Re: [OE-core] [PATCH] qemu: Set CVE_STATUS for wrong CVEs

Sun, 18 Feb 2024 10:37:46 -0800 

On Sun, 2024-02-18 at 17:42 +0000, Richard Purdie wrote:
> On Sun, 2024-02-18 at 16:52 +0000, Simone Weiß wrote:
> > From: Simone Weiß <simone.p.we...@posteo.com>
> > 
> > All are already fixed in 8.2.1, NVD was informed that cpes are wrong.
> > 
> > Signed-off-by: Simone Weiß <simone.p.we...@posteo.com>
> > ---
> >  meta/recipes-devtools/qemu/qemu.inc | 6 ++++++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
> > devtools/qemu/qemu.inc
> > index 5d953e5ef5..233652fc49 100644
> > --- a/meta/recipes-devtools/qemu/qemu.inc
> > +++ b/meta/recipes-devtools/qemu/qemu.inc
> > @@ -68,6 +68,12 @@ CVE_STATUS[CVE-2023-0664] = "not-applicable-
> > platform: Issue only applies on Wind
> >  # As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387
> >  CVE_STATUS[CVE-2023-2680] = "not-applicable-platform: RHEL specific
> > issue."
> >  
> > +CVE_STATUS[CVE-2023-3019] = "cpe-incorrect: Applies against versions
> > > 8.2.0 only"
> > +
> > +CVE_STATUS[CVE-2023-5088] = "cpe-incorrect: Applies against versions
> > >= 8.2.0 only"
> > +
> > +CVE_STATUS[CVE-2023-6693] = "cpe-incorrect: Applies against versions
> > >= 8.2.0 only"
> > +
> >  COMPATIBLE_HOST:mipsarchn32 = "null"
> >  COMPATIBLE_HOST:mipsarchn64 = "null"
> >  COMPATIBLE_HOST:riscv32 = "null"
> > 
> 
> Thanks for trying to resolve these.  
> 
> I'm struggling a little to read the above since to me that says the CVE
> applies to versions greater than 8.2.0 so 8.2.1 would be affected?
> Should the operators be the other way around, or should we spell it out
> ("applies to versions 8.2.0 and earlier")?
> 
> Cheers,
> 
> Richard
I'll spell it out 
> 
> 
> 
> 


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#195844): 
https://lists.openembedded.org/g/openembedded-core/message/195844
Mute This Topic: https://lists.openembedded.org/mt/104430283/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to