* [PATCH 0/2] meta: remove reference in patches to rejected CVE
@ 2026-02-20 11:01 Benjamin Robin (Schneider Electric)
2026-02-20 11:01 ` [PATCH 1/2] meta: update avahi patch to remove ref " Benjamin Robin (Schneider Electric)
2026-02-20 11:01 ` [PATCH 2/2] meta: in lz4 remove reference to rejected CVE-2025-62813 Benjamin Robin (Schneider Electric)
0 siblings, 2 replies; 6+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-02-20 11:01 UTC
To: openembedded-core
Cc: ross.burton, thomas.petazzoni, mathieu.dubois-briand,
antonin.godard, jpewhacker, Benjamin Robin (Schneider Electric),
Peter Marko
Remove the reference of 2 CVE identifiers in patch files, since the
CVEs are rejected. Remove reference to CVE-2025-62813 and to
CVE-2021-3502.
These 2 issues were found by using sbom-cve-check on the whole layer.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
Benjamin Robin (Schneider Electric) (2):
meta: update avahi patch to remove ref to rejected CVE
meta: in lz4 remove reference to rejected CVE-2025-62813
meta/recipes-connectivity/avahi/files/local-ping.patch | 1 -
.../lz4/lz4/{CVE-2025-62813.patch => fix-null-error-handling.patch} | 1 -
meta/recipes-support/lz4/lz4_1.10.0.bb | 2 +-
3 files changed, 1 insertion(+), 3 deletions(-)
---
base-commit: 74ba238ff1ba1e9b612aece1989b828f3a8f8770
change-id: 20260220-update-patch-with-rejected-cve-13cd13bb3e4f
Best regards,
--
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
* [PATCH 1/2] meta: update avahi patch to remove ref to rejected CVE
From: Benjamin Robin (Schneider Electric) @ 2026-02-20 11:01 UTC
To: openembedded-core
Cc: ross.burton, thomas.petazzoni, mathieu.dubois-briand,
antonin.godard, jpewhacker, Benjamin Robin (Schneider Electric)
CVE-2021-36217 is rejected, and should no longer be referenced.
CVE-2021-36217 is a duplicate of CVE-2021-3502 which is already
referenced in the local-ping.patch.
The CVE database indicates the following reason:
ConsultIDs: CVE-2021-3502. Reason: This candidate is a duplicate of
CVE-2021-3502. Notes: All CVE users should reference CVE-2021-3502
instead of this candidate. All references and descriptions in this
candidate have been removed to prevent accidental usage.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
meta/recipes-connectivity/avahi/files/local-ping.patch | 1 -
1 file changed, 1 deletion(-)
diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch
index 29c192d296e0..8f102815df04 100644
--- a/meta/recipes-connectivity/avahi/files/local-ping.patch
+++ b/meta/recipes-connectivity/avahi/files/local-ping.patch
@@ -1,4 +1,3 @@
-CVE: CVE-2021-36217
CVE: CVE-2021-3502
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
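Review bot: the removed line `-CVE: CVE-2021-36217` matches this commit message, but the cover letter for the series says the references removed are CVE-2025-62813 and CVE-2021-3502, and `CVE: CVE-2021-3502` is the tag this hunk keeps. Please correct the cover letter in the next revision so it names CVE-2021-36217 as the rejected identifier.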
--
2.52.0
* [PATCH 2/2] meta: in lz4 remove reference to rejected CVE-2025-62813
From: Benjamin Robin (Schneider Electric) @ 2026-02-20 11:01 UTC
To: openembedded-core
Cc: ross.burton, thomas.petazzoni, mathieu.dubois-briand,
antonin.godard, jpewhacker, Benjamin Robin (Schneider Electric),
Peter Marko
The CVE-2025-62813 is rejected so do not reference it anymore.
So keep the patch but without referencing the CVE identifier.
The CVE database indicates the following reason:
This candidate was withdrawn by its CNA. Further investigation
showed that it was not a security issue.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
.../lz4/lz4/{CVE-2025-62813.patch => fix-null-error-handling.patch} | 1 -
meta/recipes-support/lz4/lz4_1.10.0.bb | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/meta/recipes-support/lz4/lz4/CVE-2025-62813.patch b/meta/recipes-support/lz4/lz4/fix-null-error-handling.patch
similarity index 99%
rename from meta/recipes-support/lz4/lz4/CVE-2025-62813.patch
rename to meta/recipes-support/lz4/lz4/fix-null-error-handling.patch
index 4fa0373ff778..1527cc759124 100644
--- a/meta/recipes-support/lz4/lz4/CVE-2025-62813.patch
+++ b/meta/recipes-support/lz4/lz4/fix-null-error-handling.patch
@@ -4,7 +4,6 @@ Date: Mon, 31 Mar 2025 20:48:52 +0200
Subject: [PATCH] fix(null) : improve error handlings when passing a null
pointer to some functions from lz4frame
-CVE: CVE-2025-62813
Upstream-Status: Backport [https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
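Review bot: with `-CVE: CVE-2025-62813` dropped from the header, neither the patch file nor the commit message says why the backport is still carried, given that the quoted rejection reason is that this was not a security issue. Consider adding one sentence to the commit message giving the reason for keeping it (the `Upstream-Status: Backport [...]` line shows it is an upstream fix), so a later reader does not take the patch for leftover CVE handling and drop it.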
diff --git a/meta/recipes-support/lz4/lz4_1.10.0.bb b/meta/recipes-support/lz4/lz4_1.10.0.bb
index f2a86036b56a..fae5796c2b9a 100644
--- a/meta/recipes-support/lz4/lz4_1.10.0.bb
+++ b/meta/recipes-support/lz4/lz4_1.10.0.bb
@@ -15,7 +15,7 @@ SRCREV = "ebb370ca83af193212df4dcbadcc5d87bc0de2f0"
SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \
file://reproducibility.patch \
file://run-ptest \
- file://CVE-2025-62813.patch \
+ file://fix-null-error-handling.patch \
"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
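Review bot: the `SRC_URI` entry now points at `file://fix-null-error-handling.patch`, which matches the rename in this commit, but the diffstat covers only `lz4_1.10.0.bb` on the recipe side. Please confirm that nothing else in the layer still refers to `file://CVE-2025-62813.patch`, since a reference to the old name would no longer resolve after the rename.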
--
2.52.0
* RE: [OE-core] [PATCH 1/2] meta: update avahi patch to remove ref to rejected CVE
From: Peter Kjellerstedt @ 2026-02-20 15:46 UTC
To: benjamin.robin@bootlin.com,
openembedded-core@lists.openembedded.org
Cc: ross.burton@arm.com, thomas.petazzoni@bootlin.com,
mathieu.dubois-briand@bootlin.com, antonin.godard@bootlin.com,
jpewhacker@gmail.com
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Benjamin Robin via lists.openembedded.org
> Sent: den 20 februari 2026 12:02
> To: openembedded-core@lists.openembedded.org
> Cc: ross.burton@arm.com; thomas.petazzoni@bootlin.com; mathieu.dubois-briand@bootlin.com; antonin.godard@bootlin.com; jpewhacker@gmail.com; Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
> Subject: [OE-core] [PATCH 1/2] meta: update avahi patch to remove ref to rejected CVE
Please use the recipe name as prefix, e.g.:
avahi: Remove a reference to the rejected CVE-2021-36217
>
> CVE-2021-36217 is rejected, and should no longer be referenced.
> CVE-2021-36217 is a duplicate of CVE-2021-3502 which is already
> referenced in the local-ping.patch.
>
> The CVE database indicates the following reason:
> ConsultIDs: CVE-2021-3502. Reason: This candidate is a duplicate of
> CVE-2021-3502. Notes: All CVE users should reference CVE-2021-3502
> instead of this candidate. All references and descriptions in this
> candidate have been removed to prevent accidental usage.
>
> Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
> ---
> meta/recipes-connectivity/avahi/files/local-ping.patch | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch
> index 29c192d296e0..8f102815df04 100644
> --- a/meta/recipes-connectivity/avahi/files/local-ping.patch
> +++ b/meta/recipes-connectivity/avahi/files/local-ping.patch
> @@ -1,4 +1,3 @@
> -CVE: CVE-2021-36217
> CVE: CVE-2021-3502
> Upstream-Status: Backport
> Signed-off-by: Ross Burton <ross.burton@arm.com>
>
> --
> 2.52.0
* RE: [OE-core] [PATCH 2/2] meta: in lz4 remove reference to rejected CVE-2025-62813
From: Peter Kjellerstedt @ 2026-02-20 15:47 UTC
To: benjamin.robin@bootlin.com,
openembedded-core@lists.openembedded.org
Cc: ross.burton@arm.com, thomas.petazzoni@bootlin.com,
mathieu.dubois-briand@bootlin.com, antonin.godard@bootlin.com,
jpewhacker@gmail.com, Peter Marko
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Benjamin Robin via lists.openembedded.org
> Sent: den 20 februari 2026 12:02
> To: openembedded-core@lists.openembedded.org
> Cc: ross.burton@arm.com; thomas.petazzoni@bootlin.com; mathieu.dubois-briand@bootlin.com; antonin.godard@bootlin.com; jpewhacker@gmail.com; Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>; Peter
> Marko <peter.marko@siemens.com>
> Subject: [OE-core] [PATCH 2/2] meta: in lz4 remove reference to rejected CVE-2025-62813
Please use the recipe name as prefix, e.g.:
lz4: Remove a reference to the rejected CVE-2025-62813
>
> The CVE-2025-62813 is rejected so do not reference it anymore.
> So keep the patch but without referencing the CVE identifier.
>
> The CVE database indicates the following reason:
> This candidate was withdrawn by its CNA. Further investigation
> showed that it was not a security issue.
>
> Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
> ---
> .../lz4/lz4/{CVE-2025-62813.patch => fix-null-error-handling.patch} | 1 -
> meta/recipes-support/lz4/lz4_1.10.0.bb | 2 +-
> 2 files changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/meta/recipes-support/lz4/lz4/CVE-2025-62813.patch b/meta/recipes-support/lz4/lz4/fix-null-error-handling.patch
> similarity index 99%
> rename from meta/recipes-support/lz4/lz4/CVE-2025-62813.patch
> rename to meta/recipes-support/lz4/lz4/fix-null-error-handling.patch
> index 4fa0373ff778..1527cc759124 100644
> --- a/meta/recipes-support/lz4/lz4/CVE-2025-62813.patch
> +++ b/meta/recipes-support/lz4/lz4/fix-null-error-handling.patch
> @@ -4,7 +4,6 @@ Date: Mon, 31 Mar 2025 20:48:52 +0200
> Subject: [PATCH] fix(null) : improve error handlings when passing a null
> pointer to some functions from lz4frame
>
> -CVE: CVE-2025-62813
> Upstream-Status: Backport [https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82]
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> diff --git a/meta/recipes-support/lz4/lz4_1.10.0.bb b/meta/recipes-support/lz4/lz4_1.10.0.bb
> index f2a86036b56a..fae5796c2b9a 100644
> --- a/meta/recipes-support/lz4/lz4_1.10.0.bb
> +++ b/meta/recipes-support/lz4/lz4_1.10.0.bb
> @@ -15,7 +15,7 @@ SRCREV = "ebb370ca83af193212df4dcbadcc5d87bc0de2f0"
> SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \
> file://reproducibility.patch \
> file://run-ptest \
> - file://CVE-2025-62813.patch \
> + file://fix-null-error-handling.patch \
> "
> UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
>
>
> --
> 2.52.0
* Re: [OE-core] [PATCH 1/2] meta: update avahi patch to remove ref to rejected CVE
From: Benjamin ROBIN @ 2026-02-20 15:50 UTC
To: openembedded-core@lists.openembedded.org, Peter Kjellerstedt
Cc: ross.burton@arm.com, thomas.petazzoni@bootlin.com,
mathieu.dubois-briand@bootlin.com, antonin.godard@bootlin.com,
jpewhacker@gmail.com
On Friday, February 20, 2026 at 4:46 PM, Peter Kjellerstedt wrote:
> Please use the recipe name as prefix, e.g.:
>
> avahi: Remove a reference to the rejected CVE-2021-36217
Thank you for the feedback. I will send a v2 on Monday.
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com