From patchwork Mon Jul 13 23:44:14 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "mark.yang" X-Patchwork-Id: 92390 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 171F8C44508 for ; Mon, 13 Jul 2026 23:44:39 +0000 (UTC) Received: from lgeamrelo12.lge.com (lgeamrelo12.lge.com [156.147.23.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9087.1783986272317420930 for ; Mon, 13 Jul 2026 16:44:32 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: lge.com, ip: 156.147.23.52, mailfrom: mark.yang@lge.com) Received: from unknown (HELO lgeamrelo04.lge.com) (156.147.1.127) by 156.147.23.52 with ESMTP; 14 Jul 2026 08:44:28 +0900 X-Original-SENDERIP: 156.147.1.127 X-Original-MAILFROM: mark.yang@lge.com Received: from unknown (HELO markyang..) (10.177.127.86) by 156.147.1.127 with ESMTP; 14 Jul 2026 08:44:28 +0900 X-Original-SENDERIP: 10.177.127.86 X-Original-MAILFROM: mark.yang@lge.com From: mark.yang@lge.com To: openembedded-core@lists.openembedded.org Cc: "mark.yang" , Ross Burton Subject: [PATCH v2 1/4] python3-cryptography: set CVE_PRODUCT Date: Tue, 14 Jul 2026 08:44:14 +0900 Message-ID: <20260713234417.4071754-1-mark.yang@lge.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Jul 2026 23:44:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240858 From: "mark.yang" NVD lists it as cryptography.io:cryptography and CNA lists it as pyca:cryptography, so set both vendor:product pairs to match correctly and precisely. Suggested-by: Ross Burton Signed-off-by: mark.yang --- v2: use explicit vendor:product list meta/recipes-devtools/python/python3-cryptography.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/python/python3-cryptography.bb b/meta/recipes-devtools/python/python3-cryptography.bb index 4730c34997..4672f47520 100644 --- a/meta/recipes-devtools/python/python3-cryptography.bb +++ b/meta/recipes-devtools/python/python3-cryptography.bb @@ -71,4 +71,6 @@ do_install_ptest() { cp -r ${S}/pyproject.toml ${D}${PTEST_PATH}/ } +CVE_PRODUCT = "cryptography.io:cryptography pyca:cryptography" + BBCLASSEXTEND = "native nativesdk" From patchwork Mon Jul 13 23:44:15 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "mark.yang" X-Patchwork-Id: 92389 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 39AC2C44509 for ; Mon, 13 Jul 2026 23:44:40 +0000 (UTC) Received: from lgeamrelo11.lge.com (lgeamrelo11.lge.com [156.147.23.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.8966.1783986271721842357 for ; Mon, 13 Jul 2026 16:44:32 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: lge.com, ip: 156.147.23.51, mailfrom: mark.yang@lge.com) Received: from unknown (HELO lgeamrelo04.lge.com) (156.147.1.127) by 156.147.23.51 with ESMTP; 14 Jul 2026 08:44:28 +0900 X-Original-SENDERIP: 156.147.1.127 X-Original-MAILFROM: mark.yang@lge.com Received: from unknown (HELO markyang..) (10.177.127.86) by 156.147.1.127 with ESMTP; 14 Jul 2026 08:44:28 +0900 X-Original-SENDERIP: 10.177.127.86 X-Original-MAILFROM: mark.yang@lge.com From: mark.yang@lge.com To: openembedded-core@lists.openembedded.org Cc: "mark.yang" , Paul Barker Subject: [PATCH v2 2/4] python3-ply: set CVE_PRODUCT Date: Tue, 14 Jul 2026 08:44:15 +0900 Message-ID: <20260713234417.4071754-2-mark.yang@lge.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260713234417.4071754-1-mark.yang@lge.com> References: <20260713234417.4071754-1-mark.yang@lge.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Jul 2026 23:44:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240855 From: "mark.yang" NVD registers ply as dabeaz:ply, so the default python:ply vendor prefix never matches and no CVEs are reported. Use the exact vendor:product pair. CVE-2025-56005 will then show as unpatched; no fixed release exists. Suggested-by: Paul Barker Signed-off-by: mark.yang --- v2: use exact vendor:product pair; drop CVE_STATUS meta/recipes-devtools/python/python3-ply_3.11.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/python/python3-ply_3.11.bb b/meta/recipes-devtools/python/python3-ply_3.11.bb index 2c5fa3f215..06393ac4fe 100644 --- a/meta/recipes-devtools/python/python3-ply_3.11.bb +++ b/meta/recipes-devtools/python/python3-ply_3.11.bb @@ -14,4 +14,6 @@ RDEPENDS:${PN}:class-target += "\ python3-shell \ " +CVE_PRODUCT = "dabeaz:ply" + BBCLASSEXTEND = "native nativesdk" From patchwork Mon Jul 13 23:44:16 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "mark.yang" X-Patchwork-Id: 92387 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EFC1BC44507 for ; Mon, 13 Jul 2026 23:44:38 +0000 (UTC) Received: from lgeamrelo12.lge.com (lgeamrelo12.lge.com [156.147.23.