From: Benjamin Robin <benjamin.robin@bootlin.com>
To: openembedded-core@lists.openembedded.org,
Peter Marko <peter.marko@siemens.com>
Subject: Re: [PATCH 6/6] ffmpeg: set status for 5 CVEs
Date: Mon, 27 Apr 2026 09:44:34 +0200
Message-ID: <--nPwHMjR5aFgiGiHDM60Q@bootlin.com>
In-Reply-To: <20260426185025.13217-6-peter.marko@siemens.com>

Hello Peter,

On Sunday, April 26, 2026 at 8:50 PM, Peter Marko wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> These reappeared after update of sbom-cve-check tooling.
> Fixed version found by links from Debian security tracker.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
> index 7bb7de3d25..9780abe184 100644
> --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.1.bb
> @@ -176,6 +176,11 @@ CVE_STATUS_GROUPS = "CVE_STATUS_WRONG_CPE"
> CVE_STATUS_WRONG_CPE = "CVE-2023-51791 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51796 CVE-2023-51797 CVE-2023-51798 CVE-2025-22921"
> CVE_STATUS_WRONG_CPE[status] = "fixed-version: these CVEs are fixed in used version"
>
> +CVE_STATUS[CVE-2022-2566] = "fixed-version: these CVEs are fixed since v5.1.1"
> +CVE_STATUS[CVE-2025-9951] = "fixed-version: these CVEs are fixed since v8.0"
> CVE_STATUS[CVE-2025-25468] = "fixed-version: these CVEs are fixed since v8.0"
> CVE_STATUS[CVE-2025-25469] = "fixed-version: these CVEs are fixed since v8.0"
> CVE_STATUS[CVE-2025-12343] = "fixed-version: this CVE are fixed since v8.0"
> +CVE_STATUS[CVE-2025-59729] = "fixed-version: this CVE are fixed since v8.0"
> +CVE_STATUS[CVE-2025-59730] = "fixed-version: this CVE are fixed since v8.0"
> +CVE_STATUS[CVE-2025-69693] = "fixed-version: this CVE are fixed since v8.1"
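
Review bot: the added CVE_STATUS[CVE-2025-69693] line gives "fixed since v8.1" as the reason for a fixed-version status, yet the file being patched is ffmpeg_8.0.1.bb, so the stated fix release is newer than the version this recipe builds. Drop that entry until the recipe is at v8.1 or later, or until the fix is carried in the recipe and recorded as such. Separately, the reason strings on the added lines for CVE-2022-2566 and CVE-2025-9951 say "these CVEs are fixed" although each covers a single CVE, and the other three say "this CVE are fixed"; "this CVE is fixed since ..." would be correct for all five.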

Why is CVE-2025-69693 marked as fixed?
It affects version 8.0.1, which is the current version of the recipe,
as reported by NVD:
https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-69693
{ vulnerable: true, criteria: "cpe:2.3:a:ffmpeg:ffmpeg:8.0.1:*:*:*:*:*:*:*",
matchCriteriaId: "7F5CACA2-6FB6-4D6D-92D0-C9FF0E7CDB14" }
I did not investigate in which version this CVE was fixed.
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
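
The cross-check described in the message above, as an added example that is not part of the original message or of the sbom-cve-check tooling: it flags a fixed-version CVE_STATUS line when the NVD CPE data still lists the recipe version as vulnerable. The function names are hypothetical and the NVD response is a constructed, trimmed sample built around the cpeMatch entry quoted above; it goes slightly beyond the quoted case by also handling NVD's version-range bounds.

```python
import json
import re

# Constructed NVD API 2.0 response, trimmed to the fields used below; the
# cpeMatch entry and RECIPE_LINE are the ones quoted in the message above.
SAMPLE_NVD = json.loads("""
{"vulnerabilities": [{"cve": {"id": "CVE-2025-69693", "configurations": [
  {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
    {"vulnerable": true,
     "criteria": "cpe:2.3:a:ffmpeg:ffmpeg:8.0.1:*:*:*:*:*:*:*",
     "matchCriteriaId": "7F5CACA2-6FB6-4D6D-92D0-C9FF0E7CDB14"}]}]}]}}]}
""")
RECIPE_LINE = 'CVE_STATUS[CVE-2025-69693] = "fixed-version: this CVE are fixed since v8.1"'

def vkey(version):
    """Sort key for dotted numeric versions such as '8.0.1' (assumed format)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def match_applies(m, vendor, product, version):
    """True if one cpeMatch entry marks vendor:product:version as vulnerable."""
    f = m["criteria"].split(":")  # naive split: assumes no escaped ':' in fields
    if not m.get("vulnerable") or f[3] != vendor or f[4] != product:
        return False
    if f[5] != "*":
        return f[5] == version  # exact version pinned in the CPE
    v = vkey(version)  # wildcard version: apply whichever range bounds exist
    bounds = [("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b)]
    return all(ok(vkey(m[k])) for k, ok in bounds if k in m)

def nvd_marks_vulnerable(nvd, cve_id, vendor, product, version):
    """Scan every cpeMatch of the CVE (AND/negate node logic is not modelled)."""
    for item in nvd["vulnerabilities"]:
        if item["cve"]["id"] != cve_id:
            continue
        for cfg in item["cve"].get("configurations", []):
            for node in cfg["nodes"]:
                if any(match_applies(m, vendor, product, version)
                       for m in node["cpeMatch"]):
                    return True
    return False

def conflicting_fixed_status(line, nvd, vendor, product, version):
    """Return the CVE id when a fixed-version line covers a version NVD lists."""
    m = re.match(r'CVE_STATUS\[(CVE-\d+-\d+)\]\s*=\s*"fixed-version:', line)
    if m and nvd_marks_vulnerable(nvd, m.group(1), vendor, product, version):
        return m.group(1)
    return None
```

A non-None result means the status line and the NVD record disagree for that recipe version and one of them needs a closer look.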