Merge pull request #3366 from flatcar/buildbot/weekly-portage-stable-package-updates-2025-10-13

Weekly portage-stable package updates 2025-10-13

Author: krnowak

changelog/security/2025-10-14-weekly-updates.md

@@ -0,0 +1,5 @@
+- expat ([CVE-2025-59375](https://www.cve.org/CVERecord?id=CVE-2025-59375))
+- intel-microcode ([CVE-2024-28956](https://www.cve.org/CVERecord?id=CVE-2024-28956), [CVE-2024-43420](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43420), [CVE-2024-45332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45332), [CVE-2025-20012](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20012), [CVE-2025-20054](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20054), [CVE-2025-20103](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20103), [CVE-2025-20623](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20623), [CVE-2025-24495](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24495), [CVE-2025-20053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20053), [CVE-2025-20109](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20109), [CVE-2025-22839](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22839), [CVE-2025-22840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22840), [CVE-2025-22889](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22889), [CVE-2025-26403](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26403))
+- nvidia-drivers ([CVE-2025-23280](https://www.cve.org/CVERecord?id=CVE-2025-23280), [CVE-2025-23282](https://www.cve.org/CVERecord?id=CVE-2025-23282), [CVE-2025-23300](https://www.cve.org/CVERecord?id=CVE-2025-23300), [CVE-2025-23330](https://www.cve.org/CVERecord?id=CVE-2025-23330), [CVE-2025-23332](https://www.cve.org/CVERecord?id=CVE-2025-23332), [CVE-2025-23345](https://www.cve.org/CVERecord?id=CVE-2025-23345))
+- openssh ([CVE-2025-61984](https://www.cve.org/CVERecord?id=CVE-2025-61984), [CVE-2025-61985](https://www.cve.org/CVERecord?id=CVE-2025-61985))
+- openssl ([CVE-2025-9230](https://www.cve.org/CVERecord?id=CVE-2025-9230), [CVE-2025-9231](https://www.cve.org/CVERecord?id=CVE-2025-9231), [CVE-2025-9232](https://www.cve.org/CVERecord?id=CVE-2025-9232))

