mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-17 16:47:13 +00:00
0eda0f3c55
Analysis: - The Mbed TLS advisory states the issue occurs when LLVM select-optimize is enabled. [1] - The same advisory also states that Arm/x86 builds with MBEDTLS_HAVE_ASM enabled are not affected. The default mbedtls configuration in this branch enables MBEDTLS_HAVE_ASM. - NVD also describes the issue as occurring only with LLVM's select-optimize feature. [2] - The mbedtls recipes now evaluate the effective build flags across target, native, and nativesdk variants, handle the supported -mllvm spellings, and only mark the CVE unpatched when the vulnerable LLVM option combination is explicitly enabled and the Arm/x86 MBEDTLS_HAVE_ASM carve-out does not apply. - When those conditions are not met, the current mbedtls build configuration is not affected. - Hence ignoring/deferred the CVE for now. Reference: [1] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/ [2] https://nvd.nist.gov/vuln/detail/CVE-2025-66442 Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>