From dd929c3d253dfaf9392d327c16c5e0d0f2b1353f Mon Sep 17 00:00:00 2001 From: Bernd Kuhls Date: Fri, 19 Jun 2026 19:28:10 +0200 Subject: [PATCH 1/6] package/ghostscript: security bump to version 10.07.1 https://ghostscript.readthedocs.io/en/gs10.07.1/News.html "This release addresses a number of potential security issues." Renumbered patch which was forgotten during the last version bump. Signed-off-by: Bernd Kuhls Signed-off-by: Julien Olivain --- package/ghostscript/{0002-brotli.patch => 0001-brotli.patch} | 0 package/ghostscript/ghostscript.hash | 4 ++-- package/ghostscript/ghostscript.mk | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) rename package/ghostscript/{0002-brotli.patch => 0001-brotli.patch} (100%) diff --git a/package/ghostscript/0002-brotli.patch b/package/ghostscript/0001-brotli.patch similarity index 100% rename from package/ghostscript/0002-brotli.patch rename to package/ghostscript/0001-brotli.patch diff --git a/package/ghostscript/ghostscript.hash b/package/ghostscript/ghostscript.hash index c2e48b01e60..94017262dff 100644 --- a/package/ghostscript/ghostscript.hash +++ b/package/ghostscript/ghostscript.hash @@ -1,5 +1,5 @@ -# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10070/SHA512SUMS -sha512 1c2a14951223c975a53bd9767c28bd3a6e420c385a5e0d7a60a5ff5b091bc027929c815bf57cddf97611e8d265ece1c219321737f2cabb5646685c6e8cdb85c9 ghostscript-10.07.0.tar.xz +# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10071/SHA512SUMS +sha512 7b38ca10fa7ab648924f7db3e2e4933c3d18e04c8db1346fca4d4f7b85dfbd7888d5fc46f413613b46429fb47b675a593994c25e50e9de4dcdbee3bdd8a5e449 ghostscript-10.07.1.tar.xz # Hash for license file: sha256 8ce064f423b7c24a011b6ebf9431b8bf9861a5255e47c84bfb23fc526d030a8b LICENSE diff --git a/package/ghostscript/ghostscript.mk b/package/ghostscript/ghostscript.mk index 159e06db915..250c851b286 100644 --- a/package/ghostscript/ghostscript.mk +++ b/package/ghostscript/ghostscript.mk @@ -4,7 +4,7 @@ # ################################################################################ -GHOSTSCRIPT_VERSION = 10.07.0 +GHOSTSCRIPT_VERSION = 10.07.1 GHOSTSCRIPT_SOURCE = ghostscript-$(GHOSTSCRIPT_VERSION).tar.xz GHOSTSCRIPT_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs$(subst .,,$(GHOSTSCRIPT_VERSION)) GHOSTSCRIPT_LICENSE = AGPL-3.0 From 1db28a86877f6c2ec0797802ec667374aee59546 Mon Sep 17 00:00:00 2001 From: Bernd Kuhls Date: Sun, 21 Jun 2026 09:55:19 +0200 Subject: [PATCH 2/6] package/util-linux: lsfd needs headers >= 4.15 Buildroot commit 31af509b4f4fe52f67bd9109b8732a55b8f9cd2d bumped the package to 2.41.1 which includes upstream commit https://github.com/util-linux/util-linux/commit/036d72749ca274294051b43fd66727061a772b9c adding a dependency to BPF_OBJ_NAME_LEN for lsfd. BPF_OBJ_NAME_LEN was added to the kernel headers in version 4.15: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=cb4d2b3f03d8eed90be3a194e5b54b734ec4bbe9 so we need to raise the header version dependency for lsfd. The build error was found by the Gitlab pipelines for the defconfig bootlin-aarch64-glibc-old. Signed-off-by: Bernd Kuhls Signed-off-by: Fiona Klute --- package/util-linux/Config.