| Message ID | 20260422090017.322293-1-adarsh.jagadish.kamini@est.tech |
|---|---|
| State | New |
| Headers | show |
| Series | [scarthgap] expat: mark CVE-2025-66382 as vulnerable-investigating | expand |
On Wed Apr 22, 2026 at 11:00 AM CEST, Adarsh Jagadish Kamini via lists.openembedded.org wrote: > From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > > No fix is available yet for CVE-2025-66382 [1]. > > CVE_STATUS[CVE-2025-66382] = "vulnerable-investigating: no fix available yet" > > [1] https://www.cve.org/CVERecord?id=CVE-2025-66382 > > Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > --- > meta/recipes-core/expat/expat_2.6.4.bb | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb > index 048093f010..81dbb6a687 100644 > --- a/meta/recipes-core/expat/expat_2.6.4.bb > +++ b/meta/recipes-core/expat/expat_2.6.4.bb > @@ -67,3 +67,4 @@ do_install_ptest:class-target() { > BBCLASSEXTEND += "native nativesdk" > > CVE_PRODUCT = "expat libexpat" Hello, > +CVE_STATUS[CVE-2025-66382] = "vulnerable-investigating: no fix available yet" We don't usually add "vulnerable-investigating" CVE_STATUS. So I have some questions: * What is the point of this change? * Wouldn't that apply to most of other applicable CVEs? * What does that change in the CVE reports? Thanks,
diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 048093f010..81dbb6a687 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb @@ -67,3 +67,4 @@ do_install_ptest:class-target() { BBCLASSEXTEND += "native nativesdk" CVE_PRODUCT = "expat libexpat" +CVE_STATUS[CVE-2025-66382] = "vulnerable-investigating: no fix available yet"