| author | Peter Marko <peter.marko@siemens.com> | 2025-08-24 18:55:22 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2025-08-28 10:47:08 +0100 |
| commit | ec1ae11f7860da56b0692b265b649bfc62907ef1 (patch) | |
| tree | 4e6d4bbed61d22c2b5c833c9400e04a3a41acf4d /meta/recipes-devtools/python | |
| parent | ef86bd89796addb332c1f81a128ff71bcd57177b (diff) | |
| download | poky-ec1ae11f7860da56b0692b265b649bfc62907ef1.tar.gz | |
recipes: cleanup CVE_STATUS which are resolved now
They don't show up in CVE metrics anymore since they were either fixed
upstream or recipe version was upgraded meanwhile.
* bind CVE-2019-6470: cpe got corrected in nvd db
* libxml2 CVE-2023-45322: version is now higher than NVD cpe
* zlib CVE-2023-45853: version is now higher than NVD cpe
* gcc CVE-2021-37322: version is now higher than NVD cpe
* python3
  * CVE-2007-4559: version is now higher than NVD cpe
  * CVE-2019-18348: version is now higher than NVD cpe
  * CVE-2020-15523: version is now higher than NVD cpe
  * CVE-2022-26488: version is now higher than NVD cpe
  * CVE-2015-20107: version is now higher than NVD cpe
  * CVE-2023-36632: version is now higher than NVD cpe
* rust
  * CVE-2024-24576: NVD has no cpe, but we have newer version as fix
  * CVE-2024-43402: version is now higher than NVD cpe
* cups CVE-2021-25317: version is now higher than NVD cpe
* ghostscript CVE-2023-38559: version is now higher than NVD cpe
* libtirpc CVE-2021-46828: version is now higher than NVD cpe
* unzip CVE-2008-0888: version is now higher than NVD cpe
* ffmpeg CVE-2023-39018: cpe got corrected in nvd db
* libxslt CVE-2022-29824: version is now higher than NVD cpe
* libyaml
  * CVE-2024-35325: CVE is now rejected in NVD DB
  * CVE-2024-35326: CVE is now rejected in NVD DB
  * CVE-2024-35328: CVE is now rejected in NVD DB
Also add comment for iputils regarding reports for FKIE/NVD2.
Also remove some trailing spaces in python recipe.
(From OE-Core rev: 73ee9789183aa95072af2b51ac9e08203f4e33f9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python')
| -rw-r--r-- | meta/recipes-devtools/python/python3_3.13.7.bb | 14 |
1 files changed, 3 insertions, 11 deletions
diff --git a/meta/recipes-devtools/python/python3_3.13.7.bb b/meta/recipes-devtools/python/python3_3.13.7.bb index 2fe0ae1a8f..a42b2c2a2d 100644 --- a/meta/recipes-devtools/python/python3_3.13.7.bb +++ b/meta/recipes-devtools/python/python3_3.13.7.bb | |||
| @@ -45,14 +45,6 @@ UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" | |||
| 45 | 45 | ||
| 46 | CVE_PRODUCT = "python:python python_software_foundation:python cpython" | 46 | CVE_PRODUCT = "python:python python_software_foundation:python cpython" |
| 47 | 47 | ||
| 48 | CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour" | ||
| 49 | CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed" | ||
| 50 | CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" | ||
| 51 | CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows" | ||
| 52 | # The module will be removed in the future and flaws documented. | ||
| 53 | CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way" | ||
| 54 | CVE_STATUS[CVE-2023-36632] = "disputed: Not an issue, in fact expected behaviour" | ||
| 55 | |||
| 56 | PYTHON_MAJMIN = "3.13" | 48 | PYTHON_MAJMIN = "3.13" |
| 57 | 49 | ||
| 58 | S = "${UNPACKDIR}/Python-${PV}" | 50 | S = "${UNPACKDIR}/Python-${PV}" |
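Review bot: The six CVE_STATUS entries dropped after CVE_PRODUCT recorded reasons that do not depend on the recipe version (disputed, not-applicable-platform for Windows-only issues, upstream-wontfix for mailcap), while the commit message justifies their removal only with "version is now higher than NVD cpe". After this change the suppression of these CVEs rests entirely on NVD's version ranges for the three products named in CVE_PRODUCT, so a later change in the NVD data, or a cherry-pick onto a branch carrying an older python3, would bring them back into the report without the documented rationale. Suggest stating in the commit message that this cleanup is not meant for backport to branches with older recipe versions.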
| @@ -201,14 +193,14 @@ do_install:append:class-native() { | |||
| 201 | # when they're only used for python called with -O or -OO. | 193 | # when they're only used for python called with -O or -OO. |
| 202 | #find ${D} -name *opt-*.pyc -delete | 194 | #find ${D} -name *opt-*.pyc -delete |
| 203 | # Remove all pyc files. There are a ton of them and it is probably faster to let | 195 | # Remove all pyc files. There are a ton of them and it is probably faster to let |
| 204 | # python create the ones it wants at runtime rather than manage in the sstate | 196 | # python create the ones it wants at runtime rather than manage in the sstate |
| 205 | # tarballs and sysroot creation. | 197 | # tarballs and sysroot creation. |
| 206 | find ${D} -name *.pyc -delete | 198 | find ${D} -name *.pyc -delete |
| 207 | 199 | ||
| 208 | # Nothing should be looking into ${B} for python3-native | 200 | # Nothing should be looking into ${B} for python3-native |
| 209 | sed -i -e 's:${B}:/build/path/unavailable/:g' \ | 201 | sed -i -e 's:${B}:/build/path/unavailable/:g' \ |
| 210 | ${D}/${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}${PYTHON_ABI}*/Makefile | 202 | ${D}/${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}${PYTHON_ABI}*/Makefile |
| 211 | 203 | ||
| 212 | # disable the lookup in user's site-packages globally | 204 | # disable the lookup in user's site-packages globally |
| 213 | sed -i 's#ENABLE_USER_SITE = None#ENABLE_USER_SITE = False#' ${D}${libdir}/python${PYTHON_MAJMIN}/site.py | 205 | sed -i 's#ENABLE_USER_SITE = None#ENABLE_USER_SITE = False#' ${D}${libdir}/python${PYTHON_MAJMIN}/site.py |
| 214 | 206 | ||
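Review bot: The trailing-space removals in do_install:append:class-native are unrelated to the CVE_STATUS cleanup and would be better in a commit of their own, together with the similar one in py_package_preprocess. The commit message itself lists them as an extra ("Also remove some trailing spaces in python recipe"), and keeping them separate leaves the security-metadata change minimal and easier to audit or revert.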
| @@ -306,7 +298,7 @@ py_package_preprocess () { | |||
| 306 | cd - | 298 | cd - |
| 307 | 299 | ||
| 308 | mv ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX} | 300 | mv ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX} |
| 309 | 301 | ||
| 310 | #Remove the unneeded copy of target sysconfig data | 302 | #Remove the unneeded copy of target sysconfig data |
| 311 | rm -rf ${PKGD}/${libdir}/python-sysconfigdata | 303 | rm -rf ${PKGD}/${libdir}/python-sysconfigdata |
| 312 | } | 304 | } |
