On Tue Mar 17, 2026 at 7:24 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Hi,
> Yes, before these patches, the code is vulnerable. See [1].
>
> [1] https://security-tracker.debian.org/tracker/CVE-2025-54770

What makes you say that from that URL? I don't see it.

> I just back port the solution from commit from Debian link given in [1].
>
> Please check it.

The way I see it, the CVE states:
> This flaw is a Use-after-Free issue, caused because the net_set_vlan
> command is not properly unregistered when the network module is unloaded
> from memory.

But, the net_set_vlan command does not exist in our original code (at least it looks like it because you add it in your CVE-2025-54770-01.patch aptly titled "net/net: Add net_set_vlan command").

I still believe our original code is not vulnerable to CVE-2025-54770 and that CVE should only be CVE_CHECK_IGNORE'd.

Did I miss something?

Regards,
--
Yoann Congal
Smile ECS
