From d9b69d0a2d69e003b9432e1473830a89ff5a06c4 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@arm.com>
Date: Thu, 16 Apr 2026 11:30:59 +0100
Subject: [PATCH] libsoup: mark CVEs which have been resolved upstream

These issues have all been fixed in the 3.6.6 release that we have, but
the CPEs are unversioned. I've contacted NIST to update the database but
until that happens we can mark them as fixed.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-support/libsoup/libsoup_3.6.6.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-support/libsoup/libsoup_3.6.6.bb b/meta/recipes-support/libsoup/libsoup_3.6.6.bb
index b51368adb6..9bc3f2f86f 100644
--- a/meta/recipes-support/libsoup/libsoup_3.6.6.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.6.6.bb
@@ -58,3 +58,8 @@ DEBIAN_NOAUTONAME:${PN} = "1"
 RRECOMMENDS:${PN} = "glib-networking"
 
 BBCLASSEXTEND = "native nativesdk"
+
+CVE_STATUS[CVE-2026-1467] = "fixed-version: fixed in 3.6.6"
+CVE_STATUS[CVE-2026-1536] = "fixed-version: fixed in 3.6.6"
+CVE_STATUS[CVE-2026-1801] = "fixed-version: fixed in 3.6.6"
+CVE_STATUS[CVE-2026-2443] = "fixed-version: fixed in 3.6.6"
-- 
2.47.3