diff mbox series

[meta-oe,2/5] civetweb: ignore CVE-2025-9648

Message ID 20251209153953.951218-2-skandigraun@gmail.com
State Accepted
Headers show
Series [meta-oe,1/5] accountservice: ignore CVE-2023-3297 | expand

Commit Message

Gyorgy Sarvari Dec. 9, 2025, 3:39 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-9648

It is already fixed in the currently used version.

Also, update CVE-2025-55763's status to "fixed-version" (so it will be
marked as "Patched" in the CVE report instead of "Ignored")

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Ankur Tyagi Dec. 13, 2025, 7:21 p.m. UTC | #1 
I don't see the commit[1] which fixes this CVE in the current recipe version.

[1] https://github.com/civetweb/civetweb/commit/782e18903515f43bafbf2e668994e82bdfa51133
Gyorgy Sarvari Dec. 13, 2025, 7:35 p.m. UTC | #2 
On 12/13/25 20:21, Ankur Tyagi via lists.openembedded.org wrote:
> I don't see the commit[1] which fixes this CVE in the current recipe
> version.
>  
> [1]
> https://github.com/civetweb/civetweb/commit/782e18903515f43bafbf2e668994e82bdfa51133
>

The recipe fetches b6ef58f4c4c7fbe90fd1065bccf45b143345f1a6, which is
from 30/Sep/2025.
The fix is 782e18903515f43bafbf2e668994e82bdfa51133, from 2/Sep/2025


The first and last line are interesting from this log only:

$ ~/git/civetweb]$ git log -n 30 --oneline 
b6ef58f4 (HEAD) Do not scan third party projects  <== recipe revision
3784be9d AppVeyor: Add Visual Studio 2022
cafd5f8f Format code
3ee51c19 Update sqlite3
8543cf79 Appveyor: Deactivate SSL for VS2019 / VS2022
9cabe415 Merge branch 'master' of https://github.com/civetweb/civetweb
b4afd1e3 Merge pull request #1358 from DL6ER/lua-5.5
c7df0249 Fix timer test
b20a7bc1 Set minimum CMAKE version for tests
2fefc5c8 Add Lua 5.5 support
618790d4 Unittest: fix alignment
acaf7e3f Use atomic operations in timer test
4bd10c49 AppVeyor build: Replace obsolete Visual Studio builds by new one
b3a34ad2 Merge branch 'master' of https://github.com/civetweb/civetweb
98dab2e1 Merge pull request #1355 from aryanrahar/fix/uri-len-dup
48b58d1b Merge branch 'master' into fix/uri-len-dup
e06d8d96 Merge pull request #1352 from
mfranzen0906/feature/replace-asterisk-with-origin
7b7bde47 Merge pull request #1350 from Geeoon/various-typo-fixes
a9900426 Merge pull request #1341 from yubiuser/prevent/CRLF
c5844556 Merge pull request #1347 from
krispybyte/fix/uri-processing-heap-overflow
dfb58aad Merge pull request #1354 from
civetweb/dependabot/github_actions/master/actions/checkout-5
3e7ecedd Update SECURITY.md and LICENSE.md
d8c74f7c Update README
782e1890 Make parsing of URL encoded forms more robust <== Referenced fix
Ankur Tyagi Dec. 13, 2025, 7:58 p.m. UTC | #3 
On Sun, Dec 14, 2025 at 1:05 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> On 12/13/25 20:21, Ankur Tyagi via lists.openembedded.org wrote:
> > I don't see the commit[1] which fixes this CVE in the current recipe
> > version.
> >
> > [1]
> > https://github.com/civetweb/civetweb/commit/782e18903515f43bafbf2e668994e82bdfa51133
> >
>
> The recipe fetches b6ef58f4c4c7fbe90fd1065bccf45b143345f1a6, which is
> from 30/Sep/2025.
> The fix is 782e18903515f43bafbf2e668994e82bdfa51133, from 2/Sep/2025
>
>

Sorry for the confusion, I had recipe open from my 'scarthgap'
workspace recipe which fetches
d7ba35bbb649209c66e582d5a0244ba988a15159
Your patch is correct.

> The first and last line are interesting from this log only:
>
> $ ~/git/civetweb]$ git log -n 30 --oneline
> b6ef58f4 (HEAD) Do not scan third party projects  <== recipe revision
> 3784be9d AppVeyor: Add Visual Studio 2022
> cafd5f8f Format code
> 3ee51c19 Update sqlite3
> 8543cf79 Appveyor: Deactivate SSL for VS2019 / VS2022
> 9cabe415 Merge branch 'master' of https://github.com/civetweb/civetweb
> b4afd1e3 Merge pull request #1358 from DL6ER/lua-5.5
> c7df0249 Fix timer test
> b20a7bc1 Set minimum CMAKE version for tests
> 2fefc5c8 Add Lua 5.5 support
> 618790d4 Unittest: fix alignment
> acaf7e3f Use atomic operations in timer test
> 4bd10c49 AppVeyor build: Replace obsolete Visual Studio builds by new one
> b3a34ad2 Merge branch 'master' of https://github.com/civetweb/civetweb
> 98dab2e1 Merge pull request #1355 from aryanrahar/fix/uri-len-dup
> 48b58d1b Merge branch 'master' into fix/uri-len-dup
> e06d8d96 Merge pull request #1352 from
> mfranzen0906/feature/replace-asterisk-with-origin
> 7b7bde47 Merge pull request #1350 from Geeoon/various-typo-fixes
> a9900426 Merge pull request #1341 from yubiuser/prevent/CRLF
> c5844556 Merge pull request #1347 from
> krispybyte/fix/uri-processing-heap-overflow
> dfb58aad Merge pull request #1354 from
> civetweb/dependabot/github_actions/master/actions/checkout-5
> 3e7ecedd Update SECURITY.md and LICENSE.md
> d8c74f7c Update README
> 782e1890 Make parsing of URL encoded forms more robust <== Referenced fix
>
diff mbox series

Patch

diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb
index 1d0207edb1..0e13bc6deb 100644
--- a/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb
+++ b/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb
@@ -10,7 +10,8 @@  SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \
            file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \
            "
 
-CVE_STATUS[CVE-2025-55763] = "cpe-incorrect: The vulnerability is fixed in the used revision"
+CVE_STATUS[CVE-2025-55763] = "fixed-version: The vulnerability is fixed in the used revision"
+CVE_STATUS[CVE-2025-9648] = "fixed-version: The vulnerability is fixed in the used revision"
 
 # civetweb supports building with make or cmake (although cmake lacks few features)
 inherit cmake