2.15.0/luvi-source.tar.gz
[5] https://github.com/luvit/luvi/releases/tag/v2.15.0
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issue:
- CVE-2025-58050: PCRE2: heap-buffer-overflow read in match_ref due to
missing boundary restoration in SCS
Compared to 10.45, this release has only a minimal code change to prevent a
read-past-the-end memory error, of arbitrary length. An attacker-controlled
regex pattern is required, and it cannot be triggered by providing crafted
subject (match) text. The (*ACCEPT) and (*scs:) pattern features must be
used together.
Release 10.44 and earlier are not affected.
https://github.com/PCRE2Project/pcre2/security/advisories/GHSA-c2gv-xgf5-5cc2https://www.cve.org/CVERecord?id=CVE-2025-58050
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: add link to CVE in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The last mariadb version bump [1] added -DHAVE_SYSTEM_LIBFMT_EXITCODE=0
to workaround cross-compiling issue during libfmt cmake check.
But it actually requies at least cmake >= 3.30 to work.
Indeed, our docker image used by Gitlab-CI uses cmake 3.25.1 and
segfault while testing for libfmt.
-- Performing Test HAVE_SYSTEM_LIBFMT
/bin/bash: line 1: 163369 Segmentation fault
$ cmake --version
cmake version 3.25.1
Using the same TestPerlDBDmysql configuration locally with
cmake 3.30.8 installed build fine.
Looking at cmake cmTryRunCommand.cxx history from 3.30.x show that
several fixes about cross-compiling isses were applied to cmake 3.26.x
[2] probably solving the issue. Requires BR2_HOST_CMAKE_AT_LEAST_3_30
for now, since only cmake 3.30.8 installed locally was tested.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124486 (TestPerlDBDmysql)
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124439 (TestMariaDB)
[1] 6cd8f95346 ("package/mariadb: bump version to 10.11.11")
[2] https://gitlab.kitware.com/cmake/cmake/-/commits/v3.30.9/Source/cmTryRunCommand.cxx?ref_type=tags
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
xlib_xtrans clients (for example xserver_xorg-server) are failing to
compile with gcc 15.1.0.
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_XSERVER_XORG_SERVER=y
EOF
make olddefconfig
make xserver_xorg-server
which outputs the compilation error:
auth.c: In function 'GenerateRandomData': auth.c:320:5: warning:
ignoring return value of 'read' declared with attribute
'warn_unused_result' [-Wunused-result] 320 | read(fd, buf, len);
| ^~~~~~~~~~~~~~~~~~ In file included from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/string.h:548,
from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xos.h:62,
from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/Xtrans.h:54,
from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/Xtransint.h:79,
from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/transport.c:55,
from xstrans.c:17: In function 'strncpy', inlined from
'_XSERVTransGetHostname' at
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/Xtrans.c:1351:5,
inlined from '_XSERVTransConvertAddress' at
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/Xtransutil.c:188:12:
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/bits/string_fortified.h:100:10:
error: '__builtin_strncpy' offset [130, 319] from the object at 'name'
is out of the bounds of referenced subobject 'nodename' with type
'char[65]' at offset 65 [-Werror=array-bounds=] 100 | return
__builtin___strncpy_chk (__dest, __src, __len, |
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 101 |
__glibc_objsize (__dest)); |
~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/Xtransint.h:105:
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/sys/utsname.h:
In function '_XSERVTransConvertAddress':
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/sys/utsname.h:54:10:
note: subobject 'nodename' declared here 54 | char
nodename[_UTSNAME_NODENAME_LENGTH]; | ^~~~~~~~ cc1: some
warnings being treated as errors make[2]: *** [Makefile:696: xstrans.lo]
Error 1 make[2]: *** Waiting for unfinished jobs.... make[2]: Leaving
directory
'/home/wbx/buildroot/output/build/xserver_xorg-server-21.1.18/os'
make[1]: *** [Makefile:796: all-recursive] Error 1 make[1]: Leaving
directory '/home/wbx/buildroot/output/build/xserver_xorg-server-21.1.18'
make: *** [package/pkg-generic.mk:273:
/home/wbx/buildroot/output/build/xserver_xorg-server-21.1.18/.stamp_built]
Error 2
The update fixes the compile error.
