[pull] master from buildroot:master#858
Merged
pull[bot] merged 6 commits into mir-one:master from buildroot:master on Feb 10, 2026
Fixes the following security vulnerability:

CVE-2025-13151: Stack-based buffer overflow in asn1_expand_octet_string function
https://lists.gnu.org/archive/html/help-libtasn1/2026-01/msg00001.html

Release notes:
https://lists.gnu.org/archive/html/help-libtasn1/2026-01/msg00000.html

Signed-off-by: Peter Korsgaard <[email protected]>
Signed-off-by: Julien Olivain <[email protected]>

Fixes the following vulnerabilities:

CVE-2025-61732: cmd/cgo: remove user-content from doc strings in cgo ASTs

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. To prevent this behavior, the cgo compiler will no longer parse user-provided doc comments.

CVE-2025-68121: crypto/tls: unexpected session resumption when using Config.GetConfigForClient

Config.GetConfigForClient is documented to use the original Config's session ticket keys unless explicitly overridden. This can cause unexpected behavior if the returned Config modifies authentication parameters, like ClientCAs: a connection initially established with the parent (or a sibling) Config can be resumed, bypassing the modified authentication requirements.

If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the server) or InsecureSkipVerify is false (on the client), crypto/tls now checks that the root of the previously-verified chain is still in ClientCAs/RootCAs when resuming a connection.

Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue related to session ticket keys being implicitly shared by Config.Clone. Since this fix is broader, the Config.Clone behavior change has been reverted.

Note that VerifyPeerCertificate still behaves as documented: it does not apply to resumed connections. Applications that use Config.GetConfigForClient or Config.Clone and do not wish to blindly resume connections established with the original Config must use VerifyConnection instead (or SetSessionTicketKeys or SessionTicketsDisabled).

For more details, see the announcement:
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk

Signed-off-by: Peter Korsgaard <[email protected]>
Signed-off-by: Julien Olivain <[email protected]>

Fixes the following security vulnerabilities:

CVE-2026-1584: libgnutls: Fix NULL pointer dereference in PSK binder verification

A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello could lead to a denial of service attack via crashing the server. The updated code guards against the problematic dereference.

CVE-2025-14831: libgnutls: Fix name constraint processing performance issue

Verifying certificates with pathological amounts of name constraints could lead to a denial of service attack via resource exhaustion. Reworked processing algorithms exhibit better performance characteristics.

For more details, see the release notes:
https://lists.gnupg.org/pipermail/gnutls-help/2026-February/004914.html

Drop now upstreamed 0001-audit-crau-fix-compilation-with-gcc-11.patch:
https://gitlab.com/gnutls/gnutls/-/commit/f5666f8f1f653cfe2bef808a9c9b61534f279ed1

Signed-off-by: Peter Korsgaard <[email protected]>
Signed-off-by: Julien Olivain <[email protected]>

Fixes the following security vulnerability:

CVE-2026-25646 (High): Heap buffer overflow in png_set_quantize when called with no histogram and a palette larger than twice the requested maximum number of colors.

For more details, see the advisory: GHSA-g8hp-mq4h-rqm3

Release notes:
https://github.com/pnggroup/libpng/blob/v1.6.55/ANNOUNCE

Signed-off-by: Peter Korsgaard <[email protected]>
Signed-off-by: Julien Olivain <[email protected]>

https://ccache.dev/releasenotes.html#_ccache_4_12_3

Use sha256 tarball hash provided by upstream.

Updated license hash due to copyright year bump: ccache/ccache@ec03916

Signed-off-by: Bernd Kuhls <[email protected]>
Signed-off-by: Marcus Hoffmann <[email protected]>

https://lists.gnu.org/archive/html/m4-announce/2026-02/msg00000.html

Signed-off-by: Bernd Kuhls <[email protected]>
Signed-off-by: Marcus Hoffmann <[email protected]>

See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )