From patchwork Sat Jan 3 08:48:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77953 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8D06FC6160 for ; Sat, 3 Jan 2026 08:48:44 +0000 (UTC) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.21539.1767430118475321037 for ; Sat, 03 Jan 2026 00:48:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=KDaEVliS; spf=pass (domain: gmail.com, ip: 209.85.128.47, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-47775fb6c56so98699935e9.1 for ; Sat, 03 Jan 2026 00:48:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767430117; x=1768034917; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=aTewHuoM7N0xKZNVpZlV8KSd5u/uglf/ZVtwRX1vK40=; b=KDaEVliSWUD5s32S0xv50bBag7IObfXLbPjvIKGlWtkknDMdk7GPTvhjcMEX/eIp8K Yc6IQRERF5S2hSvMTAMMhM6xZQo2Rml6M0sxW3vYyE+HB/hsDUQxG2A1tV1g6y8uUIWq MfoFdoNu/Rjr0n6Y2MA+wEzVhdMcNwj0CryIfLooerIPzRWLWyj/OqiODvPA+TAAhaPQ +sXXlqmSb7VFJwPUUaNo3MCuSiEST/G7Q/yqlLHvLyojfwvHuCXTqTRYQdNgzqFjSaT7 prkmSq6oX5Mk0F0C+bPwsBtiPd5cCYnbdP0cP4FBhdBEpvTCkHOWydSZcHVjUPj2M093 OlNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767430117; x=1768034917; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=aTewHuoM7N0xKZNVpZlV8KSd5u/uglf/ZVtwRX1vK40=; b=cZLmARrVJOJhpOfJ/Vb8PLCFZHmRi7g57J1qdPfiFtktRinBipsdqun5cER9ACB+5a Uk3lNH9BalR58rC7PCWEozrZCYHPWLvucEcBBhmh0DMZwlRmwJ0R3PUNW54AGuCJgazi yXgxdFmQzkVG83Z1ZVVkfnlHIqfciK2QX6jE2YNnf8wiShsgnJvcoEVQplm1sdswoQD2 VNH2Kbh4epwrhgYw3aEPNoKBhzM8bobJKM++jNX83sK7GRuytUQ0CqLTwQEHLebfoEQf zMYIXdxU7a7ZJAY62CiWeUMC/4YDBGdBt/gPiRhryemAEC52yJa/wCroL0AvBZkKWzjb WdDw== X-Gm-Message-State: AOJu0YwxaQhwQPr7dkQdBldGfTHVBA0B7rr9nZGsYEAVDvTB0Z4yicvn 2kd0M88ZEJ3rU3d3r7Q5B2TF+DtzgiJNM1Xg3+qZiG2TTp2gc4vsfRAaHNx0bg== X-Gm-Gg: AY/fxX66TxeEAYqjO+6sfot+CqRiZvlJJoc5uIzApBfvSO7pw6n6r06dc6VwOWPzYbI E3HTQTgjW6hlBy4LCg0sfl9+y4aI/4zdTjvIqIVXo5JzeyhKbbBJTwhVH6Tiq7XJpQE1QJod3Kx T736oZUrme5gv2XYxy/ltFcRF1wkk5O6pAni7ag/mQMGW4VLMIH0u6Q28qniqIniGMckpduHfZ0 WxYMclquZKla9qpqA92XyzNmPlZOX5YiJxs9VTKGIvVl/bMfyPvhhLDopDdZlcSSLWrtwnwdPpZ C1Nu7bOjFIklQ1iMQW7deIOZu+ldfpIzAUo3+Is3cY6Bz7JAjrPYzx035KkWzZgd8cThG8Bo+4X K5hmWLl4Az823CyjgCy7PJcL3fblHTdVaQ+xJQFfoM9ZBGv7pH9rQWxwgcndCTOgNb/d0tsQgZw TMdpxaNhnN X-Google-Smtp-Source: AGHT+IFW4YMbSyzJw6PPDVCpGqtE1ydBxEeVS24de3+nwVmw4augs4WXG/cwfx8X/EEGpGpoS4j/MQ== X-Received: by 2002:a05:600c:1914:b0:477:6d96:b3e5 with SMTP id 5b1f17b1804b1-47d1955b79amr500261405e9.7.1767430116585; Sat, 03 Jan 2026 00:48:36 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d6d13ed34sm26491645e9.2.2026.01.03.00.48.