From: "mark.yang" <[email protected]>

For python3-ply, the CVE_PRODUCT should be set to ply, not python:ply.
NVD registers ply as dabeaz:ply, so the default python:ply vendor prefix never 
matches and no CVEs are reported.

CVE-2025-56005 is disputed.
See https://nvd.nist.gov/vuln/detail/CVE-2025-56005

Signed-off-by: mark.yang <[email protected]>
---
 meta/recipes-devtools/python/python3-ply_3.11.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-ply_3.11.bb 
b/meta/recipes-devtools/python/python3-ply_3.11.bb
index 2c5fa3f215..ce45bbc1bd 100644
--- a/meta/recipes-devtools/python/python3-ply_3.11.bb
+++ b/meta/recipes-devtools/python/python3-ply_3.11.bb
@@ -14,4 +14,8 @@ RDEPENDS:${PN}:class-target += "\
     python3-shell \
 "
 
+CVE_PRODUCT = "ply"
+# https://nvd.nist.gov/vuln/detail/CVE-2025-56005 Disputed
+CVE_STATUS[CVE-2025-56005] = "disputed: PoC fails to demonstrate code 
execution; picklefile is a developer-controlled parser-table cache parameter"
+
 BBCLASSEXTEND = "native nativesdk"
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240601): 
https://lists.openembedded.org/g/openembedded-core/message/240601
Mute This Topic: https://lists.openembedded.org/mt/120203223/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to