On Sat Jun 13, 2026 at 12:25 PM CEST, Sudhir Dumbhare via 
lists.openembedded.org wrote:
> From: Sudhir Dumbhare <[email protected]>
>
> Analysis:
>   - CVE-2026-3832 affects GnuTLS OCSP multi-record response handling.
>   - The vulnerable OCSP response handling code was introduced in GnuTLS 3.8.8.
>   - This vulnerable code is not present in the current GnuTLS 3.8.4.
>   - Hence ignoring the CVE for this version.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2026-3832
> https://security-tracker.debian.org/tracker/CVE-2026-3832
> https://gitlab.com/gnutls/gnutls/-/issues/1801
>
> Signed-off-by: Sudhir Dumbhare <[email protected]>
> ---

I think the CVE applies to wrynose. Can you send a fix there, and then,
ping back here?

Thanks!

>  meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb 
> b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> index ccb6a2b4b2..6d43c58df2 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> @@ -124,3 +124,5 @@ pkg_postinst_ontarget:${PN}-fips () {
>          ${bindir}/fipshmac ${libdir}/libhogweed.so.6.* > 
> ${libdir}/.libhogweed.so.6.hmac
>      fi
>  }
> +
> +CVE_STATUS[CVE-2026-3832] = "fixed-version: vulnerable multi-record OCSP 
> response handling was introduced in 3.8.8 and is not present in 3.8.4"


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239305): 
https://lists.openembedded.org/g/openembedded-core/message/239305
Mute This Topic: https://lists.openembedded.org/mt/119786186/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to