From patchwork Fri Jan 23 17:02:12 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 79526
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][scarthgap][PATCH 01/10] python3-django: upgrade 4.2.20 -> 4.2.27
Date: Fri, 23 Jan 2026 18:02:12 +0100
Message-ID: <20260123170221.671471-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123786

Upstream has switched from setuptools3 build backend to setuptools_build_meta,
however their setuptools requirements are higher than what's available in
oe-core. As a workaround, add a patch that lowers the requirements.

This change has been tested by successfully executing the django test suite
in qemu (without Selenium tests).

Changes:
4.2.27: https://docs.djangoproject.com/en/6.0/releases/4.2.27/
- Fix CVE-2025-13372
- Fix CVE-2025-64460
- Fixed a regression in Django 4.2.26 where DisallowedRedirect was raised by
  HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than
  2048 characters. The limit is now 16384 characters

4.2.26: https://docs.djangoproject.com/en/6.0/releases/4.2.26/
- Fix CVE-2025-64458
- Fix CVE-2025-64459

4.2.25: https://docs.djangoproject.com/en/6.0/releases/4.2.25/
- Fix CVE-2025-59681
- Fix CVE-2025-59682

4.2.24: https://docs.djangoproject.com/en/6.0/releases/4.2.24/
- Fix CVE-2025-57833

4.2.23: https://docs.djangoproject.com/en/6.0/releases/4.2.23/
- Fix CVE-2025-48432

4.2.22: https://docs.djangoproject.com/en/6.0/releases/4.2.22/
- Fix CVE-2025-48432

4.2.21: https://docs.djangoproject.com/en/6.0/releases/4.2.21/
- Change build backend
- Fix CVE-2025-32873
- Fixed a data corruption possibility in file_move_safe() when
  allow_overwrite=True, where leftover content from a previously larger file
  could remain after overwriting with a smaller one due to lack of truncation
- Fixed a regression in Django 4.2.20, introduced when fixing CVE 2025-26699,
  where the wordwrap template filter did not preserve empty lines between
  paragraphs after wrapping text

Signed-off-by: Gyorgy Sarvari
--- .../0001-lower-setuptools-requirements.patch | 25 +++++++++++++++++++ .../python/python3-django_4.2.20.bb | 14 ----------- .../python/python3-django_4.2.27.bb | 17 +++++++++++++ 3 files changed, 42 insertions(+), 14 deletions(-) create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch delete mode 100644 meta-python/recipes-devtools/python/python3-django_4.2.20.bb create mode 100644 meta-python/recipes-devtools/python/python3-django_4.2.27.bb diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch b/meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch new file mode 100644 index 0000000000..5f6707467b --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-4.2.27/0001-lower-setuptools-requirements.patch
@@ -0,0 +1,25 @@ +From 10ddc1ee660ed5ee4d9aa21f751eb07a1b260b6c Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Fri, 23 Jan 2026 13:49:53 +0100 +Subject: [PATCH] lower setuptools requirements + +Scarthgap ships with version 69.1.1 - adjust the requirements for that. + +Upstream-Status: Inappropriate [specific to OE LTS versions] +Signed-off-by: Gyorgy Sarvari +--- + pyproject.toml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pyproject.toml b/pyproject.toml +index 4635d0e..319b261 100644 +--- a/pyproject.toml ++++ b/pyproject.toml +@@ -1,6 +1,6 @@ + [build-system] + requires = [ +- "setuptools>=75.8.1; python_version >= '3.9'", ++ "setuptools>=69.0.0; python_version >= '3.9'", + "setuptools<75.4.0; python_version < '3.9'", + ] + build-backend = "setuptools.build_meta" diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb deleted file mode 100644 index 3fb8b03224..0000000000 --- a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb +++ /dev/null @@ -1,14 +0,0 @@ -require python-django.inc -inherit setuptools3 - -SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789" - -RDEPENDS:${PN} += "\ - python3-sqlparse \ - python3-asgiref \ -" - -# Set DEFAULT_PREFERENCE so that the LTS version of django is built by -# default. To build the 4.x branch, -# PREFERRED_VERSION_python3-django = "4.2.20" can be added to local.conf -DEFAULT_PREFERENCE = "-1" diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.27.bb b/meta-python/recipes-devtools/python/python3-django_4.2.27.bb new file mode 100644 index 0000000000..038b0220fa --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django_4.2.27.bb 
@@ -0,0 +1,17 @@ +require python-django.inc +inherit python_setuptools_build_meta + +SRC_URI += "file://0001-lower-setuptools-requirements.patch" +SRC_URI[sha256sum] = "b865fbe0f4a3d1ee36594c5efa42b20db3c8bbb10dff0736face1c6e4bda5b92" + +RDEPENDS:${PN} += "\ + python3-sqlparse \ + python3-asgiref \ +" + +PYPI_PACKAGE = "django" + +# Set DEFAULT_PREFERENCE so that the LTS version of django is built by +# default. To build the 4.x branch, +# PREFERRED_VERSION_python3-django = "4.2.%" can be added to local.conf +DEFAULT_PREFERENCE = "-1"
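Review bot: in 0001-lower-setuptools-requirements.patch (patch 01/10) the new floor is "setuptools>=69.0.0", while the patch description justifies it with Scarthgap shipping 69.1.1, and neither the description nor the commit message says what upstream needed 75.8.1 for. Please state in the patch header why 69.0.0 was chosen and what was checked besides the runtime test suite (for instance that the package builds with the same metadata under the older setuptools), since this "Upstream-Status: Inappropriate" patch will have to be carried and re-validated on every later 4.2.x bump.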
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 02/10] redis: ignore CVE-2025-46686
Date: Fri, 23 Jan 2026 18:02:13 +0100
Message-ID: <20260123170221.671471-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260123170221.671471-1-skandigraun@gmail.com>
References: <20260123170221.671471-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123787

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-46686

Upstream disputes that it is a security violation, and says that
implementing a mitigation for this would negatively affect the rest
of the application, so they elected to ignore it.

See Github advisory about the same vulnerability:
https://github.com/redis/redis/security/advisories/GHSA-2r7g-8hpc-rpq9

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 868b4b2959c1f6be13693e31eae5b27a1fa697e6)
Signed-off-by: Gyorgy Sarvari
--- meta-oe/recipes-extended/redis/redis_6.2.21.bb | 2 ++ meta-oe/recipes-extended/redis/redis_7.2.12.bb | 2 ++ 2 files changed, 4 insertions(+) diff --git a/meta-oe/recipes-extended/redis/redis_6.2.21.bb b/meta-oe/recipes-extended/redis/redis_6.2.21.bb index 82e029fd82..c47f51692d 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.21.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.21.bb @@ -23,6 +23,8 @@ SRC_URI[sha256sum] = "6383b32ba8d246f41bbbb83663381f5a5f4c4713235433cec22fc4a47e inherit autotools-brokensep update-rc.d systemd useradd +CVE_STATUS[CVE-2025-46686] = "disputed: upstream rejected because mitigating it would affect other functionality" + FINAL_LIBS:x86:toolchain-clang = "-latomic" FINAL_LIBS:riscv32 = "-latomic" FINAL_LIBS:mips = "-latomic"
diff --git a/meta-oe/recipes-extended/redis/redis_7.2.12.bb b/meta-oe/recipes-extended/redis/redis_7.2.12.bb index 98af45cb88..2b4087a74b 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.12.bb 
@@ -21,6 +21,8 @@ SRC_URI[sha256sum] = "97c60478a7c777ac914ca9d87a7e88ba265926456107e758c62d8f971d inherit autotools-brokensep pkgconfig update-rc.d systemd useradd +CVE_STATUS[CVE-2025-46686] = "disputed: upstream rejected because mitigating it would affect other functionality" + FINAL_LIBS:x86:toolchain-clang = "-latomic" FINAL_LIBS:riscv32 = "-latomic" FINAL_LIBS:mips = "-latomic"
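Review bot: the CVE_STATUS[CVE-2025-46686] line added to redis_6.2.21.bb and redis_7.2.12.bb (patch 02/10) records the dispute but not where it is documented; the GHSA-2r7g-8hpc-rpq9 advisory URL appears only in the commit message. A comment carrying that URL directly above the assignment in each recipe would let whoever audits the cve-check output later verify the "disputed" status without searching git history. The same string is also duplicated in both recipes, so the two copies have to be kept in sync on future version bumps.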
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][scarthgap][PATCH 03/10] strongswan: patch CVE-2025-62291
Date: Fri, 23 Jan 2026 18:02:14 +0100
Message-ID: <20260123170221.671471-3-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260123170221.671471-1-skandigraun@gmail.com>
References: <20260123170221.671471-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123789

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-62291

Pick the patch that is mentioned on the vendor's blog[1], that is also
referenced in the NVD report.

[1]: https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html

Signed-off-by: Gyorgy Sarvari
--- .../strongswan/CVE-2025-62291.patch | 45 +++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 3 +- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch diff --git a/meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch b/meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch new file mode 100644 index 0000000000..df5568235e --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch
@@ -0,0 +1,45 @@ +From 8412dbb2dc054191b03df8e7fbc3dd8bf4c10be3 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Thu, 9 Oct 2025 11:33:45 +0200 +Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on + the client + +For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes +`message_len` to become negative, which is then used in calls to malloc() +and memcpy() that both take size_t arguments, causing an integer +underflow. + +For 6 and 7, the huge size requested from malloc() will fail (it exceeds +PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation +fault in memcpy(). + +However, for 8, the allocation is 0, which succeeds. But then the -1 +passed to memcpy() causes a heap-based buffer overflow (and possibly a +segmentation fault when attempting to read/write that much data). +Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g. +Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer +overflow and causes the daemon to get aborted immediately instead. 
+ +Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2") +Fixes: CVE-2025-62291 + +CVE: CVE-2025-62291 +Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/c687ada6a6f68913651e355fd09f906893096b32] +Signed-off-by: Gyorgy Sarvari +--- + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +index 1bb54c8..9ad509a 100644 +--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c ++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +@@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, + data = in->get_data(in); + eap = (eap_mschapv2_header_t*)data.ptr; + +- if (data.len < 3) /* we want at least an error code: E=e */ ++ if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */ + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short"); + return FAILED; diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index 2e2da8274b..4592381a36 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb 
@@ -9,7 +9,8 @@ DEPENDS = "flex-native flex bison-native" DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ - " + file://CVE-2025-62291.patch \ + " SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
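Review bot: in CVE-2025-62291.patch (patch 03/10) the "From 8412dbb2dc054191b03df8e7fbc3dd8bf4c10be3" line and the commit named in "Upstream-Status: Backport [.../commit/c687ada6a6f68913651e355fd09f906893096b32]" are different hashes, and the commit message says the patch was picked from the vendor's blog. Please say in the patch header which of the two sources the file was taken from and whether it applied to 5.9.14 unmodified, so the backport can be compared against upstream. The one-line change itself is consistent with the description: with HEADER_LEN at 9, "data.len < HEADER_LEN + 3" rejects the lengths 6 to 8 that previously underflowed message_len.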
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][scarthgap][PATCH 04/10] python3-flask-cors: upgrade 4.0.0 -> 4.0.2
Date: Fri, 23 Jan 2026 18:02:15 +0100
Message-ID: <20260123170221.671471-4-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260123170221.671471-1-skandigraun@gmail.com>
References: <20260123170221.671471-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123788

Contains a fix for CVE-2024-6221 (related patch dropped) and CVE-2024-1681

Changelog:
4.0.1:
- Fix Read the Docs builds
- Update extension.py to clean request.path before logging it
- Update CI to include Python 3.12 and flask 3.0.3

4.0.2:
- Bump requests from 2.31.0 to 2.32.0 in /docs
- Backwards Compatible Fix for CVE-2024-6221
- Add unit tests for Private-Network

Signed-off-by: Gyorgy Sarvari
--- .../python3-flask-cors/CVE-2024-6221.patch | 110 ------------------ ...s_4.0.0.bb => python3-flask-cors_4.0.2.bb} | 8 +- 2 files changed, 2 insertions(+), 116 deletions(-) delete mode 100644 meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch rename meta-python/recipes-devtools/python/{python3-flask-cors_4.0.0.bb => python3-flask-cors_4.0.2.bb} (71%) diff --git a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch deleted file mode 100644 index 9049b2ffe6..0000000000 --- a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch +++ /dev/null
@@ -1,110 +0,0 @@ -From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001 -From: Adriano Sela Aviles -Date: Fri, 30 Aug 2024 12:14:31 -0400 -Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363) - -CVE: CVE-2024-6221 - -Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec] - -Signed-off-by: Soumya Sambu ---- - docs/configuration.rst | 14 ++++++++++++++ - flask_cors/core.py | 8 +++++--- - flask_cors/extension.py | 16 ++++++++++++++++ - 3 files changed, 35 insertions(+), 3 deletions(-) - -diff --git a/docs/configuration.rst b/docs/configuration.rst -index 91282d3..c750cf4 100644 ---- a/docs/configuration.rst -+++ b/docs/configuration.rst -@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`) - Headers to accept from the client. - Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header. - -+CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`) -+ If True, the response header :http:header:`Access-Control-Allow-Private-Network` -+ will be set with the value 'true' whenever the request header -+ :http:header:`Access-Control-Request-Private-Network` has a value 'true'. -+ -+ If False, the reponse header :http:header:`Access-Control-Allow-Private-Network` -+ will be set with the value 'false' whenever the request header -+ :http:header:`Access-Control-Request-Private-Network` has a value of 'true'. -+ -+ If the request header :http:header:`Access-Control-Request-Private-Network` is -+ not present or has a value other than 'true', the response header -+ :http:header:`Access-Control-Allow-Private-Network` will not be set. -+ - CORS_ALWAYS_SEND (:py:class:`bool`) - Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS. 
- This means we can ignore this request. -@@ -83,6 +96,7 @@ Default values - ~~~~~~~~~~~~~~ - - * CORS_ALLOW_HEADERS: "*" -+* CORS_ALLOW_PRIVATE_NETWORK: True - * CORS_ALWAYS_SEND: True - * CORS_AUTOMATIC_OPTIONS: True - * CORS_EXPOSE_HEADERS: None -diff --git a/flask_cors/core.py b/flask_cors/core.py -index 5358036..bd011f4 100644 ---- a/flask_cors/core.py -+++ b/flask_cors/core.py -@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS', - 'CORS_MAX_AGE', 'CORS_SEND_WILDCARD', - 'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER', - 'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS', -- 'CORS_ALWAYS_SEND'] -+ 'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK'] - # Attribute added to request object by decorator to indicate that CORS - # was evaluated, in case the decorator and extension are both applied - # to a view. -@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*', - vary_header=True, - resources=r'/*', - intercept_exceptions=True, -- always_send=True) -+ always_send=True, -+ allow_private_network=True) - - - def parse_resources(resources): -@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method): - - if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \ - and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true': -- headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true' -+ allow_private_network = 'true' if options.get('allow_private_network') else 'false' -+ headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network - - # This is a preflight request - # http://www.w3.org/TR/cors/#resource-preflight-requests -diff --git a/flask_cors/extension.py b/flask_cors/extension.py -index c00cbff..694953f 100644 ---- a/flask_cors/extension.py -+++ b/flask_cors/extension.py -@@ -136,6 +136,22 @@ class CORS(object): - - Default : True - :type vary_header: bool -+ -+ :param allow_private_network: -+ If True, the response header `Access-Control-Allow-Private-Network` -+ will be set with the value 'true' whenever 
the request header -+ `Access-Control-Request-Private-Network` has a value 'true'. -+ -+ If False, the reponse header `Access-Control-Allow-Private-Network` -+ will be set with the value 'false' whenever the request header -+ `Access-Control-Request-Private-Network` has a value of 'true'. -+ -+ If the request header `Access-Control-Request-Private-Network` is -+ not present or has a value other than 'true', the response header -+ `Access-Control-Allow-Private-Network` will not be set. -+ -+ Default : True -+ :type allow_private_network: bool - """ - - def __init__(self, app=None, **kwargs): --- -2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.2.bb similarity index 71% rename from meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb rename to meta-python/recipes-devtools/python/python3-flask-cors_4.0.2.bb index 77b51c5515..ca9facac46 100644 --- a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.2.bb 
@@ -7,13 +7,9 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce" -PYPI_PACKAGE = "Flask-Cors" +PYPI_PACKAGE = "flask_cors" -SRC_URI += " \ - file://CVE-2024-6221.patch \ -" - -SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0" +SRC_URI[sha256sum] = "493b98e2d1e2f1a4720a7af25693ef2fe32fbafec09a2f72c59f3e475eda61d2" inherit pypi setuptools3
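Review bot: the recipe hunk drops `file://CVE-2024-6221.patch` from SRC_URI and nothing in the recipe records why, so the upgrade is only safe if 4.0.2 carries that fix itself; please say so explicitly in the commit message. The removed backport left the option permissive by default (`allow_private_network=True` in DEFAULT_OPTIONS), so it is also worth stating whether 4.0.2 ships the same default, since images that relied on the backport's behaviour inherit whatever upstream chose. The change of PYPI_PACKAGE from "Flask-Cors" to "flask_cors" is unexplained as well; a short note on why the name had to change would help.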
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][scarthgap][PATCH 05/10] python3-waitress: upgrade 3.0.0 -> 3.0.2
Date: Fri, 23 Jan 2026 18:02:16 +0100
Message-ID: <20260123170221.671471-5-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260123170221.671471-1-skandigraun@gmail.com>
References: <20260123170221.671471-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 17:02:28 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123790

Contains fixes for CVE-2024-49768 and CVE-2024-49769

Changelog:
3.0.1:
- Python 3.8 is no longer supported.
- Added support for Python 3.13.
- Fix a bug that would lead to Waitress busy looping on select() on a half-open socket due to a race condition that existed when creating a new HTTPChannel.
- No longer strip the header values before passing them to the WSGI environ.
- Fix a race condition in Waitress when `channel_request_lookahead` is enabled that could lead to HTTP request smuggling.

3.0.2:
- When using Waitress to process trusted proxy headers, Waitress will now update the headers to drop any untrusted values, thereby making sure that WSGI apps only get trusted and validated values that Waitress itself used to update the environ.

Signed-off-by: Gyorgy Sarvari
---
 .../{python3-waitress_3.0.0.bb => python3-waitress_3.0.2.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-python/recipes-devtools/python/{python3-waitress_3.0.0.bb => python3-waitress_3.0.2.bb} (82%)
diff --git a/meta-python/recipes-devtools/python/python3-waitress_3.0.0.bb b/meta-python/recipes-devtools/python/python3-waitress_3.0.2.bb similarity index 82% rename from meta-python/recipes-devtools/python/python3-waitress_3.0.0.bb rename to meta-python/recipes-devtools/python/python3-waitress_3.0.2.bb index 7470fc02a0..b8e90807cf 100644 --- a/meta-python/recipes-devtools/python/python3-waitress_3.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-waitress_3.0.2.bb 
@@ -10,6 +10,6 @@ RDEPENDS:${PN} += " \ python3-logging \ " -SRC_URI[sha256sum] = "005da479b04134cdd9dd602d1ee7c49d79de0537610d653674cc6cbde222b8a1" +SRC_URI[sha256sum] = "682aaaf2af0c44ada4abfb70ded36393f0e307f4ab9456a215ce0020baefc31f" inherit python_setuptools_build_meta pypi
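Review bot: only the sha256sum changes in this hunk, so every behaviour change in the upgrade comes straight from upstream, and two entries in the quoted changelog matter on a stable branch: 3.0.1 no longer strips header values before passing them to the WSGI environ, and 3.0.2 rewrites trusted proxy headers to drop untrusted values. Please state in the commit message that these were considered acceptable for scarthgap, and say which changelog entry fixes CVE-2024-49768 and which fixes CVE-2024-49769, so the claim in the first line can be audited later.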
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][scarthgap][PATCH 06/10] python3-twitter: mark CVE-2012-5825 patched
Date: Fri, 23 Jan 2026 18:02:17 +0100
Message-ID: <20260123170221.671471-6-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260123170221.671471-1-skandigraun@gmail.com>
References: <20260123170221.671471-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 17:02:39 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123791

Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825

The Debian bugtracker[1] indicated that the issue is tracked by upstream in github[2] (with a different CVE ID, but same issue), where the vulnerability was confirmed.

Later in the same github issue the solution is confirmed: the project switched to use the requests library, which doesn't suffer from this vulnerability.

Due to this mark the CVE as patched.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444
[2]: https://github.com/tweepy/tweepy/issues/279

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 3ee544e7591b36a49550a263a0ec4d64b5e490e8)
Signed-off-by: Gyorgy Sarvari
---
 meta-python/recipes-devtools/python/python3-twitter_4.14.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-python/recipes-devtools/python/python3-twitter_4.14.0.bb b/meta-python/recipes-devtools/python/python3-twitter_4.14.0.bb index 23ea996258..2ab6460626 100644 --- a/meta-python/recipes-devtools/python/python3-twitter_4.14.0.bb +++ b/meta-python/recipes-devtools/python/python3-twitter_4.14.0.bb
@@ -17,3 +17,5 @@ RDEPENDS:${PN} += "\ python3-requests-oauthlib \ python3-six \ " + +CVE_STATUS[CVE-2012-5825] = "fixed-version: The vulnerability has been fixed since v3.1.0"
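Review bot: the reason string on the added CVE_STATUS line names v3.1.0 as the fixing release, but the commit message only says that the project switched to the requests library and never mentions a version. Please cite where v3.1.0 comes from (the release or commit referenced in the linked tweepy issue), either in the commit message or in a comment above the entry, so the `fixed-version` claim can be verified without redoing the research.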
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][scarthgap][PATCH 07/10] python3-m2crypto: ignore CVE-2009-0127
Date: Fri, 23 Jan 2026 18:02:18 +0100
Message-ID: <20260123170221.671471-7-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260123170221.671471-1-skandigraun@gmail.com>
References: <20260123170221.671471-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 17:02:39 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123792

Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127

The vulnerability is disputed[1] by upstream:
"There is no vulnerability in M2Crypto. Nowhere in the functions are the return values of OpenSSL functions interpreted incorrectly. The functions provide an interface to their users that may be considered confusing, but is not incorrect, nor it is a vulnerability."

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit b46a5452a1c1a417f2971e494e151fa1f4022e36)
Signed-off-by: Gyorgy Sarvari
---
 meta-python/recipes-devtools/python/python3-m2crypto_0.40.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.40.1.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.40.1.bb index 1d8c22d196..95c57d5d48 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.40.1.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.40.1.bb
@@ -16,6 +16,8 @@ SRC_URI[sha256sum] = "bbfd113ec55708c05816252a4f09e4237df4f3bbfc8171cbbc33057d25 PYPI_PACKAGE = "M2Crypto" inherit pypi siteinfo setuptools3 +CVE_STATUS[CVE-2009-0127] = "disputed: upstream claims there is no bug" + DEPENDS += "openssl swig-native" RDEPENDS:${PN} += "\ python3-datetime \
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][scarthgap][PATCH 08/10] python3-m2crypto: mark CVE-2020-25657 as patched
Date: Fri, 23 Jan 2026 18:02:19 +0100
Message-ID: <20260123170221.671471-8-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260123170221.671471-1-skandigraun@gmail.com>
References: <20260123170221.671471-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 17:02:39 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123793

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-25657

The commit[1] that fixes the vulnerability has been part of the package since version 0.39.0

[1]: https://git.sr.ht/~mcepl/m2crypto/commit/84c53958def0f510e92119fca14d74f94215827a

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit ba6468f7a09bf8e268ea5ac7939925c362ead876)
Signed-off-by: Gyorgy Sarvari
---
 meta-python/recipes-devtools/python/python3-m2crypto_0.40.1.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.40.1.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.40.1.bb index 95c57d5d48..736399c9d2 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.40.1.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.40.1.bb
@@ -17,6 +17,7 @@ PYPI_PACKAGE = "M2Crypto" inherit pypi siteinfo setuptools3 CVE_STATUS[CVE-2009-0127] = "disputed: upstream claims there is no bug" +CVE_STATUS[CVE-2020-25657] = "fixed-version: the used version (0.40.1) contains the fix already" DEPENDS += "openssl swig-native" RDEPENDS:${PN} += "\
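Review bot: the reason on the added line, "the used version (0.40.1) contains the fix already", ties the justification to the current recipe version and will read as stale after the next upgrade of this recipe. The commit message already has the durable fact, that the fixing commit has been part of the package since 0.39.0; put that version in the reason string instead, for example "fixed-version: fixed since 0.39.0".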
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 09/10] openvpn: ignore CVE-2025-13751
Date: Fri, 23 Jan 2026 18:02:20 +0100
Message-ID: <20260123170221.671471-9-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260123170221.671471-1-skandigraun@gmail.com>
References: <20260123170221.671471-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 17:02:39 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123794

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-13751

The vulnerability is Windows specific, can be ignored.

Signed-off-by: Gyorgy Sarvari
---
 meta-networking/recipes-support/openvpn/openvpn_2.6.14.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.14.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.14.bb index 305a69bec4..d9c3a4e719 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.6.14.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.14.bb
@@ -18,6 +18,7 @@ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" SRC_URI[sha256sum] = "9eb6a6618352f9e7b771a9d38ae1631b5edfeed6d40233e243e602ddf2195e7a" CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn" +CVE_STATUS[CVE-2025-13751] = "not-applicable-platform: The vulnerability is Windows specific" INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME:${PN} = "openvpn"
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 10/10] libmad: ignore CVE-2017-11552 and CVE-2018-7263
Date: Fri, 23 Jan 2026 18:02:21 +0100
Message-ID: <20260123170221.671471-10-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260123170221.671471-1-skandigraun@gmail.com>
References: <20260123170221.671471-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 23 Jan 2026 17:02:39 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123795

From: Peter Marko

These CVEs are for mpg321, not libmad.

See Debian assessment:
* https://security-tracker.debian.org/tracker/CVE-2017-11552
* https://security-tracker.debian.org/tracker/CVE-2018-7263

Signed-off-by: Peter Marko
Signed-off-by: Khem Raj
(cherry picked from commit fee86a312fbcaef7aaad66fe2f6756bd7e57d585)
Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb b/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb index e70c8e3ed1..060fde0403 100644 --- a/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb +++ b/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb @@ -34,3 +34,6 @@ do_configure:prepend () { } ARM_INSTRUCTION_SET = "arm" + +CVE_STATUS[CVE-2017-11552] = "cpe-incorrect: this CVE is for mpg321, not libmad" +CVE_STATUS[CVE-2018-7263] = "cpe-incorrect: this CVE is for mpg321, not libmad"