Merged
1 change: 1 addition & 0 deletions configs/acmesystems_acqua_a5_256mb_defconfig
@@ -23,6 +23,7 @@ BR2_TARGET_AT91BOOTSTRAP3=y
BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_GIT=y
BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_REPO_URL="https://github.com/linux4sam/at91bootstrap.git"
BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_REPO_VERSION="v3.10.3"
BR2_TARGET_AT91BOOTSTRAP3_LICENSE_FILES=""
BR2_TARGET_AT91BOOTSTRAP3_DEFCONFIG="acqua-256m"
BR2_PACKAGE_HOST_DOSFSTOOLS=y
BR2_PACKAGE_HOST_GENIMAGE=y
1 change: 1 addition & 0 deletions configs/acmesystems_acqua_a5_512mb_defconfig
@@ -23,6 +23,7 @@ BR2_TARGET_AT91BOOTSTRAP3=y
BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_GIT=y
BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_REPO_URL="https://github.com/linux4sam/at91bootstrap.git"
BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_REPO_VERSION="v3.10.3"
BR2_TARGET_AT91BOOTSTRAP3_LICENSE_FILES=""
BR2_TARGET_AT91BOOTSTRAP3_DEFCONFIG="acqua-512m"
BR2_PACKAGE_HOST_DOSFSTOOLS=y
BR2_PACKAGE_HOST_GENIMAGE=y
@@ -0,0 +1,42 @@
From: Radoslav Kolev <[email protected]>
Date: Fri, 21 Nov 2025 11:21:18 +0200
Subject: wget: don't allow control characters or spaces in the URL
Forwarded: yes, https://lists.busybox.net/pipermail/busybox/2025-November/091840.html
Bug-Debian: https://bugs.debian.org/1120795

Fixes CVE-2025-60876 malicious URL can be used to inject
HTTP headers in the request.

Signed-off-by: Radoslav Kolev <[email protected]>
Reviewed-by: Emmanuel Deloget <[email protected]>
Upstream: https://sources.debian.org/data/main/b/busybox/1%3A1.37.0-10/debian/patches/wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch
Upstream: https://lists.busybox.net/pipermail/busybox/2025-November/091840.html
CVE: CVE-2025-60876
Signed-off-by: Thomas Perale <[email protected]>
---
networking/wget.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/networking/wget.c b/networking/wget.c
index ec3767793..fa555427b 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h)
{
char *url, *p, *sp;

+ /* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */
+ /* otherwise a malicious URL can be used to inject HTTP headers in the request */
+ const unsigned char *u = (void *) src_url;
+ while (*u) {
+ if (*u <= ' ')
+ bb_simple_error_msg_and_die("Unencoded control character found in the URL!");
+ u++;
+ }
+
free(h->allocated);
h->allocated = url = xstrdup(src_url);

--
2.47.3
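Review bot: The loop added to parse_url() rejects raw bytes 0x01–0x20 only, so DEL (0x7f) is still accepted even though the subject line promises that control characters are refused; `if (*u <= ' ' || *u == 0x7f)` would close that gap. The die message also reports an "Unencoded control character" when the offending byte is an ordinary space, which misleads a user who simply passed an unquoted space; `"Control character or space found in the URL"` would be more accurate. The check sees the URL before any percent-decoding and the rest of parse_url() lies outside this hunk, so it is worth confirming that no component decoded later is written into a request line before treating the CVE as closed through the BUSYBOX_IGNORE_CVES entry in package/busybox/busybox.mk. Since the patch carries Upstream: trailers, these changes are best proposed on the busybox list rather than made only in this copy.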

3 changes: 3 additions & 0 deletions package/busybox/busybox.mk
@@ -19,6 +19,9 @@ BUSYBOX_IGNORE_CVES += CVE-2022-28391
# 0013-testsuite-tar-tests-fix-test-after-cve-2025-46394.patch
BUSYBOX_IGNORE_CVES += CVE-2025-46394

# 0014-wget-dont-allow-control-characters-or-spaces-in-the-URL.patch
BUSYBOX_IGNORE_CVES += CVE-2025-60876

BUSYBOX_CFLAGS = \
$(TARGET_CFLAGS)

4 changes: 1 addition & 3 deletions package/coreutils/coreutils.hash
@@ -1,5 +1,3 @@
# From https://lists.gnu.org/archive/html/coreutils-announce/2025-09/msg00000.html
sha1 a6a58e00688fe0705a7051b36592f1e43e89a9ef coreutils-9.8.tar.xz
sha256 e6d4fd2d852c9141a1c2a18a13d146a0cd7e45195f72293a4e4c044ec6ccca15 coreutils-9.8.tar.xz
# Locally computed
sha256 16535a9adf0b10037364e2d612aad3d9f4eca3a344949ced74d12faf4bd51d25 coreutils-9.10.tar.xz
sha256 3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986 COPYING
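Review bot: The coreutils-9.10.tar.xz hash sits under "# Locally computed" with no upstream reference, whereas the 9.8 entries it appears to replace cited the release announcement and carried the sha1 and sha256 published there. A locally computed hash only pins whatever the packager happened to download, so the comment should record how the tarball was authenticated, for example `# Locally computed after checking pgp signature`, or cite the 9.10 announcement as the old comment did. Which lines are old and which are new is inferred from the version numbers, because the rendered page has lost the +/- markers.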
5 changes: 3 additions & 2 deletions package/coreutils/coreutils.mk
@@ -4,7 +4,7 @@
#
################################################################################

COREUTILS_VERSION = 9.8
COREUTILS_VERSION = 9.10
COREUTILS_SITE = $(BR2_GNU_MIRROR)/coreutils
COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
COREUTILS_LICENSE = GPL-3.0+
@@ -16,6 +16,7 @@ COREUTILS_CPE_ID_VENDOR = gnu
# if the system is compliant even with this option passed
COREUTILS_CONF_OPTS = --disable-rpath \
--disable-year2038 \
--enable-install-program=kill,uptime \
$(if $(BR2_TOOLCHAIN_USES_MUSL),--with-included-regex)

ifeq ($(BR2_PACKAGE_COREUTILS_INDIVIDUAL_BINARIES),y)
@@ -57,7 +58,7 @@ COREUTILS_CONF_ENV = ac_cv_c_restrict=no \

COREUTILS_BIN_PROGS = base64 cat chgrp chmod chown cp date dd df dir echo false \
kill link ln ls mkdir mknod mktemp mv nice printenv pwd rm rmdir \
vdir sleep stty sync touch true uname join
vdir sleep stty sync touch true uname uptime join

ifeq ($(BR2_PACKAGE_ACL),y)
COREUTILS_DEPENDENCIES += acl
4 changes: 2 additions & 2 deletions package/haproxy/haproxy.hash
@@ -1,5 +1,5 @@
# From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.22.tar.gz.sha256
sha256 4c0797f450f997dc287d2c7aafa7a0e5b7a2d71593a2cd58e664e8f3aea614fa haproxy-2.6.22.tar.gz
# From: http://www.haproxy.org/download/2.6/src/haproxy-2.6.23.tar.gz.sha256
sha256 1281d57f25e98456a042c81f32801a106a293c1340b0c06debb2a87d6a7b3611 haproxy-2.6.23.tar.gz
# Locally computed:
sha256 0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca28 LICENSE
sha256 5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a doc/lgpl.txt
6 changes: 5 additions & 1 deletion package/haproxy/haproxy.mk
@@ -5,12 +5,16 @@
################################################################################

HAPROXY_VERSION_MAJOR = 2.6
HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).22
HAPROXY_VERSION = $(HAPROXY_VERSION_MAJOR).23
HAPROXY_SITE = http://www.haproxy.org/download/$(HAPROXY_VERSION_MAJOR)/src
HAPROXY_LICENSE = GPL-2.0+ and LGPL-2.1+ with exceptions
HAPROXY_LICENSE_FILES = LICENSE doc/lgpl.txt doc/gpl.txt
HAPROXY_CPE_ID_VENDOR = haproxy

# Incomplete NVD annotations, fixed since v2.6.15
# https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=832b672eee54866c7a42a1d46078cc9ae0d544d9
HAPROXY_IGNORE_CVES += CVE-2023-45539

HAPROXY_MAKE_OPTS = \
LD=$(TARGET_CC) \
PREFIX=/usr \
2 changes: 1 addition & 1 deletion package/intel-mediadriver/intel-mediadriver.hash
@@ -1,3 +1,3 @@
# Locally computed
sha256 c59cbef1de138bcda45b93ad2b7f3db65619756d5c126fb32a30076ba5bb71b0 intel-media-26.1.1.tar.gz
sha256 e2eea3df18d766059d6667a187ae47d0ea986fa0502d8ba8fdf92183e65e9871 intel-media-26.1.2.tar.gz
sha256 74979d5aaee78b8da82e3aafd415a216b6131dfff6d95d6930927c8a4e3bded3 LICENSE.md
2 changes: 1 addition & 1 deletion package/intel-mediadriver/intel-mediadriver.mk
@@ -6,7 +6,7 @@

# based on https://software.intel.com/en-us/articles/build-and-debug-open-source-media-stack

INTEL_MEDIADRIVER_VERSION = 26.1.1
INTEL_MEDIADRIVER_VERSION = 26.1.2
INTEL_MEDIADRIVER_SITE = https://github.com/intel/media-driver/archive
INTEL_MEDIADRIVER_SOURCE= intel-media-$(INTEL_MEDIADRIVER_VERSION).tar.gz
INTEL_MEDIADRIVER_LICENSE = MIT, BSD-3-Clause
2 changes: 1 addition & 1 deletion package/intel-vpl-gpu-rt/intel-vpl-gpu-rt.hash
@@ -1,3 +1,3 @@
# Locally computed
sha256 67fd57d1c5709b58bb6406d60e3f2c4e0b47bd38c4a82c4c46619b78f6c23e72 intel-vpl-gpu-rt-26.1.1.tar.gz
sha256 1f0b4a81b206253d315d795e5c075312f6b20e0110c7cf9bc83d24bd548fc015 intel-vpl-gpu-rt-26.1.2.tar.gz
sha256 c31c3cc5fd66d1250dbca1c3d9011a9f874537442ac71c8de80f2f0fed13f297 LICENSE
2 changes: 1 addition & 1 deletion package/intel-vpl-gpu-rt/intel-vpl-gpu-rt.mk
@@ -4,7 +4,7 @@
#
################################################################################

INTEL_VPL_GPU_RT_VERSION = 26.1.1
INTEL_VPL_GPU_RT_VERSION = 26.1.2
INTEL_VPL_GPU_RT_SITE = $(call github,intel,vpl-gpu-rt,intel-onevpl-$(INTEL_VPL_GPU_RT_VERSION))
INTEL_VPL_GPU_RT_LICENSE = MIT
INTEL_VPL_GPU_RT_LICENSE_FILES = LICENSE
2 changes: 1 addition & 1 deletion package/kodi-pvr-mythtv/kodi-pvr-mythtv.hash
@@ -1,3 +1,3 @@
# Locally computed
sha256 c34a54d06aefef1c4c250ab766c459becc1fdaf42782da75cf749b71585bf6dd kodi-pvr-mythtv-21.2.14-Omega.tar.gz
sha256 47d058a9bd960ccdc3352b2fac6f4aeb7587bad50cf1daee20d643c5e64deeb2 kodi-pvr-mythtv-21.2.15-Omega.tar.gz
sha256 310782e1abd43c4de6217c513e328bddf999d39302d67c6e05b10a59959827af LICENSE.md
2 changes: 1 addition & 1 deletion package/kodi-pvr-mythtv/kodi-pvr-mythtv.mk
@@ -4,7 +4,7 @@
#
################################################################################

KODI_PVR_MYTHTV_VERSION = 21.2.14-Omega
KODI_PVR_MYTHTV_VERSION = 21.2.15-Omega
KODI_PVR_MYTHTV_SITE = $(call github,janbar,pvr.mythtv,$(KODI_PVR_MYTHTV_VERSION))
KODI_PVR_MYTHTV_LICENSE = GPL-2.0+
KODI_PVR_MYTHTV_LICENSE_FILES = LICENSE.md
4 changes: 2 additions & 2 deletions package/less/less.hash
@@ -1,6 +1,6 @@
# Locally calculated after checking pgp signature
# using DSA key F153A7C833235259
# https://www.greenwoodsoftware.com/less/less-691.sig
sha256 88b480eda1bb4f92009f7968b23189eaf1329211f5a3515869e133d286154d25 less-691.tar.gz
# https://www.greenwoodsoftware.com/less/less-692.sig
sha256 61300f603798ecf1d7786570789f0ff3f5a1acf075a6fb9f756837d166e37d14 less-692.tar.gz
# Locally calculated
sha256 3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986 COPYING
2 changes: 1 addition & 1 deletion package/less/less.mk
@@ -4,7 +4,7 @@
#
################################################################################

LESS_VERSION = 691
LESS_VERSION = 692
LESS_SITE = http://www.greenwoodsoftware.com/less
LESS_LICENSE = GPL-3.0+
LESS_LICENSE_FILES = COPYING
2 changes: 1 addition & 1 deletion package/php/php.hash
@@ -1,5 +1,5 @@
# From https://www.php.net/downloads.php?source=Y
sha256 cb75a9b00a2806f7390dd64858ef42a47b443b3475769c8af6af33a18b1381f1 php-8.5.2.tar.xz
sha256 ce65725b8af07356b69a6046d21487040b11f2acfde786de38b2bfb712c36eb9 php-8.5.3.tar.xz

# License file
sha256 b42e4df5e50e6ecda1047d503d6d91d71032d09ed1027ba1ef29eed26f890c5a LICENSE
2 changes: 1 addition & 1 deletion package/php/php.mk
@@ -4,7 +4,7 @@
#
################################################################################

PHP_VERSION = 8.5.2
PHP_VERSION = 8.5.3
PHP_SITE = https://www.php.net/distributions
PHP_SOURCE = php-$(PHP_VERSION).tar.xz
PHP_INSTALL_STAGING = YES