On Thu, 2026-05-14 at 03:33 -0700, Sudhir Dumbhare -X (sudumbha - E
INFOCHIPS PRIVATE LIMITED at Cisco) wrote:
> From: Ross Burton <[email protected]>
> 
> The perl module Compress-Raw-Zlib defaults to using a vendored copy of
> the zlib sources which has a number of CVEs.  A newer version of perl
> updates this to zlib 1.3.2 to resolve them, but we should be linking to
> our zlib recipe instead of the vendored code.
> 
> This mitigates CVE-2026-4176 so mark it as not appropriate.
> 
> Signed-off-by: Ross Burton <[email protected]>
> Signed-off-by: Richard Purdie <[email protected]>
> (cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403)
> Signed-off-by: Sudhir Dumbhare <[email protected]>

Hi Sudhir,

The description in the commit message applies to Perl 5.42.0 in our
master branch, have you confirmed that this is also valid for Perl
5.38.x on Scarthgap?

Thanks,

-- 
Paul Barker
