[kirkstone,04/16] python3: update CVE product

Message ID	06f615e6939a22bc8f12b30d8dea582ab3ccebe6.1752611671.git.steve@sakoman.com
State	New
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.215.181, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/16] python3: update CVE product Date: Tue, 15 Jul 2025 13:36:05 -0700 Message-ID: <06f615e6939a22bc8f12b30d8dea582ab3ccebe6.1752611671.git.steve@sakoman.com> In-Reply-To: <cover.1752611671.git.steve@sakoman.com> References: <cover.1752611671.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/16] Revert "coreutils: fix CVE-2025-5278" \| expand [kirkstone,01/16] Revert "coreutils: fix CVE-2025-5278" [kirkstone,02/16] coreutils: fix CVE-2025-5278 [kirkstone,03/16] libxml2: fix CVE-2025-49794 & CVE-2025-49796 [kirkstone,04/16] python3: update CVE product [kirkstone,05/16] openssl: upgrade 3.0.16 -> 3.0.17 [kirkstone,06/16] openssl: fix CVE-2024-41996 [kirkstone,07/16] ofono: fix CVE-2023-4232 [kirkstone,08/16] ofono: fix CVE-2023-4235 [kirkstone,09/16] ghostscript: ignore CVE-2025-46646 [kirkstone,10/16] iputils: patch CVE-2025-48964 [kirkstone,11/16] gdk-pixbuf: fix CVE-2025-7345 [kirkstone,12/16] sudo: upgrade from 1.9.15p2 to 1.9.15p5 [kirkstone,13/16] sudo: upgrade 1.9.15p5 -> 1.9.17p1 [kirkstone,14/16] bintuils: stable 2.38 branch update [kirkstone,15/16] oeqa/core/decorator: add decorators to skip based on HOST_ARCH [kirkstone,16/16] tcf-agent: correct the SRC_URI

Message ID

06f615e6939a22bc8f12b30d8dea582ab3ccebe6.1752611671.git.steve@sakoman.com

State

New

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 04/16] python3: update CVE product
Date: Tue, 15 Jul 2025 13:36:05 -0700
Message-ID: 
 <06f615e6939a22bc8f12b30d8dea582ab3ccebe6.1752611671.git.steve@sakoman.com>
In-Reply-To: <cover.1752611671.git.steve@sakoman.com>
References: <cover.1752611671.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/16] Revert "coreutils: fix CVE-2025-5278" | expand

Commit Message

Steve Sakoman July 15, 2025, 8:36 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".

Solve this by addding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.

Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
   ...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/python/python3_3.10.18.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3_3.10.18.bb b/meta/recipes-devtools/python/python3_3.10.18.bb
index 0b57a0ebee..875b52cde9 100644
--- a/meta/recipes-devtools/python/python3_3.10.18.bb
+++ b/meta/recipes-devtools/python/python3_3.10.18.bb
@@ -51,7 +51,7 @@  SRC_URI[sha256sum] = "ae665bc678abd9ab6a6e1573d2481625a53719bc517e9a634ed2b9fefa
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
 UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 
-CVE_PRODUCT = "python"
+CVE_PRODUCT = "python:python python_software_foundation:python"
 
 # Upstream consider this expected behaviour
 CVE_CHECK_IGNORE += "CVE-2007-4559"

[kirkstone,04/16] python3: update CVE product

Commit Message

Patch