See here for changes:
https://lists.x.org/archives/xorg/2025-March/061900.html
The COPYRIGHT was updated from 2005 to 2025.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Using /dev/null as file source because the package doesn't provide a default
systemv service configuration file.
Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
[Julien: remove S43htpdate .checkpackageignore entry
to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove libgtk2, we need to first drop support for
gtk2 in yad. It continues to support gtk3.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: simply .mk file: BR2_PACKAGE_LIBGTK3_X11 is always true]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove the libgtk2 package, we must first remove
sylpheed which requires libgtk2.
Even though there has been some upstream activity as recent as three
years ago, the package hasn't been updated for libgtk3.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, we need to drop the optional
dependency of putty on libgtk2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, we need to first remove support for
the gtk2 backend of pinentry, which this patch does.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, we need to drop libgtk2 support
from opencv4. gtk3 support remains in place.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
[Arnout: add legacy handling]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, we need to drop libgtk2 support from
opencv3. gtk3 support remains in place.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: add legacy handling.]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove the libgtk2 package, let's drop the gtk
frontend from netsurf. It is worth mentioning that the gtk3 frontend
remains in place as an alternative.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, let's drop the optional dependency
of mjpegtools on libgtk2, and forcefully disable gtk support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This window manager requires libgtk2, which we are about to remove, so
let's drop metacity.
Although metacity is still actively developed on gnome.org, it hasn't
seen an update in Buildroot since 2011, so probably nobody is using it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, let's drop the optional dependency
of lv2 on libgtk2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
libsexy requires libgtk2, which we're about to remove, so let's drop
libsexy. The last release was in 2007.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
libglade requires libgtk2, which we're about to remove, so let's drop
libglade. The last release was in 2009 and it doesn't exist any more on
gitlab.gnome.org.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, the libfm and pcmanfm packages need
to be adjusted so that they work with libgtk3 only. This requires a
bit of re-arrangment of the dependencies, to properly propagate the
libgtk3 dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to drop libgtk2, let's remove the optional dependency
of libcanberra to libgtk2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This package needs libgtk2, which we are about to remove.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This package requires libgtk2, which we are about to remove.
It has not seen an update in 20 years.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: add legacy handling.]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, let's drop the optional dependency
of gtkiostream on libgtk2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, let's drop gtk2-engines, which
obviously relies on libgtk2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The gkrellm client needs libgtk2, which we are about to drop from
Buildroot.
Even though gkrellm has a somewhat active upstream at
https://git.srcbox.net/gkrellm/gkrellm, it isn't clear whether it is
compatible with Gtk 3 or not.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Arnout: reword help text, drop legacy for BR2_PACKAGE_GKRELLM_SERVER]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, let's drop the wmgui support from
cwiid, which is libgtk2 only.
Note that cwiid hasn't seen a commit in the past 16 years, so there's
no real hope to see wmgui fixed to have support for a more recent Gtk
version. And perhaps this separately calls for removing cwiid
entirely from Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we are about to drop support for libgtk2, let's drop the reference
to libgtk2 from the adwaita-icon-theme package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This bump, with the exception of the 5.4 series, fixes the VMSCAPE bug:
CVE-2025-40300.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Remove support for aufs, as it is outdated and unmaintained in Buildroot.
Users are encouraged to use overlayfs in place of aufs.
This patch removes support for aufs package providing sources for
the kernel extension, the related Buildroot kernel extension configuration,
as well as the userspace utilities.
This also allows to remove some special cases in configuration utilities.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Romain: fix legacy handling text]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The symlink bin/lld -> $(GNU_TARGET_NAME)/bin/lld is broken inside a
SDK containing host-lld package. The symlink still points to the
location of lld inside the build's host folder instead of the location
of lld inside the SDK. In consequence GCC is not able to find lld
linker. Changing the symlink to be relative during host-lld
installation fixes the problem.
