From 4d4dc5f54235c83ce3bc676edc674cae68b66371 Mon Sep 17 00:00:00 2001 From: Bernd Kuhls Date: Sat, 14 Mar 2026 13:23:26 +0100 Subject: [PATCH 1/7] package/libxml2: security bump version to 2.15.2 Release notes: https://download.gnome.org/sources/libxml2/2.15/libxml2-2.15.2.news - CVE-2026-1757 fix: Memory leak in xmllint Shell - shell.c - CVE-2026-0990 fix: Prevent infinite recursion in xmlCatalogListXMLResolve - CVE-2026-0992 fix: Exponential behavior when handling - parser: Fix infinite loop in xmlCtxtParseContent - CVE-2025-10911 libxslt related: Ignore next/prev of documents when traversing XPath - CVE-2026-0989 fix: Add RelaxNG include limit Signed-off-by: Bernd Kuhls Signed-off-by: Julien Olivain --- ...evert-cmake-Fix-installation-directories-in-libxml2.patch | 5 +++-- package/libxml2/libxml2.hash | 4 ++-- package/libxml2/libxml2.mk | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/package/libxml2/0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch b/package/libxml2/0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch index 75232b6f0053..70f1d9899c92 100644 --- a/package/libxml2/0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch +++ b/package/libxml2/0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch @@ -8,6 +8,7 @@ This reverts commit 75dde50b20215a2a3a445b62f36a67c8ed337cab. Upstream: https://gitlab.gnome.org/GNOME/libxml2/-/issues/898#note_2452864 +[Bernd: rebased for 2.15.2] Signed-off-by: Bernd Kuhls --- configure.ac | 11 ----------- @@ -19,7 +20,7 @@ diff --git a/configure.ac b/configure.ac index 4eb629bb..150e06eb 100644 --- a/configure.ac +++ b/configure.ac -@@ -1006,17 +1006,6 @@ AC_SUBST(XML_PRIVATE_LIBS) +@@ -1008,17 +1008,6 @@ AC_SUBST(XML_PRIVATE_LIBS) AC_SUBST(XML_PRIVATE_CFLAGS) AC_SUBST(XML_INCLUDEDIR) @@ -70,7 +71,7 @@ diff --git a/meson.build b/meson.build index 31c73b62..8728852c 100644 --- a/meson.build 
+++ b/meson.build -@@ -577,9 +577,6 @@ config_cmake = configuration_data() +@@ -590,9 +590,6 @@ config_cmake = configuration_data() config_cmake.set('LIBXML_MAJOR_VERSION', v_maj) config_cmake.set('LIBXML_MINOR_VERSION', v_min) config_cmake.set('LIBXML_MICRO_VERSION', v_mic) diff --git a/package/libxml2/libxml2.hash b/package/libxml2/libxml2.hash index 637ba52bb8ba..35c8810ed936 100644 --- a/package/libxml2/libxml2.hash +++ b/package/libxml2/libxml2.hash @@ -1,4 +1,4 @@ -# From https://download.gnome.org/sources/libxml2/2.15/libxml2-2.15.1.sha256sum -sha256 c008bac08fd5c7b4a87f7b8a71f283fa581d80d80ff8d2efd3b26224c39bc54c libxml2-2.15.1.tar.xz +# From https://download.gnome.org/sources/libxml2/2.15/libxml2-2.15.2.sha256sum +sha256 c8b9bc81f8b590c33af8cc6c336dbff2f53409973588a351c95f1c621b13d09d libxml2-2.15.2.tar.xz # License files, locally calculated sha256 5d4873884a890122a4b9b20ad56ac6f7da1d796a5bfcf04a427970ac96217626 Copyright diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk index 35d373e13018..0a365fa689f5 100644 --- a/package/libxml2/libxml2.mk +++ b/package/libxml2/libxml2.mk @@ -5,7 +5,7 @@ ################################################################################ LIBXML2_VERSION_MAJOR = 2.15 -LIBXML2_VERSION = $(LIBXML2_VERSION_MAJOR).1 +LIBXML2_VERSION = $(LIBXML2_VERSION_MAJOR).2 LIBXML2_SOURCE = libxml2-$(LIBXML2_VERSION).tar.xz LIBXML2_SITE = \ https://download.gnome.org/sources/libxml2/$(LIBXML2_VERSION_MAJOR) From 9b839527e38a2ed71ab7d5432ad740d5e7b71962 Mon Sep 17 00:00:00 2001 From: Bernd Kuhls Date: Sat, 14 Mar 2026 19:51:00 +0100 Subject: [PATCH 2/7] package/ell: bump version to 0.83 https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ChangeLog?h=0.83 Signed-off-by: Bernd Kuhls Signed-off-by: Julien Olivain --- package/ell/ell.hash | 2 +- package/ell/ell.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/ell/ell.hash b/package/ell/ell.hash index 034ab74c4bd0..ccd11151c76c 100644 
--- a/package/ell/ell.hash +++ b/package/ell/ell.hash @@ -1,5 +1,5 @@ # From https://mirrors.edge.kernel.org/pub/linux/libs/ell/sha256sums.asc -sha256 672ca1e44dc0ddce1665941754b4e2b3b9203481d7d7a60e0b5f39829d73fa14 ell-0.81.tar.xz +sha256 39a562f5ab2768e69da1ffbb1f98a8eb3483baffc7d2ef6adc3705e4fd4e53fb ell-0.83.tar.xz # License files sha256 ec60b993835e2c6b79e6d9226345f4e614e686eb57dc13b6420c15a33a8996e5 COPYING diff --git a/package/ell/ell.mk b/package/ell/ell.mk index db9dc80366cc..799438e5e62d 100644 --- a/package/ell/ell.mk +++ b/package/ell/ell.mk @@ -4,7 +4,7 @@ # ################################################################################ -ELL_VERSION = 0.81 +ELL_VERSION = 0.83 ELL_SOURCE = ell-$(ELL_VERSION).tar.xz ELL_SITE = $(BR2_KERNEL_MIRROR)/linux/libs/ell ELL_LICENSE = LGPL-2.1+ From 66b617af7bc53c9e4dfb3bc12a75902417847666 Mon Sep 17 00:00:00 2001 From: Bernd Kuhls Date: Sat, 14 Mar 2026 19:51:01 +0100 Subject: [PATCH 3/7] package/iwd: bump version to 3.12 https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/ChangeLog?h=3.12 Signed-off-by: Bernd Kuhls Signed-off-by: Julien Olivain --- package/iwd/iwd.hash | 2 +- package/iwd/iwd.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/iwd/iwd.hash b/package/iwd/iwd.hash index 7ad2fb382d9e..67064e35eb31 100644 --- a/package/iwd/iwd.hash +++ b/package/iwd/iwd.hash @@ -1,5 +1,5 @@ # From https://mirrors.edge.kernel.org/pub/linux/network/wireless/sha256sums.asc -sha256 640bff22540e1714f71772a83123aff6f810b7eb9d7d6df1e10fb2695beb5115 iwd-3.10.tar.xz +sha256 d89a5e45c7180170e19be828f9e944a768c593758094fc57a358d0e7c4cb1a49 iwd-3.12.tar.xz # License files sha256 ec60b993835e2c6b79e6d9226345f4e614e686eb57dc13b6420c15a33a8996e5 COPYING diff --git a/package/iwd/iwd.mk b/package/iwd/iwd.mk index a150a3048b36..caecb62d64b4 100644 --- a/package/iwd/iwd.mk +++ b/package/iwd/iwd.mk 
@@ -4,7 +4,7 @@ # ################################################################################ -IWD_VERSION = 3.10 +IWD_VERSION = 3.12 IWD_SOURCE = iwd-$(IWD_VERSION).tar.xz IWD_SITE = $(BR2_KERNEL_MIRROR)/linux/network/wireless IWD_LICENSE = LGPL-2.1+ From b38ef052d6124aecee2803ce1b46b354437b8619 Mon Sep 17 00:00:00 2001 From: Bernd Kuhls Date: Sat, 14 Mar 2026 19:39:04 +0100 Subject: [PATCH 4/7] package/file: bump version to 5.47 https://github.com/file/file/blob/FILE5_47/ChangeLog Signed-off-by: Bernd Kuhls Signed-off-by: Julien Olivain --- package/file/file.hash | 4 ++-- package/file/file.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/file/file.hash b/package/file/file.hash index 53c4d5c4db5a..bb367893a9c9 100644 --- a/package/file/file.hash +++ b/package/file/file.hash @@ -1,6 +1,6 @@ # Locally calculated after verifying signature -# https://astron.com/pub/file/file-5.46.tar.gz.asc +# https://astron.com/pub/file/file-5.47.tar.gz.asc # using key BE04995BA8F90ED0C0C176C471112AB16CB33B3A -sha256 c9cc77c7c560c543135edc555af609d5619dbef011997e988ce40a3d75d86088 file-5.46.tar.gz +sha256 45672fec165cb4cc1358a2d76b5d57d22876dcb97ab169427ac385cbe1d5597a file-5.47.tar.gz sha256 0bfa856a9930bddadbef95d1be1cf4e163c0be618e76ea3275caaf255283e274 COPYING sha256 2e14b6fa9a74f952ebfde3c96527158df281c953cfaf35609eb854d4da30131c src/vasprintf.c diff --git a/package/file/file.mk b/package/file/file.mk index a33b306c4cb9..b70b3c521c3f 100644 --- a/package/file/file.mk +++ b/package/file/file.mk @@ -4,7 +4,7 @@ # ################################################################################ -FILE_VERSION = 5.46 +FILE_VERSION = 5.47 FILE_SITE = https://astron.com/pub/file FILE_LICENSE = BSD-2-Clause, BSD-3-Clause (vasprintf.c) FILE_LICENSE_FILES = COPYING src/vasprintf.c From cc80c554154edf9aec9d65a49f72f685c5f21b4c Mon Sep 17 00:00:00 2001 
From: Bernd Kuhls Date: Sat, 14 Mar 2026 17:53:07 +0100 Subject: [PATCH 5/7] package/dos2unix: bump version to 7.5.4 https://waterlan.home.xs4all.nl/dos2unix/ChangeLog.txt Updated license hash due to copyright year bump: https://sourceforge.net/p/dos2unix/dos2unix/ci/0ab159a6c80bd647f4830fb45059472eb1e11d3e/ Signed-off-by: Bernd Kuhls Signed-off-by: Julien Olivain --- package/dos2unix/dos2unix.hash | 6 +++--- package/dos2unix/dos2unix.mk | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/dos2unix/dos2unix.hash b/package/dos2unix/dos2unix.hash index 3e9bf7882e3a..c48f70d574bf 100644 --- a/package/dos2unix/dos2unix.hash +++ b/package/dos2unix/dos2unix.hash @@ -1,4 +1,4 @@ # Locally calculated after checking pgp signature -# https://waterlan.home.xs4all.nl/dos2unix/dos2unix-7.5.3.tar.gz.asc -sha256 28a4b0d9f9179da4e44c567b9c01f818b070a20827115fffd96f760dcfa0f3b2 dos2unix-7.5.3.tar.gz -sha256 bff21c3509fe7348c8327745b2f80d8847b04868073c6d0861bf8c773db66515 COPYING.txt +# https://waterlan.home.xs4all.nl/dos2unix/dos2unix-7.5.4.tar.gz.asc +sha256 f811a2b9e4a0c936c61ef7c1732993d1820e5cf011f4d93861885ccb8101ca21 dos2unix-7.5.4.tar.gz +sha256 e09d0709ac6a24d995565989267f2e097325778ed47738ee889a7124bc89a3ef COPYING.txt diff --git a/package/dos2unix/dos2unix.mk b/package/dos2unix/dos2unix.mk index 4c57a4de5f9d..8794aa46bfe5 100644 --- a/package/dos2unix/dos2unix.mk +++ b/package/dos2unix/dos2unix.mk @@ -4,7 +4,7 @@ # ################################################################################ -DOS2UNIX_VERSION = 7.5.3 +DOS2UNIX_VERSION = 7.5.4 DOS2UNIX_SITE = http://waterlan.home.xs4all.nl/dos2unix DOS2UNIX_LICENSE = BSD-2-Clause DOS2UNIX_LICENSE_FILES = COPYING.txt From bdeb0d0a3208e97645e9f7771d53c14e5fb441b8 Mon Sep 17 00:00:00 2001 
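Review bot: `DOS2UNIX_SITE` in the dos2unix.mk hunk still fetches over plain `http://`, although the signature URL recorded in dos2unix.hash and the ChangeLog link in the commit message both use `https://` on the same host. The pinned sha256 still rejects a modified tarball, so this is defence in depth rather than an integrity gap, but it would keep the download off an unauthenticated channel. Suggest `DOS2UNIX_SITE = https://waterlan.home.xs4all.nl/dos2unix` as part of this bump. The line is unchanged context here, and the rest of dos2unix.mk lies outside the hunk.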
From: Bernd Kuhls Date: Sat, 14 Mar 2026 19:44:53 +0100 Subject: [PATCH 6/7] package/flashrom: bump version to 1.7.0 https://github.com/flashrom/flashrom/blob/v1.7.0/doc/release_notes/v_1_6.rst https://github.com/flashrom/flashrom/blob/v1.7.0/doc/release_notes/v_1_7.rst Renamed license file and updated license hash due to upstream commit: https://github.com/flashrom/flashrom/commit/4b370bebb7bcd45274d5734e736a2e2c90d4d307 Signed-off-by: Bernd Kuhls Signed-off-by: Julien Olivain --- package/flashrom/flashrom.hash | 4 ++-- package/flashrom/flashrom.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/flashrom/flashrom.hash b/package/flashrom/flashrom.hash index 0e1faf34e7a4..4ffb34720d00 100644 --- a/package/flashrom/flashrom.hash +++ b/package/flashrom/flashrom.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 3f4dc7878e962e165b7eba73104d4e61231f9d4e838eb47df6ca3d87060a2aa5 flashrom-1.5.1.tar.gz -sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 COPYING +sha256 c5a8892158bd749aadfee6e114eec268130cdd8c2027fd1ddf44273755b07b59 flashrom-1.7.0.tar.gz +sha256 e51c99ee054c216999e7a8db04a2e7a6b39915dccc8a58e54b48a720e0c4158a COPYING.rst diff --git a/package/flashrom/flashrom.mk b/package/flashrom/flashrom.mk index f253c5f9d85d..8e1fb47905c3 100644 --- a/package/flashrom/flashrom.mk +++ b/package/flashrom/flashrom.mk @@ -4,10 +4,10 @@ # ################################################################################ -FLASHROM_VERSION = 1.5.1 +FLASHROM_VERSION = 1.7.0 FLASHROM_SITE = $(call github,flashrom,flashrom,v$(FLASHROM_VERSION)) FLASHROM_LICENSE = GPL-2.0+ -FLASHROM_LICENSE_FILES = COPYING +FLASHROM_LICENSE_FILES = COPYING.rst FLASHROM_INSTALL_STAGING = YES FLASHROM_CONF_OPTS = \ -Dclassic_cli=enabled \ From 2e2d0389188681a5bedac73b8fb9ba6147e48887 Mon Sep 17 00:00:00 2001 
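Review bot: The `# Locally computed` comment in flashrom.hash gives no provenance for the new tarball hash, unlike the file, dos2unix and xz bumps in this series, which record the signature URL (and, for file and xz, the key) the hash was checked against. The archive is fetched via `$(call github,flashrom,flashrom,v$(FLASHROM_VERSION))`, so the sha256 only pins whatever was downloaded when the bump was prepared. If upstream publishes a signed release tarball or a signed tag for 1.7.0 (not visible on this page), verify against it and record that, for example `# Locally computed after verifying <SIGNATURE-URL> with key <KEY-FINGERPRINT>`. flashrom writes firmware, so the provenance of its source is worth documenting.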
From: Bernd Kuhls Date: Sat, 14 Mar 2026 13:32:29 +0100 Subject: [PATCH 7/7] package/xz: bump version to 5.8.2 https://github.com/tukaani-project/xz/releases/tag/v5.8.2 "- Fix the build on ARM64 on glibc versions older than 2.24 (2016). They don't have HWCAP_CRC32 in ." Updated license hashes due to upstream commit https://github.com/tukaani-project/xz/commit/6d287a3ae90e1b990294f3d5264003d81e853c5e Fixes: https://autobuild.buildroot.net/results/b0d/b0dbae7b2c884f5fef0017755b28932a83921a5a/ "check/crc32_arm64.h:27:25: fatal error: sys/auxv.h: No such file or directory 27 | # include " Signed-off-by: Bernd Kuhls Signed-off-by: Julien Olivain --- package/xz/xz.hash | 8 ++++---- package/xz/xz.mk | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package/xz/xz.hash b/package/xz/xz.hash index 0e0618ec0276..99daa5e9dfb5 100644 --- a/package/xz/xz.hash +++ b/package/xz/xz.hash 
@@ -1,11 +1,11 @@ # Locally calculated after checking pgp signature -# https://github.com/tukaani-project/xz/releases/download/v5.8.1/xz-5.8.1.tar.bz2.sig +# https://github.com/tukaani-project/xz/releases/download/v5.8.2/xz-5.8.2.tar.bz2.sig # using key 3690C240CE51B4670D30AD1C38EE757D69184620 Lasse Collin -sha256 5965c692c4c8800cd4b33ce6d0f6ac9ac9d6ab227b17c512b6561bce4f08d47e xz-5.8.1.tar.bz2 +sha256 60345d7c0b9c8d7ffa469e96898c300def3669f5047fc76219b819340839f3d8 xz-5.8.2.tar.bz2 # Hash for license files sha256 616a3ad264ce29b8f1cb97e53037b139d406899ca8d1f799651e17bfa09830b8 COPYING sha256 0b01625d853911cd0e2e088dcfb743261034a091bb379246cb25a14cc4c74bf1 COPYING.0BSD -sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING.GPLv2 +sha256 edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6 COPYING.GPLv2 sha256 3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986 COPYING.GPLv3 -sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LGPLv2.1 +sha256 20e50fe7aae3e56378ebf0417d9de904f55a0e61e4df315333e632a4d3555d95 COPYING.LGPLv2.1 diff --git a/package/xz/xz.mk b/package/xz/xz.mk index b1e210a172dc..8aa0716b18b3 100644 --- a/package/xz/xz.mk +++ b/package/xz/xz.mk @@ -4,7 +4,7 @@ # ################################################################################ -XZ_VERSION = 5.8.1 +XZ_VERSION = 5.8.2 XZ_SOURCE = xz-$(XZ_VERSION).tar.bz2 XZ_SITE = https://github.com/tukaani-project/xz/releases/download/v$(XZ_VERSION) XZ_INSTALL_STAGING = YES