[scarthgap,01/19] curl: ignore CVE-2025-10966

Message ID	3de9b86c295c88005d4df53e5137bb09ea104ed0.1762872962.git.steve@sakoman.com
State	RFC
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.216.46, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 01/19] curl: ignore CVE-2025-10966 Date: Tue, 11 Nov 2025 06:58:09 -0800 Message-ID: <3de9b86c295c88005d4df53e5137bb09ea104ed0.1762872962.git.steve@sakoman.com> In-Reply-To: <cover.1762872962.git.steve@sakoman.com> References: <cover.1762872962.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,01/19] curl: ignore CVE-2025-10966 \| expand [scarthgap,01/19] curl: ignore CVE-2025-10966 [scarthgap,02/19] go: fix CVE-2025-58185 [scarthgap,03/19] go: fix CVE-2025-58187 [scarthgap,04/19] go: fix CVE-2025-58188 [scarthgap,05/19] go: fix CVE-2025-58189 [scarthgap,06/19] go: fix CVE-2025-47912 [scarthgap,07/19] go: fix CVE-2025-61723 [scarthgap,08/19] go: fix CVE-2025-61724 [scarthgap,09/19] webkitgtk: upgrade 2.44.3 -> 2.44.4 [scarthgap,10/19] wireless-regdb: upgrade 2024.10.07 -> 2025.10.07 [scarthgap,11/19] ca-certificates: update 20211016 -> 20240203 [scarthgap,12/19] ca-certificates: Add comment for provenance of SRCREV [scarthgap,13/19] ca-certificates: get sources from debian tarballs [scarthgap,14/19] ca-certificates: upgrade 20240203 -> 20241223 [scarthgap,15/19] ca-certificates: submit sysroot patch upstream, drop default-sysroot.patch [scarthgap,16/19] ca-certificates: upgrade 20241223 -> 20250419 [scarthgap,17/19] ca-certificates: fix on-target postinstall script [scarthgap,18/19] oeqa/selftest/devtool: Update after upstream repo changes [scarthgap,19/19] xf86-video-intel: correct SRC_URI as freedesktop anongit is down

Message ID

3de9b86c295c88005d4df53e5137bb09ea104ed0.1762872962.git.steve@sakoman.com

State

RFC

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/19] curl: ignore CVE-2025-10966
Date: Tue, 11 Nov 2025 06:58:09 -0800
Message-ID: 
 <3de9b86c295c88005d4df53e5137bb09ea104ed0.1762872962.git.steve@sakoman.com>
In-Reply-To: <cover.1762872962.git.steve@sakoman.com>
References: <cover.1762872962.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,01/19] curl: ignore CVE-2025-10966 | expand

Commit Message

Steve Sakoman Nov. 11, 2025, 2:58 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

Per [1] this CVE applies only when wolfssl backed is used.
8.17.0 removed WolfSSL support completely.

[1] https://curl.se/docs/CVE-2025-10966.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/curl/curl_8.7.1.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 713d90a378..6c02746394 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -39,6 +39,7 @@  CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on go
 
 CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older"
 CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
+CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
 
 
 inherit autotools pkgconfig binconfig multilib_header ptest

[scarthgap,01/19] curl: ignore CVE-2025-10966

Commit Message

Patch