commits
This also adds other bug fixes as fallout of the CVE fixes.
https://lix.systems/blog/2025-06-27-lix-critical-bug/
Change-Id: I40ab05a2a9279ba9b39c2f9f9e16c1eb171d2c29
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
(cherry picked from commit 3d505c03610b6102af6d870ae3506a151cef1f68)
Fixes CVE-2025-4404.
Changes:
https://www.freeipa.org/release-notes/4-12-4.html
(cherry picked from commit 774f09236c1682a650a9f92999565c6394dad56b)
(cherry picked from commit e69a73e84bd25369e0b05de8e5dccec2a2f4e91c)
Manual backport of 790125f6f53f697910ea1820a3f4c20db886157e.
(cherry picked from commit acda3554ec2f178830c0399d2abc6e7989be0134)
(cherry picked from commit 2da8778b92452ccc781961c251bb9a5885c1a217)
(cherry picked from commit ead088fa1bd4f4ddc7d06490d6979bb53e60da68)
Upstream, intentionally or not, no longer appends the EFI image
with a .pad section for us to hook the rest of the UKI to. This
simply dehardcodes .pad from the awk script, instead using the
very last section in the binary. (Currently .reloc)
Co-authored-by: Yaroslav Bolyukin <iam@lach.pw>
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit 54dadb2a6236ecaa12d72dc8e0a5bdf96d919f84)
Since we won't be upgrading to 4.20 due to the release freeze, we'll
track the 4.19 maintenance updates during the 25.05 release cycle.
Includes patches for XSA #469. (Training Solo)
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit b3ea0c48e0ce0f9a4de92eb2c12664d3fd84abb2)
(cherry picked from commit b79ae227e152989f0abd2fe5e34bb5cfefddbf1f)
(cherry picked from commit 6c57a54925d72a9142c65c1171c0e86a93c8ae50)
https://www.mozilla.org/en-US/firefox/140.0.1/releasenotes/
(cherry picked from commit fce68634c523157701fe868d5a782db33789fb8a)
https://www.mozilla.org/en-US/firefox/140.0.1/releasenotes/
(cherry picked from commit 484e2f243a29d3be86c33c44b233ef26a36e695b)
When backporting a PR from master -> 25.05 -> 24.11 in a chain, the last
cherry-pick will have two references to different commits in it. If
there was conflict resolution in the first step, the diff will show up
again in the last step. This can be fixed by comparing against the right
hash - always the last one.
(cherry picked from commit df5b98a38c13768766da4ef350872ee0fef206da)
Currently, the labels job fails a few times each day with network
failures. Retrying the requests should help.
(cherry picked from commit 181802791664a7540b2e008a9daa2f8923842a96)
We already tried to fix this case earlier, but didn't account for all
cases: A scheduled workflow can also encounter a pull request with
a failed PR workflow. This failure doesn't need to be in the Eval part, so
artifacts could *still* be available. To make sure PRs always get
rebuild labels, just ignore the status condition. Either the artifact is
there, or it is not.
(cherry picked from commit 3be9e2afc1f5745477addf578a87dad76d3d6517)
(cherry picked from commit 4e9df2fc31d16dc04dff3d500583e4569c3ff07e)
The `page` number is 1-based, but the remainder might very well be 0.
This led to not looking at the 100 oldest PRs, ever.
(cherry picked from commit 10c63e51170fa43f4e2ff021e8e113578f855662)