Signed-off-by: Victor Krawiec <victor.krawiec@arturia.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This toolchain is more than 7 years old now, and not maintained anymore.
Let's therefore remove it from Buildroot. There are still some
alternatives in-tree, such as Bootlin toolchains
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This toolchain is more than 7 years old now, and not maintained anymore.
Let's therefore remove it from Buildroot. There are still some
alternatives in-tree, such as ARM and Bootlin toolchains
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Romain:
- rename TestExternalToolchainLinaroArm to TestExternalToolchainArmGnu
- update toolchain prefix arm-linux-gnueabihf to arm-none-linux-gnueabihf
- replace BR2_TOOLCHAIN_EXTERNAL_LINARO_ARM by BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_GLIBC_STABLE
since the ARM toolchain can't be enabled due to missing NEON support
]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This toolchain is more than 7 years old now, and not maintained anymore.
Let's therefore remove it from Buildroot. There are still some
alternatives in-tree, such as ARM and Bootlin toolchains
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This toolchain is more than 7 years old now, and not maintained anymore.
Let's therefore remove it from Buildroot. There are still some
alternatives in-tree, such as ARM and Bootlin toolchains
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This toollchain is almost 10 years old now, and not maintained anymore.
Let's therefore remove it from Buildroot. Newer maintained external
toolchains for MIPS are still available from Bootlin
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Romain: remove leftover link to binutils 2.27 bug 19908]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Without systemd package/docker-engine requires another way to mount
/sys/fs/cgroup, so far provided by BR2_PACKAGE_CGROUPFS_MOUNT for
cgroup v1. Replace this with BR2_PACKAGE_CGROUPFS_V2_MOUNT for cgroup
v2 support. 5.2 is the minimum recommended version for cgroup v2
support according to the Docker documentation: "v4.15 or later (v5.2
or later is recommended)" [1].
Depending on the selected container runtime users may need to adjust
kernel configurations to enable options required by that runtime with
cgroup v2 (e.g. CONFIG_CGROUP_BPF for runc).
Propagate dependencies accordingly: The Docker btrfs filesystem driver
does not need a separate and lower minimum headers version,
package/mender-update-modules needs to apply the new "depends on".
[1] https://docs.docker.com/engine/containers/runmetrics/#running-docker-on-cgroup-v2
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Since commit 947dbc92a2 the Bootlin
stable toolchain uses headers 5.4, which can lead to build outputs
incompatible with older kernels. Update to the latest 5.4 kernel to
avoid this. The kernel config is updated according to the requirements
of current Docker, runc, and crun.
Additionally switch the CPU of the test VM to Haswell, to avoid
dockerd failing to start with a "This program can only be run on AMD64
processors with v3 microarchitecture support" error.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
php-lua fails to build in buildroot 2025.08-rc3 on the following error:
in file included from [...]/usr/include/php/Zend/zend.h:32,
from [...]/usr/include/php/main/php.h:31,
from [...]/build/php-lua-2.0.7/lua.c:24:
[...]/build/php-lua-2.0.7/lua.c: In function ‘php_lua_write_property’:
[...]/build/php-lua-2.0.7/lua.c:247:37:
error: ‘val’ undeclared (first use in this function); did you mean
‘zval’?
247 | lua_pushlstring(L, ZSTR_VAL(val), ZSTR_LEN(val));
| ^~~
[...]/usr/include/php/Zend/zend_string.h:66:26:
note: in definition of macro ‘ZSTR_VAL’
66 | #define ZSTR_VAL(zstr) (zstr)->val
| ^~~~
[...]/build/php-lua-2.0.7/lua.c:247:37:
note: each undeclared identifier is reported only once for each function
it appears in
247 | lua_pushlstring(L, ZSTR_VAL(val), ZSTR_LEN(val));
| ^~~
[...]/usr/include/php/Zend/zend_string.h:66:26:
note: in definition of macro ‘ZSTR_VAL’
66 | #define ZSTR_VAL(zstr) (zstr)->val
| ^~~~
make[2]: *** [Makefile:214: lua.lo] Error 1
The issue triggers only if lua interpreter version is lower than 5.2. In
this case, php_lua_write_property calls ZSTR_VAL on the wrong variable.