changelog/updates/2025-10-14-weekly-updates.md

@@ -0,0 +1,26 @@
+- SDK: cmake ([3.31.9](https://cmake.org/cmake/help/v3.31/release/3.31.html#id1))
+- SDK: go ([1.25.1](https://go.dev/doc/devel/release#go1.25.minor) (includes [1.25](https://go.dev/doc/go1.25)))
+- SDK: qemu ([10.0.5](https://wiki.qemu.org/ChangeLog/10.0))
+- azure, dev: inotify-tools ([4.25.9.0](https://github.com/inotify-tools/inotify-tools/releases/tag/4.25.9.0))
+- azure, stackit: chrony ([4.8](https://gitlab.com/chrony/chrony/-/raw/4.8/NEWS))
+- base, dev: bind ([9.18.38](https://bind9.readthedocs.io/en/v9.18.38/notes.html#notes-for-bind-9-18-38))
+- base, dev: bpftool ([7.6.0](https://github.com/libbpf/bpftool/releases/tag/v7.6.0))
+- base, dev: btrfs-progs ([6.16.1](https://github.com/kdave/btrfs-progs/releases/tag/v6.16.1))
+- base, dev: expat ([2.7.3](https://raw.githubusercontent.com/libexpat/libexpat/refs/tags/R_2_7_3/expat/Changes))
+- base, dev: gettext ([0.23.2](https://gitweb.git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob_plain;f=NEWS;h=a5cc8a63eb4f06e4a1171afda862812feb67d693;hb=e8e6cb71aec0de1f5758ac21327bb8cd69e33731) (includes [0.23.1](https://gitweb.git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob_plain;f=NEWS;h=4aafedf9b10a66891838e1f35c7af020c6124ee0;hb=d9b0432a825bfe3fc72f9a081d295a9528cd8aac), [0.23.0](https://gitweb.git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob_plain;f=NEWS;h=9d87d45408f510d15856a1dda8a9376573f0a9c5;hb=c12b25dc82104691ca80c4da1cbc538fcab42bf5)))
+- base, dev: git ([2.51.0](https://github.com/git/git/blob/v2.51.0/Documentation/RelNotes/2.51.0.adoc) (includes [2.50.0](https://github.com/git/git/blob/v2.50.0/Documentation/RelNotes/2.50.0.adoc)))
+- base, dev: intel-microcode ([20250812](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250812) (includes [20250512](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250512)))
+- base, dev: libxml2 ([2.14.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.6) (includes [2.14.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.5), [2.14.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.4), [2.14.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.3), [2.14.2](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.2), [2.14.1](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.1), [2.14.0](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.0)))
+- base, dev: nftables ([1.1.5](https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.5.txt))
+- base, dev: nvidia-drivers-service (amd64) ([535.274.02](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-535-274-02/index.html))
+- base, dev: nvidia-drivers-service (arm64) ([570.195.03](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-570-195-03/index.html))
+- base, dev: openssh ([10.2_p1](https://www.openssh.com/txt/release-10.2) (includes [10.1](https://www.openssh.com/txt/release-10.1)))
+- base, dev: openssl ([3.4.3](https://github.com/openssl/openssl/releases/tag/openssl-3.4.3))
+- base, dev: xfsprogs ([6.16.0](https://web.git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.16.0) (includes [6.15.0](https://web.git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.15.0)))
+- sysext-nvidia-drivers-535, sysext-nvidia-drivers-535-open: nvidia-drivers ([535.274.02](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-535-274-02/index.html))
+- sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers ([570.195.03](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-570-195-03/index.html))
+- sysext-podman: crun ([1.21](https://github.com/containers/crun/releases/tag/1.21))
+- sysext-podman: netavark ([1.15.2](https://github.com/containers/netavark/releases/tag/v1.15.2) (includes [1.15.1](https://github.com/containers/netavark/releases/tag/v1.15.1), [1.15.0](https://github.com/containers/netavark/releases/tag/v1.15.0)))
+- sysext-podman: passt ([2025.06.11](https://archives.passt.top/passt-user/20250611175947.7d540ddc@elisabeth/T/#u))
+- sysext-python: platformdirs ([4.4.0](https://github.com/tox-dev/platformdirs/releases/tag/4.4.0))
+- sysext-python: typing-extensions ([4.15.0](https://raw.githubusercontent.com/python/typing_extensions/refs/tags/4.15.0/CHANGELOG.md))

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-util/catalyst/0001-Support-locale-gen-3-the-perl-version.patch

@@ -0,0 +1,47 @@
+From 2478055bf48a54c0fcb518bbd48a30b307db0009 Mon Sep 17 00:00:00 2001
+From: Kerin Millar <[email protected]>
+Date: Mon, 18 Aug 2025 14:25:20 +0200
+Subject: [PATCH 1/2] Support locale-gen-3 (the perl version)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Andreas K. Hüttel <[email protected]>
+---
+ targets/stage1/chroot.sh            | 6 +++++-
+ targets/support/chroot-functions.sh | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/targets/stage1/chroot.sh b/targets/stage1/chroot.sh
+index e0587b59..541c060f 100755
+--- a/targets/stage1/chroot.sh
++++ b/targets/stage1/chroot.sh
+@@ -91,7 +91,11 @@ run_merge --implicit-system-deps=n --oneshot "${buildpkgs[@]}"
+ # not run locale-gen when ROOT is set. Since we've set LANG, we need to run
+ # locale-gen explicitly.
+ if [ -x "$(command -v locale-gen)" ]; then
+-	locale-gen --destdir "$ROOT"/ || die "locale-gen failed"
++	if ! locale-gen -V | grep -q '^locale-gen-2\.'; then
++		locale-gen --config /etc/locale.gen --prefix "$ROOT"/
++	else
++		locale-gen --destdir "$ROOT"/
++	fi || die "locale-gen failed"
+ fi
+ 
+ # Why are we removing these? Don't we need them for final make.conf?
+diff --git a/targets/support/chroot-functions.sh b/targets/support/chroot-functions.sh
+index d8472d46..08738d0a 100755
+--- a/targets/support/chroot-functions.sh
++++ b/targets/support/chroot-functions.sh
+@@ -284,7 +284,7 @@ show_debug() {
+ }
+ 
+ readonly locales="
+-C.UTF8 UTF-8
++C.UTF-8 UTF-8
+ "
+ 
+ if [[ ${RUN_DEFAULT_FUNCS} != no ]]
+-- 
+2.51.0
+

