| Message ID | 20251106202021.3084656-1-peter.marko@siemens.com |
|---|---|
| State | Under Review |
| Delegated to: | Steve Sakoman |
| Series | [scarthgap] curl: ignore CVE-2025-10966 |
On Fri, Nov 7, 2025 at 9:21 AM Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote:
>
> From: Peter Marko <peter.marko@siemens.com>
>
> Per [1] this CVE applies only when the wolfssl backend is used.
> 8.17.0 removed WolfSSL support completely.

But the recipe version in use is 8.7.1, so how is this applicable? Or am I missing something?

>
> [1] https://curl.se/docs/CVE-2025-10966.html
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  meta/recipes-support/curl/curl_8.7.1.bb | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
> index 713d90a3787..6c027463949 100644
> --- a/meta/recipes-support/curl/curl_8.7.1.bb
> +++ b/meta/recipes-support/curl/curl_8.7.1.bb
> @@ -39,6 +39,7 @@ CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on go
>
>  CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older"
>  CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
> +CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
>
>
>  inherit autotools pkgconfig binconfig multilib_header ptest
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#225992): https://lists.openembedded.org/g/openembedded-core/message/225992
> Mute This Topic: https://lists.openembedded.org/mt/116159923/3619737
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ankur.tyagi85@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
> -----Original Message-----
> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
> Sent: Thursday, November 6, 2025 21:43
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][scarthgap][PATCH] curl: ignore CVE-2025-10966
>
> On Fri, Nov 7, 2025 at 9:21 AM Peter Marko via lists.openembedded.org
> <peter.marko=siemens.com@lists.openembedded.org> wrote:
> >
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Per [1] this CVE applies only when the wolfssl backend is used.
> > 8.17.0 removed WolfSSL support completely.
>
> But the recipe version in use is 8.7.1, so how is this applicable? Or
> am I missing something?

Also here, 8.7.1 is less than 8.17, so when NVD enters CPE for this CVE it would be reported without this patch.

Peter

> >
> > [1] https://curl.se/docs/CVE-2025-10966.html
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  meta/recipes-support/curl/curl_8.7.1.bb | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
> > index 713d90a3787..6c027463949 100644
> > --- a/meta/recipes-support/curl/curl_8.7.1.bb
> > +++ b/meta/recipes-support/curl/curl_8.7.1.bb
> > @@ -39,6 +39,7 @@ CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on go
> >
> >  CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older"
> >  CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
> > +CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
> >
> >
> >  inherit autotools pkgconfig binconfig multilib_header ptest
> >
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 713d90a3787..6c027463949 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -39,6 +39,7 @@ CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on go CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older" CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}" +CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}" inherit autotools pkgconfig binconfig multilib_header ptest
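Review bot: the added CVE_STATUS[CVE-2025-10966] line keys its verdict on 'openssl' being present in PACKAGECONFIG rather than on the wolfssl backend that the advisory and the status text itself name, so a build whose TLS backend is neither openssl nor wolfssl would be reported as unpatched even though, per the commit message, it is not affected. The line copies the existing CVE-2025-5025 entry, so if 'openssl' is deliberately used as the proxy for "not wolfssl", the commit message should say so; otherwise testing for the wolfssl item directly, e.g. `bb.utils.contains('PACKAGECONFIG', 'wolfssl', 'unpatched', 'not-applicable-config: applicable only with wolfssl', d)`, would state the real condition (assuming the recipe exposes a wolfssl PACKAGECONFIG item, which this hunk does not show). The commit message should also record why a status entry is needed for 8.7.1 at all, namely that the fixed version 8.17.0 is above the recipe version, since that was the first question raised in review.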