From 33d90091be1b07f7909803270bf23af63398a44c Mon Sep 17 00:00:00 2001
From: Peter Marko
Date: Mon, 8 Dec 2025 12:27:20 +0100
Subject: [PATCH] libmicrohttpd: disable experimental code by default

Introduce new packageconfig to explicitly avoid compilation of experimental code. Note that the code was not compiled by default also before this patch, this now makes it explicit and makes it possible to check for the flags in cve-check code. This is less intrusive change than a patch removing the code which was rejected in patch review. This will solve CVE-2025-59777 and CVE-2025-62689 as the vulnerable code is not compiled by default. Set appropriate CVE status for these CVEs based on new packageconfig.

(From OE-Core rev: 1d8e646aebe75b8ede51d4de9e0003a822992a33)

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.76.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.76.bb b/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.76.bb
index ad3c34ab9e..264af6d81a 100644
--- a/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.76.bb
+++ b/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.76.bb
@@ -22,9 +22,12 @@ PACKAGECONFIG:append:class-target = "\
 PACKAGECONFIG[largefile] = "--enable-largefile,--disable-largefile,,"
 PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,"
 PACKAGECONFIG[https] = "--enable-https,--disable-https,libgcrypt gnutls,"
+PACKAGECONFIG[experimental] = "--enable-experimental,--disable-experimental,"
 
 do_compile:append() {
 sed -i s:-L${STAGING_LIBDIR}::g libmicrohttpd.pc
 }
 
 BBCLASSEXTEND = "native nativesdk"
+
+CVE_CHECK_IGNORE += "${@bb.utils.contains('PACKAGECONFIG', 'experimental', '', 'CVE-2025-59777 CVE-2025-62689', d)}"
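Review bot: The added `CVE_CHECK_IGNORE` line at the end of the recipe has no comment saying why the two CVEs are ignored, so the rationale exists only in the commit message. A comment directly above it would keep the reason with the recipe, for example `# CVE-2025-59777, CVE-2025-62689: only in experimental code, built only with PACKAGECONFIG "experimental"`. The ignore is keyed on the PACKAGECONFIG flag alone, so a layer that passes `--enable-experimental` through `EXTRA_OECONF` instead would presumably still have both CVEs marked as ignored. The comment should state that the packageconfig is the only supported way to enable that code. The hunk starts mid-recipe, so any `EXTRA_OECONF` handling earlier in the file is not visible here.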