<feed xmlns='http://www.w3.org/2005/Atom'>
<title>staging/xback/package/libs, branch master</title>
<subtitle>Staging tree of Koen Vandeputte</subtitle>
<id>https://git.openwrt.org/openwrt/staging/xback/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/openwrt/staging/xback/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/'/>
<updated>2026-07-15T14:00:50Z</updated>
<entry>
<title>mbedtls: fix arm32 build errors with GCC 15.3</title>
<updated>2026-07-15T14:00:50Z</updated>
<author>
<name>Shiji Yang</name>
</author>
<published>2026-06-13T14:19:06Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/commit/?id=b04fa18ce60bada61876a72298c9262077d3e228'/>
<id>urn:sha1:b04fa18ce60bada61876a72298c9262077d3e228</id>
<content type='text'>
It seems that GCC 15.3 has added additional OOB checks for ARCH arm32.

Signed-off-by: Shiji Yang &lt;yangshiji66@outlook.com&gt;
Link: https://github.com/openwrt/openwrt/pull/23774
Signed-off-by: Jonas Jelonek &lt;jelonek.jonas@gmail.com&gt;
</content>
</entry>
<entry>
<title>openssl: update to 3.5.7</title>
<updated>2026-06-18T10:21:05Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-06-17T23:44:32Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/commit/?id=0d5fa224879029fde0637e2aa3707059c1264394'/>
<id>urn:sha1:0d5fa224879029fde0637e2aa3707059c1264394</id>
<content type='text'>
This release incorporates the following bug fixes and mitigations:

 * Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)
 * Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)
 * Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)
 * Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)
 * Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)
 * Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)
 * Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)
 * Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)
 * Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)
 * Fixed possible NULL dereference in password-dased CMS decryption. (CVE-2026-42766)
 * Fixed NULL pointer dereference in CRMF EncryptedValue decryption. (CVE-2026-42767)
 * Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768)
 * Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769)
 * Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)
 * Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)

Link: https://github.com/openwrt/openwrt/pull/23852
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>libnl: add host package</title>
<updated>2026-06-10T19:30:40Z</updated>
<author>
<name>John Audia</name>
</author>
<published>2026-04-11T13:16:44Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/commit/?id=7329e1be21bd3426b3ee67f58e3abe5c5f385def'/>
<id>urn:sha1:7329e1be21bd3426b3ee67f58e3abe5c5f385def</id>
<content type='text'>
Add a host package, which is a new requirement for nfs-kernel-server.

Signed-off-by: John Audia &lt;therealgraysky@proton.me&gt;
Link: https://github.com/openwrt/openwrt/pull/22889
Signed-off-by: Jonas Jelonek &lt;jelonek.jonas@gmail.com&gt;
</content>
</entry>
<entry>
<title>uclient: update to Git HEAD (2026-06-07)</title>
<updated>2026-06-08T22:57:32Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-06-07T11:31:36Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/commit/?id=ab253fb4bbd96521ef7081f0e7eec5b1b57b69da'/>
<id>urn:sha1:ab253fb4bbd96521ef7081f0e7eec5b1b57b69da</id>
<content type='text'>
f227ab4f1285 uclient: fix memory leak of url when backend alloc fails
645236607a3d uclient: free proxy_url in uclient_free
53d2d11fb00d uclient-http: fix NULL deref when digest WWW-Authenticate lacks params
0ba1b8718be5 ucode: check calloc return in uc_uclient_new
5cb19466d076 uclient-fetch: reset redirect counter per request
568c447950c1 uclient-fetch: retry short writes and surface errors
4c4a61a69ac3 uclient-fetch: use strtoull to parse Content-Length
440ca260622d uclient-http: validate Content-Length and chunk sizes from the server
8658324bd234 uclient: cast to unsigned char before ctype classifications
bf403fa0f8e5 uclient-fetch: reject CR in --header values
ec47f4176b1e uclient-fetch: always allocate auth_str and free it on exit
391dacd10d31 uclient-http: fail digest auth when the cnonce cannot be randomized
ba1f4311b099 ucode: clamp read length to the size of the static buffer
0ba47f319b09 uclient-fetch: advance to the next URL between requests
9dd0055d527d uclient: initialize *port for unknown address families
f816506651d5 uclient-http: start digest nonce count at 1
9b9b2da40835 uclient-http: fix 2-byte buffer undercount in digest add_field
80fb1e5ee68b ucode: avoid double-free of SSL context on ssl_init error
d44fb561bbcf ucode: don't clear an unrelated registry slot on free
02562403d2a3 uclient-fetch: close the output file before fetching the next URL
4a63561d0012 uclient-http: initialize fd to -1 so a failed connect can't close stdin
428ae8342118 uclient: cancel pending timers in uclient_free()
ffd8db308289 uclient-fetch: guard SSL debug setup against a missing SSL context
9f4db039a263 ucode: release callback argument references
d2af92b0aad9 uclient-http: resolve redirects against the proxy target URL
5dddda023267 uclient-utils: avoid out-of-bounds pointer in get_url_filename
8507588e7ce7 uclient-http: use the proxy target URL for HTTP authentication
322c89c6ca0a uclient-http: retry 401 auth for all body-less request methods
db3bb00ddda7 uclient-http: accept unquoted digest auth parameter values
5ce9983b2a11 uclient-http: follow 303 and 308 redirects
070c868486dc uclient-fetch: finalize request on invalid 206 Content-Range
83659a5a9bc1 uclient-fetch: concatenate multiple URLs into a single -O file
43bed2753998 ucode: don't leak string references in status()/get_headers()
03b17e4fc793 uclient-fetch: attach credentials to the proxy target, not the proxy
74c07b12f7ab uclient-fetch: don't run the progress meter in spider mode
daad21fa2c17 uclient-fetch: handle init_request failure on the 204 resume retry

