CPEs are registered for iperf_project2:iperf2 in addition to iperf_project:iperf. By changing CVE_PRODUCT to an appends, this ensures that both iperf and iperf2 CPEs are used for CVE matching.
Signed-off-by: Colin Pinnell McAllister <[email protected]> --- Here are the links to see both CPEs registered in the NVD: - https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aiperf_project%3Aiperf - https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=2.3&keyword=cpe%3A2.3%3Aa%3Aiperf2_project&status=FINAL meta-oe/recipes-benchmark/iperf2/iperf2_2.2.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-benchmark/iperf2/iperf2_2.2.1.bb b/meta-oe/recipes-benchmark/iperf2/iperf2_2.2.1.bb index d31f4ed634..cc7a1561df 100644 --- a/meta-oe/recipes-benchmark/iperf2/iperf2_2.2.1.bb +++ b/meta-oe/recipes-benchmark/iperf2/iperf2_2.2.1.bb @@ -19,7 +19,7 @@ EXTRA_OECONF = "--exec-prefix=${STAGING_DIR_HOST}${layout_exec_prefix}" PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," -CVE_PRODUCT = "iperf_project:iperf" +CVE_PRODUCT:append = " iperf_project:iperf" CVE_STATUS[CVE-2025-54349] = "cpe-incorrect: the vulnerability is in iperf3, which is a different project" CVE_STATUS[CVE-2025-54350] = "cpe-incorrect: the vulnerability is in iperf3, which is a different project" CVE_STATUS[CVE-2025-54351] = "cpe-incorrect: the vulnerability is in iperf3, which is a different project" -- 2.53.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#124600): https://lists.openembedded.org/g/openembedded-devel/message/124600 Mute This Topic: https://lists.openembedded.org/mt/117983029/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
