On Fri May 8, 2026 at 1:01 AM CEST, Yoann Congal wrote: > On Mon Apr 27, 2026 at 8:04 AM CEST, Jiaying (CN) Song wrote: >> Hi Yoann, >> >> This patch is for scarthgap where pyasn1 is at 0.5.1. The 0.6.2 -> 0.6.3 >> upgrade would only apply to master. According to >> https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r , >> all versions <= 0.6.2 are affected, so for scarthgap, this patch is still >> needed to fix the CVE. > > Yes, agreed but the trouble was that is was not fixed on master and, > therefore, could not be fixed on scarthgap. > > Now the situation has changed, it is fixed on master by upgrading to > 0.6.3 but wrynose is now vulnerable. > Can you send a fix to wrynose? I can't merge a fix to scarthgap without > one for wrynose.
Hello, I will now drop this patch. If the above situation changes, please send a new patch. Regards, -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240239): https://lists.openembedded.org/g/openembedded-core/message/240239 Mute This Topic: https://lists.openembedded.org/mt/118738401/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