Link: https://github.com/openwrt/openwrt/pull/23693
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>libmd: update to 1.2.0</title>
<updated>2026-06-04T07:59:32Z</updated>
<author>
<name>Seo Suchan</name>
</author>
<published>2026-06-03T13:37:18Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/commit/?id=e288f421f846ff2c8bb7fd16f678447aacd0ec57'/>
<id>urn:sha1:e288f421f846ff2c8bb7fd16f678447aacd0ec57</id>
<content type='text'>
this brings sha3 and black support into it.

90c4f43 Release libmd 1.2.0
fc4f75a build: Set TAR_OPTIONS to avoid leaking maintainer information on dist
36d829e build: Request tar-ustar format for distribution
c1b3bff Remove spurious blank lines at the beginning of functions
0ae00e2 Fix and hook SHA3 and SHAKE support
2c0d2f0 Add internal endian conversion functions support
3bb8921 Add internal explicit_bzero() support
4442c4b Add SHA3 and SHAKE support
7b740a6 doc: Move derived code attribution to a Comment field
bb5a08e doc: Remove redundant «Copyright ©» prefix from Copyright field in COPYING
9b03479 build: Add Maintainer and License fields to the .pc file
8fffa5f doc: Remove «All rights reserved» from COPYING
d5b8e85 build: Rename LIBMD_ABI to SOVERSION
ea62163 build: Add a coverage regex to the CI job
7e32142 man: Sync SHA2 changes from OpenBSD
488d585 build: Add a new vpath-tests CI test
b49ee25 build: Refactor autogen call into before_script
137dd4e build: Fix out-of-tree build

Signed-off-by: Seo Suchan &lt;tjtncks@gmail.com&gt;
Link: https://github.com/openwrt/openwrt/pull/23643
Signed-off-by: Jonas Jelonek &lt;jelonek.jonas@gmail.com&gt;
</content>
</entry>
<entry>
<title>libxml2: update to 2.15.3</title>
<updated>2026-06-04T07:49:44Z</updated>
<author>
<name>Seo Suchan</name>
</author>
<published>2026-06-03T11:00:40Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/commit/?id=43ee70c53f483b9fbe04d5085ac2480bf533c973'/>
<id>urn:sha1:43ee70c53f483b9fbe04d5085ac2480bf533c973</id>
<content type='text'>
Update to latest release. new maintainer upstream didn't make changelog, so see https://gitlab.gnome.org/GNOME/libxml2/-/commits/2.15?ref_type=heads for commits betwwen 2.15.1 and 2.15.3

Signed-off-by: Seo Suchan &lt;tjtncks@gmail.com&gt;
Link: https://github.com/openwrt/openwrt/pull/23642
Signed-off-by: Jonas Jelonek &lt;jelonek.jonas@gmail.com&gt;
</content>
</entry>
<entry>
<title>libubox: update to Git HEAD (2026-05-23)</title>
<updated>2026-05-23T17:33:16Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-05-23T00:09:47Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/commit/?id=ffc0a6bc389340e67ca9cfc52044a9154cc31d56'/>
<id>urn:sha1:ffc0a6bc389340e67ca9cfc52044a9154cc31d56</id>
<content type='text'>
19e88cc41288 json_script: use size_t for calloc_a() length argument
9afc71053481 udebug-remote: pass size_t to calloc_a()
73a21977c52a treewide: use size_t for length variables to avoid implicit narrowing
1fe93d2fefb2 blob, udebug-remote: silence -Wconversion warnings in trivial cases