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 03 Jan 2026 00:48:35 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-webserver][kirkstone][PATCH 1/5] phpmyadmin: ignore CVE-2020-22452 Date: Sat, 3 Jan 2026 09:48:31 +0100 Message-ID: <20260103084835.2022951-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 03 Jan 2026 08:48:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123099 Details: https://nvd.nist.gov/vuln/detail/CVE-2020-22452 The fix is present in the recipe version (5.1.4)[1] [1]: https://github.com/phpmyadmin/phpmyadmin/pull/16004/commits/ca42395ee4b2936d3702524f8fb8bec1e9502bc7 Signed-off-by: Gyorgy Sarvari --- meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.4.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.4.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.4.bb index 0b855735cb..ca114d1f80 100644 --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.4.bb +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.4.bb @@ -41,3 +41,6 @@ FILES:${PN} = "${datadir}/${BPN} \ ${sysconfdir}/apache2/conf.d" RDEPENDS:${PN} += "bash php-cli" + +# fix is contained in the recipe version +CVE_CHECK_IGNORE = "CVE-2020-22452" From patchwork Sat Jan 3 08:48:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77954 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E6E59FC6179 for ; Sat, 3 Jan 2026 08:48:44 +0000 (UTC) Received: from mail-wm1-f66.google.com (mail-wm1-f66.google.com [209.85.128.66]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.21540.1767430119239111098 for ; Sat, 03 Jan 2026 00:48:39 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ZNQjpTLJ; spf=pass (domain: gmail.com, ip: 209.85.128.66, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f66.google.com with SMTP id 5b1f17b1804b1-47d5e021a53so20325705e9.3 for ; Sat, 03 Jan 2026 00:48:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767430118; x=1768034918; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=O/XbN8DIxsWhzBevWbutP2XRXRkCTytR4mRuiZ6vcoM=; b=ZNQjpTLJQIFvs+72IYlDgCxWwD/K/BLtEsbni+43SdsMI8VEGOHykC0SlkZoDkQDaq i1KhgY7wLKZGw6mq9dL12AUvGA2q+BRWG91mo212oD/DSwQC5K+LNaBHLm/C4fzQ1msC j68j0IZgYbdd9nhfkTu7ohBgW/1ZiZBvmdLjmkC7xGqJRKmNf9yKlOTF24DT6BzotOXq /pd3/9JPJzTGXj6rMYWj17wsChyUSsEQrC2paweKY41raPCk49BZOWsuCtVh3zw9vkJ7 LqNTtia+14vw7iHbYTAvJ+/bFp9fj/GXhGQYizAwFVaUCj3mjqTLcQtm3otmyKkkHsGu 2/hg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767430118; x=1768034918; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=O/XbN8DIxsWhzBevWbutP2XRXRkCTytR4mRuiZ6vcoM=; b=wpH8lAEj+3WsDJtoQLFpl3fjgFC5ATl+gHEKCEXTA5FTT1p4cmRhmvfK3enG2akGzA 5qRHO/QCCfdzZy8EV3yGaTLMbcTEE/QTLZ5Z7YH1SsEmzUWW2evKKU2xD3HXK738HQop wl1ezuc6+wdsJHopXhkPz/ZiNCNnwZkoCl8w/TR0bnLKBjkA5rIM2Ur2lANt3EUJuOai 6TlNKx2kaytcqXN77ItgqQoXGfczisyiUxl5rv2uF6XCnmAnS3BTM7WzZONwB4dIwqX/ opHoBdJZFPxNOVWp9PU4Fmp81mH6XJqR4mCCmWuOkiKEg+Un97dfqxkvchM6aBUGyxn9 u60A== X-Gm-Message-State: AOJu0YyQuG2T9zs21yuCD1GDGXwN+RxQKJ7vPVPcutTJsqKc9SHEurNM qgckA7wmvEIG5ucIUR3Sml7FL7JVCVtuyiy8oPC4CLg3H9I6xsp0mXd/1Vg6AFiN X-Gm-Gg: AY/fxX5FpXi0lZ+iR5NfCBqfjghsQ8SfcO3nGUYF1OFwg3l64oXqC7Y6NJsHMwbDgpz