Fix php-lua build by calling ZSTR_VAL on the correct variable.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124501 (TestPhpLuaLuajit)
Suggested-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
[Romain: add link to failing TestPhpLuaLuajit]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump to the latest tagged version of ti-linux-firmware to pull in
updates for TI's DM and TIFS firmware for TI's K3 processors
Signed-off-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The git.ti.com cgit server continues to be plagued with reliability
issues which are reportedly from heavy bot traffic. To combat this the
system administrators have removed the archived downloads feature from
this server.
Switch to TI's Github mirror so new downloads continue to be possible.
Signed-off-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
In all theory, we could iterate over CNI_PLUGINS_INSTALL_BINS, which
already contains the basenames $(notdir) of the binaries to install,
but *_INSTALL_BINS is now an internal implementation detail, and
can't be guaranteed to be stable.
Hence, iterate over the list of targets, and somewhat duplicate the
install commands from the infra, using make's $(notdir) rather than
calling to the shell's to call basename.
Note: we need to stop setting _INSTALL_BINS, as a following commit will
check that it is not explicitly set, and fail otherwise.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Christian Stewart <christian@aperture.us>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Now that the pkg-golang infra automatically sets _INSTALL_BINS by
default to the list of notdir of _BUILD_TARGETS, there is no need to do
that in packages anymore.
Most packages were already using the notdir construct, so those are
trivially fixed; a few had a hard-coded list that matched the built
targets list, so they too are trivially fixed.
host-mender-artifact was slightly different, in that it explicitly set
the _BIN_NAME to mender-artifact, which happens to be the default; it
also set _INSTALL_BINS to _BIN_NAME, so again using the default. This
package can also be fixed easily.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Cc: Christian Stewart <christian@aperture.us>
Cc: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Currently, when a golang package defines multiple _BUILD_TARGETS, it has
to basically repeat the same list in its _INSTALL_BINS.
When a golang package defines multiple _BUILD_TARGETS, the pkg-golang
infra will forcibly use the basename (the notdir) of each target as the
name of the generated binary; there is no option to set a per-target
binary name.
However, the pkg-golang infra by default tries to install a binary named
after the package rawname. This forces packages to basically repeat the
same list as their _BUILD_TARGETS to override _INSTALL_BINS, when the
list of generated binaries is already known to the infra.
We change the pkg-golang infra to better cover such a case:
- if _BUILD_TARGET is '.' (the default), keep the current scheme:
install a single binary named after the package rwaname;
- if _BUILD_TARGET is not '.', and contains a single word, use the
notdir of the built target, but allow the user to override it with
_BIN_NAME (the current behaviour);
- otherwise (_BUILD_TARGETS is set to more than one word), do not
allow the user to set _BIN_NAME (it does not make sense), but set
_INSTALL_BINS by default to the notdir of _BUILD_TARGETS.
We still allow the user to set _INSTALL_BINS in the last case, to cover
the case for existing packages; those are going to be "fixed" in the
following commits.
We now consider that _INSTALL_BINS is an internal implementation details
that should no longer be exposed to the users, so we drop it from the
documentation; we rephrase the corresponding part for _BUILD_TARGETS.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Christian Stewart <christian@aperture.us>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Re-introduce the 2025.05.x branch on the downloads page, which was
removed with the 2025.08 release.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Add an option to install the firmware files for Wifi in Mediatek
MT7986 SOC, which are present on BananaPi r3.
Signed-off-by: Mattias Walström <lazzer@gmail.com>
[Julien:
- fix tabs/spaces to remove check-package errors
- move config to keep alphabetical order
- add info in .mk comment
- reindent LINUX_FIRMWARE_FILES
- move .mk block to keep alphabetical order
- fix license file to LICENCE.mediatek
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
- add firmware to support BE20x devices
- extend bluetooth helptext as it already includes the required firmwares
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
[Julien: reflow BR2_PACKAGE_LINUX_FIRMWARE_IBT help string
to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Include the SoC model in both hostname and /etc/issue to match the
.dts file names.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Use a newer commit ID (2023-07-24). While not the latest, this commit
marks a significant milestone in the ongoing development and support
of AST2600 SoC boards.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
[Julien: reword commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Linux images are growing larger, and the current kernel partition size
of 4352K is no longer sufficient. Increase the partition size to
accommodate the larger images.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Linux 6.5 moved .dts files to vendor sub-directories, adjust the
post-image.sh script to take into account the 'aspeed/' prefix in .dts
file names.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Julien Olivain <ju.o@free.fr>
We're bumping from version 10 to 13.
Version 11 doesn't really have release notes.
Version 12: https://github.com/apitrace/apitrace/releases/tag/12.0
Version 13: https://github.com/apitrace/apitrace/releases/tag/13.0
Patch 0001-thirdparty-libbacktrace-backtrace-h-include-config.h.patch
no longer makes sense: config.h no longer exists, and building with
musl works fine without it.
Both patches 0002 and 0003 were backport from upstream, so they can be
dropped.
We must switch from downloaded the auto-generated Github tarball to
fetching using Git, as fetching submodules is now mandatory to get
some bundled thirdparty libraries (yerk).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This version builds fine with GCC 15.x, without passing -std=gnu99.
Changes are described at
https://web.mit.edu/Kerberos/www/krb5-1.22/. Most relevant details:
User experience
The libdefaults configuration variable "request_timeout" can
be set to limit the total timeout for KDC requests. When
making a KDC request, the client will now wait
indefinitely (or until the request timeout has elapsed) on a
KDC which accepts a TCP connection, without contacting any
additional KDCs. Clients will make fewer DNS queries in some
configurations.
The realm configuration variable "sitename" can be set to
cause the client to query site-specific DNS records when
making KDC requests.
Administrator experience
Principal aliases are supported in the DB2 and LMDB KDB
modules and in the kadmin protocol. (The LDAP KDB module has
supported aliases since release 1.7.)
UNIX domain sockets are supported for the Kerberos and kpasswd
protocols.
systemd socket activation is supported for krb5kdc and kadmind.
Developer experience
KDB modules can be be implemented in terms of other modules
using the new krb5_db_load_module() function.
The profile library supports the modification of empty
profiles and the copying of modified profiles, making it
possible to construct an in-memory profile and pass it to
krb5_init_context_profile().
GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
gss_init_sec_context() to request strict enforcement of
channel bindings by the acceptor.
Protocol evolution
The PKINIT preauth module supports elliptic curve client
certificates, ECDH key exchange, and the Microsoft paChecksum2
field.
The IAKERB implementation has been changed to comply with the
most recent draft standard and to support realm discovery.
Message-Authenticator is supported in the RADIUS
implementation used by the OTP kdcpreauth module.
Code quality
Removed old-style function declarations, to accomodate
compilers which have removed support for them.
Added OSS-Fuzz to the project's continuous integration
infrastructure.
Rewrote the GSS per-message token parsing code for improved
safety.
This commit also updates the NOTICE license file hash after year update
and few other minor reformatting.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: update NOTICE license file hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
These external linux drivers haven't seen any activity in Buildroot
for a while, and are anyway aimed at an old kernel version (4.19).
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Acked-by: David Lechner <david@lechnology.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
In cases where no hotplug is available (by choice or by the lack of a
proper hotplug method for a device), this service can be used to load
kernel module drivers by reading the /etc/modules-load.d/*.conf files.
