@@ -7,6 +7,11 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"
SRC_URI[sha256sum] = "9d98cc980ecc96be6eb4c1994ce35d28d8b1f5e5208a23b421187d1209dbb7d1"
CVE_PRODUCT = "aiohttp"
+CVE_STATUS_GROUPS = "CVE_AIOHTTP_FIX_3_13_4"
+CVE_AIOHTTP_FIX_3_13_4[status] = "fixed-version: fixed in 3.13.4"
+CVE_AIOHTTP_FIX_3_13_4 = "CVE-2026-22815 CVE-2026-34513 CVE-2026-34514 \
+CVE-2026-34515 CVE-2026-34516 CVE-2026-34517 CVE-2026-34518 CVE-2026-34519 \
+CVE-2026-34520 CVE-2026-34525"
inherit python_setuptools_build_meta pypi
All these CVEs have been fixed already, the relevant NVD reports mention it explicitly that 3.13.4 is fixed, along with referencing the commit that fixes the respective vulnerabilities. However each of these are tracked without version info by NVD -.- Due to this, mark them explicitly as patched. Relevant reports: https://nvd.nist.gov/vuln/detail/CVE-2026-22815 https://nvd.nist.gov/vuln/detail/CVE-2026-34513 https://nvd.nist.gov/vuln/detail/CVE-2026-34514 https://nvd.nist.gov/vuln/detail/CVE-2026-34515 https://nvd.nist.gov/vuln/detail/CVE-2026-34516 https://nvd.nist.gov/vuln/detail/CVE-2026-34517 https://nvd.nist.gov/vuln/detail/CVE-2026-34518 https://nvd.nist.gov/vuln/detail/CVE-2026-34519 https://nvd.nist.gov/vuln/detail/CVE-2026-34520 https://nvd.nist.gov/vuln/detail/CVE-2026-34525 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../recipes-devtools/python/python3-aiohttp_3.13.5.bb | 5 +++++ 1 file changed, 5 insertions(+)