Ezbuk3eCzyCS59e8SblctlWqokiQ3rMqT/1rXPhKL9ibDrftSfPGKCoyDnU2ig4A8T+TwddJ83V mvhX7xxT/DMNjHgJDjT6tyb2g9ROD66FeTye4RDe7x1ERyd6qy1PkGjQhUFLO8yZodXTsCqqFgA bbaNjVvHI4zw2GEbtHB6iuWSwEcvdxL3IroIF9Tuf3RV2IBwECk+9n+8ZGSNy3jCxIDu23oHu8n RCK/5IlKZqzRfxBaLavy/Qkune0yfGtpSrG6SOvrxE1ScTDI5f0xZIXovJnr6pFOUnvoB67C6yf 8dBMDG1LgaaWgn4/Bh744hTHffy5CKTQziLYcea8ClIhP4Jt9SPye+1e66b70Iw99RSaM1FLYh8 IxdIDPk6fV X-Google-Smtp-Source: AGHT+IHbcloNuMpxszZYiSsMw7z+gZyDH+YA/D39g8bQgG08+X4HixaIQ5OblNtJbGhertxqwVZyVw== X-Received: by 2002:a05:600c:1c21:b0:47b:e2a9:2bd9 with SMTP id 5b1f17b1804b1-47d19583142mr648052645e9.31.1767430117568; Sat, 03 Jan 2026 00:48:37 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d6d13ed34sm26491645e9.2.2026.01.03.00.48.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 03 Jan 2026 00:48:36 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 2/5] sassc: ignore CVE-2022-43357 Date: Sat, 3 Jan 2026 09:48:32 +0100 Message-ID: <20260103084835.2022951-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260103084835.2022951-1-skandigraun@gmail.com> References: <20260103084835.2022951-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 03 Jan 2026 08:48:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123100 From: Peter Marko This CVE is fixed in current libsass recipe version. So wrapper around it will also not show this problem. It's usual usecase is to be statically linked with libsass which is probably the reason why this is listed as vulnerable component. [1] links [2] as issue tracker which points to [3] as fix. [4] as base repository for the recipe is not involved and files from [3] are not present in this repository. [1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357 [2] https://github.com/sass/libsass/issues/3177 [3] https://github.com/sass/libsass/pull/3184 [4] https://github.com/sass/sassc/ Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit 576b84263bac4dda26d84d116a9e7628a126f866) Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE) Kirkstone has also the fixed libsass version (3.6.6), the CVE can be considered fixed. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/sass/sassc_git.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-oe/recipes-support/sass/sassc_git.bb b/meta-oe/recipes-support/sass/sassc_git.bb index 9bb8c76e87..12e201a3d7 100644 --- a/meta-oe/recipes-support/sass/sassc_git.bb +++ b/meta-oe/recipes-support/sass/sassc_git.bb @@ -11,4 +11,7 @@ SRCREV = "66f0ef37e7f0ad3a65d2f481eff09d09408f42d0" S = "${WORKDIR}/git" PV = "3.6.2" +# cpe-incorrect: this is CVE for libsass, not sassc wrapper +CVE_CHECK_IGNORE = "CVE-2022-43357" + BBCLASSEXTEND = "native" From patchwork Sat Jan 3 08:48:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77956 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E1650FC6177 