The modules files matches the one used by systemd, which in turn has
a builtin mechanism to load a module at boot, therefore making systemv
init on par with systemd features.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[Arnout:
- add exception for missing DAEMON variable;
- fix shellcheck warnings
]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
check-package has a mechanism for a specific file to make an exception
to a specific checker, by preceding the offending line with
"check-package ... <checker class>". However, this is not possible for
the global checks that are done in the checker's after() function.
Allow exceptions for the global checks by writing the same
"check-package ... <checker class>" comment on the last line of the
file.
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
nnn is a fast and minimal text-based file manager. It is written in C
and has minimal dependencies, which makes it portable and suitable for
embedded systems.
Project page: https://github.com/jarun/nnn
Wiki: https://en.wikipedia.org/wiki/Nnn_(file_manager)
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
[Arnout:
- add missing dependency on BR2_USE_MMU (found with test-pkg);
- add missing comment in Config.in;
- add musl-fls dependency when needed (found with test-pkg);
- add host-pkgconf dependency;
- add NNN_MAKE_ENV to collect everything in make environment;
- drop TARGET_MAKE_ENV from environment, it's already in
TARGET_CONFIGURE_OPTS;
- add PREFIX to NNN_MAKE_FLAGS: it is currently not used in the
build step, but in the future it may be used;
- use NORL=0/1 for readline optional dependency, the Makefile says that
the "norl" target is legacy;
- remove comment about readline dependency, it's obvious;
- indent continuation line with an extra tab.
]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_GLIBC_STABLE=y in the
defconfig, bumps kernel to 6.12.43, and adds custom hash files.
The exception entry in .checkpackageignore is also removed.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
[Peter: correct linux-headers.patch symlink]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The patch bumps the Linux kernel to version 6.12.36 and U-Boot to
version 2025.07 for
- stm32mp135f_dk_defconfig
- stm32mp157a_dk1_defconfig
- stm32mp157c_dk2_defconfig
The new version of U-Boot with commit [1] enabled OF_UPSTREAM flag for
STM32MP15 platforms. This required properly updating the DEVICE_TREE
parameter to pass to U-Boot in order to successfully complete the build.
Tested on STM32MP157C-DK2 Discovery Board.
[1] 35f90f76f4
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.186 and U-Boot to
version 2025.07.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.186 and U-Boot to
version 2025.07.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.186 and, for the SD
configuration, also updates U-Boot to version 2025.07.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.1.143. The size of xipImage
has increased by only 514 bytes (1672318 bytes compared to 1671804 in
version 6.1.133).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
GNU Radio contains a block to uses Soapy SDR has sink or source.
Since the SoapySDR package is now available in Buildroot, it is possible
to update GNU Radio package to enable or disable the gr-soapy block.
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fix the following vulnerability:
- CVE-2025-46728
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library.
