From 11fc309ae95bc221d44fb85515ab5df7afd59c26 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Sat, 4 Oct 2025 20:30:23 +0200 Subject: [PATCH] apache2: ignore CVE-2025-3891 The vulnerability was reported against mod_auth_openidc, which module is a 3rd party one, and not part of the apache2 source distribution. The affected module is not part of the meta-oe universe currently, so ignore the CVE. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj --- meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb index fef1f5ecec..58b324795e 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb @@ -48,6 +48,7 @@ CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version is not affected CVE_STATUS[CVE-2007-6423] = "cpe-incorrect: The current version is not affected by the CVE which affects versions from 2.2.x to 2.2.7-dev" CVE_STATUS[CVE-2008-2168] = "cpe-incorrect: The current version is not affected by the CVE which affects versions up to 2.2.6 (excl.)" CVE_STATUS[CVE-2010-0425] = "not-applicable-platform: The current version is not affected. It only applies for Windows." +CVE_STATUS[CVE-2025-3891] = "cpe-incorrect: The CVE is for a 3rd party module, which is not part of the Apache source distribution" SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice"