* [meta-virtualization][PATCH] docker-compose: add CVE_PRODUCT and CVE_STATUS for CVE-2025-62725
@ 2026-07-02 7:44 mark.yang
2026-07-03 13:46 ` Bruce Ashfield
0 siblings, 1 reply; 2+ messages in thread
From: mark.yang @ 2026-07-02 7:44 UTC (permalink / raw)
To: meta-virtualization; +Cc: mark.yang
From: "mark.yang" <mark.yang@lge.com>
Add CVE_PRODUCT to docker-compose that matches CPE.
<vendor>:<product> must be set to docker:compose for proper matching.
CVE-2025-62725 was fixed in 2.40.2, but its record encodes the range as
a plain "< 2.40.2" version string that automated version comparison
cannot use, so mark it as fixed-version.
Signed-off-by: mark.yang <mark.yang@lge.com>
---
recipes-containers/docker-compose/docker-compose_git.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/recipes-containers/docker-compose/docker-compose_git.bb b/recipes-containers/docker-compose/docker-compose_git.bb
index d3798e35..5526912b 100644
--- a/recipes-containers/docker-compose/docker-compose_git.bb
+++ b/recipes-containers/docker-compose/docker-compose_git.bb
@@ -33,6 +33,10 @@ GO_IMPORT = "import"
PV = "5.1.4"
+CVE_PRODUCT = "docker:compose"
+
+CVE_STATUS[CVE-2025-62725] = "fixed-version: fixed in 2.40.2"
+
COMPOSE_PKG = "github.com/docker/compose/v2"
# go-mod-discovery configuration
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [meta-virtualization][PATCH] docker-compose: add CVE_PRODUCT and CVE_STATUS for CVE-2025-62725
2026-07-02 7:44 [meta-virtualization][PATCH] docker-compose: add CVE_PRODUCT and CVE_STATUS for CVE-2025-62725 mark.yang
@ 2026-07-03 13:46 ` Bruce Ashfield
0 siblings, 0 replies; 2+ messages in thread
From: Bruce Ashfield @ 2026-07-03 13:46 UTC (permalink / raw)
To: mark.yang; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization][PATCH] docker-compose: add CVE_PRODUCT and CVE_STATUS for CVE-2025-62725
on 02/07/2026 mark.yang via lists.yoctoproject.org wrote:
> From: "mark.yang" <mark.yang@lge.com>
>
> Add CVE_PRODUCT to docker-compose that matches CPE.
> <vendor>:<product> must be set to docker:compose for proper matching.
>
> CVE-2025-62725 was fixed in 2.40.2, but its record encodes the range as
> a plain "< 2.40.2" version string that automated version comparison
> cannot use, so mark it as fixed-version.
>
> Signed-off-by: mark.yang <mark.yang@lge.com>
> ---
> recipes-containers/docker-compose/docker-compose_git.bb | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/recipes-containers/docker-compose/docker-compose_git.bb b/recipes-containers/docker-compose/docker-compose_git.bb
> index d3798e35..5526912b 100644
> --- a/recipes-containers/docker-compose/docker-compose_git.bb
> +++ b/recipes-containers/docker-compose/docker-compose_git.bb
> @@ -33,6 +33,10 @@ GO_IMPORT = "import"
>
> PV = "5.1.4"
>
> +CVE_PRODUCT = "docker:compose"
> +
> +CVE_STATUS[CVE-2025-62725] = "fixed-version: fixed in 2.40.2"
> +
> COMPOSE_PKG = "github.com/docker/compose/v2"
>
> # go-mod-discovery configuration
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9909): https://lists.yoctoproject.org/g/meta-virtualization/message/9909
> Mute This Topic: https://lists.yoctoproject.org/mt/120079933/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-03 13:46 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-02 7:44 [meta-virtualization][PATCH] docker-compose: add CVE_PRODUCT and CVE_STATUS for CVE-2025-62725 mark.yang
2026-07-03 13:46 ` Bruce Ashfield
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.