All of lore.kernel.org
 help / color / mirror / Atom feed
* [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873
@ 2026-06-29 13:14 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
  2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
                   ` (4 more replies)
  0 siblings, 5 replies; 8+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 13:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: xe-linux-external, Anil Dongare

From: Anil Dongare <adongare@cisco.com>

- CVE-2026-4873 affects curl before 8.20.0 when a connection negotiated with
  clear-text IMAP, POP3, or SMTP can later be reused for a TLS-required
  transfer.
- In wrynose, these protocols are optional PACKAGECONFIG entries and are not
  enabled by default in curl_8.19.0.bb, so record this CVE as configuration-not-applicable
  for the default recipe configuration.

Reference:
- https://curl.se/docs/CVE-2026-4873.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-4873

Signed-off-by: Anil Dongare <adongare@cisco.com>
---
 meta/recipes-support/curl/curl_8.19.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index d58b774011..41e6888977 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -27,6 +27,7 @@ SRC_URI[sha256sum] = "4eb41489790d19e190d7ac7e18e82857cdd68af8f4e66b292ced562d33
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
 CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack"
+CVE_STATUS[CVE-2026-4873] = "${@bb.utils.contains_any('PACKAGECONFIG', 'imap pop3 smtp', 'unpatched', 'not-applicable-config: clear-text imap/pop3/smtp support is not enabled in PACKAGECONFIG', d)}"
 
 inherit autotools pkgconfig binconfig multilib_header ptest
 
-- 
2.51.0



^ permalink raw reply related	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2026-07-03  9:38 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-29 13:14 [OE-core] [wrynose] [PATCH 1/6] curl: ignore CVE-2026-4873 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 2/6] curl: fix CVE-2026-5545 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 3/6] curl: ignore CVE-2026-5773 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03  8:55   ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 4/6] curl: fix CVE-2026-6253 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 5/6] curl: fix CVE-2026-6429 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-03  9:38   ` Yoann Congal
2026-06-29 13:14 ` [OE-core] [wrynose] [PATCH 6/6] curl: fix CVE-2026-7168 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.