Prior to version 0.20.1, the library fails to enforce configured size
limits on incoming request bodies when `Transfer-Encoding: chunked` is
used or when no `Content-Length` header is provided. A remote attacker
can send a chunked request without the terminating zero-length chunk,
causing uncontrolled memory allocation on the server. This leads to
potential exhaustion of system memory and results in a server crash or
unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits
during parsing. If the limit is exceeded at any point during reading,
the connection is terminated immediately. A short-term workaround
through a Reverse Proxy is available. If updating the library
immediately is not feasible, deploy a reverse proxy (e.g., Nginx,
HAProxy) in front of the `cpp-httplib` application. Configure the
proxy to enforce maximum request body size limits, thereby stopping
excessively large requests before they reach the vulnerable library
code.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-46728
- 7b752106ac
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The each_cpe() method is careful that some CVEs have no
"configurations", but some CVEs such as
https://nvd.nist.gov/vuln/detail/CVE-2025-32915 apparently have a
"configurations" node, but no "nodes" inside the "configurations",
causing an exception:
Traceback (most recent call last):
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 1382, in <module>
__main__()
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 1371, in __main__
check_package_cves(args.nvd_path, packages)
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 679, in check_package_cves
check_package_cve_affects(cve, cpe_product_pkgs)
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 638, in check_package_cve_affects
for product in cve.affected_products:
^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 185, in affected_products
return set(cpe_product(p['id']) for p in self.each_cpe())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 185, in <genexpr>
return set(cpe_product(p['id']) for p in self.each_cpe())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 173, in each_cpe
for node in nodes['nodes']:
~~~~~^^^^^^^^^
KeyError: 'nodes'
Fixes:
54f8d97c91 ("support/scripts/pkg-stats: adapt to NVD v2 json format")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Romain:
- add reference to buildroot commit introducing the issue
- a similar patch was sent by Daniel Lang (thanks!)]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Update the kernel, U-Boot, ATF tags, as well as documentation, used by
the LS1046A-FRWY to the latest Linux Factory release.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
[Julien: add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the kernel, U-Boot, ATF tags, as well as documentation, used by
the LS1046A-RDB to the latest Linux Factory release.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
[Julien: add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the kernel, U-Boot, ATF tags, as well as documentation, used by
the LS1043A-RDB to the latest Linux Factory release.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
[Julien:
- add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y
- replace "LS1028A-RDB" by "LS1043A-RDB" in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the kernel, U-Boot, ATF tags, as well as documentation, used by
the LS1028A-RDB to the latest Linux Factory release.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
[Julien: add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit we were previously on, 45e6925, was the head of the master
branch and now became tag lf-6.12.20-2.0.0, which we can use as is.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This is nominally a bugfix release which now also includes the patch we
previously backported, so we can remove it.
However, it also introduced some breakage:
- Builds with older toolchains (like br-arm-full-static, GCC 9) fail
because the introduction of C23 [[fallthrough]] to the code was not
properly gated on compiler support.
- Compiling for x86 without SSE2 support (e.g. with
bootlin-x86-i686-musl) fails because the check for native half-with
float arithmetic support on the target was not strict enough.
Import unreleased upstream patches that fix these issues.
Release notes: https://github.com/intel/tinycbor/releases/tag/v0.6.1
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add OP-TEE OS Support. NXP BSP lf-6.12.3-1.0.0 version.
The i.MX93 Boot Container requires a raw TEE binary without a TEE header.
Update the imx9-bootloader-prepare.sh script and Config.in accordingly
to ensure compatibility with this requirement.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
[Julien: remove empty line in hash file to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This new version v0.6.0-11-g7e06aa3 (lastest git commit)
supports more bayer formats:
b5ad78a1c6
Signed-off-by: Sébastien Tisserand <sebastien.tisserand@armadeus.com>
Reviewed-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
[Julien: use "git describe --tags --abbrev=40" format in _VERSION]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Upstream FRR accepts --enable-multipath=N in the range 1-999. Buildroot
previously hardcoded 256.
Add a config integer to set the maximum ECMP paths at build time, keeping
256 as the default. Lower values help match hardware limits or reduce
memory; higher values are useful for software routing or lab testing.
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
[Julien:
- reword commit log title
- replace python '%' formatting with '+' concatenation
- remove IP address assertion in test controller as it
is already in sample script
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
From 0.9.1 the pyroute2 core is async, the synchronous API remains
available as a wrapper.
Upstream changelog:
https://github.com/svinota/pyroute2/blob/0.9.4/CHANGELOG.rst
pyroute2 now requires the python3 ssl module at runtime. This is
reflected in Config.in.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
[Julien:
- add comment in commit log about new ssl runtime dependency
- add runtime comment in Config.in
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release e-mail:
https://inbox.sourceware.org/libc-alpha/5906001.DvuYhMxLoT@pinacolada/
Major new features:
* The following ISO C23 function families (introduced in TS
18661-4:2015) are now supported in <math.h>. Each family includes
functions for float, double, long double, _FloatN and _FloatNx, and a
type-generic macro in <tgmath.h>.
