On Mon Jun 29, 2026 at 12:47 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS 
PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <[email protected]>
>
> - CVE-2026-4873 affects curl before 8.20.0 when a connection negotiated with
>   clear-text IMAP, POP3, or SMTP can later be reused for a TLS-required
>   transfer.
> - In scarthgap, these protocols are optional PACKAGECONFIG entries and are not
>   enabled by default in `curl_8.7.1.bb`.
> - Record this CVE as configuration-not-applicable for the default recipe
>   configuration instead of carrying the upstream fix unconditionally.
>
> Reference:
> - https://curl.se/docs/CVE-2026-4873.html
> - https://nvd.nist.gov/vuln/detail/CVE-2026-4873

Hello,

That CVE applies to wrynose, but I don't think I received a
equivalent patch.

Before sending more scarthgap fixes, do you plan to send the wrynose
fixes blocking some of your previous patches?
You can see them here:
https://patchwork.yoctoproject.org/project/oe-core/list/?submitter=1525&state=8&series=&q=&delegate=&archive=both

Regards,

>
> Signed-off-by: Anil Dongare <[email protected]>
> ---
>  meta/recipes-support/curl/curl_8.7.1.bb | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-support/curl/curl_8.7.1.bb 
> b/meta/recipes-support/curl/curl_8.7.1.bb
> index 14d63d6373..ad7ceceb69 100644
> --- a/meta/recipes-support/curl/curl_8.7.1.bb
> +++ b/meta/recipes-support/curl/curl_8.7.1.bb
> @@ -51,6 +51,7 @@ CVE_STATUS[CVE-2024-32928] = "ignored: 
> CURLOPT_SSL_VERIFYPEER was disabled on go
>  CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of 
> content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, 
> using zlib 1.2.0.3 or older"
>  CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 
> 'openssl', 'not-applicable-config: applicable only with 
> wolfssl','unpatched',d)}"
>  CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 
> 'openssl', 'not-applicable-config: applicable only with 
> wolfssl','unpatched',d)}"
> +CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap 
> pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp 
> support is not enabled in PACKAGECONFIG', d)}"
>  
>  
>  inherit autotools pkgconfig binconfig multilib_header ptest


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239759): 
https://lists.openembedded.org/g/openembedded-core/message/239759
Mute This Topic: https://lists.openembedded.org/mt/120028212/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

  • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Yoann Congal via lists.openembedded.org
      • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
        • ... Yoann Congal via lists.openembedded.org

Reply via email to