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9088.1783986272317864636 for ; Mon, 13 Jul 2026 16:44:32 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: lge.com, ip: 156.147.23.52, mailfrom: mark.yang@lge.com) Received: from unknown (HELO lgeamrelo04.lge.com) (156.147.1.127) by 156.147.23.52 with ESMTP; 14 Jul 2026 08:44:29 +0900 X-Original-SENDERIP: 156.147.1.127 X-Original-MAILFROM: mark.yang@lge.com Received: from unknown (HELO markyang..) (10.177.127.86) by 156.147.1.127 with ESMTP; 14 Jul 2026 08:44:28 +0900 X-Original-SENDERIP: 10.177.127.86 X-Original-MAILFROM: mark.yang@lge.com From: mark.yang@lge.com To: openembedded-core@lists.openembedded.org Cc: "mark.yang" , Ross Burton Subject: [PATCH v2 3/4] python3-pyasn1: set CVE_PRODUCT Date: Tue, 14 Jul 2026 08:44:16 +0900 Message-ID: <20260713234417.4071754-3-mark.yang@lge.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260713234417.4071754-1-mark.yang@lge.com> References: <20260713234417.4071754-1-mark.yang@lge.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Jul 2026 23:44:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240857 From: "mark.yang" The default python:pyasn1 does not match the NVD/CNA entries which use pyasn1 as vendor, so CVEs like CVE-2026-30922 are never reported. Use the exact pyasn1:pyasn1 pair. Suggested-by: Ross Burton Signed-off-by: mark.yang --- v2: use exact vendor:product pair meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb b/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb index fb572d9da4..60b38c57c5 100644 --- a/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb +++ b/meta/recipes-devtools/python/python3-pyasn1_0.6.3.bb @@ -14,4 +14,6 @@ RDEPENDS:${PN}:class-target += " \ python3-shell \ " +CVE_PRODUCT = "pyasn1:pyasn1" + BBCLASSEXTEND = "native nativesdk" From patchwork Mon Jul 13 23:44:17 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "mark.yang" X-Patchwork-Id: 92388 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA4F3C43458 for ; Mon, 13 Jul 2026 23:44:38 +0000 (UTC) Received: from lgeamrelo13.lge.com (lgeamrelo13.lge.com [156.147.23.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9086.1783986272255142971 for ; Mon, 13 Jul 2026 16:44:32 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: lge.com, ip: 156.147.23.53, mailfrom: mark.yang@lge.com) Received: from unknown (HELO lgeamrelo04.lge.com) (156.147.1.127) by 156.147.23.53 with ESMTP; 14 Jul 2026 08:44:29 +0900 X-Original-SENDERIP: 156.147.1.127 X-Original-MAILFROM: mark.yang@lge.com Received: from unknown (HELO markyang..) (10.177.127.86) by 156.147.1.127 with ESMTP; 14 Jul 2026 08:44:29 +0900 X-Original-SENDERIP: 10.177.127.86 X-Original-MAILFROM: mark.yang@lge.com From: mark.yang@lge.com To: openembedded-core@lists.openembedded.org Cc: "mark.yang" Subject: [PATCH v2 4/4] libx11-compose-data: set CVE_PRODUCT to empty value Date: Tue, 14 Jul 2026 08:44:17 +0900 Message-ID: <20260713234417.4071754-4-mark.yang@lge.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260713234417.4071754-1-mark.yang@lge.com> References: <20260713234417.4071754-1-mark.yang@lge.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 13 Jul 2026 23:44:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240856 From: "mark.yang" This recipe only builds and installs the compose data files (nls/) from the libX11 sources and contains no compiled libX11 code, so libx11 CVEs do not apply to it. When the x11 DISTRO_FEATURE is enabled this recipe is skipped and libx11 itself is built and scanned instead. Referred glibc-locale case: https://github.com/openembedded/openembedded-core/commit/1f9a963b9ff7ebe052ba54b9fcbdf7d09478dd17 Signed-off-by: mark.yang --- v2: no changes .../recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb index 562a8cbf16..4bf9f07aba 100644 --- a/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb +++ b/meta/recipes-graphics/xorg-lib/libx11-compose-data_1.8.12.bb @@ -29,3 +29,9 @@ do_install() { PACKAGES = "${PN}" FILES:${PN} = "${datadir}/X11/locale ${libdir}/X11/locale" + +# This recipe only builds and installs the compose data files (nls/) from +# the libX11 sources and contains no compiled libX11 code, so libx11 CVEs +# do not apply to it. When the x11 DISTRO_FEATURE is enabled this recipe +# is skipped and libx11 itself is built and scanned instead. +CVE_PRODUCT = ""