On 12/5/25 11:41, Anuj Mittal wrote:
CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know
the content is safe.
On Fri, Dec 5, 2025 at 8:22 AM Changqing Li via lists.openembedded.org
<[email protected]> wrote:
On 12/5/25 01:59, Steve Sakoman wrote:
CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know
the content is safe.
On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari<[email protected]> wrote:
This is quite a big change in the middle of an LTS release... not that I
have a better solution. But maybe a warning in the docs would be
appropriate about this removed feature and its reason (not sure who
takes care of these).
You are quite correct, this is a large change and deserves further
discussion since it is removing a (admittedly experimental) feature.
I will remove this from this series pending further discussion on list.
Hi,
This vulnerability exists in libmicrohttpd_ws.so, which is generated when
building with the --enable-experimental option, rather than in widely used
libmicrohttpd.so.
We don't enable this option by default, also we don't provide PACKAGECONFIG
for it.
How about we still keep the patch for fixing CVE-2025-59777, CVE-2025-62689,
and add the following warning in libmicrohttpd_1.0.2.bb
+python do_warn_experimental() {
+ if '--enable-experimental' in d.getVar('EXTRA_OECONF') and
'0001-Remove-broken-experimental-code.patch' in d.getVar('SRC_URI'):
+ bb.warn("This option is removed for CVE-2025-59777, CVE-2025-62689, if you
insist to use it, please remove patch 0001-Remove-broken-experimental-code.patch")
+}
+addtask warn_experimental before do_configure
+
if the user enable '--enable-experimental' , warning is it removed. if user
insist to use it, they can remove patch
0001-Remove-broken-experimental-code.patch locally, then
warning will disappear.
I think it should be the other way around. If we don't enable the
option and don't have a tunable PACKAGECONFIG for it, why complicate
and patch? If someone did enable it knowingly, they should fix it in
their append or recipe.
if we don't patch it, should we add function like do_warn_experimental
to remind user about the CVE?
it is possible that user enable experimental, but they don't know the
existence of CVE-2025-59777, CVE-2025-62689.
Thanks
//Changqing
Thanks,
Anuj
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#227377):
https://lists.openembedded.org/g/openembedded-core/message/227377
Mute This Topic: https://lists.openembedded.org/mt/116585220/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
