Release notes for Yocto-5.0.2 (Scarthgap)

Security Fixes in Yocto-5.0.2

cups: Fix CVE-2024-35235
gcc: Fix CVE-2024-0151
gdk-pixbuf: Fix CVE-2022-48622
ghostscript: fix CVE-2024-29510, CVE-2024-33869, CVE-2024-33870 and CVE-2024-33871
git: Fix CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, CVE-2024-32021 and CVE-2024-32465
glib-2.0: Fix CVE-2024-34397
glibc: Fix CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601 and CVE-2024-33602
ncurses: Fix CVE-2023-45918 and CVE-2023-50495
openssl: Fix CVE-2024-4603 and CVE-2024-4741
util-linux: Fix CVE-2024-28085
xserver-xorg: Fix CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 and CVE-2024-31083

Fixes in Yocto-5.0.2

appstream: Upgrade to 1.0.3
apr: submit 0001-Add-option-to-disable-timed-dependant-tests.patch upstream
base-files: profile: fix error sh: 1: unknown operand
bash: Fix file-substitution error-handling bug
bash: mark build-tests.patch as Inappropriate
binutils: Fix aarch64 disassembly abort
bitbake: bb: Use namedtuple for Task data
bitbake: cooker: Handle ImportError for websockets
bitbake: fetch2/gcp: Add missing runfetchcmd import
bitbake: fetch2/wget: Canonicalize DL_DIR paths for wget2 compatibility
bitbake: fetch2/wget: Fix failure path for files that are empty or don’t exist
bitbake: hashserv: client: Add batch stream API
bitbake: parse: Improve/fix cache invalidation via mtime
bitbake: runqueue: Add timing warnings around slow loops
bitbake: runqueue: Allow rehash loop to exit in case of interrupts
bitbake: runqueue: Improve rehash get_unihash parallelism
bitbake: runqueue: Process unihashes in parallel at init
bitbake: siggen/runqueue: Report which dependencies affect the taskhash
bitbake: siggen: Enable batching of unihash queries
bitbake: tests/fetch: Tweak test to match upstream repo url change
bitbake: tests/fetch: Tweak to work on Fedora40
build-appliance-image: Update to scarthgap head revision
busybox: update CVE-2022-28391 patches upstream status
cdrtools-native: Fix build with GCC 14
classes: image_types: apply EXTRA_IMAGECMD:squashfs* in oe_mksquashfs()
classes: image_types: quote variable assignment needed by dash
consolekit: Disable incompatible-pointer-types warning as error
cracklib: Modify patch to compile with GCC 14
cronie: Upgrade to 1.7.2
cups: Upgrade to 2.4.9
db: ignore implicit-int and implicit-function-declaration issues fatal with gcc-14
devtool: modify: Catch git submodule error for go code
devtool: standard: update-recipe/finish: fix update localfile in another layer
devtool: sync: Fix Execution error
expect: ignore various issues now fatal with gcc-14
expect: mark patches as Inactive-Upstream
gawk: fix readline detection
gcc : Upgrade to v13.3
gcc-runtime: libgomp fix for gcc 14 warnings with mandb selftest
gdk-pixbuf: Upgrade to 2.42.12
git: set –with-gitconfig=/etc/gitconfig for -native builds
git: Upgrade to 2.44.1
glib-2.0: Upgrade to 2.78.6
glibc: Update to latest on stable 2.39 branch (273a835fe7…)
glibc: correct LICENSE to “GPL-2.0-only & LGPL-2.1-or-later”
go: Drop the linkmode completely
goarch: Revert “disable dynamic linking globally”
gstreamer1.0-plugins-good: Include qttools-native during the build with qt5 PACKAGECONFIG
gtk4: Disable int-conversion warning as error
icu: add upstream submission links for fix-install-manx.patch
ipk: Fix clean up of extracted IPK payload
iproute2: Fix build with GCC-14
iproute2: drop obsolete patch
iputils: splitting the ping6 as a package
kea: Remove -fvisibility-inlines-hidden from C++ flags
kea: remove unnecessary reproducibility patch
kernel.bbclass: check, if directory exists before removing empty module directory
kexec-tools: Fix build with GCC-14 on musl
lib/oe/package-manager: allow including self in create_packages_dir
lib/package_manager/ipk: Do not hardcode payload compression algorithm
libarchive: Upgrade to 3.7.4
libcgroup: fix build on non-systemd systems
libgloss: Do not apply non-existent patch
libinput: fix building with debug-gui option
libtraceevent: submit meson.patch upstream
libunwind: ignore various issues now fatal with gcc-14
libusb1: Set CVE_PRODUCT
llvm: Switch to using release tarballs
llvm: Upgrade to 18.1.5
lrzsz connman-gnome libfm: ignore various issues fatal with gcc-14
ltp: Fix build with GCC-14
ltp: add iputils-ping6 to RDEPENDS
lttng-ust: Upgrade to 2.13.8
mesa: Upgrade to 24.0.5
oeqa/postactions: Do not use -l option with df
oeqa/sdk/assimp: Upgrade and fix for gcc 14
oeqa/sdkext/devtool: replace use of librdfa
oeqa/selftest/debuginfod: use localpkgfeed to speed server startup
oeqa/selftest/devtool: Revert fix test_devtool_add_git_style2”
oeqa/selftest/devtool: add test for modifying recipes using go.bbclass
oeqa/selftest/devtool: add test for updating local files into another layer
oeqa/selftest/devtool: fix _test_devtool_add_git_url
oeqa: selftest: context: run tests serially if testtools/subunit modules are not found
openssl: Upgrade to 3.2.2
p11-kit: ignore various issues fatal with gcc-14 (for 32bit MACHINEs)
patchtest: test_metadata: fix invalid escape sequences
poky.conf: bump version for 5.0.2
ppp: Add RSA-MD in LICENSE
procps: fix build with new glibc but old kernel headers
ptest-runner: Bump to 2.4.4 (95f528c)
recipetool: Handle several go-import tags in go resolver
recipetool: Handle unclean response in go resolver
run-postinsts.service: Removed –no-reload to fix reload warning when users execute systemctl in the first boot.
selftest/classes: add localpkgfeed class
serf: mark patch as inappropriate for upstream submission
taglib: Upgrade to 2.0.1
ttyrun: define CVE_PRODUCT
uboot-sign: fix loop in do_uboot_assemble_fitimage
update-rc.d: add +git to PV
webkitgtk: Upgrade to 2.44.1
xinput-calibrator: mark upstream as inactive in a patch
xserver-xorg: Upgrade to 21.1.12
yocto-uninative: Update to 4.5 for gcc 14
zip: Fix build with gcc-14