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/util-linux/Config.in b/package/util-linux/Config.in index c63cec2a9cb..3df149b3de7 100644 --- a/package/util-linux/Config.in +++ b/package/util-linux/Config.in @@ -233,15 +233,15 @@ config BR2_PACKAGE_UTIL_LINUX_LOSETUP config BR2_PACKAGE_UTIL_LINUX_LSFD bool "lsfd" depends on BR2_USE_MMU # libsmartcols - depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_19 + depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_15 depends on !BR2_TOOLCHAIN_USES_UCLIBC # process_vm_readv select BR2_PACKAGE_UTIL_LINUX_LIBSMARTCOLS help List file descriptors (modern replacement for lsof) -comment "lsfd needs a musl or glibc toolchain w/ headers >= 3.19" +comment "lsfd needs a musl or glibc toolchain w/ headers >= 4.15" depends on BR2_USE_MMU - depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_19 \ + depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_15 \ || BR2_TOOLCHAIN_USES_UCLIBC config BR2_PACKAGE_UTIL_LINUX_LSLOGINS From 54f96add94901511862df18e527e456982005b8e Mon Sep 17 00:00:00 2001 From: Giulio Benetti Date: Mon, 22 Jun 2026 20:56:02 +0200 Subject: [PATCH 3/6] package/bind: security bump version to 9.20.24 Release notes: https://ftp.isc.org/isc/bind9/9.20.24/doc/arm/html/notes.html Changelog: https://ftp.isc.org/isc/bind9/9.20.24/doc/arm/html/changelog.html Fixes CVE-2026-3593. NOTE: Libraries libcap, liburcu are now mandatory. NOTE 2: the bind version 9.18.x series is marked by upstream as end-of-life. This commit switches to the current stable release series 9.20.x. See: https://kb.isc.org/docs/bind-9-end-of-life-dates https://www.isc.org/bind/ Signed-off-by: Giulio Benetti [Julien: add note 2 in commit log] Signed-off-by: Julien Olivain --- package/bind/Config.in | 15 ++++++++++----- package/bind/bind.hash | 4 ++-- package/bind/bind.mk | 4 ++-- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/package/bind/Config.in b/package/bind/Config.in index 512e948ca22..6f5f14a6bb5 100644 --- a/package/bind/Config.in +++ b/package/bind/Config.in @@ -1,10 +1,14 @@ config BR2_PACKAGE_BIND bool "bind" - depends on BR2_USE_MMU # fork(), libuv + depends on BR2_USE_MMU # fork(), libcap, libuv depends on BR2_TOOLCHAIN_HAS_SYNC_4 # libuv - depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL # libuv + depends on BR2_TOOLCHAIN_HAS_THREADS # liburcu, libuv + depends on BR2_INSTALL_LIBSTDCPP # liburcu depends on !BR2_STATIC_LIBS # libuv depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # libuv + depends on BR2_PACKAGE_LIBURCU_ARCH_SUPPORTS # liburcu + select BR2_PACKAGE_LIBCAP + select BR2_PACKAGE_LIBURCU select BR2_PACKAGE_LIBUV select BR2_PACKAGE_OPENSSL help @@ -44,8 +48,9 @@ config BR2_PACKAGE_BIND_TOOLS endif -comment "bind needs a toolchain w/ NPTL, dynamic library, gcc >= 4.9" +comment "bind needs a toolchain w/ threads, dynamic library, C++, gcc >= 4.9" depends on BR2_USE_MMU depends on BR2_TOOLCHAIN_HAS_SYNC_4 - depends on !BR2_TOOLCHAIN_HAS_THREADS_NPTL || BR2_STATIC_LIBS \ - || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 + depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS \ + || BR2_INSTALL_LIBSTDCPP || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 \ + || BR2_PACKAGE_LIBURCU_ARCH_SUPPORTS diff --git a/package/bind/bind.hash b/package/bind/bind.hash index 766540ee224..a1ff3c61018 100644 --- a/package/bind/bind.hash +++ b/package/bind/bind.hash @@ -1,4 +1,4 @@ -# Verified from https://ftp.isc.org/isc/bind9/9.18.50/bind-9.18.50.tar.xz.asc +# Verified from https://ftp.isc.org/isc/bind9/9.20.24/bind-9.20.24.tar.xz.asc # with key D99CCEAF879747014F038D63182E23579462EFAA -sha256 a24f93be94712a8c11752294410f2f8a2510ec7fdc931d207fc61cdf30e54f4d bind-9.18.50.tar.xz +sha256 989fef1fc88ea59d04cd86f854dca5a4616a20a9968bcdde3c1a3668ab36be08 bind-9.20.24.tar.xz sha256 9734825d67a3ac967b2c2f7c9a83c9e5db1c2474dbe9599157c3a4188749ebd4 COPYRIGHT diff --git a/package/bind/bind.mk b/package/bind/bind.mk index 54870bfa4ed..2b8156d0d0f 100644 --- a/package/bind/bind.mk +++ b/package/bind/bind.mk @@ -4,7 +4,7 @@ # ################################################################################ -BIND_VERSION = 9.18.50 +BIND_VERSION = 9.20.24 BIND_SOURCE= bind-$(BIND_VERSION).tar.xz BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION) BIND_INSTALL_STAGING = YES @@ -32,7 +32,7 @@ BIND_CONF_OPTS = \ --disable-static \ --with-openssl=$(STAGING_DIR)/usr -BIND_DEPENDENCIES = host-pkgconf libuv openssl +BIND_DEPENDENCIES = host-pkgconf libcap liburcu libuv openssl BIND_CFLAGS = $(TARGET_CFLAGS) From 91d356ee7e85016e659fece19c9cd660b3cb4787 Mon Sep 17 00:00:00 2001 From: Bernd Kuhls Date: Sat, 20 Jun 2026 20:46:51 +0200 Subject: [PATCH 4/6] package/util-linux: allow musl build for login/runuser/su Buildroot commit f89ca996b6deb660b53c33196b8b309fac659bf9 fixed the build of linux-pam with musl in 2020 but did not remove the restric- tions in place for login/runuser/su which were added earlier with these commits: login (2015): 25ecd24579f293ef4fcc6847094c4af39f4113af runuser (2017): 09860f354ae0824cfead384e994d3f119e22b851 su (2017): c6488923fb785ac11f6ec78e53db5da22203b178 Signed-off-by: Bernd Kuhls Signed-off-by: Fiona Klute --- package/util-linux/Config.in | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/package/util-linux/Config.in b/package/util-linux/Config.in index 3df149b3de7..e6ee4c3ceda 100644 --- a/package/util-linux/Config.in +++ b/package/util-linux/Config.in @@ -210,17 +210,15 @@ config BR2_PACKAGE_UTIL_LINUX_LOGIN depends on BR2_ENABLE_LOCALE # linux-pam depends on BR2_USE_WCHAR # linux-pam depends on !BR2_STATIC_LIBS # linux-pam - depends on !BR2_TOOLCHAIN_USES_MUSL # linux-pam depends on BR2_USE_MMU # fork(), linux-pam depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # linux-pam select BR2_PACKAGE_LINUX_PAM help Begin a session on the system -comment "login needs a uClibc or glibc toolchain w/ wchar, locale, dynamic library, gcc >= 4.9" +comment "login needs a toolchain w/ wchar, locale, dynamic library, gcc >= 4.9" depends on !