From: Peter Marko Date: Wed, 15 Apr 2026 20:14:42 +0000 (+0200) Subject: grub: set status for 6 CVEs fixed in 2.14 X-Git-Tag: yocto-6.0~108 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ea4d22bfea411bfe9aeb30b36c484efef84a9c81;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git grub: set status for 6 CVEs fixed in 2.14 These CVEs were fixed in 2.14, however Redhat CNA does not fill any version to CPEs. References for fixes are in Debian security tracker: * https://security-tracker.debian.org/tracker/CVE-2025-54770 * https://security-tracker.debian.org/tracker/CVE-2025-54771 * https://security-tracker.debian.org/tracker/CVE-2025-61661 * https://security-tracker.debian.org/tracker/CVE-2025-61662 * https://security-tracker.debian.org/tracker/CVE-2025-61663 * https://security-tracker.debian.org/tracker/CVE-2025-61664 Signed-off-by: Peter Marko Signed-off-by: Richard Purdie
---
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index da67975290..0656489ead 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -28,6 +28,12 @@ CVE_STATUS[CVE-2023-4001] = "not-applicable-platform: Applies only to RHEL/Fedo
 CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: Applies only to RHEL/Fedora"
 CVE_STATUS[CVE-2024-2312] = "not-applicable-platform: Applies only to Ubuntu"
 CVE_STATUS[CVE-2024-49504] = "not-applicable-platform: Applies only to SUSE"
+CVE_STATUS[CVE-2025-54770] = "fixed-version: fixed since 2.14"
+CVE_STATUS[CVE-2025-54771] = "fixed-version: fixed since 2.14"
+CVE_STATUS[CVE-2025-61661] = "fixed-version: fixed since 2.14"
+CVE_STATUS[CVE-2025-61662] = "fixed-version: fixed since 2.14"
+CVE_STATUS[CVE-2025-61663] = "fixed-version: fixed since 2.14"
+CVE_STATUS[CVE-2025-61664] = "fixed-version: fixed since 2.14"
 DEPENDS = "flex-native bison-native gettext-native gawk-replacement-native"
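Review bot: The six `fixed-version` entries added after `CVE_STATUS[CVE-2024-49504]` are unconditional, so they are correct only while every recipe that includes grub2.inc builds 2.14 or newer; nothing in the hunk ties them to the recipe version. If the change is picked onto a branch that still ships an older grub, or a layer pins an older version against this include, the CVE check would presumably report these six as patched when they are not. A comment above the block would record the reason and the constraint, for example `# Fixed upstream in 2.14; the CNA publishes no version in the CPEs. Do not carry to branches with grub < 2.14.` The recipe version is not visible in the hunk, so this is a caveat to confirm rather than a defect in the change.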