author: Peter Marko <peter.marko@siemens.com> 2025-07-09 20:53:21 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-07-21 09:07:21 -0700
commit: ae35f06bb16d4fb9d2cb99451bed0e7bda645476 (patch)
tree: 96ca5dbbe209d2cb253215d376af2cbf6e81addf /scripts/lib/recipetool/create_buildsys_python.py
parent: 6d2f2bd3f7bee907b616cd9ed4abc686155da72a (diff)
python3: update CVE product

There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".

Solve this by adding CVE vendor to python CVE product to avoid confusion with Microsoft as vendor.

Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
   ...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2

Note that this already shows that cpython product is not used, so CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c was updated. But let's keep it for future in case new CVE starts with that again.

(From OE-Core rev: 72369cd66f78a371608c3fff205e0e96c248f2b3)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

Diffstat (limited to 'scripts/lib/recipetool/create_buildsys_python.py')
0 files changed, 0 insertions, 0 deletions
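
The effect of vendor-qualifying a CVE product, as an added example that is not part of the commit or of OE-Core: a simplified matcher run over a constructed `products` table. The `id` column, the placeholder CVE ids, the helper names and the `QUALIFIED` value are assumptions; only the `vendor`/`product` columns and the vendor names come from the commit message.

```python
import sqlite3

# Constructed rows mirroring the (vendor, product) pairs listed in the commit
# message. The ids are placeholders, not real CVE identifiers.
SAMPLE_ROWS = [
    ("CVE-EXAMPLE-0001", "python", "python"),
    ("CVE-EXAMPLE-0002", "python_software_foundation", "python"),
    ("CVE-EXAMPLE-0003", "microsoft", "python"),
    ("CVE-EXAMPLE-0004", "microsoft", "python"),
]

# Hypothetical vendor-qualified setting; the value used by the recipe is not
# shown on the page.
QUALIFIED = "python:python python_software_foundation:python cpython"


def build_db():
    """Create an in-memory stand-in for the CVE database's products table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id TEXT, vendor TEXT, product TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def parse_entry(entry):
    """Split 'vendor:product'; a bare product name carries no vendor filter."""
    vendor, sep, product = entry.partition(":")
    return (vendor, product) if sep else (None, entry)


def matching_cves(db, cve_product):
    """Return the ids selected by a space-separated product list."""
    found = set()
    for entry in cve_product.split():
        vendor, product = parse_entry(entry)
        if vendor is None:
            # Unqualified: every vendor's product of this name is selected.
            sql, args = "SELECT id FROM products WHERE product = ?", (product,)
        else:
            sql = "SELECT id FROM products WHERE product = ? AND vendor = ?"
            args = (product, vendor)
        found.update(row[0] for row in db.execute(sql, args))
    return sorted(found)


if __name__ == "__main__":
    db = build_db()
    print("unqualified:", matching_cves(db, "python"))
    print("qualified:  ", matching_cves(db, QUALIFIED))
```
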