[meta-networking,3/7] dovecot: ignore already fixed CVEs

Message ID 20260406120314.3514982-3-skandigraun@gmail.com
State Under Review
Series [meta-oe,1/7] botan: upgrade 3.11.0 -> 3.11.1

Commit Message

Gyorgy Sarvari April 6, 2026, 12:03 p.m. UTC
The following CVEs are fixed in the current version already,
however they are tracked without version info.

Upstream has confirmed[1] that these vulnerabilities are fixed,
and Debian has also identified the relevant commits:

CVE-2025-30189: https://security-tracker.debian.org/tracker/CVE-2025-30189
CVE-2026-0394: https://security-tracker.debian.org/tracker/CVE-2026-0394
CVE-2026-24031: https://security-tracker.debian.org/tracker/CVE-2026-24031
CVE-2026-27855: https://security-tracker.debian.org/tracker/CVE-2026-27855
CVE-2026-27860: https://security-tracker.debian.org/tracker/CVE-2026-27860

[1]: https://seclists.org/fulldisclosure/2026/Mar/13

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-networking/recipes-support/dovecot/dovecot_2.4.3.bb | 5 +++++
 1 file changed, 5 insertions(+)

Patch

diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.4.3.bb b/meta-networking/recipes-support/dovecot/dovecot_2.4.3.bb
index a8930979ea..10ca595029 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.4.3.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.4.3.bb
@@ -81,3 +81,8 @@  FILES:${PN}-dev += "${libdir}/dovecot/libdovecot*.so"
 FILES:${PN}-dbg += "${libdir}/dovecot/*/.debug"
 
 CVE_STATUS[CVE-2016-4983] = "not-applicable-platform: Affects only postinstall script on specific distribution."
+CVE_STATUS[CVE-2025-59031] = "fixed-version: fixed since v2.4.2"
+CVE_STATUS[CVE-2026-0394] = "fixed-version: fixed since v2.4.1"
+CVE_STATUS[CVE-2026-24031] = "fixed-version: fixed since v2.4.3"
+CVE_STATUS[CVE-2026-27855] = "fixed-version: fixed since v2.4.3"
+CVE_STATUS[CVE-2026-27860] = "fixed-version: fixed since v2.4.3"
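
Review bot: The CVE IDs in the added CVE_STATUS lines do not match the list in the commit message. The first added line sets CVE_STATUS[CVE-2025-59031], which the commit message never mentions, while CVE-2025-30189, which the message lists with a Debian tracker link, gets no entry here. Please confirm which ID is intended: if it is a typo, correct the flag name; if both CVEs are meant, add the missing CVE_STATUS[CVE-2025-30189] line and mention CVE-2025-59031, with its reference, in the commit message. The "fixed since" versions also differ per entry (v2.4.1, v2.4.2, v2.4.3), and the message only says the relevant commits were identified. Noting in the message which release each fix landed in would make these values checkable against the tracker pages.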