From: "mark.yang" <[email protected]> For python3-ply, the CVE_PRODUCT should be set to ply, not python:ply. NVD registers ply as dabeaz:ply, so the default python:ply vendor prefix never matches and no CVEs are reported.
CVE-2025-56005 is disputed. See https://nvd.nist.gov/vuln/detail/CVE-2025-56005 Signed-off-by: mark.yang <[email protected]> --- meta/recipes-devtools/python/python3-ply_3.11.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-devtools/python/python3-ply_3.11.bb b/meta/recipes-devtools/python/python3-ply_3.11.bb index 2c5fa3f215..ce45bbc1bd 100644 --- a/meta/recipes-devtools/python/python3-ply_3.11.bb +++ b/meta/recipes-devtools/python/python3-ply_3.11.bb @@ -14,4 +14,8 @@ RDEPENDS:${PN}:class-target += "\ python3-shell \ " +CVE_PRODUCT = "ply" +# https://nvd.nist.gov/vuln/detail/CVE-2025-56005 Disputed +CVE_STATUS[CVE-2025-56005] = "disputed: PoC fails to demonstrate code execution; picklefile is a developer-controlled parser-table cache parameter" + BBCLASSEXTEND = "native nativesdk"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240601): https://lists.openembedded.org/g/openembedded-core/message/240601 Mute This Topic: https://lists.openembedded.org/mt/120203223/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
