From f8e89786f92ac65e10c76b8ce3b0d833cfbaf48f Mon Sep 17 00:00:00 2001 From: "manuel.diener" Date: Wed, 11 Feb 2026 15:19:43 +0100 Subject: [PATCH 1/6] package/python-django: security bump to 6.0.2 Fixes the following security issues: - CVE-2025-13473 (low): Username enumeration through timing difference in mod_wsgi authentication handler - CVE-2025-14550 (moderate): Potential denial-of-service vulnerability via repeated headers when using ASGI - CVE-2026-1207 (high): Potential SQL injection via raster lookups on PostGIS - CVE-2026-1285 (moderate): Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods - CVE-2026-1287 (high): Potential SQL injection in column aliases via control characters - CVE-2026-1312 (high): Potential SQL injection via QuerySet.order_by and FilteredRelation See the release notes here: https://docs.djangoproject.com/en/dev/releases/6.0.2/ Also includes the bugfixes from version 6.0.1: https://docs.djangoproject.com/en/dev/releases/6.0.1/ Signed-off-by: Manuel Diener Signed-off-by: Marcus Hoffmann Signed-off-by: Julien Olivain
---
 package/python-django/python-django.hash | 4 ++-- package/python-django/python-django.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 388b9df82cf9..f1ddcc71286c 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,6 +1,6 @@
 # md5, sha256 from https://pypi.org/pypi/django/json
-md5 2f0e8520f6cf3cd6bbc81ec4226f11c7 django-6.0.tar.gz
-sha256 7b0c1f50c0759bbe6331c6a39c89ae022a84672674aeda908784617ef47d8e26 django-6.0.tar.gz
+md5 0836ceb8f1f4694f87f0a698c64bd00e django-6.0.2.tar.gz
+sha256 3046a53b0e40d4b676c3b774c73411d7184ae2745fe8ce5e45c0f33d3ddb71a7 django-6.0.2.tar.gz
 # Locally computed sha256 checksums
 sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
 sha256 de642dff9b1019c2c7209032fb94ea92060084efb0bc4238d81a2219e21c7382 django/contrib/gis/measure.py
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index d6d9bba0ebef..18871163d66b 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_DJANGO_VERSION = 6.0
+PYTHON_DJANGO_VERSION = 6.0.2
 PYTHON_DJANGO_SOURCE = django-$(PYTHON_DJANGO_VERSION).tar.gz
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/15/75/19762bfc4ea556c303d9af8e36f0cd910ab17dff6c8774644314427a2120
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/26/3e/a1c4207c5dea4697b7a3387e26584919ba987d8f9320f59dc0b5c557a4eb
 PYTHON_DJANGO_LICENSE = BSD-3-Clause, MIT (jquery, utils/archive.py), BSD-2-Clause (inlines.js), CC-BY-4.0 (admin svg files)
 PYTHON_DJANGO_LICENSE_FILES = LICENSE \
 django/contrib/gis/measure.py \
From 267fac241c80054bd1b96ed1f2b1a569a96f0985 Mon Sep 17 00:00:00 2001
From: Bernd Kuhls Date: Wed, 11 Feb 2026 17:34:22 +0100 Subject: [PATCH 2/6] package/strace: bump version to 6.19 Updated license hash due to copyright year bump: https://github.com/strace/strace/commit/4d6755b556fb00fe5c33b09b08f951bad956c580 This bump includes two upstream commits https://github.com/strace/strace/commit/bf9384561f295340f85c69deb307740fc9dc28f0 https://github.com/strace/strace/commit/822b5e840dbf4a80262eaea455d9bc7b6a00d245 that fix build errors introduced by the bump of linux-headers to version 6.19 with buildroot commit 566150745bf61fdc1aee68fcf319bc4e8942960a. This bump is not included in any buildroot LTS branch so no backport necessary. Fixes: https://autobuild.buildroot.net/results/7a3/7a35bfcae87b1fbe1d6e0c4271a364ce330c1d51/ Signed-off-by: Bernd Kuhls Signed-off-by: Julien Olivain
---
 package/strace/strace.hash | 8 ++++---- package/strace/strace.mk | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package/strace/strace.hash b/package/strace/strace.hash
index 268045ef1dfa..63c32a53ef8e 100644
--- a/package/strace/strace.hash
+++ b/package/strace/strace.hash
@@ -1,6 +1,6 @@
 # Locally calculated after checking signature with RSA key from
-# https://raw.githubusercontent.com/strace/strace/refs/tags/v6.18/GPG-KEY
-# https://strace.io/files/6.18/strace-6.18.tar.xz.asc
-sha256 0ad5dcba973a69e779650ef1cb335b12ee60716fc7326609895bd33e6d2a7325 strace-6.18.tar.xz
-sha256 ca2a0994c57e48b16828008c80cdb626e471b6b59116a8443b2ce4e3c77ddc3b COPYING
+# https://raw.githubusercontent.com/strace/strace/refs/tags/v6.19/GPG-KEY
+# https://strace.io/files/6.19/strace-6.19.tar.xz.asc
+sha256 e076c851eec0972486ec842164fdc54547f9d17abd3d1449de8b120f5d299143 strace-6.19.tar.xz
+sha256 b897cf6bb865cdd72f49fba6ca7b66ad075b9bc51d3cf372923220ce18b5350f COPYING
 sha256 7c379436436a562834aa7d2f5dcae1f80a25230fa74201046ca1fba4367d39aa LGPL-2.1-or-later
diff --git a/package/strace/strace.mk b/package/strace/strace.mk
index 5230b4d60cc7..3f9e68820c8f 100644
--- a/package/strace/strace.mk
+++ b/package/strace/strace.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-STRACE_VERSION = 6.18
+STRACE_VERSION = 6.19
 STRACE_SOURCE = strace-$(STRACE_VERSION).tar.xz
 STRACE_SITE = https://github.com/strace/strace/releases/download/v$(STRACE_VERSION)
 STRACE_LICENSE = LGPL-2.1+
From c637c3dda4a9b8fc1200b32181162dc48a940b1a Mon Sep 17 00:00:00 2001 From: Michael Nosthoff Date: Wed, 11 Feb 2026 16:42:09 +0100 Subject: [PATCH 3/6] package/i2pd: bump to version 2.59.0 - Requirement for Boost.DateTime was removed in 2.54.0 [0] - Requirement for Boost.System was removed in 2.59.0 [1] - drop "WITH_GUI" conf_opt as it was dropped in 2.32.0 [2] - LICENSE hash changed due to year bump. Release notes: https://github.com/PurpleI2P/i2pd/releases/tag/2.59.0 [0] https://github.com/PurpleI2P/i2pd/commit/0992a5124fc9d214624fccdf4386a50f53d6f8ef [1] https://github.com/PurpleI2P/i2pd/commit/06a86f31a12815fbd16615cc9fa17199bac1ac17 [2] https://github.com/PurpleI2P/i2pd/commit/db6a0e6ad9124ef9b6217af487b3c844234ba5e1 Signed-off-by: Michael Nosthoff Signed-off-by: Julien Olivain
---
 package/i2pd/Config.in | 2 -- package/i2pd/i2pd.hash | 6 +++--- package/i2pd/i2pd.mk | 4 +--- 3 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/package/i2pd/Config.in b/package/i2pd/Config.in
index c1ba08ef757d..cb6f7894eae5 100644
--- a/package/i2pd/Config.in
+++ b/package/i2pd/Config.in
@@ -9,10 +9,8 @@ config BR2_PACKAGE_I2PD
 depends on BR2_USE_WCHAR # boost
 depends on !BR2_TOOLCHAIN_HAS_GCC_BUG_64735 # exception_ptr
 select BR2_PACKAGE_BOOST
- select BR2_PACKAGE_BOOST_DATE_TIME
 select BR2_PACKAGE_BOOST_FILESYSTEM
 select BR2_PACKAGE_BOOST_PROGRAM_OPTIONS
- select BR2_PACKAGE_BOOST_SYSTEM
 select BR2_PACKAGE_OPENSSL
 select BR2_PACKAGE_ZLIB
 help
diff --git a/package/i2pd/i2pd.hash b/package/i2pd/i2pd.hash
index a539a4dd1ae4..0d7755b58516 100644
--- a/package/i2pd/i2pd.hash
+++ b/package/i2pd/i2pd.hash
@@ -1,4 +1,4 @@
-# From https://github.com/PurpleI2P/i2pd/releases/download/2.58.0/SHA512SUMS
-sha512 d5d87a04ff5f8481516c00b07dd46726dfb3f0de67f4932874a0655b4adfa448a434056a131d727dd79a2f3ee1f6cc9aef5dc176a0b5ab546d8e94b6c0b38ee5 i2pd-2.58.0.tar.gz
+# From https://github.com/PurpleI2P/i2pd/releases/download/2.59.0/SHA512SUMS
+sha512 5fa4365eaa6fbc0e448732d3c96b867e27db21927727aeb9df8241d56fea08561028a7b6d51ba7fa1141d53c95b848108806edb9f420c2ebbed85f627f045af7 i2pd-2.59.0.tar.gz
 # Locally computed:
-sha256 5ec428c65b0bc8680e08daa75aa060fe72b5b3c3b89082ac02031e0f2d3d0039 LICENSE
+sha256 eb5ac2a5ede8cd6bed9e6d93ad943119a73bfaba378f21bafa307f9b026b2034 LICENSE
diff --git a/package/i2pd/i2pd.mk b/package/i2pd/i2pd.mk
index 3681e6006e8a..ac0348c24a48 100644
--- a/package/i2pd/i2pd.mk
+++ b/package/i2pd/i2pd.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-I2PD_VERSION = 2.58.0
+I2PD_VERSION = 2.59.0
 I2PD_SITE = $(call github,PurpleI2P,i2pd,$(I2PD_VERSION))
 I2PD_LICENSE = BSD-3-Clause
 I2PD_LICENSE_FILES = LICENSE
@@ -15,8 +15,6 @@ I2PD_DEPENDENCIES = \ openssl \ zlib -I2PD_CONF_OPTS += -DWITH_GUI=OFF ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y) I2PD_CONF_OPTS += \ -DHAVE_CXX_ATOMICS_WITHOUT_LIB=OFF \
From fc9a75807967e684c87cbcafead045ba0b62cc94 Mon Sep 17 00:00:00 2001 From: Kadambini Nema Date: Mon, 9 Feb 2026 22:34:34 -0800 Subject: [PATCH 4/6] package/ustreamer: bump version to 6.52 Changelog: https://github.com/pikvm/ustreamer/compare/v6.42...v6.52 Signed-off-by: Kadambini Nema Signed-off-by: Julien Olivain
---
 package/ustreamer/ustreamer.hash | 2 +- package/ustreamer/ustreamer.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/ustreamer/ustreamer.hash b/package/ustreamer/ustreamer.hash
index e2196b5b77fb..f5351e4f9c31 100644
--- a/package/ustreamer/ustreamer.hash
+++ b/package/ustreamer/ustreamer.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256 40c10b522c34bcb95bda9844a5a2a06173fea9a5d948882d70740cbe1fe7a8b4 ustreamer-6.42.tar.gz
+sha256 db00adfa02acfbdf6682ffae8e418b582d623e1971672d5df19858e02e2f3b0e ustreamer-6.52.tar.gz
 sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 LICENSE
diff --git a/package/ustreamer/ustreamer.mk b/package/ustreamer/ustreamer.mk
index bf87dc8abd47..b699b30c8499 100644
--- a/package/ustreamer/ustreamer.mk
+++ b/package/ustreamer/ustreamer.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-USTREAMER_VERSION = 6.42
+USTREAMER_VERSION = 6.52
 USTREAMER_SITE = $(call github,pikvm,ustreamer,v$(USTREAMER_VERSION))
 USTREAMER_LICENSE = GPL-3.0+
 USTREAMER_LICENSE_FILES = LICENSE
From bf832ca167da934e411c90ca95fb5c6245b59861 Mon Sep 17 00:00:00 2001 From: Giulio Benetti Date: Tue, 10 Feb 2026 17:48:51 +0100 Subject: [PATCH 5/6] package/mali-driver: bump to version 2026-02-10 This version builds up to Linux version 6.19. Fixes: still not happened Signed-off-by: Giulio Benetti Signed-off-by: Julien Olivain
---
 package/mali-driver/mali-driver.hash | 2 +- package/mali-driver/mali-driver.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/mali-driver/mali-driver.hash b/package/mali-driver/mali-driver.hash
index c6b027f1a309..0c0de10dac40 100644
--- a/package/mali-driver/mali-driver.hash
+++ b/package/mali-driver/mali-driver.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256 bbfd78d3342fe8bdef5e37659740f69818aa1b3be3a75e5bb085223d87a2a1d4 mali-driver-ef3da788030833289040e4396bff010edcc2289b.tar.gz
+sha256 cafcf9af1c8ce5045dc0f077c51b87d204ddad6cf7e5db22bbf6a3d4356be972 mali-driver-5c13ca89d83dec3e51ed1880dff726838bfdecd3.tar.gz
 sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 LICENSE
diff --git a/package/mali-driver/mali-driver.mk b/package/mali-driver/mali-driver.mk
index 40ae03a1dff0..77ef8963a594 100644
--- a/package/mali-driver/mali-driver.mk
+++ b/package/mali-driver/mali-driver.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-MALI_DRIVER_VERSION = ef3da788030833289040e4396bff010edcc2289b
+MALI_DRIVER_VERSION = 5c13ca89d83dec3e51ed1880dff726838bfdecd3
 MALI_DRIVER_SITE = $(call github,bootlin,mali-driver,$(MALI_DRIVER_VERSION))
 MALI_DRIVER_DEPENDENCIES = linux
 MALI_DRIVER_LICENSE = GPL-2.0
From 6a7fe6382aab710eee2338b061f1f4e4f8793e36 Mon Sep 17 00:00:00 2001 From: Romain Naour Date: Mon, 2 Feb 2026 15:45:50 +0100 Subject: [PATCH 6/6] support/testing/tests/package/test_firewalld: use ext2 instead of cpio The CPIO filesystem generated by the test_firewalld test is too large, and doesn't fit as an initramfs in the 256MB of RAM available in the versatilepb machine. This causes a "Initramfs unpacking failed: write error" when booting, and many files being missing from the root filesystem, ultimately causing the test to fail. The test_firewalld test initially started to fail following a systemd update [1][3]: [BRTEST# systemctl is-active firewalld failed But really started to crash at boot following a python 3.14 update [2][4]: Run /init as init process /init: exec: line 15: /sbin/init: not found Also, update TestFirewalldSysVInit to use ext2 instead of cpio. [1] 926e0504d06b5d61d7affb24b94b133b916b71f7 [2] a0a6abc8b193e5bdab5326324d7299c19d5d8c67 Fixes: [3] https://gitlab.com/buildroot.org/buildroot/-/jobs/12944797059 [4] https://gitlab.com/buildroot.org/buildroot/-/jobs/11856840940 Signed-off-by: Romain Naour Signed-off-by: Julien Olivain
---
 .../testing/tests/package/test_firewalld.py | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/support/testing/tests/package/test_firewalld.py b/support/testing/tests/package/test_firewalld.py
index 700337f63736..1093873b3875 100644
--- a/support/testing/tests/package/test_firewalld.py
+++ b/support/testing/tests/package/test_firewalld.py
@@ -23,19 +23,21 @@ class TestFirewalldSystemd(infra.basetest.BRTest): BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0" BR2_PACKAGE_PYTHON3=y BR2_PACKAGE_FIREWALLD=y - BR2_TARGET_ROOTFS_CPIO=y + BR2_TARGET_ROOTFS_EXT2=y + BR2_TARGET_ROOTFS_EXT2_SIZE="512M" # BR2_TARGET_ROOTFS_TAR is not set """ def test_run(self): - cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio") + ext2_file = os.path.join(self.builddir, "images", "rootfs.ext2") kernel_file = os.path.join(self.builddir, "images", "zImage") dtb_file = os.path.join(self.builddir, "images", "vexpress-v2p-ca9.dtb") self.emulator.boot(arch="armv7", kernel=kernel_file, - kernel_cmdline=["console=ttyAMA0,115200"], + kernel_cmdline=["console=ttyAMA0,115200", + "rootwait", "root=/dev/mmcblk0"], options=[ - "-initrd", cpio_file, + '-drive', f'file={ext2_file},if=sd,format=raw', "-dtb", dtb_file, "-M", "vexpress-a9" ]) @@ -78,19 +80,21 @@ class TestFirewalldSysVInit(infra.basetest.BRTest): BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0" BR2_PACKAGE_PYTHON3=y BR2_PACKAGE_FIREWALLD=y - BR2_TARGET_ROOTFS_CPIO=y + BR2_TARGET_ROOTFS_EXT2=y + BR2_TARGET_ROOTFS_EXT2_SIZE="512M" # BR2_TARGET_ROOTFS_TAR is not set """ def test_run(self): - cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio") + ext2_file = os.path.join(self.builddir, "images", "rootfs.ext2") kernel_file = os.path.join(self.builddir, "images", "zImage") dtb_file = os.path.join(self.builddir, "images", "vexpress-v2p-ca9.dtb") self.emulator.boot(arch="armv7", kernel=kernel_file, - kernel_cmdline=["console=ttyAMA0,115200"], + kernel_cmdline=["console=ttyAMA0,115200", + "rootwait", "root=/dev/mmcblk0"], options=[ - "-initrd", cpio_file, + '-drive', f'file={ext2_file},if=sd,format=raw', "-dtb", dtb_file, "-M", "vexpress-a9" ])
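Review bot: The added `'-drive', f'file={ext2_file},if=sd,format=raw',` line in `TestFirewalldSystemd.test_run`, and the identical line in `TestFirewalldSysVInit.test_run` in the second hunk, uses single quotes where every neighbouring option string uses double quotes; `"-drive", f"file={ext2_file},if=sd,format=raw",` keeps the list uniform. Neither test records why the root filesystem moved off the initramfs, so a comment above `ext2_file = ...` such as `# ext2 on an SD card: the rootfs no longer fits in RAM as an initramfs` would keep a later cleanup from reverting it. The image appears to be attached writable, so it is worth confirming that a re-run on an existing build directory still boots an unmodified `rootfs.ext2`. Both `test_run` bodies continue past the end of their hunks, and the two boot blocks are now line-for-line identical, so a shared helper would keep them from drifting apart.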