(BR2_ENABLE_LOCALE && BR2_USE_WCHAR) \ || BR2_STATIC_LIBS \ - || BR2_TOOLCHAIN_USES_MUSL \ || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 config BR2_PACKAGE_UTIL_LINUX_LOSETUP @@ -366,7 +364,6 @@ config BR2_PACKAGE_UTIL_LINUX_RUNUSER bool "runuser" depends on (BR2_ENABLE_LOCALE && BR2_USE_WCHAR) # linux-pam depends on !BR2_STATIC_LIBS - depends on !BR2_TOOLCHAIN_USES_MUSL # linux-pam depends on BR2_USE_MMU # fork(), linux-pam depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # linux-pam select BR2_PACKAGE_LINUX_PAM @@ -375,10 +372,9 @@ config BR2_PACKAGE_UTIL_LINUX_RUNUSER to ask for a password, because it may be executed by the root user only) -comment "runuser needs a uClibc or glibc toolchain w/ wchar, locale, dynamic library, gcc >= 4.9" +comment "runuser needs a toolchain w/ wchar, locale, dynamic library, gcc >= 4.9" depends on !(BR2_ENABLE_LOCALE && BR2_USE_WCHAR) \ || BR2_STATIC_LIBS \ - || BR2_TOOLCHAIN_USES_MUSL \ || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 config BR2_PACKAGE_UTIL_LINUX_SCHEDUTILS @@ -411,17 +407,15 @@ config BR2_PACKAGE_UTIL_LINUX_SU bool "su" depends on (BR2_ENABLE_LOCALE && BR2_USE_WCHAR) # linux-pam depends on !BR2_STATIC_LIBS - depends on !BR2_TOOLCHAIN_USES_MUSL # linux-pam depends on BR2_USE_MMU # fork(), linux-pam depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # linux-pam select BR2_PACKAGE_LINUX_PAM help Run a command with substitute user and group ID -comment "su needs a uClibc or glibc toolchain w/ wchar, locale, dynamic library, gcc >= 4.9" +comment "su needs a toolchain w/ wchar, locale, dynamic library, gcc >= 4.9" depends on !(BR2_ENABLE_LOCALE && BR2_USE_WCHAR) \ || BR2_STATIC_LIBS \ - || BR2_TOOLCHAIN_USES_MUSL \ || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 config BR2_PACKAGE_UTIL_LINUX_SULOGIN From 8fe41d5506d1d1c7a453be9977a4ffa65d39e886 Mon Sep 17 00:00:00 2001 From: Giulio Benetti Date: Thu, 25 Jun 2026 14:35:36 +0200 Subject: [PATCH 5/6] package/mongoose: security bump to version 7.22 Release notes: https://github.com/cesanta/mongoose/releases/tag/7.22 Fixes CVE-2026-37635. Signed-off-by: Giulio Benetti Signed-off-by: Julien Olivain --- package/mongoose/mongoose.hash | 2 +- package/mongoose/mongoose.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash index 556a4388803..1a60b0c89c6 100644 --- a/package/mongoose/mongoose.hash +++ b/package/mongoose/mongoose.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 d4ddbd12c12f223abefcc0a74417a638ae5c118d7cf10ba546553c6b0e0b5ada mongoose-7.21.tar.gz +sha256 87727cd2c240ff559b16e9710d44b61ba3513dbee50428bd8ee1596d7c58460a mongoose-7.22.tar.gz sha256 f0d9cfd6f7d92f6ec061a5fb2882f67d2521a151bf09a637c33ca6181834b048 LICENSE diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk index 8250751eb89..207d31cdfad 100644 --- a/package/mongoose/mongoose.mk +++ b/package/mongoose/mongoose.mk @@ -4,7 +4,7 @@ # ################################################################################ -MONGOOSE_VERSION = 7.21 +MONGOOSE_VERSION = 7.22 MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION)) MONGOOSE_LICENSE = GPL-2.0 MONGOOSE_LICENSE_FILES = LICENSE From 9998130badb6101cdf6f6da0bbd1228d79825b63 Mon Sep 17 00:00:00 2001 From: Giulio Benetti