xz: mark several CVEs as fixed

- CVE-2024-47611 was fixed in 5.6.3 and is Windows-specific.
- CVE-2025-31115 was fixed in 5.8.1.
- CVE-2025-58058 is specific to the Go xz module, not this recipe.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-extended/xz/xz_5.8.2.bb b/meta/recipes-extended/xz/xz_5.8.2.bb
index 982f5054c3a56320475f6cfe8f4d7bd796815b28..7ada44d9f582966a23c3ecd6457a0ddff2442d98 100644 (file)
--- a/meta/recipes-extended/xz/xz_5.8.2.bb
+++ b/meta/recipes-extended/xz/xz_5.8.2.bb
@@ -72,3 +72,7 @@ do_install_ptest () {
     ln -s ${bindir}/xzdiff ${D}${PTEST_PATH}/src/scripts/xzdiff
     ln -s ${bindir}/xzgrep ${D}${PTEST_PATH}/src/scripts/xzgrep
 }
+
+CVE_STATUS[CVE-2024-47611] = "fixed-version: fixed in 5.6.3 and Windows-specific"
+CVE_STATUS[CVE-2025-31115] = "fixed-version: fixed in 5.8.1"
+CVE_STATUS[CVE-2025-58058] = "cpe-incorrect: this is specific to the Go xz module"