for ; Sat, 3 Jan 2026 08:48:54 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.21713.1767430120001089156 for ; Sat, 03 Jan 2026 00:48:40 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=RL7v6ik3; spf=pass (domain: gmail.com, ip: 209.85.128.52, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-47bdbc90dcaso79927345e9.1 for ; Sat, 03 Jan 2026 00:48:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767430118; x=1768034918; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=uRs83gwsmxyzRTSD/PtTiZOkNl4uAL/lhZeb6y7dI3k=; b=RL7v6ik3rrYP24UPNl2uBj6d3reeQcckZNNT6EI9C9inx8sY18Xlt/hKIHZQAr+lGl Sngh06ltRau5OcZWo64LlCdYxmsatTnhlPqw0Rp8lXe8xXlPGvSuMndtlNW5jWX4Esyw Yfne6wcrG4NLLT7TbnQbAWlkXVynl3SzpW8fTx62JAMMKIjjQTPa7IJnpTX67CLGQdDR l8SoNeECGOImqkQcxCWBFDaxvWgqeou3AX1r54WmiUzi9clXmUy0IDFJrf4jiOqeVpyC oTFJBKIyMvfuwDiJ5zsIKUISG90608xf7/snEq4pKcLwI4I+c4tP8TfyMGmSGGEq9oTM 5GDw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767430118; x=1768034918; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=uRs83gwsmxyzRTSD/PtTiZOkNl4uAL/lhZeb6y7dI3k=; b=vwq3P7OpPcFG8vp/YFrSYwUYCGhXF1F0KX0Nu1vSaOdIxunOrEfJdKS2RhZCTkdBVi SwQFQcuPrR3bWP5n2fqU5MDJhPRURwQXpxqtH5oDGWzRocUCdhxm+6MXeahdZg42wxrX rjUInAeI1WhH2ASfj5DqG9Nsm3w5ZlB66/1HrUiqDKyoFomYaKIWGrdnZOjfC2TYyg1S 1wdOch30xvFMutVdYAdzZuDEb7w+k9jVuXdbEJ7ymQwbpTJBI/6YA1DRWrDzK0k5BB+x 8YgOncuIQMTu6sAouosV4vaAMMajgzZoYvg3h9bwh6a5Ub1/yzOk75E9AzJUuYKRjr+u DNEA== X-Gm-Message-State: AOJu0Yw4VHoYO83PFCZbh93zbDBVkFyFkl2Ndo8gX+yC8aH/pD4Y6lAc AeIGDsBPs8RnrK9DK2zzyVe0o10ZAoD/RjD1eQLabLx+JNgNpERjgoz/HPgxsQ== X-Gm-Gg: AY/fxX6HCpU6wufMN0eK8vIZL7mXPqDJFr/OBg8iUEOZaQF0W+qELzD6yTuR91qU5S4 mH+hyxZBJVA6cR+c/owv8+OOhXqLZS/smTE/NJJmc4OAefB8YiL7Oo/cDLWqzm/H/9ruBD2u6Bl BUcR6uMzDRu7erCM9fvu1P1W7En+jukWBin0Et5a/CfYLaBNAPVt6l4C042Ev0lmQJWM79cu6bb BoH0uT7+r8e+M+2XIeey1Nr74i9bM+e/5hA0M4S933ZO8cDt44QdIacM3QxDKaquxptLZjuyrk4 IrHdB0/zW1VbIuQkpibOdvLcTx0wVerbdFoRgJhxD8UiOndynh53zsxLJ8tHkycc16uH+UZkUJ6 x2diifJR90/u7C8xrZuXizRBPMT57UH/useqzRyzAAStsU0PuMpwrHBxBQsTCdUOCVWHiLG70qP RWgHeTVkN1LMjMgZneonM= X-Google-Smtp-Source: AGHT+IGmhesPC0S46fMev31pVwfxeD+d683YMjyKVJlxKG4wVi3P0Eesj/T3IqrZd1WS7+SdxGGzYg== X-Received: by 2002:a05:600c:3ba7:b0:477:7af8:c88b with SMTP id 5b1f17b1804b1-47d1953d798mr542300955e9.11.1767430118314; Sat, 03 Jan 2026 00:48:38 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d6d13ed34sm26491645e9.2.2026.01.03.00.48.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 03 Jan 2026 00:48:37 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 3/5] nodejs: ignore CVE-2024-3566 and CVE-2024-36138 Date: Sat, 3 Jan 2026 09:48:33 +0100 Message-ID: <20260103084835.2022951-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260103084835.2022951-1-skandigraun@gmail.com> References: <20260103084835.2022951-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 03 Jan 2026 08:48:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123101 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-3566 https://nvd.nist.gov/vuln/detail/CVE-2024-36138 This vulnerabilities affect Windows only. