From patchwork Sun Apr 26 18:50:20 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86968
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 1/6] sudo: set status of CVE-2025-64170 and CVE-2025-64517
Date: Sun, 26 Apr 2026 20:50:20 +0200
Message-ID: <20260426185025.13217-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235961

From: Peter Marko

These CVEs are for sudo-rs, not sudo. It can be easily deduced from the first word in the NVD description. Also cvelistV5 product is "sudo-re". It looks like the new version of sbom-cve-check matches product with startsWith instead of equals?

Signed-off-by: Peter Marko
--- meta/recipes-extended/sudo/sudo_1.9.17p2.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb index d6ee881f8c..12f81c5d4a 100644 --- a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb +++ b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb 
@@ -60,3 +60,6 @@ RDEPENDS:${PN} += "${SUDO_PACKAGES}" FILES:${PN}-sudo = "${bindir}/sudo ${bindir}/sudoedit" FILES:${PN}-lib = "${localstatedir} ${libexecdir} ${sysconfdir} ${libdir} ${nonarch_libdir}" + +CVE_STATUS[CVE-2025-64170] = "cpe-incorrect: this CVE is for sudo-rs" +CVE_STATUS[CVE-2025-64517] = "cpe-incorrect: this CVE is for sudo-rs"

From patchwork Sun Apr 26 18:50:21 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86966
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 2/6] cargo: set status of CVE-2023-40030
Date: Sun, 26 Apr 2026 20:50:21 +0200
Message-ID: <20260426185025.13217-2-peter.marko@siemens.com>
In-Reply-To: <20260426185025.13217-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235962

From: Peter Marko

sbom-cve-check has a problem matching version 1.72. It works only if cvelistV5 is modified to indicate 1.72.0.

Signed-off-by: Peter Marko
--- meta/recipes-devtools/rust/cargo_1.94.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/rust/cargo_1.94.1.bb b/meta/recipes-devtools/rust/cargo_1.94.1.bb index fc41a19a25..36ec346113 100644 --- a/meta/recipes-devtools/rust/cargo_1.94.1.bb +++ b/meta/recipes-devtools/rust/cargo_1.94.1.bb 
@@ -83,3 +83,5 @@ RUSTLIB:append:class-nativesdk = " -L ${STAGING_DIR_HOST}/${SDKPATHNATIVE}/usr/l RUSTLIB_DEP:class-nativesdk = "" BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2023-40030] = "fixed-version: fixed since 1.72"

From patchwork Sun Apr 26 18:50:22 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86967
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 3/6] cargo: set CVE_PRODUCT
Date: Sun, 26 Apr 2026 20:50:22 +0200
Message-ID: <20260426185025.13217-3-peter.marko@siemens.com>
In-Reply-To: <20260426185025.13217-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235963

From: Peter Marko

This removes mediawiki:cargo CVEs from CVE metrics.
* CVE-2026-39837, CVE-2026-39839, CVE-2026-39840, CVE-2026-39841

Signed-off-by: Peter Marko
--- meta/recipes-devtools/rust/cargo_1.94.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/rust/cargo_1.94.1.bb b/meta/recipes-devtools/rust/cargo_1.94.1.bb index 36ec346113..f16688fc76 100644 --- a/meta/recipes-devtools/rust/cargo_1.94.1.bb +++ b/meta/recipes-devtools/rust/cargo_1.94.1.bb 
@@ -17,6 +17,8 @@ require rust-snapshot.inc S = "${RUSTSRC}/src/tools/cargo" CARGO_VENDORING_DIRECTORY = "${RUSTSRC}/vendor" +CVE_PRODUCT = "rust-lang:cargo" + inherit cargo pkgconfig DEBUG_PREFIX_MAP += "-ffile-prefix-map=${RUSTSRC}/vendor=${TARGET_DBGSRC_DIR}"

From patchwork Sun Apr 26 18:50:23 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86969
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 4/6] git: set status of 5 CVEs
Date: Sun, 26 Apr 2026 20:50:23 +0200
Message-ID: <20260426185025.13217-4-peter.marko@siemens.com>
In-Reply-To: <20260426185025.13217-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235964

From: Peter Marko

It is unclear why entries in cvelistV5 cause these CVEs to appear in CVE reports. There is one which should also not be shown per listed CPEs, however it does not have a patch, so it's not added to the list - CVE-2024-52005. The others are set to fixed with version based on which .0 release included patch mentioned in Debian security tracker for respective CVE.

Signed-off-by: Peter Marko
--- meta/recipes-devtools/git/git_2.53.0.bb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta/recipes-devtools/git/git_2.53.0.bb b/meta/recipes-devtools/git/git_2.53.0.bb index 5fe1767e28..5169e93931 100644 --- a/meta/recipes-devtools/git/git_2.53.0.bb +++ b/meta/recipes-devtools/git/git_2.53.0.bb 
@@ -171,3 +171,9 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ EXTRA_OEMAKE += "NO_GETTEXT=1" SRC_URI[tarball.sha256sum] = "429dc0f5fe5f14109930cdbbb588c5d6ef5b8528910f0d738040744bebdc6275" + +CVE_STATUS[CVE-2024-32002] = "fixed version: fixed since v2.46.0" +CVE_STATUS[CVE-2024-50349] = "fixed version: fixed since v2.49.0" +CVE_STATUS[CVE-2024-52006] = "fixed version: fixed since v2.49.0" +CVE_STATUS[CVE-2025-48385] = "fixed version: fixed since v2.51.0" +CVE_STATUS[CVE-2025-48386] = "fixed version: fixed since v2.51.0"

From patchwork Sun Apr 26 18:50:24 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86970
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 5/6] ovmf: set status for 7 CVEs
Date: Sun, 26 Apr 2026 20:50:24 +0200
Message-ID: <20260426185025.13217-5-peter.marko@siemens.com>
In-Reply-To: <20260426185025.13217-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235965

From: Peter Marko

These reappeared after last update of sbom-cve-check tooling. "fixed-in" release was determined by following links in Debian CVE reports except CVE-2025-2295 which was taken from Yocto master CVE patch.

Signed-off-by: Peter Marko
--- meta/recipes-core/ovmf/ovmf_git.bb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index d731bca7f2..19bcc4a96f 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb 
@@ -48,6 +48,13 @@ CVE_STATUS[CVE-2019-14575] = "fixed-version: The CPE in the NVD database doesn't CVE_STATUS[CVE-2019-14586] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." CVE_STATUS[CVE-2019-14587] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." CVE_STATUS[CVE-2024-1298] = "fixed-version: fixed since edk2-stable202405" +CVE_STATUS[CVE-2024-38796] = "fixed-version: fixed since edk2-stable202411" +CVE_STATUS[CVE-2024-38797] = "fixed-version: fixed since edk2-stable202502" +CVE_STATUS[CVE-2024-38798] = "fixed-version: fixed since edk2-stable202511" +CVE_STATUS[CVE-2024-38805] = "fixed-version: fixed since edk2-stabe202508" +CVE_STATUS[CVE-2025-2295] = "fixed-version: fixed since edk2-stable202505" +CVE_STATUS[CVE-2025-2296] = "fixed-version: fixed since edk2-stable202505" +CVE_STATUS[CVE-2025-3770] = "fixed-version: fixed since edk2-stable202508" inherit deploy

From patchwork Sun Apr 26 18:50:25 2026
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 86971
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [PATCH 6/6] ffmpeg: set status for 5 CVEs
Date: Sun, 26 Apr 2026 20:50:25 +0200
Message-ID: <20260426185025.13217-6-peter.marko@siemens.com>
In-Reply-To: <20260426185025.13217-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235966

From: Peter Marko

These reappeared after update of sbom-cve-check tooling. Fixed version found by links from Debian security tracker.

Signed-off-by: Peter Marko
--- meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb index 7bb7de3d25..9780abe184 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb 
@@ -176,6 +176,11 @@ CVE_STATUS_GROUPS = "CVE_STATUS_WRONG_CPE" CVE_STATUS_WRONG_CPE = "CVE-2023-51791 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51796 CVE-2023-51797 CVE-2023-51798 CVE-2025-22921" CVE_STATUS_WRONG_CPE[status] = "fixed-version: these CVEs are fixed in used version" +CVE_STATUS[CVE-2022-2566] = "fixed-version: these CVEs are fixed since v5.1.1" +CVE_STATUS[CVE-2025-9951] = "fixed-version: these CVEs are fixed since v8.0" CVE_STATUS[CVE-2025-25468] = "fixed-version: these CVEs are fixed since v8.0" CVE_STATUS[CVE-2025-25469] = "fixed-version: these CVEs are fixed since v8.0" CVE_STATUS[CVE-2025-12343] = "fixed-version: this CVE are fixed since v8.0" +CVE_STATUS[CVE-2025-59729] = "fixed-version: this CVE are fixed since v8.0" +CVE_STATUS[CVE-2025-59730] = "fixed-version: this CVE are fixed since v8.0" +CVE_STATUS[CVE-2025-69693] = "fixed-version: this CVE are fixed since v8.1"
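
Review bot: in [PATCH 1/6], the two added CVE_STATUS entries in sudo_1.9.17p2.bb give the reason "cpe-incorrect", while the commit message says the cvelistV5 product differs from sudo and suspects that sbom-cve-check matches the product by prefix, which would make this a tool matching problem rather than bad CPE data. Consider wording the detail text so it records the matcher behaviour, and raising the question with sbom-cve-check, so these per-recipe entries can be dropped once the matching is corrected.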
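
Review bot: in [PATCH 3/6], CVE_PRODUCT = "rust-lang:cargo" is added to cargo_1.94.1.bb with no comment saying why the vendor is pinned. A one-line comment above it noting that the vendor prefix is there to exclude mediawiki:cargo would keep a later cleanup from removing it, and it is worth confirming that CVE-2023-40030 from [PATCH 2/6] is still reported against this vendor so its CVE_STATUS entry keeps applying.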
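
Review bot: in [PATCH 4/6], all five added entries in git_2.53.0.bb spell the status keyword "fixed version" with a space, while every other patch in this series uses "fixed-version". The text before the colon is the status keyword, so with the space it will not match the known status and these five CVEs are unlikely to be marked as fixed; change each line to the hyphenated form, for example CVE_STATUS[CVE-2024-32002] = "fixed-version: fixed since v2.46.0".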
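
Review bot: in [PATCH 5/6], the added CVE-2024-38805 entry in ovmf_git.bb reads "edk2-stabe202508", missing the "l" that the neighbouring entries have in "edk2-stable". It is only the free-text detail, but anyone searching the recipe for the release tag will miss it; correct it to "fixed since edk2-stable202508".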
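
Review bot: in [PATCH 6/6], the last added line marks CVE-2025-69693 as "fixed since v8.1", but the recipe being patched is ffmpeg_8.0.1.bb, which is older than v8.1, so by the entry's own wording the fix is not in the packaged version. Either drop this entry until the recipe is at v8.1 or later, or state in the detail which backport or patch covers it. As a smaller point, the single-CVE entries say "these CVEs are" and "this CVE are"; "this CVE is fixed since ..." would read correctly.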