From: Ross Burton <ross.burton@arm.com>
Date: Mon, 20 Apr 2026 19:07:45 +0000 (+0100)
Subject: bluez5: mark two CVEs as being in the wrong product
X-Git-Tag: yocto-6.0~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6cbf55abe401ddec81630e85bb0151f1f693c78b;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

bluez5: mark two CVEs as being in the wrong product

CVE-2020-12351 and CVE-2020-12352 ("BleedingTooth") are actually issues
in the Linux kernel, not BlueZ as reported in the CVE.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.86.bb b/meta/recipes-connectivity/bluez5/bluez5_5.86.bb
index 2d56fc642d..8974a2c69c 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.86.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.86.bb
@@ -5,6 +5,8 @@ LDFLAGS += " ${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-lld', '-Wl,-z,nostar
 SRC_URI[sha256sum] = "99f144540c6070591e4c53bcb977eb42664c62b7b36cb35a29cf72ded339621d"
 
 CVE_STATUS[CVE-2020-24490] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes"
+CVE_STATUS[CVE-2020-12351] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes"
+CVE_STATUS[CVE-2020-12352] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support