Hello! "OE-core CVE metrics for kirkstone on Sun 09 Jun 2024 02:00:01 AM HST" reports CVE-2022-3515<https://nvd.nist.gov/vuln/detail/CVE-2022-3515> as "unpatched", as do local builds with "cve-check".
NIST lists GnuPG as vulnerable from 2.3.0 to 2.4.0, which is why this is reported as a CVE. This vulnerability was fixed in Libksba 1.6.2 (upstream issue<https://dev.gnupg.org/T6230>, upstream patch<https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b>).

meta/recipes-support/gnupg/gnupg_2.3.7.bb<https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/gnupg/gnupg_2.3.7.bb?h=kirkstone> DEPENDS on libksba, meta/recipes-support/libksba/libksba_1.6.4.bb<https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/libksba/libksba_1.6.4.bb?h=kirkstone>.

I manually verified the upstream patch exists in the fetched libksba-1.6.4.tar.bz2:

$ sed -n '185,190p' libksba-1.6.4/src/ber-help.c

Should this CVE be added to meta/conf/distro/include/cve-extra-exclusions.inc?

Thank you!

NB: This is my first time interacting. Please feel free to provide additional feedback such as typical processes or procedures.

--
Clayton Casciato
View/Reply Online (#200642): https://lists.openembedded.org/g/openembedded-core/message/200642
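The check described in the post above (confirming that an upstream fix is already present in a fetched tarball before asking for a cve-check exclusion) is usually done with `patch -p1 -R --dry-run` against the unpacked tree. The script below is an added example, not code from the post or from OE-core: it answers the same question in Python by parsing a unified diff and looking for each hunk's post-image (context plus `+` lines) in the target file, so it can be run where `patch` is not installed. The source file, the diff, and the paths `src/tlv.c` and `demo-src-*` are constructed stand-ins for illustration, not libksba or the real CVE-2022-3515 patch.

```python
"""Added example (not from the original post or OE-core): is an upstream
patch already applied to an unpacked source tree?  Mirrors what
`patch -R --dry-run` checks, using constructed stand-in inputs."""
import re
import tempfile
from pathlib import Path

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_unified_diff(text):
    """Return {target_path: [hunk, ...]}; a hunk is a list of (tag, line)."""
    files, target, hunk = {}, None, None
    old_left = new_left = 0
    for line in text.splitlines():
        if old_left > 0 or new_left > 0:
            # Inside a hunk: trust the @@ counts, so a removed line that
            # happens to start with "--- " is not mistaken for a file header.
            if line.startswith("\\"):          # "\ No newline at end of file"
                continue
            tag, body = (line[0], line[1:]) if line else (" ", "")
            if tag == " ":
                old_left, new_left = old_left - 1, new_left - 1
            elif tag == "-":
                old_left -= 1
            elif tag == "+":
                new_left -= 1
            else:
                raise ValueError(f"malformed hunk line: {line!r}")
            hunk.append((tag, body))
            continue
        m = HUNK_RE.match(line)
        if m and target is not None:
            old_left, new_left = int(m.group(2) or 1), int(m.group(4) or 1)
            hunk = []
            files[target].append(hunk)
        elif line.startswith("+++ "):
            name = line[4:].split("\t")[0]
            target = name[2:] if name[:2] in ("a/", "b/") else name  # -p1 strip
            files.setdefault(target, [])
    return files


def image(hunk, tags):
    """File lines as they look before (" -") or after (" +") the hunk."""
    return [body for tag, body in hunk if tag in tags]


def contains(lines, needle):
    n = len(needle)
    return any(lines[i:i + n] == needle for i in range(len(lines) - n + 1))


def hunk_state(file_lines, hunk):
    has_post = contains(file_lines, image(hunk, " +"))
    has_pre = contains(file_lines, image(hunk, " -"))
    if has_post and not has_pre:
        return "applied"
    if has_pre and not has_post:
        return "missing"
    # Both: pure-context hunk or duplicated code; neither: file has diverged.
    return "ambiguous" if has_post else "no-match"


def check_patch(tree, diff_text):
    """Per-file, per-hunk state of `diff_text` against the tree at `tree`."""
    result = {}
    for path, hunks in parse_unified_diff(diff_text).items():
        target = Path(tree) / path
        if not target.is_file():
            result[path] = ["no-file"] * len(hunks)
            continue
        lines = target.read_text().splitlines()
        result[path] = [hunk_state(lines, h) for h in hunks]
    return result


def patch_is_applied(tree, diff_text):
    """True only when every hunk of every touched file is already present."""
    states = check_patch(tree, diff_text)
    return bool(states) and all(s == "applied" for v in states.values() for s in v)


# Constructed stand-ins: one file before and after a fix, plus its -p1 diff.
DEMO_OLD = """\
int read_tlv(const unsigned char *buf, size_t len, struct tag_info *ti)
{
  /* constructed stand-in for a TLV header reader */
  ti->nhdr = 2;
  ti->length = buf[1];
  return 0;
}
"""
DEMO_FIX = ("  if (ti->length > len - ti->nhdr)   /* constructed bounds check */\n"
            "    return -1;\n")
DEMO_NEW = DEMO_OLD.replace("  return 0;\n", DEMO_FIX + "  return 0;\n")
DEMO_PATCH = """\
--- a/src/tlv.c
+++ b/src/tlv.c
@@ -3,5 +3,7 @@
   /* constructed stand-in for a TLV header reader */
   ti->nhdr = 2;
   ti->length = buf[1];
+  if (ti->length > len - ti->nhdr)   /* constructed bounds check */
+    return -1;
   return 0;
 }
"""


def build_demo_tree(fix_applied):
    """Write the constructed source tree to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="demo-src-"))
    (root / "src").mkdir()
    (root / "src" / "tlv.c").write_text(DEMO_NEW if fix_applied else DEMO_OLD)
    return root


if __name__ == "__main__":
    for applied in (False, True):
        tree = build_demo_tree(applied)
        print(tree, check_patch(tree, DEMO_PATCH), patch_is_applied(tree, DEMO_PATCH))
```

Against a real tree you would pass the unpacked tarball directory and the upstream commit's diff (`git show <rev>` output, or the `.patch` form) to `check_patch`; any hunk reported as `missing`, `ambiguous`, or `no-match` needs a manual look before the CVE is excluded, since "ambiguous" also covers code that was backported in a different shape.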