On Fri, Dec 5, 2025 at 8:22 AM Changqing Li via lists.openembedded.org <[email protected]> wrote:
>
> On 12/5/25 01:59, Steve Sakoman wrote:
>
> On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari <[email protected]> wrote:
>
> This is quite a big change in the middle of an LTS release... not that I
> have a better solution. But maybe a warning in the docs would be
> appropriate about this removed feature and its reason (not sure who
> takes care of these).
>
> You are quite correct, this is a large change and deserves further
> discussion since it is removing an (admittedly experimental) feature.
>
> I will remove this from this series pending further discussion on list.
>
> Hi,
>
> This vulnerability exists in libmicrohttpd_ws.so, which is generated when
> building with the --enable-experimental option, rather than in the widely used
> libmicrohttpd.so.
>
> We don't enable this option by default, and we don't provide a PACKAGECONFIG
> for it.
>
> How about we still keep the patch for fixing CVE-2025-59777, CVE-2025-62689,
> and add the following warning in libmicrohttpd_1.0.2.bb
>
> +python do_warn_experimental() {
> + if '--enable-experimental' in d.getVar('EXTRA_OECONF') and
> '0001-Remove-broken-experimental-code.patch' in d.getVar('SRC_URI'):
> + bb.warn("This option is removed for CVE-2025-59777, CVE-2025-62689,
> if you insist to use it, please remove patch
> 0001-Remove-broken-experimental-code.patch")
> +}
> +addtask warn_experimental before do_configure
> +
>
> If the user enables '--enable-experimental', the warning says it is removed. If the user
> insists on using it, they can remove patch
> 0001-Remove-broken-experimental-code.patch locally, then
>
> the warning will disappear.
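Review bot: the bb.warn text in do_warn_experimental tells the user to remove 0001-Remove-broken-experimental-code.patch but does not say that doing so brings back the code affected by CVE-2025-59777 and CVE-2025-62689; the message should state that consequence so the choice is an informed one. In the condition on the line above, d.getVar('EXTRA_OECONF') and d.getVar('SRC_URI') are used directly as the right-hand side of "in", and getVar returns None for an unset variable, which would raise a TypeError instead of emitting the warning; guard both with (d.getVar('EXTRA_OECONF') or '') and (d.getVar('SRC_URI') or '').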

I think it should be the other way around. If we don't enable the option and don't have a tunable PACKAGECONFIG for it, why complicate and patch? If someone did enable it knowingly, they should fix it in their append or recipe.

Thanks,
Anuj
