From patchwork Mon Apr 13 21:14:42 2026 X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 85940
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 1/6] xdg-utils: set status for CVE-2025-52968 Date: Mon, 13 Apr 2026 23:14:42 +0200 Message-ID: <20260413211447.564257-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 21:16:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235123 From: Peter Marko This CVE has tag "disputed", see [1]. [1] https://github.com/CVEProject/cvelistV5/blob/cve_2026-04-12_1800Z/cves/2025/52xxx/CVE-2025-52968.json#L91 Signed-off-by: Peter Marko --- meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb index 3ee320da5a..e39a65831e 100644 --- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb +++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb 
@@ -36,3 +36,5 @@ REQUIRED_DISTRO_FEATURES = "x11" DEPENDS = "xmlto-native libxslt-native" RDEPENDS:${PN} += "xprop" + +CVE_STATUS[CVE-2025-52968] = "disputed"
From patchwork Mon Apr 13 21:14:43 2026 X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 85939
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 2/6] wic: set CVE_PRODUCT Date: Mon, 13 Apr 2026 23:14:43 +0200 Message-ID: <20260413211447.564257-2-peter.marko@siemens.com> In-Reply-To: <20260413211447.564257-1-peter.marko@siemens.com> References: <20260413211447.564257-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 21:16:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235124 From: Peter Marko Current CVE reports show following CVE-2008-6713 as open. NVD shows CPE as massive_entertainment:wic ([1]). Set vendor as yoctoproject, which is best approximation of possible future CVEs as it is already used for other yocto repositories. [1] https://nvd.nist.gov/vuln/detail/CVE-2008-6713 Signed-off-by: Peter Marko --- meta/recipes-support/wic/wic_0.3.0.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/wic/wic_0.3.0.bb b/meta/recipes-support/wic/wic_0.3.0.bb index a0a2773c76..c9732a359a 100644 --- a/meta/recipes-support/wic/wic_0.3.0.bb +++ b/meta/recipes-support/wic/wic_0.3.0.bb 
@@ -8,6 +8,9 @@ SRCREV = "5974ade11032f218841d9f449ef0efeee3f9a2ca" inherit python_hatchling +# do not report CVEs for other wic tools +CVE_PRODUCT = "yoctoproject:wic" + RDEPENDS:${PN} += " \ python3-core \ python3-json \
From patchwork Mon Apr 13 21:14:44 2026 X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 85941
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 3/6] tar: set status for CVE-2025-45582 Date: Mon, 13 Apr 2026 23:14:44 +0200 Message-ID: <20260413211447.564257-3-peter.marko@siemens.com> In-Reply-To: <20260413211447.564257-1-peter.marko@siemens.com> References: <20260413211447.564257-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 21:16:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235125 From: Peter Marko This CVE is disputed by tar maintainers as documented in [1]. The same link is present in NVD and cvelistV5. Also Debian says "disputed" in [2]. [1] https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html [2] https://security-tracker.debian.org/tracker/CVE-2025-45582 Signed-off-by: Peter Marko --- meta/recipes-extended/tar/tar_1.35.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/tar/tar_1.35.bb b/meta/recipes-extended/tar/tar_1.35.bb index d463eff97d..042baa035c 100644 --- a/meta/recipes-extended/tar/tar_1.35.bb +++ b/meta/recipes-extended/tar/tar_1.35.bb 
@@ -95,6 +95,8 @@ BBCLASSEXTEND = "native nativesdk" # For example CVE-2021-{32803,32804,37701,37712,37713} CVE_PRODUCT = "gnu:tar" +CVE_STATUS[CVE-2025-45582] = "disputed" + # A test uses cmp to compare two 8GB files. Busybox's cmp does the job usually, but it is much slower than # diffutils' cmp, and the test times out when there is a high load on the host machine. RDEPENDS:${PN}-ptest += "diffutils"
From patchwork Mon Apr 13 21:14:45 2026 X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 85944
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 4/6] screen: set status for CVE-2025-46802 Date: Mon, 13 Apr 2026 23:14:45 +0200 Message-ID: <20260413211447.564257-4-peter.marko@siemens.com> In-Reply-To: <20260413211447.564257-1-peter.marko@siemens.com> References: <20260413211447.564257-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 21:16:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235126 From: Peter Marko This CVE is showing in the new sbom CVE reports. It is fixed via [1] which is included in: $git tag --contains d10eb5b2f7eebaa347f09c010bd391373fdd1695 v.5.0.1 [1] https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=d10eb5b2f7eebaa347f09c010bd391373fdd1695 Signed-off-by: Peter Marko --- meta/recipes-extended/screen/screen_5.0.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/screen/screen_5.0.1.bb b/meta/recipes-extended/screen/screen_5.0.1.bb index 69f4098519..0155ece374 100644 --- a/meta/recipes-extended/screen/screen_5.0.1.bb +++ b/meta/recipes-extended/screen/screen_5.0.1.bb 
@@ -44,3 +44,5 @@ pkg_postinst:${PN} () { pkg_postrm:${PN} () { printf "$(grep -v "^${bindir}/screen$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells } + +CVE_STATUS[CVE-2025-46802] = "fixed-version: fixed since 5.0.1"
From patchwork Mon Apr 13 21:14:46 2026 X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 85943
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 5/6] ovmf: set status for CVE-2024-1298 Date: Mon, 13 Apr 2026 23:14:46 +0200 Message-ID: <20260413211447.564257-5-peter.marko@siemens.com> In-Reply-To: <20260413211447.564257-1-peter.marko@siemens.com> References: <20260413211447.564257-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 21:16:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235127 From: Peter Marko cvelistV5 uses full tag name (edk2-stable202405) while NVD uses only version (202405). Since NVD CPE is not yet available, cvelistV5 marks it as not patched yet because the string sorts after the version. Signed-off-by: Peter Marko --- meta/recipes-core/ovmf/ovmf_git.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index ec6c3b516c..150e2d47e0 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb 
@@ -45,6 +45,7 @@ CVE_STATUS[CVE-2019-14563] = "fixed-version: The CPE in the NVD database doesn't CVE_STATUS[CVE-2019-14575] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." CVE_STATUS[CVE-2019-14586] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." CVE_STATUS[CVE-2019-14587] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2024-1298] = "fixed-version: fixed since edk2-stable202405" inherit deploy
From patchwork Mon Apr 13 21:14:47 2026 X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 85942
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 6/6] mpg123: set status for CVE-2006-3355 Date: Mon, 13 Apr 2026 23:14:47 +0200 Message-ID: <20260413211447.564257-6-peter.marko@siemens.com> In-Reply-To: <20260413211447.564257-1-peter.marko@siemens.com> References: <20260413211447.564257-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Apr 2026 21:16:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235128 From: Peter Marko This seems to be a bug in sbom-cve-check. I could get a clean report with following fkie change: "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:mpg123:mpg123:0.59r:*:*:*:*:*:*:*", + "matchCriteriaId": "1F8EEF7E-C6BB-4669-81D2-68AABF8A7686" + }, { "vulnerable": true, "criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*", "matchCriteriaId": "9765C6AD-E1F0-421C-B7B1-C09AD83A3DB7" } ] However I'm not sure why adding another vulnerable version should switch the vulnerability flag from true to false... Signed-off-by: Peter Marko --- meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb index 648eb21500..dd5f8a53f5 100644 --- a/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb 
+++ b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb @@ -53,3 +53,5 @@ EXTRA_OECONF = " \ #| make[3]: *** [equalizer.lo] Error 1 ARM_INSTRUCTION_SET:armv4 = "arm" ARM_INSTRUCTION_SET:armv5 = "arm" + +CVE_STATUS[CVE-2006-3355] = "fixed-version: fixed since pre0.59s_r11"
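
Review bot: In the xdg-utils_1.1.3.bb hunk (patch 1/6), CVE_STATUS[CVE-2025-52968] is set to the bare word "disputed" with no reason after it, unlike the ovmf and screen entries in this series, which use the form "detail: reason". Suggest carrying the justification into the recipe, for example CVE_STATUS[CVE-2025-52968] = "disputed: tagged as disputed in the cvelistV5 record", so the rationale is visible without the commit message.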
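
Review bot: In the wic_0.3.0.bb hunk (patch 2/6), the comment "# do not report CVEs for other wic tools" does not say which product was being matched or that the vendor is a guess. The commit message calls yoctoproject a best approximation for future CVEs; with CVE_PRODUCT = "yoctoproject:wic", a wic CVE later filed under a different vendor would not be matched. Suggest naming massive_entertainment:wic (CVE-2008-6713) as the false match in the comment and noting that the vendor needs rechecking once a real CPE for this tool exists.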
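
Review bot: In the tar_1.35.bb hunk (patch 3/6), the new CVE_STATUS[CVE-2025-45582] = "disputed" line lands directly under CVE_PRODUCT = "gnu:tar" with neither a comment nor a reason, while the commit message holds two references for the dispute. Suggest either a "disputed: ..." reason stating that the tar maintainers dispute the report, or a comment line above the assignment carrying the bug-tar link.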
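
Review bot: In the screen_5.0.1.bb hunk (patch 4/6), the reason "fixed since 5.0.1" gives a reader no way to verify the claim and does not say why the report still lists the CVE for a 5.0.1 recipe. Suggest naming the fixing commit d10eb5b2f7eebaa347f09c010bd391373fdd1695 from the commit message in the reason or in a comment. The entry is also appended after the closing brace of pkg_postrm:${PN} at the very end of the file, where it is easy to overlook during a version bump.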
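
Review bot: In the ovmf_git.bb hunk (patch 5/6), the reason "fixed since edk2-stable202405" does not record that this entry works around a version-string mismatch. Per the commit message, cvelistV5 uses the tag name edk2-stable202405 and the NVD CPE is not yet available. Suggest saying so in the reason, in the way the neighbouring entries explain the NVD CPE problem, so the line can be revisited once the NVD data exists.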
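
Review bot: In the mpg123_1.33.4.bb hunk (patch 6/6), the reason "fixed since pre0.59s_r11" conflicts with the cpeMatch data quoted in the commit message, where cpe:2.3:a:mpg123:mpg123:pre0.59s_r11 is listed with "vulnerable": true, so that version is an affected one rather than the first fixed one. Suggest rewording the reason to say that only versions up to pre0.59s_r11 are affected and that the entry works around a suspected sbom-cve-check bug, so it can be removed once the tool behaviour is understood.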