All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Yoann Congal" <yoann.congal@smile.fr>
To: <adongare@cisco.com>, <openembedded-core@lists.openembedded.org>
Cc: <xe-linux-external@cisco.com>
Subject: Re: [OE-core] [scarthgap] [PATCH 1/7] curl: ignore CVE-2026-4873
Date: Mon, 29 Jun 2026 13:53:24 +0200	[thread overview]
Message-ID: <DJLIGNIA29T0.UP5MNHAPJBCH@smile.fr> (raw)
In-Reply-To: <20260629104801.972184-1-adongare@cisco.com>

On Mon Jun 29, 2026 at 12:47 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> - CVE-2026-4873 affects curl before 8.20.0 when a connection negotiated with
>   clear-text IMAP, POP3, or SMTP can later be reused for a TLS-required
>   transfer.
> - In scarthgap, these protocols are optional PACKAGECONFIG entries and are not
>   enabled by default in `curl_8.7.1.bb`.
> - Record this CVE as configuration-not-applicable for the default recipe
>   configuration instead of carrying the upstream fix unconditionally.
>
> Reference:
> - https://curl.se/docs/CVE-2026-4873.html
> - https://nvd.nist.gov/vuln/detail/CVE-2026-4873

Hello,

That CVE applies to wrynose, but I don't think I received a
equivalent patch.

Before sending more scarthgap fixes, do you plan to send the wrynose
fixes blocking some of your previous patches?
You can see them here:
https://patchwork.yoctoproject.org/project/oe-core/list/?submitter=1525&state=8&series=&q=&delegate=&archive=both

Regards,

>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
>  meta/recipes-support/curl/curl_8.7.1.bb | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
> index 14d63d6373..ad7ceceb69 100644
> --- a/meta/recipes-support/curl/curl_8.7.1.bb
> +++ b/meta/recipes-support/curl/curl_8.7.1.bb
> @@ -51,6 +51,7 @@ CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on go
>  CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older"
>  CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
>  CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}"
> +CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}"
>  
>  
>  inherit autotools pkgconfig binconfig multilib_header ptest


-- 
Yoann Congal
Smile ECS



  parent reply	other threads:[~2026-06-29 11:53 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 10:47 [OE-core] [scarthgap] [PATCH 1/7] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 10:47 ` [OE-core] [scarthgap] [PATCH 2/7] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 10:47 ` [OE-core] [scarthgap] [PATCH 3/7] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 10:47 ` [OE-core] [scarthgap] [PATCH 4/7] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 10:47 ` [OE-core] [scarthgap] [PATCH 5/7] curl: fix CVE-2026-6276 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 10:47 ` [OE-core] [scarthgap] [PATCH 6/7] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 10:47 ` [OE-core] [scarthgap] [PATCH 7/7] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 11:53 ` Yoann Congal [this message]
2026-06-29 12:08   ` [scarthgap] [PATCH 1/7] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 12:19     ` [OE-core] " Yoann Congal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJLIGNIA29T0.UP5MNHAPJBCH@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=adongare@cisco.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=xe-linux-external@cisco.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.