| Message ID | 20251106202024.3084674-1-peter.marko@siemens.com |
|---|---|
| State | Under Review |
| Delegated to: | Steve Sakoman |
| Series | [kirkstone] curl: ignore CVE-2025-10966 |
On Fri, Nov 7, 2025 at 9:20 AM Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:
>
> From: Peter Marko <peter.marko@siemens.com>
>
> Per [1] this CVE applies only when wolfssl backend is used.
> 8.17.0 removed WolfSSL support completely.

But the recipe version in use is 7.82, so how is this applicable? Or am I missing something?

>
> [1] https://curl.se/docs/CVE-2025-10966.html
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  meta/recipes-support/curl/curl_7.82.0.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
> index 54362e6978..2326392a4f 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> @@ -79,6 +79,8 @@ CVE_CHECK_IGNORE += "CVE-2023-42915"
>  CVE_CHECK_IGNORE += "CVE-2024-32928"
>  # ignored: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older
>  CVE_CHECK_IGNORE += "CVE-2025-0725"
> +# not-applicable-config: applicable only with wolfssl
> +CVE_CHECK_IGNORE += "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'CVE-2025-10966','',d)}"
>
>  inherit autotools pkgconfig binconfig multilib_header
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#225993): https://lists.openembedded.org/g/openembedded-core/message/225993
> Mute This Topic: https://lists.openembedded.org/mt/116159924/3619737
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ankur.tyagi85@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
> -----Original Message-----
> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
> Sent: Thursday, November 6, 2025 21:42
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][kirkstone][PATCH] curl: ignore CVE-2025-10966
>
> On Fri, Nov 7, 2025 at 9:20 AM Peter Marko via lists.openembedded.org
> <peter.marko=siemens.com@lists.openembedded.org> wrote:
> >
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Per [1] this CVE applies only when wolfssl backend is used.
> > 8.17.0 removed WolfSSL support completely.
>
> But the recipe version in use is 7.82, so how is this applicable? Or
> am I missing something?

7.82 is less than 8.17 (which was released only a couple of days ago), so this CVE is applicable and needs to be handled.

Peter

> >
> > [1] https://curl.se/docs/CVE-2025-10966.html
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  meta/recipes-support/curl/curl_7.82.0.bb | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-
> support/curl/curl_7.82.0.bb
> > index 54362e6978..2326392a4f 100644
> > --- a/meta/recipes-support/curl/curl_7.82.0.bb
> > +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> > @@ -79,6 +79,8 @@ CVE_CHECK_IGNORE += "CVE-2023-42915"
> >  CVE_CHECK_IGNORE += "CVE-2024-32928"
> >  # ignored: gzip decompression of content-encoded HTTP responses with the
> `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older
> >  CVE_CHECK_IGNORE += "CVE-2025-0725"
> > +# not-applicable-config: applicable only with wolfssl
> > +CVE_CHECK_IGNORE += "${@bb.utils.contains('PACKAGECONFIG',
> 'openssl', 'CVE-2025-10966','',d)}"
> >
> >  inherit autotools pkgconfig binconfig multilib_header
> >
> >
```diff
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 54362e6978..2326392a4f 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -79,6 +79,8 @@ CVE_CHECK_IGNORE += "CVE-2023-42915"
 CVE_CHECK_IGNORE += "CVE-2024-32928"
 # ignored: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older
 CVE_CHECK_IGNORE += "CVE-2025-0725"
+# not-applicable-config: applicable only with wolfssl
+CVE_CHECK_IGNORE += "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'CVE-2025-10966','',d)}"
 
 inherit autotools pkgconfig binconfig multilib_header
```
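Review bot: the added `CVE_CHECK_IGNORE` line keys the ignore on `openssl` being present in PACKAGECONFIG, while the comment directly above it states the CVE is applicable only with wolfssl, so a build that selects any other non-wolfssl TLS backend (gnutls or mbedtls, for instance) would still have CVE-2025-10966 reported although it does not apply. Consider expressing the stated reason directly, e.g. `bb.utils.contains('PACKAGECONFIG', 'wolfssl', '', 'CVE-2025-10966', d)`, or, if curl_7.82.0.bb offers no wolfssl option at all, ignoring the CVE unconditionally like the entries above it; in either form, confirm that the option name tested matches the PACKAGECONFIG key the recipe actually defines, since a mismatched name makes the ignore silently never fire. Minor style point: `'CVE-2025-10966','',d` would read better with spaces after the commas, matching the surrounding recipe.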