Skip to content

[pull] master from buildroot:master#1074

Merged
pull[bot] merged 11 commits into
mir-one:masterfrom
buildroot:master
Jul 1, 2026
Merged

[pull] master from buildroot:master#1074
pull[bot] merged 11 commits into
mir-one:masterfrom
buildroot:master

Conversation

@pull

@pull pull Bot commented Jul 1, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

Dowan Gullient via buildroot and others added 11 commits July 1, 2026 19:56
In the precedent patch "support/testing: test_gnupg2.py: use
assertRunNotOk()" [1] a small typo (OK instead of Ok) was introduced
in the test_gnupg2.py file, which caused a runtime failure.

This patch simply replace "self.assertRunNotOK(cmd)" with
"self.assertRunNotOk(cmd)" to correct this typo.

[1] cb79185

Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
[Fiona: fix commit message formatting]
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
For more information on the release, see:
  - https://mariadb.com/docs/release-notes/community-server/10.11/10.11.18

It fixes the following vulnerabilities:

- CVE-2026-48163:
    MariaDB server is a community developed fork of MySQL server. From
    versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1
    to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST
    the donor node is interpolating parameters that the joiner sent into
    the command line. Not all parameters were properly validated which
    could allow a malicious joiner to execute arbitrary shell commands on
    the donor side via the rsync SST method. This issue has been patched
    in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.

For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2026-48163

- CVE-2026-48165:
    MariaDB server is a community developed fork of MySQL server. From
    versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1
    to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-
    privileged MariaDB user could've used wsrep_sst_receive_address or
    wsrep_sst_donor global system variables to execute shell commands as
    the uid of the mariadbd process on the galera joiner node. This issue
    has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and
    12.3.2.

For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2026-48165

- CVE-2026-49261:
    MariaDB server is a community developed fork of MySQL server. Versions
    10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through
    11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with  `wsrep_notify_cmd`
    enabled would execute shell commands embedded in the name of the
    joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and
    12.3.2. As a workaround, anyone who cannot upgrade now should disable
    `wsrep_notify_cmd`.

For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2026-49261

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
See the changelog:

- https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#712-24---2026-05-26
- https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#712-25---2026-06-04
- ImageMagick/ImageMagick@7.1.2-25...7.1.2-26

The bump to the v7.1.2-25 fixes the following vulnerabilities:

- CVE-2026-53465
- CVE-2026-53464
- CVE-2026-53463
- CVE-2026-53462
- CVE-2026-53461
- CVE-2026-53460

The bump to the v7.1.2-24 fixes the following vulnerabilities:

- CVE-2026-49219
- CVE-2026-49218
- CVE-2026-48994
- CVE-2026-48734
- CVE-2026-48733
- CVE-2026-48724

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.9.11/ReleaseNotes

Fixes TROVE-2026-025 & TROVE-2026-026.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For release notes, see:
https://github.com/CISOfy/lynis/releases/tag/3.1.7

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Agec is a simple file encryption tool that implements the
age format in C with minimal dependencies. The tool supports
asymmetric encryption based on X25519, and a passphrase
encryption based on scrypt.

https://git.sr.ht/~min/agec
https://age-encryption.org

Encryption is silently broken for files <35 bytes, so add a patch submitted
upstream to fix that.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release now includes our local patch so we can drop it.

Changelog: https://git.glasklar.is/sigsum/core/sigsum-c/-/blob/v1.1.0/NEWS?ref_type=tags#L1-28

Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://arma.sourceforge.net/docs.html#changelog

Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://github.com/intel/media-driver/releases/tag/intel-media-26.2.3

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://github.com/intel/vpl-gpu-rt/releases/tag/intel-onevpl-26.2.3

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
@pull pull Bot locked and limited conversation to collaborators Jul 1, 2026
@pull pull Bot added the ⤵️ pull label Jul 1, 2026
@pull pull Bot merged commit 8a66e2f into mir-one:master Jul 1, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants