On Mon Jun 29, 2026 at 12:47 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Anil Dongare <[email protected]> > > - CVE-2026-4873 affects curl before 8.20.0 when a connection negotiated with > clear-text IMAP, POP3, or SMTP can later be reused for a TLS-required > transfer. > - In scarthgap, these protocols are optional PACKAGECONFIG entries and are not > enabled by default in `curl_8.7.1.bb`. > - Record this CVE as configuration-not-applicable for the default recipe > configuration instead of carrying the upstream fix unconditionally. > > Reference: > - https://curl.se/docs/CVE-2026-4873.html > - https://nvd.nist.gov/vuln/detail/CVE-2026-4873
Hello, That CVE applies to wrynose, but I don't think I received a equivalent patch. Before sending more scarthgap fixes, do you plan to send the wrynose fixes blocking some of your previous patches? You can see them here: https://patchwork.yoctoproject.org/project/oe-core/list/?submitter=1525&state=8&series=&q=&delegate=&archive=both Regards, > > Signed-off-by: Anil Dongare <[email protected]> > --- > meta/recipes-support/curl/curl_8.7.1.bb | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/recipes-support/curl/curl_8.7.1.bb > b/meta/recipes-support/curl/curl_8.7.1.bb > index 14d63d6373..ad7ceceb69 100644 > --- a/meta/recipes-support/curl/curl_8.7.1.bb > +++ b/meta/recipes-support/curl/curl_8.7.1.bb > @@ -51,6 +51,7 @@ CVE_STATUS[CVE-2024-32928] = "ignored: > CURLOPT_SSL_VERIFYPEER was disabled on go > CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of > content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, > using zlib 1.2.0.3 or older" > CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', > 'openssl', 'not-applicable-config: applicable only with > wolfssl','unpatched',d)}" > CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', > 'openssl', 'not-applicable-config: applicable only with > wolfssl','unpatched',d)}" > +CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap > pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp > support is not enabled in PACKAGECONFIG', d)}" > > > inherit autotools pkgconfig binconfig multilib_header ptest -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239759): https://lists.openembedded.org/g/openembedded-core/message/239759 Mute This Topic: https://lists.openembedded.org/mt/120028212/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
