From aef8bc34225cd0a56057749d0db1dfac773b17cb Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Mon, 20 Apr 2026 11:33:18 +0200 Subject: [PATCH] protobuf, python3-protobuf: ignore CVE-2026-6409 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6409 The vulnerability impacts only the PHP library component, not the cpp/python one. Ignore this CVE due to this. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj --- meta-oe/recipes-devtools/protobuf/protobuf_6.33.6.bb | 1 + meta-python/recipes-devtools/python/python3-protobuf_6.33.6.bb | 1 + 2 files changed, 2 insertions(+) diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_6.33.6.bb b/meta-oe/recipes-devtools/protobuf/protobuf_6.33.6.bb index 4af48b0b99..880dd82b1d 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_6.33.6.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_6.33.6.bb @@ -29,6 +29,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d\.\d+\.\d+)" CVE_PRODUCT = "google:protobuf protobuf:protobuf google-protobuf protobuf-cpp" CVE_STATUS[CVE-2026-0994] = "cpe-incorrect: the vulnerability affects only python3-protobuf recipe" +CVE_STATUS[CVE-2026-6409] = "cpe-incorrect: the vulnerability affects only the php library" inherit cmake pkgconfig ptest diff --git a/meta-python/recipes-devtools/python/python3-protobuf_6.33.6.bb b/meta-python/recipes-devtools/python/python3-protobuf_6.33.6.bb index bbc713442b..0595ec2a47 100644 --- a/meta-python/recipes-devtools/python/python3-protobuf_6.33.6.bb +++ b/meta-python/recipes-devtools/python/python3-protobuf_6.33.6.bb @@ -14,6 +14,7 @@ SRC_URI[sha256sum] = "a6768d25248312c297558af96a9f9c929e8c4cee0659cb07e780731095 CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python" CVE_STATUS[CVE-2026-0994] = "fixed-version: it is fixed in 6.33.5" +CVE_STATUS[CVE-2026-6409] = "cpe-incorrect: the vulnerability affects only the php library" # http://errors.yoctoproject.org/Errors/Details/184715/ # Can't find required file: ../src/google/protobuf/descriptor.proto