From 843820d9e41afef1ca550074077e48828f55edb7 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Wed, 9 Jul 2025 20:54:09 +0200 Subject: python3: update CVE product There are two "new" CVEs reported for python3, their CPEs are: * CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0) * CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0) These are for "Visual Studio Code Python extension". Solve this by addding CVE vendor to python CVE product to avoid confusion with Microsoft as vendor. Examining CVE DB for historical python entries shows: sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython' ...> or product like 'python%3' group by vendor, product; microsoft|python|2 python|python|1054 python_software_foundation|python|2 (From OE-Core rev: 06f615e6939a22bc8f12b30d8dea582ab3ccebe6) Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-devtools/python/python3_3.10.18.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/python/python3_3.10.18.bb b/meta/recipes-devtools/python/python3_3.10.18.bb index 0b57a0ebee..875b52cde9 100644 --- a/meta/recipes-devtools/python/python3_3.10.18.bb +++ b/meta/recipes-devtools/python/python3_3.10.18.bb @@ -51,7 +51,7 @@ SRC_URI[sha256sum] = "ae665bc678abd9ab6a6e1573d2481625a53719bc517e9a634ed2b9fefa UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/" -CVE_PRODUCT = "python" +CVE_PRODUCT = "python:python python_software_foundation:python" # Upstream consider this expected behaviour CVE_CHECK_IGNORE += "CVE-2007-4559" -- cgit v1.2.3-54-g00ecf