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-util/catalyst/0002-Fix-UTF-8-spelling.patch

@@ -0,0 +1,41 @@
+From 8f3dad52ef6b7360f69f93554172d76aa5d59d8a Mon Sep 17 00:00:00 2001
+From: Sam James <[email protected]>
+Date: Mon, 15 Sep 2025 12:35:43 +0100
+Subject: [PATCH 2/2] Fix UTF-8 spelling
+
+Bug: https://bugs.gentoo.org/962878
+Signed-off-by: Sam James <[email protected]>
+---
+ catalyst/base/stagebase.py | 2 +-
+ targets/stage1/chroot.sh   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/catalyst/base/stagebase.py b/catalyst/base/stagebase.py
+index 8a3d2af6..d09b3aad 100644
+--- a/catalyst/base/stagebase.py
++++ b/catalyst/base/stagebase.py
+@@ -1252,7 +1252,7 @@ class StageBase(TargetBase, ClearBase, GenBase):
+                 '\n'
+                 '# This sets the language of build output to English.\n'
+                 '# Please keep this setting intact when reporting bugs.\n'
+-                'LC_MESSAGES=C.utf8\n')
++                'LC_MESSAGES=C.UTF-8\n')
+ 
+     def write_binrepos_conf(self):
+         # only if catalyst.conf defines the host and the spec defines the path...
+diff --git a/targets/stage1/chroot.sh b/targets/stage1/chroot.sh
+index 541c060f..dc8571bd 100755
+--- a/targets/stage1/chroot.sh
++++ b/targets/stage1/chroot.sh
+@@ -67,7 +67,7 @@ sed -i "/USE=\"${USE} build\"/d" ${clst_make_conf}
+ 
+ echo "$locales" > /etc/locale.gen
+ for etc in /etc "$ROOT"/etc; do
+-	echo "LANG=C.UTF8" > ${etc}/env.d/02locale
++	echo "LANG=C.UTF-8" > ${etc}/env.d/02locale
+ done
+ update_env_settings
+ 
+-- 
+2.51.0
+

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-util/catalyst/README.md

@@ -0,0 +1,3 @@
+The patches fix some locale generation issues in catalyst - they are
+currently a part of the master branch, so there is no release that
+contain those fixes yet.

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -40,6 +40,7 @@ app-crypt/azure-keyvault-pkcs11
 =app-emulation/open-vmdk-1.0 *
 
 # Keep versions on both arches in sync.
+=app-emulation/qemu-10.0.5 ~arm64
 =app-emulation/qemu-guest-agent-9.2.0 ~arm64
 
 # Packages are in Gentoo but not expected to be used outside Flatcar, so they
@@ -50,26 +51,17 @@ dev-cpp/azure-identity
 dev-cpp/azure-security-keyvault-certificates
 dev-cpp/azure-security-keyvault-keys
 
-# CVE-2025-47910
-=dev-lang/go-1.24.7 ~amd64 ~arm64
-
 # Keep versions on both arches in sync.
 =dev-lang/yasm-1.3.0-r1 ~arm64
 =dev-libs/cowsql-1.15.9 ~arm64
 =dev-libs/ding-libs-0.6.2-r1 ~arm64
 
