Hello,

That's how LTS releases work in Linux distributions.
Versions are not being updated, only patches are being backported.
You can deliver SPDX/VEX information to your users to inform them about patched
vulnerabilities.
If the LTS strategy is not suitable for you, please update to the latest Yocto release.

Some background info:
https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS
https://wiki.yoctoproject.org/wiki/LTS_Background

Peter

> -----Original Message-----
> From: [email protected] <openembedded-
> [email protected]> On Behalf Of FA via lists.openembedded.org
> Sent: Friday, February 27, 2026 0:47
> To: [email protected]
> Subject: [oe] Net-snmp upgrade to 5.9.5
> 
> Hi,
> 
> I would like to know if there is a plan to upgrade net-snmp to 5.9.5.
> 
> I see that we are backporting all the vulnerabilities and important fixes to
> 5.9.4 in the LTS branch (scarthgap).
> 
> As per NVD, it recommends upgrading to 5.9.5/5.10.pre2 to address
> CVE-2025-68615.
> 
> https://nvd.nist.gov/vuln/detail/CVE-2025-68615
> 
> Since vulnerability tools report that net-snmp 5.9.4 is vulnerable to
> CVE-2025-68615, despite the fix being backported to 5.9.4, this raises a false
> alarm among users.
> 
> I think it's better we upgrade LTS branch NetSNMP to version 5.9.5.
> 
> 
> Regards,
> Feroz Ahmed
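
The VEX suggestion in the reply above, as an added example that is not part of either message or of any Yocto/OpenEmbedded tooling: a version-matching scanner flags the patched net-snmp 5.9.4, and a VEX statement shipped with the image lets the consumer suppress that finding. The document follows the OpenVEX layout; the product identifier, author, URL and the placeholder CVE-0000-00000 are constructed for illustration.

```python
import json

# Constructed OpenVEX-style document a distributor could ship with an image.
# The product identifier (purl), author and @id URL are assumptions.
VEX_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/constructed-1",
  "author": "Example Distro Security Team",
  "timestamp": "2026-02-27T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-2025-68615"},
      "products": [{"@id": "pkg:generic/net-snmp@5.9.4"}],
      "status": "fixed"
    }
  ]
}
""")

# Constructed scanner output: version-only matching flags the patched package.
# CVE-0000-00000 is a placeholder for a finding with no VEX statement.
FINDINGS = [
    {"product": "pkg:generic/net-snmp@5.9.4", "cve": "CVE-2025-68615"},
    {"product": "pkg:generic/net-snmp@5.9.4", "cve": "CVE-0000-00000"},
]

# Statuses that mean no action is needed for this product.
RESOLVED = {"fixed", "not_affected"}

def vex_index(doc):
    """Map (product id, CVE) -> status; later statements in the file win."""
    index = {}
    for stmt in doc.get("statements", []):
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            index[(product["@id"], cve)] = stmt["status"]
    return index

def triage(findings, doc):
    """Split findings into (actionable, suppressed) using the VEX statements."""
    index = vex_index(doc)
    actionable, suppressed = [], []
    for f in findings:
        status = index.get((f["product"], f["cve"]))
        # Only an explicit resolved status suppresses; unknown stays actionable.
        bucket = suppressed if status in RESOLVED else actionable
        bucket.append({**f, "vex_status": status})
    return actionable, suppressed
```

A finding without a matching statement stays actionable, so a missing or incomplete VEX file never hides an unpatched issue.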