Link: https://github.com/openwrt/openwrt/pull/23485
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>libubox: update to Git HEAD (2026-05-03)</title>
<updated>2026-05-10T23:16:43Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2026-05-03T20:21:05Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/commit/?id=6421a596a6db9def70e23bafc81a7e7d8a876cc3'/>
<id>urn:sha1:6421a596a6db9def70e23bafc81a7e7d8a876cc3</id>
<content type='text'>
895f92164b66 uloop: add ULOOP_PRIORITY support for EPOLLPRI events
f9b1f3ff17ba uloop: revert my flag changes from the ULOOP_PRIORITY change
2982bfb1c325 blob: fix wrong type for realloc result in blob_buffer_grow()
78c20f6c8579 json_script: convert recursive __json_script_file_free() to iterative
e7c13bf8cbca usock: fix off-by-one in nanosecond normalization in poll_restart()
68b3f1588de4 uloop: usock: add error checking for fcntl and remove duplicate include
03821f942c49 uloop: fix undefined behavior in signal bit operations for signals &gt; 32
e6e6fd83e26d blobmsg: fix policy name length overflow and add bounds check in blobmsg_parse()
d30b9cc1a02d usock: fix integer overflow in timeout calculations
406e342bb900 udebug: fix double off-by-one in udebug_entry_vprintf()
700eca0bac66 blobmsg_json: fix integer overflow in blobmsg_puts()
6351fe552162 blobmsg_json: floor strbuf size and tighten the post-format guard
58b6543f1b25 blobmsg: fix unsigned integer overflow in blobmsg_alloc_string_buffer()
d7a3ae699df0 blobmsg: use correct byte-order macro when setting BLOB_ATTR_EXTENDED
23c6618a5b90 blobmsg_json: fix double format string to avoid truncation and data loss
1edf1d704e76 jshn: fix integer overflow and type confusion in jshn_parse_file
9b488010c4a7 utils: fix integer overflow in __calloc_a()
40a87f734b94 blob: fix integer overflow in buffer growth functions
02fccb465651 blob: use size_t for blob_memdup() length
0fa612ca08f7 json_script: avoid alloca() on attacker-controlled pattern length
8c9862b6921b blobmsg: fix integer overflow in blobmsg_realloc_string_buffer()
5fbef5bb94fb ustream: avoid INT_MAX overflow on malloc in ustream_vprintf()
1501e60e5554 md5: detect read errors in md5sum() instead of returning a bogus hash

Link: https://github.com/openwrt/openwrt/pull/23212
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>libmnl: assign PKG_LICENSE_FILES</title>
<updated>2026-05-08T08:22:40Z</updated>
<author>
<name>Wei-Ting Yang</name>
</author>
<published>2026-05-08T05:53:55Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/commit/?id=febc349ab45c36b87d19d7bce7870f5e0103392c'/>
<id>urn:sha1:febc349ab45c36b87d19d7bce7870f5e0103392c</id>
<content type='text'>
Ref: https://git.netfilter.org/libmnl/tree/COPYING

Signed-off-by: Wei-Ting Yang &lt;williamatcg@gmail.com&gt;
Link: https://github.com/openwrt/openwrt/pull/23257
Signed-off-by: Robert Marko &lt;robimarko@gmail.com&gt;
</content>
</entry>
<entry>
<title>pcre2: fix PKG_LICENSE_FILES after upstream rename</title>
<updated>2026-05-07T16:20:24Z</updated>
<author>
<name>Michael Pfeifroth</name>
</author>
<published>2026-04-30T12:00:47Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/xback/commit/?id=ab8cebbc97d0ad7e3ec3d1c5d507428a4f2bc870'/>
<id>urn:sha1:ab8cebbc97d0ad7e3ec3d1c5d507428a4f2bc870</id>
<content type='text'>
PCRE2 10.47 renamed LICENCE to LICENCE.md. Update PKG_LICENSE_FILES
to match the actual filename in the source tarball.

Signed-off-by: Michael Pfeifroth &lt;michael.pfeifroth@westermo.com&gt;
Link: https://github.com/openwrt/openwrt/pull/23164
Signed-off-by: Robert Marko &lt;robimarko@gmail.com&gt;
</content>
</entry>
</feed>