-# CVE-2025-59375
-=dev-libs/expat-2.7.2 ~amd64 ~arm64
-
 # CVE-2025-7039
 =dev-libs/glib-2.84.4 ~amd64 ~arm64
 
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =dev-libs/jose-12 **
 
-# CVE-2025-58050
-=dev-libs/libpcre2-10.46 ~amd64 ~arm64
-
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =dev-libs/luksmeta-9-r1 **
 
@@ -97,7 +89,10 @@ dev-cpp/azure-security-keyvault-keys
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
 
 # CVE-2025-9086, CVE-2025-10148
-=net-misc/curl-8.16.0-r1 ~amd64 ~arm64
+=net-misc/curl-8.16.0-r1 ~arm64
+
+# CVE-2025-61984, CVE-2025-61985
+=net-misc/openssh-10.2_p1 ~amd64 ~arm64
 
 # Packages are in Gentoo but not expected to be used outside Flatcar, so they
 # are generally never stabilised. Thus an unusual form is used to pick up the

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask

@@ -20,9 +20,3 @@
 
 # Pulls in LLVM and clang.
 >=sys-block/thin-provisioning-tools-1.0.14
-
-# Too large to fit into our /boot partition - the size grew by 3MB. We
-# mask a specific version in hope that the future update may be smaller,
-# who knows.
-=sys-firmware/intel-microcode-20250512_p20250513
-=sys-firmware/intel-microcode-20250812_p20250813

sdk_container/src/third_party/coreos-overlay/x11-drivers/nvidia-drivers-service/nvidia-drivers-service-535.261.03.ebuild renamed to sdk_container/src/third_party/coreos-overlay/x11-drivers/nvidia-drivers-service/nvidia-drivers-service-535.274.02.ebuild

@@ -4,3 +4,4 @@ DIST containerd-2.0.4.tar.gz 10450939 BLAKE2B f82ed40eab0f1d186f4fb04217b8f75a9d
 DIST containerd-2.0.5.tar.gz 10452563 BLAKE2B bf03316c9211eaa17a3b40b1fc9f9aca42fe3e621e086e612eb07c286c6b62bc7a0a2426ce7b6742dce2924d570ab599aefb43463c4fa6be277e562bad79668f SHA512 af89a5c9ad5f931c5fee33c75c13c296fc9ec966f2c64ec244897695eebb365bcb542f6b431e60d4ef7213f0ea11d3a8896d1b7f033ed445e6b521b7ddbffe6f
 DIST containerd-2.1.0.tar.gz 10610618 BLAKE2B 147c21b4650543af9b0e533e381a0505ba927d6e9270b9b03a09016eb3ccf29875db7fa274944fea2ff7b029b6a05a17d14c61e24b5f3426b31f320831eeb46a SHA512 e9bb128917bb6b2e21a8e05344af3fdcdda8620be20e54407bc2c73046278a88a77bcbed6ef7a59099c9ee3303283db46b90b71afdd45236d3c534749ba844e0
 DIST containerd-2.1.1.tar.gz 10610787 BLAKE2B acc2d769752c783643795d228c0d267b0802e09166dc783e84087da0029a822a64688f5e59c047c47b25f50ca2a1ccb7f5b6216ad6beeb4489df308e525e9716 SHA512 542f7cae61e1ef2e1b529b0bea66d7ad9016d4605de73de9c9c8a738e50ec6f470b939d1546482320515b77424bffe1cf24b721173ac0c0ecd0100c92817cfb1
+DIST containerd-2.1.4.tar.gz 10614131 BLAKE2B b8f4007b4bb368a1fa04c913d606f65d2ea4a17a6419ce12f2b6112eee2574d7a09fb8e2500d1c2f21bef8792dc047df4d63446211ae006662e616facda91f24 SHA512 a9f84784e917621ee5ea38ad20b8106e642fbf463a00d319b73a1a8e4d1fdd5be2fba0789b6a5d31107ef239d3713eced99ce979d4b2764714271a63c0936c15