- Power and absolute-value functions: compoundn, pown, powr, rootn,
rsqrt.
* On Linux, the pthread_gettid_np function has been added.
* The ISO C2Y family of unsigned abs functions, i.e. uabs, ulabs,
ullabs, and uimaxabs, is now supported.
* On Linux, the <termios.h> interface now supports arbitrary baud rates;
speed_t is redefined to simply be the baud rate specified as an
unsigned int, which matches the kernel interface.
* The thread-local cache in malloc (tcache) now supports caching of
large blocks. This feature can be enabled by setting the tunable
glibc.malloc.tcache_max to a larger value (max 4194304). Tcache is
also significantly faster for small sizes.
* A new configure option, "--enable-sframe", can be used to enable
SFrame support of the GNU C Libraries. SFrame is a new stack trace
information format which can be used by backtrace. It requires
binutils with a minimum version of 2.45.
* Support for lightweight stack guard pages via madvise and the
MADV_GUARD_INSTALL flag has been added to pthread_create.
* Additional optimized and correctly rounded mathematical functions have
been imported from the CORE-MATH project, in particular acospif,
asinpif, atanpif, atan2pif, cospif, sinpif, tanpif.
* The testsuite has been significantly extended, including coverage of
the functionality of the printf and scanf function families in many
variants.
* The manual has been significantly extended and updated, particularly
the threads, terminal, filesystem, resource, and math chapters.
* Code has been added to detect the x86-64 Intel Arrow Lake, Panther
Lake, Clearwater Forest, and Diamond Rapids microarchitectures.
* Regarding S390, support for the new z17 platform has been added.
Deprecated and removed features, and other changes affecting compatibility:
* The glibc.rtld.execstack tunable now supports a compatibility mode to
allow programs that require an executable stack through dynamically
loaded shared libraries.
* On Linux, the <termio.h> header and the definition of struct termio
in <sys/ioctl.h> have been removed. The termio interface has been
obsolete since the very first version of POSIX.1 in 1988, replaced
with <termios.h>.
* The support for TX lock elision of pthread mutexes has been deprecated
on all architectures and will be removed in the next release.
* On AArch64 Linux targets supporting the Scalable Matrix Extension
(SME), setjmp and sigsetjmp will disable the ZA state of SME.
Changes to build and runtime requirements:
* GCC 12.1 or later is now required to build the GNU C Library.
* GNU Binutils 2.39 or later is now required to build the GNU C Library.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: resolve conflict with commit feaf53585a]
Signed-off-by: Julien Olivain <ju.o@free.fr>
glibc 2.42 drops <termio.h>, so the libsanitizer code needs to be
adjusted accordingly, by backporting upstream gcc fixes.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien:
- renumbered 14.3.0/0003 patch to 14.3.0/0004
- renumbered 15.1.0/0002 patch to 15.1.0/0004
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
From the release notes:
(https://github.com/redis/redis/blob/8.2.0/00-RELEASENOTES)
===========================================================
8.2 GA (v8.2.0) Released Mon 4 Aug 2025 15:00:00 IST
===========================================================
This is the General Availability release of Redis Open Source 8.2.
- Streams - new commands: `XDELEX` and `XACKDEL`; extension to `XADD` and `XTRIM`
- Bitmap - `BITOP`: new operators: `DIFF`, `DIFF1`, `ANDOR`, and `ONE`
- Query Engine - new SVS-VAMANA vector index type which supports vector compression
- More than 15 performance and resource utilization improvements
- New metrics: per-slot usage metrics, key size distributions for basic data types, and more
Note: the full release note mention three CVEs fixed in 8.1.x and 8.2.x
series. Those security fixes were already included in version 8.0.2 and
8.0.3, already in Buildroot. Therefore, this commit is not marked as
security related.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add comment in commit log about CVE in release note]
Signed-off-by: Julien Olivain <ju.o@free.fr>
2025-08-11 17:23:38 +02:00
4444 changed files with 38904 additions and 41963 deletions
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
