From patchwork Sun Apr 26 12:02:46 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86948
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 1/8] harfbuzz: set status for CVE-2024-56732
Date: Sun, 26 Apr 2026 14:02:46 +0200
Message-ID: <20260426120253.825060-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235952

This CVE does not have cpe in NVD DB. In cvelistV5 it shows "version": ">= 8.5.0, <= 10.0.1" which is not parseable with our tooling.

Signed-off-by: Peter Marko
--- meta/recipes-graphics/harfbuzz/harfbuzz_12.3.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_12.3.2.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_12.3.2.bb index 12bebc4bee..6ce275acb5 100644 --- a/meta/recipes-graphics/harfbuzz/harfbuzz_12.3.2.bb +++ b/meta/recipes-graphics/harfbuzz/harfbuzz_12.3.2.bb 
@@ -50,3 +50,5 @@ FILES:${PN}-icu-dev = "${libdir}/libharfbuzz-icu.so \ FILES:${PN}-subset = "${libdir}/libharfbuzz-subset.so.*" BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2024-56732] = "fixed-version: affected versions are >= 8.5.0, <= 10.0.1"

From patchwork Sun Apr 26 12:02:47 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86947
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 2/8] gnutls: set status for CVE-2026-1584
Date: Sun, 26 Apr 2026 14:02:47 +0200
Message-ID: <20260426120253.825060-2-peter.marko@siemens.com>
In-Reply-To: <20260426120253.825060-1-peter.marko@siemens.com>
References: <20260426120253.825060-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235953

This is a version-less RedHat CVE. Per Debian security tracker [1] this is fixed in 3.8.12.

[1] https://security-tracker.debian.org/tracker/CVE-2026-1584

Signed-off-by: Peter Marko
--- meta/recipes-support/gnutls/gnutls_3.8.12.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-support/gnutls/gnutls_3.8.12.bb b/meta/recipes-support/gnutls/gnutls_3.8.12.bb index 7218428012..8554ab943d 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.12.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.12.bb 
@@ -107,3 +107,4 @@ pkg_postinst_ontarget:${PN}-fips () { CVE_STATUS[CVE-2025-32989] = "fixed-version: fixed in version 3.8.10" CVE_STATUS[CVE-2025-32990] = "fixed-version: fixed in version 3.8.10" +CVE_STATUS[CVE-2026-1584] = "fixed-version: fixed in version 3.8.12"

From patchwork Sun Apr 26 12:02:48 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86949
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 3/8] cve-extra-exclusions: ignore CVE-2019-2708
Date: Sun, 26 Apr 2026 14:02:48 +0200
Message-ID: <20260426120253.825060-3-peter.marko@siemens.com>
In-Reply-To: <20260426120253.825060-1-peter.marko@siemens.com>
References: <20260426120253.825060-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235954

Yet another CVE for berkeley DB, ignore as all others.

Signed-off-by: Peter Marko
--- meta/conf/distro/include/cve-extra-exclusions.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index ffbbb7bef1..0685549e00 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc 
@@ -49,7 +49,7 @@ CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-201 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \ CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \ CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \ -CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" +CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2019-2708 CVE-2020-2981" CVE_STATUS_DB[status] = "upstream-wontfix: cpe:*:berkeley_db: Since Oracle relicensed bdb, the open source community is slowly but surely \ replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."

From patchwork Sun Apr 26 12:02:49 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86950
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 4/8] bind: set status for CVE-2017-3139
Date: Sun, 26 Apr 2026 14:02:49 +0200
Message-ID: <20260426120253.825060-4-peter.marko@siemens.com>
In-Reply-To: <20260426120253.825060-1-peter.marko@siemens.com>
References: <20260426120253.825060-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235955

NVD [1] has only redhat cpes. Debian [2] says RHEL6 specific. cvelistV5 [3] has unparseable (so assumes affected): "version": "shipped in Red Hat Enterprise Linux 6"

[1] https://nvd.nist.gov/vuln/detail/CVE-2017-3139
[2] https://security-tracker.debian.org/tracker/CVE-2017-3139
[3] https://github.com/CVEProject/cvelistV5/blob/main/cves/2017/3xxx/CVE-2017-3139.json

Signed-off-by: Peter Marko
--- meta/recipes-connectivity/bind/bind_9.20.22.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-connectivity/bind/bind_9.20.22.bb b/meta/recipes-connectivity/bind/bind_9.20.22.bb index c459cf28c9..318412a62c 100644 
--- a/meta/recipes-connectivity/bind/bind_9.20.22.bb +++ b/meta/recipes-connectivity/bind/bind_9.20.22.bb 
@@ -108,3 +108,5 @@ FILES_SOLIBSDEV = "${libdir}/*[!0-9].so ${libdir}/libbind9.so" FILES:${PN}-libs = "${libdir}/named/*.so* ${libdir}/*-${PV}.so" DEV_PKG_DEPENDENCY = "" + +CVE_STATUS[CVE-2017-3139] = "not-applicable-platform: RedHat specific issue"

From patchwork Sun Apr 26 12:02:50 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86953
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 5/8] base-files: set status for CVE-2018-6557
Date: Sun, 26 Apr 2026 14:02:50 +0200
Message-ID: <20260426120253.825060-5-peter.marko@siemens.com>
In-Reply-To: <20260426120253.825060-1-peter.marko@siemens.com>
References: <20260426120253.825060-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235956

CPE in NVD [1] shows ubuntu. Debian [1] says "Ubuntu specific motd update code". cvelistV5 has unparseable CPE so sbom-cve-check assumes vulnerable ("lessThan": "10.1ubuntu2.2").

Signed-off-by: Peter Marko
--- meta/recipes-core/base-files/base-files_3.0.14.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-core/base-files/base-files_3.0.14.bb b/meta/recipes-core/base-files/base-files_3.0.14.bb index 3f01bb35d9..d4d777b485 100644 --- a/meta/recipes-core/base-files/base-files_3.0.14.bb +++ b/meta/recipes-core/base-files/base-files_3.0.14.bb 
@@ -167,3 +167,5 @@ CONFFILES:${PN} = "${sysconfdir}/fstab ${@['', '${sysconfdir}/hostname ${sysconf CONFFILES:${PN} += "${sysconfdir}/motd ${sysconfdir}/nsswitch.conf ${sysconfdir}/profile" INSANE_SKIP:${PN} += "empty-dirs" + +CVE_STATUS[CVE-2018-6557] = "not-applicable-platform: Ubuntu specific motd update code"

From patchwork Sun Apr 26 12:02:51 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86951
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 6/8] rsync: set status for CVE-2024-12084
Date: Sun, 26 Apr 2026 14:02:51 +0200
Message-ID: <20260426120253.825060-6-peter.marko@siemens.com>
In-Reply-To: <20260426120253.825060-1-peter.marko@siemens.com>
References: <20260426120253.825060-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235957

Debian security tracker [1] says it's fixed in v3.4.0. NVD [2] does not say that our version is vulnerable. The CVE is reported probably because cvelistV5 has many CPE groups and some of them are unparseable (so assumes vulnerable).

[1] https://security-tracker.debian.org/tracker/CVE-2024-12084
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-12084

Signed-off-by: Peter Marko
--- meta/recipes-devtools/rsync/rsync_3.4.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/rsync/rsync_3.4.1.bb b/meta/recipes-devtools/rsync/rsync_3.4.1.bb index 697cdee829..509be486b8 100644 --- a/meta/recipes-devtools/rsync/rsync_3.4.1.bb +++ b/meta/recipes-devtools/rsync/rsync_3.4.1.bb 
@@ -64,3 +64,5 @@ do_install:append() { } BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2024-12084] = "fixed-version: fixed since v3.4.0"

From patchwork Sun Apr 26 12:02:52 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86952
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 7/8] python3-requests: set status for CVE-2024-35195
Date: Sun, 26 Apr 2026 14:02:52 +0200
Message-ID: <20260426120253.825060-7-peter.marko@siemens.com>
In-Reply-To: <20260426120253.825060-1-peter.marko@siemens.com>
References: <20260426120253.825060-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235958

NVD [1] does not have CPE set. Debian [2] shows commit from v2.32.0 as fix. cvelistV5 [3] also says "< 2.32.0", possibly "defaultStatus": "unknown" is causing it to appear in CVE metrics...

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-35195
[2] https://security-tracker.debian.org/tracker/CVE-2024-35195
[3] https://github.com/CVEProject/cvelistV5/blob/main/cves/2024/35xxx/CVE-2024-35195.json

Signed-off-by: Peter Marko
--- meta/recipes-devtools/python/python3-requests_2.32.5.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/python/python3-requests_2.32.5.bb b/meta/recipes-devtools/python/python3-requests_2.32.5.bb index 0eb9765b63..afcf1a99b3 100644 --- a/meta/recipes-devtools/python/python3-requests_2.32.5.bb +++ b/meta/recipes-devtools/python/python3-requests_2.32.5.bb 
@@ -32,3 +32,5 @@ FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/pyth CVE_PRODUCT = "requests" BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2024-35195] = "fixed-version: fixed since 2.32.0"

From patchwork Sun Apr 26 12:02:53 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86954
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 8/8] python3-requests: set status for CVE-2024-47081
Date: Sun, 26 Apr 2026 14:02:53 +0200
Message-ID: <20260426120253.825060-8-peter.marko@siemens.com>
In-Reply-To: <20260426120253.825060-1-peter.marko@siemens.com>
References: <20260426120253.825060-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235959

NVD [1] does not have CPE set. Debian [2] shows commit from v2.32.4 as fix. cvelistV5 [3] also says "< 2.32.4" however for cpe psf:requests. Not sure why this is shown in CVE metrics.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-47081
[2] https://security-tracker.debian.org/tracker/CVE-2024-47081
[3] https://github.com/CVEProject/cvelistV5/blob/main/cves/2024/47xxx/CVE-2024-47081.json

Signed-off-by: Peter Marko
--- meta/recipes-devtools/python/python3-requests_2.32.5.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/python/python3-requests_2.32.5.bb b/meta/recipes-devtools/python/python3-requests_2.32.5.bb index afcf1a99b3..3477a5d83e 100644 --- a/meta/recipes-devtools/python/python3-requests_2.32.5.bb +++ b/meta/recipes-devtools/python/python3-requests_2.32.5.bb @@ -34,3 +34,4 @@ CVE_PRODUCT = "requests" BBCLASSEXTEND = "native nativesdk" CVE_STATUS[CVE-2024-35195] = "fixed-version: fixed since 2.32.0" +CVE_STATUS[CVE-2024-47081] = "fixed-version: fixed since 2.32.4"
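
Review bot: [PATCH 3/8] nothing in the patch ties CVE-2019-2708, added to the last line of the CVE_STATUS_DB list in cve-extra-exclusions.inc, to Berkeley DB. Once listed it inherits the group reason "upstream-wontfix: cpe:*:berkeley_db: ...", so the commit message should carry the NVD or cvelistV5 link for this CVE, as patches 4/8 and 6/8 do, so the exclusion can be checked later without redoing the research.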
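
Review bot: [PATCH 4/8] the reason on the added CVE_STATUS[CVE-2017-3139] line in bind_9.20.22.bb is broader than the evidence in the commit message, which narrows the issue to RHEL6 ("shipped in Red Hat Enterprise Linux 6"). Consider putting that into the status text, for example "not-applicable-platform: specific to the bind package shipped in Red Hat Enterprise Linux 6", since the reason string is what ends up in the generated CVE report and the commit message does not.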
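
Review bot: [PATCH 5/8] the justification behind the added CVE_STATUS[CVE-2018-6557] line in base-files_3.0.14.bb cannot be followed up, because the commit message cites [1] for both NVD and Debian and lists no URLs at all. Please number the references [1] and [2] and add the links, in the same form as 4/8, so the "Ubuntu specific motd update code" quote can be traced to its source.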
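
Review bot: [PATCH 6/8] the reason string on the added CVE_STATUS[CVE-2024-12084] line in rsync_3.4.1.bb uses a different wording and version style from the rest of the series: "fixed since v3.4.0" here, "fixed since 2.32.0" in 7/8 and "fixed in version 3.8.12" in 2/8, matching the existing gnutls entries. Pick one form, preferably the "fixed in version X" already in the tree without the "v" prefix, so the entries can be grepped and compared consistently.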
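
Review bot: [PATCH 8/8] the added CVE_STATUS[CVE-2024-47081] line in python3-requests_2.32.5.bb silences a report whose cause the commit message says is not understood ("Not sure why this is shown in CVE metrics"). The hunk context shows CVE_PRODUCT = "requests" while the message notes cvelistV5 scopes the entry to cpe psf:requests; it is worth checking whether that vendor mismatch is what defeats the "< 2.32.4" range match before pinning a per-CVE status, since a matching problem would recur for every future requests CVE. The same question applies to the CVE-2024-35195 entry from 7/8, where the message only guesses at "defaultStatus": "unknown".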