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb index 9326b26421..11e9717c6a 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb @@ -54,6 +54,9 @@ CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587" # the vulnerability was introduced later (with libuv 1.45) CVE_CHECK_IGNORE += "CVE-2024-22017" +# this vulnerabilities affect only Windows +CVE_CHECK_IGNORE += "CVE-2024-3566 CVE-2024-36138" + # v8 errors out if you have set CCACHE CCACHE = "" From patchwork Sat Jan 3 08:48:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77955 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD913FC6176 for ; Sat, 3 Jan 2026 08:48:44 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.21541.1767430120682839247 for ; Sat, 03 Jan 2026 00:48:40 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=kTlJzFZ5; spf=pass (domain: gmail.com, ip: 209.85.128.52, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-47d63594f7eso14431945e9.0 for ; Sat, 03 Jan 2026 00:48:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767430119; x=1768034919; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=awKsvZFs7UMjaKiH9AEldbvZuxchOQzDOMDsiqLWPmw=; b=kTlJzFZ5dzNZT1E3sHp8dqZVrlT8kYUwBYZWTWI6ko8jlLoGqNIkstzzdBTsuQLlSG 9zon6E2taEkNmXq2svoLquKd/uTRK4KxXdqvMVg5hmPd+r1ICTfSNiQKvk+rIejUmh8i WwXKSv1kUoTfigOczSYzsqzg5zz1JYhRenG6kLkq8dkw+P47k1RjBTi2AwcAVEAkmrv1 byEN84w+zdDrgDPfmjH1QleEioblx8hHmK+63cIOcMlRRPNCnjxNG+Krz5vOuiYwRP4o dQ0rZIXrOn2rKBVfGeZTPwxTTeM7j0hj7+tZN0NCS0p5W6zItj88L2tL/8fcvfS7XLjR gxCA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767430119; x=1768034919; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=awKsvZFs7UMjaKiH9AEldbvZuxchOQzDOMDsiqLWPmw=; b=Vx566Qph2X7LWTjqHWQnXpU+pIJZXRgDiWz+38NuRx/9mGm0KQIh1hDaXBC2dx8rUX NUMzW7Abo/bYbJzRa+ypXsurN4Np2Ok9UxdTTKSsUC0eU1kjktU9etbcWBgvJ9EXekno 9hF9eJ5+dUjDI9+nOZefSCWMPuivTf4i6aoSBRnQu3Cb80kEQhpfF2S837dWwtpvX42d NJ3edQRu3d5bowz3udkhdoD8IfcxfW/yeMSretelt0+cTJWqNHOkxquopTKfsSk4pNc6 3BCflgRvl2K9M2vFmaOu327GA04ctXHgpjGeqTKqv2qoDwR6XaFIUSfJYCURa9h0nkPw xAXg== X-Gm-Message-State: AOJu0YzycXJbAuvhgk+L82iqsuGkGYAk7Zwdk3jFEwe/LpcmQjAW+bHg mHF2kzPXx4XciwMXVrNWqBWf1SeOGb8OrOyjcKWCAA6/o3cmr/p0UKcTBrh0Gw== X-Gm-Gg: AY/fxX50plgPw3R2YaTUcs5/d8KbohvBN2pvgXZAYWnroeiHKty1JN5Qror0WSivqY6 fhhwfTy5PUo2jlTLJsNW3blPvJmdl2KbxQMTlPV6XzI8XvndmVpJjKPNc8pirN1jl7Hwc9480XX 6GETXvcrdZkNAu5duwt4rQNMnVBn8ABYlm4fI+YIacVXvj3EDFom+pzyHd6DqLY3A1MIcuy06Iv 3VRQ9RVcEPKozQlQ4hCAhPEKc0jpkwZQFAmXDqixE2mmM2xRRmZ59C/ZwQyuIGe2yyGfaayWp27 x3QGGGb7MdY0ADQwQnIPhfItXstKwWT3CtFFv4NGcut60Bx1yTE0bqkr2tjm21LNyK9zZYLHUwf