From ec1ae11f7860da56b0692b265b649bfc62907ef1 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 24 Aug 2025 18:55:22 +0200 Subject: recipes: cleanup CVE_STATUS which are resolved now They don't show up in CVE metrics anymore since they were either fixed upstream or recipe version was upgraded meanwhile. * bind CVE-2019-6470: cpe got corrected in nvd db * libxml2 CVE-2023-45322: version is now higher than NVD cpe * zlib CVE-2023-45853: version is now higher than NVD cpe * gcc CVE-2021-37322: version is now higher than NVD cpe * python3 * CVE-2007-4559: version is now higher than NVD cpe * CVE-2019-18348: version is now higher than NVD cpe * CVE-2020-15523: version is now higher than NVD cpe * CVE-2022-26488: version is now higher than NVD cpe * CVE-2015-20107: version is now higher than NVD cpe * CVE-2023-36632: version is now higher than NVD cpe * rust * CVE-2024-24576: NVD has no cpe, but we have newer version as fix * CVE-2024-43402: version is now higher than NVD cpe * cups CVE-2021-25317: version is now higher than NVD cpe * ghostscript CVE-2023-38559: version is now higher than NVD cpe * libtirpc CVE-2021-46828: version is now higher than NVD cpe * unzip CVE-2008-0888: version is now higher than NVD cpe * ffmpeg CVE-2023-39018: cpe got corrected in nvd db * libxslt CVE-2022-29824: version is now higher than NVD cpe * libyaml * CVE-2024-35325: CVE is now rejected in NVD DB * CVE-2024-35326: CVE is now rejected in NVD DB * CVE-2024-35328: CVE is now rejected in NVD DB Also add comment for iputils regarding reports for FKIE/NVD2. Also remove some trailing spaces in python recipe. (From OE-Core rev: 73ee9789183aa95072af2b51ac9e08203f4e33f9) Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- meta/recipes-devtools/python/python3_3.13.7.bb | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) (limited to 'meta/recipes-devtools/python') 
diff --git a/meta/recipes-devtools/python/python3_3.13.7.bb b/meta/recipes-devtools/python/python3_3.13.7.bb index 2fe0ae1a8f..a42b2c2a2d 100644 --- a/meta/recipes-devtools/python/python3_3.13.7.bb +++ b/meta/recipes-devtools/python/python3_3.13.7.bb @@ -45,14 +45,6 @@ UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" CVE_PRODUCT = "python:python python_software_foundation:python cpython" -CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour" -CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed" -CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" -CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows" -# The module will be removed in the future and flaws documented. -CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way" -CVE_STATUS[CVE-2023-36632] = "disputed: Not an issue, in fact expected behaviour" - PYTHON_MAJMIN = "3.13" S = "${UNPACKDIR}/Python-${PV}" @@ -201,14 +193,14 @@ do_install:append:class-native() { # when they're only used for python called with -O or -OO. #find ${D} -name *opt-*.pyc -delete # Remove all pyc files. There are a ton of them and it is probably faster to let - # python create the ones it wants at runtime rather than manage in the sstate + # python create the ones it wants at runtime rather than manage in the sstate # tarballs and sysroot creation. find ${D} -name *.pyc -delete # Nothing should be looking into ${B} for python3-native sed -i -e 's:${B}:/build/path/unavailable/:g' \ ${D}/${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}${PYTHON_ABI}*/Makefile - + # disable the lookup in user's site-packages globally sed -i 's#ENABLE_USER_SITE = None#ENABLE_USER_SITE = False#' ${D}${libdir}/python${PYTHON_MAJMIN}/site.py 
@@ -306,7 +298,7 @@ py_package_preprocess () { cd - mv ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX} - + #Remove the unneeded copy of target sysconfig data rm -rf ${PKGD}/${libdir}/python-sysconfigdata } -- cgit v1.2.3-54-g00ecf