Date: Mon, 22 Jun 2026 15:01:19 +0200 Subject: [PATCH 6/6] package/util-linux: fix CVE-2026-27456 As mentioned here[1] we require patch[2] to fix CVE-2026-27456. [1]: https://lore.kernel.org/util-linux/c2fo4x3lcppsj77k564i4qodmon3wagx47qf4mqwjwdtiplupg@jmaqrlzp273h/T/#u [2]: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?h=stable/v2.41&id=2dacaf3eea391e3bbf48e7d3ecce02cafe045b6d Cc: Alexander Dahl Signed-off-by: Giulio Benetti [Fiona: add CVE trailer to patch file] Signed-off-by: Fiona Klute --- ...at2-RESOLVE_NO_SYMLINKS-for-backing-.patch | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 package/util-linux/0003-loopdev-use-openat2-RESOLVE_NO_SYMLINKS-for-backing-.patch diff --git a/package/util-linux/0003-loopdev-use-openat2-RESOLVE_NO_SYMLINKS-for-backing-.patch b/package/util-linux/0003-loopdev-use-openat2-RESOLVE_NO_SYMLINKS-for-backing-.patch new file mode 100644 index 00000000000..7195c223ac4 --- /dev/null +++ b/package/util-linux/0003-loopdev-use-openat2-RESOLVE_NO_SYMLINKS-for-backing-.patch @@ -0,0 +1,59 @@ +From 2dacaf3eea391e3bbf48e7d3ecce02cafe045b6d Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Wed, 27 May 2026 15:15:22 +0200 +Subject: [PATCH] loopdev: use openat2(RESOLVE_NO_SYMLINKS) for backing file + +Use ul_open_no_symlinks() instead of open(O_NOFOLLOW) when +LOOPDEV_FL_NOFOLLOW is set. O_NOFOLLOW only rejects symlinks at the +last path component, but TOCTOU attacks swap intermediate components. +openat2(RESOLVE_NO_SYMLINKS) rejects symlinks at any component. + +Upstream: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?h=stable/v2.41&id=2dacaf3eea391e3bbf48e7d3ecce02cafe045b6d +CVE: CVE-2026-27456 +Signed-off-by: Karel Zak +(cherry picked from commit 119d23f1e3f55cf10e3c66dab80fc308c9f26456) +Signed-off-by: Giulio Benetti +[Fiona: add CVE trailer] +Signed-off-by: Fiona Klute +--- + lib/loopdev.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/lib/loopdev.c b/lib/loopdev.c +index 76685be70..31377fc9a 100644 +--- a/lib/loopdev.c ++++ b/lib/loopdev.c +@@ -1412,16 +1412,21 @@ int loopcxt_setup_device(struct loopdev_cxt *lc) + if (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO) + flags |= O_DIRECT; + if (lc->flags & LOOPDEV_FL_NOFOLLOW) +- flags |= O_NOFOLLOW; +- +- if ((file_fd = open(lc->filename, mode | flags)) < 0) { +- if (mode != O_RDONLY && (errno == EROFS || errno == EACCES)) +- file_fd = open(lc->filename, (mode = O_RDONLY) | flags); ++ file_fd = ul_open_no_symlinks(lc->filename, mode | flags, 0); ++ else ++ file_fd = open(lc->filename, mode | flags); + +- if (file_fd < 0) { +- DBG(SETUP, ul_debugobj(lc, "open backing file failed: %m")); +- return -errno; +- } ++ if (file_fd < 0 && mode != O_RDONLY ++ && (errno == EROFS || errno == EACCES)) { ++ mode = O_RDONLY; ++ if (lc->flags & LOOPDEV_FL_NOFOLLOW) ++ file_fd = ul_open_no_symlinks(lc->filename, mode | flags, 0); ++ else ++ file_fd = open(lc->filename, mode | flags); ++ } ++ if (file_fd < 0) { ++ DBG(SETUP, ul_debugobj(lc, "open backing file failed: %m")); ++ return -errno; + } + DBG(SETUP, ul_debugobj(lc, "backing file open: OK")); + +-- +2.47.3 +