FYkVyCw5cKrQCuQIzdgcy08OspEicNM/qeLkSLkIsGx2Kx1TxnieFBxw/qXxaoDzZjXmGR0iWU/ kmNPjZLPZm X-Google-Smtp-Source: AGHT+IFuJ27k5MKa+7d02WO1TvUDOd+ZodVwnGjdRK1QfFbY3QO1BzEnerxh6DeT0sGU4W+BPFo5hw== X-Received: by 2002:a05:600c:3489:b0:479:2a09:9262 with SMTP id 5b1f17b1804b1-47d1953dabamr541249285e9.9.1767430119045; Sat, 03 Jan 2026 00:48:39 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d6d13ed34sm26491645e9.2.2026.01.03.00.48.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 03 Jan 2026 00:48:38 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 4/5] nodejs: ignore CVE-2024-36137 Date: Sat, 3 Jan 2026 09:48:34 +0100 Message-ID: <20260103084835.2022951-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260103084835.2022951-1-skandigraun@gmail.com> References: <20260103084835.2022951-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 03 Jan 2026 08:48:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123102 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36137 The vulnerability affects the permission model, which was introduced[1] in v20 - the recipe version isn't vulerable yet. [1]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885 Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb index 11e9717c6a..2a7324a203 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb @@ -49,7 +49,7 @@ S = "${WORKDIR}/node-v${PV}" CVE_PRODUCT = "nodejs node.js" # the vulnerabilities were introduced in v20 -CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587" +CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587 CVE-2024-36137" # the vulnerability was introduced later (with libuv 1.45) CVE_CHECK_IGNORE += "CVE-2024-22017" From patchwork Sat Jan 3 08:48:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77952 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8D5BFC6177 for ; Sat, 3 Jan 2026 08:48:44 +0000 (UTC) Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.21542.1767430121457139552 for ; Sat, 03 Jan 2026 00:48:41 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=YYM7SxWR; spf=pass (domain: gmail.com, ip: 209.85.128.41, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-47a95efd2ceso113497645e9.2 for ; Sat, 03 Jan 2026 00:48:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767430120; x=1768034920; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YP7TaSwPbfWbjBIYENl/PHmWuJ42b969Ap2VGXi7NzI=; b=YYM7SxWRKmUa421a/Yj3bYEw6bEeqk9jCQyJt9s2OgtHu5NQ7cYJXDzRD9tGO8Ta0P IfR80sHaLhBHWzGkb8BoJkD9Yyg2Ua9YCDJ7mNjfCrt4ZQhWsda8br4qYb5VmhVnaDIx 2qcaQw75uXQogz07+2GXcapr04CCmE4A79UoprkXx6dHB+kp1BHWoV51Fr2Q+cBgB+Jl dNJ1yHZNpOumY7NDy0XGks9jUeb//BmwTeGWLQUGCxSunfhniJgaoeTX3zMJCnK6hdTp yJbV3+xRKiVNMsi/EiMaLitn/iDLGsoiJP9OcEFdQvOrXpOc/Mya/CYxdSAYxeCz+K6Y