diff mbox series

[2/4] python3-ply: set CVE_PRODUCT and CVE_STATUS for CVE-2025-56005 as disputed

Message ID 20260710074415.3341616-2-mark.yang@lge.com
State New
Headers show
Series [1/4] python3-cryptography: set CVE_PRODUCT | expand

Commit Message

mark.yang July 10, 2026, 7:43 a.m. UTC
From: "mark.yang" <mark.yang@lge.com>

For python3-ply, the CVE_PRODUCT should be set to ply, not python:ply.
NVD registers ply as dabeaz:ply, so the default python:ply vendor prefix never matches and no CVEs are reported.

CVE-2025-56005 is disputed.
See https://nvd.nist.gov/vuln/detail/CVE-2025-56005

Signed-off-by: mark.yang <mark.yang@lge.com>
---
 meta/recipes-devtools/python/python3-ply_3.11.bb | 4 ++++
 1 file changed, 4 insertions(+)
diff mbox series

Patch

diff --git a/meta/recipes-devtools/python/python3-ply_3.11.bb b/meta/recipes-devtools/python/python3-ply_3.11.bb
index 2c5fa3f215..ce45bbc1bd 100644
--- a/meta/recipes-devtools/python/python3-ply_3.11.bb
+++ b/meta/recipes-devtools/python/python3-ply_3.11.bb
@@ -14,4 +14,8 @@  RDEPENDS:${PN}:class-target += "\
     python3-shell \
 "
 
+CVE_PRODUCT = "ply"
+# https://nvd.nist.gov/vuln/detail/CVE-2025-56005 Disputed
+CVE_STATUS[CVE-2025-56005] = "disputed: PoC fails to demonstrate code execution; picklefile is a developer-controlled parser-table cache parameter"
+
 BBCLASSEXTEND = "native nativesdk"