Please note that 7zip also provides a library, so it's probably not safe to do 
this upgrade in LTS.
It may, however, be possible to do it as an alternative opt-in recipe.

Peter

From: openembedded-devel@lists.openembedded.org 
<openembedded-devel@lists.openembedded.org> On Behalf Of hongxu via 
lists.openembedded.org
Sent: Sunday, December 22, 2024 9:30
To: openembedded-devel@lists.openembedded.org
Subject: Re: [oe] [meta-oe][scarthgap][PATCH 1/4] Use 7zip 24.09 to replace 
p7zip 16.02

Hi Armin,

p7zip is too old, has been dead since 2016, and has many vulnerable CVEs, such as:
CVE-2024-11612
CVE-2024-11477
CVE-2023-52169
CVE-2023-52168
CVE-2023-40481
CVE-2023-31102
CVE-2023-1576
CVE-2022-47069

7z is a standalone command, and the versions of all affected recipes 
(android-tools, python3-rarfile, xarchiver) do not change between master and 
scarthgap, so I backported the new 7zip recipe to scarthgap to replace p7zip. 
I think the regression is small.

//Hongxu