LakA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767430120; x=1768034920; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=YP7TaSwPbfWbjBIYENl/PHmWuJ42b969Ap2VGXi7NzI=; b=PAeHCOO7b4xiOFfKqmUjFMvfPuvanToNd4skG2YTVzVEzWW5zpjxmn9FqmIoeLbN0I 5J/jD31CfvaB//bQRNvezRYvaDCOsbAFlpkVMeq0kBUSnrId/huj4lse8084MF/fPv9u AMxPnk+A75UmT81GrWysukBvaMe8Kxe9mqrwo/akkIie44BHN5LFU5qfmb3bybjjx4Fb y6OEPNGZwVnOHDw3Kdp//BMlICc8Qk16veuoFMxH+gqlJOyY0MpwfSZVJKCLYubrVvyY rFYySpXF6sUtPT8ujTeXUctZfKBVVak0jUkFNI0uLGrg2qAPuvVgG60LlaWnbNEx7957 cgpw== X-Gm-Message-State: AOJu0Yz0PTf8Fo2NnJBniSdLDqOUM1D+h6drSUHXHshSsY8ViZa6tgaj o+HmSsCFEO/jsfk8uNPxe/IJq6nj2GLrQb3nBiSidHApRCsmw+PaUS2j0/Pv0A== X-Gm-Gg: AY/fxX63IZoDi9TzGVLHUrK0yklI4jySjIuapnIHOc0g94Tgw1EM26CU/ZSI8fnWMcP SPlHR8CMAaZy9oQ72FpxSTeDVLPTgPV8KMHxS3lHbsgLtDmdhO7FpN/TdQr140wsKa41oAFRh6b 1b2DGkZWlFsZpH1QLtn57zz8P3QlWDNIJMwLRdfMKNXWXiLD0I6nj9g2ym/6VspT0j0nilQgQQu E4A2Hd1NrG8MCGE/mbuktibtadmbN/DJGwoxkUKFSNzv3inCXZrV+8BJ8pIh/O6W6uBSur0WlrD yVAJtR16jacrWxmn5wWH2hczX6Y4jXf5Tts1L+F25wOJePvwMpUz1hgEuH1dv8+PbNIjVFv72N5 5DnZjmQGXI4EVBGj8Mh5QlWnM5no2NwYAVJX926IDqYsOudtvHtyuIY2fykV7eFXK6uiuISmzse e1Ar3WDp16 X-Google-Smtp-Source: AGHT+IFdiAWLZupcVYh11CK/pWxC8ZxI/OdeO0GSE0zj4/4OPJk+2mTCJEs7UfmUJ7PtJMoPZvCxZw== X-Received: by 2002:a05:600c:858e:b0:46f:c55a:5a8d with SMTP id 5b1f17b1804b1-47d1c629902mr423842135e9.4.1767430119751; Sat, 03 Jan 2026 00:48:39 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d6d13ed34sm26491645e9.2.2026.01.03.00.48.39 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 03 Jan 2026 00:48:39 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 5/5] netdata: ignore CVE-2024-32019 Date: Sat, 3 Jan 2026 09:48:35 +0100 Message-ID: <20260103084835.2022951-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260103084835.2022951-1-skandigraun@gmail.com> References: <20260103084835.2022951-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 03 Jan 2026 08:48:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123103 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32019 The vulnerability affects the ndsudo binary, part of netdata. This binary was introduced in version 1.45.0[1], and the recipe contains v1.34.1 - which is not vulnerable yet. Ignore the CVE due to this. [1]: https://github.com/netdata/netdata/commit/0c8b46cbfd05109a45ee4de27f034567569fa3fa Signed-off-by: Gyorgy Sarvari --- meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb b/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb index 71fb0783b6..516fde6281 100644 --- a/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb +++ b/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb @@ -79,3 +79,6 @@ do_install:append() { FILES:${PN} += "${localstatedir}/cache/netdata/ ${localstatedir}/lib/netdata/" RDEPENDS:${PN} = "bash zlib" + +# versions <1.45.0 are not vulnerable yet +CVE_CHECK_IGNORE = "CVE-2024-32019"