On Fri, Jun 14, 2024 at 12:51 AM Clayton Casciato via lists.openembedded.org <ccasciato=21sw...@lists.openembedded.org> wrote:
> Hello!
>
> "OE-core CVE metrics for kirkstone on Sun 09 Jun 2024 02:00:01 AM HST"
> reports CVE-2022-3515 <https://nvd.nist.gov/vuln/detail/CVE-2022-3515> as
> "unpatched", as do local builds with "cve-check".
>
> NIST lists GnuPG as vulnerable from 2.3.0 to 2.4.0, which is why this is
> reported as a CVE.
>
> This vulnerability was fixed in Libksba 1.6.2 (upstream issue
> <https://dev.gnupg.org/T6230>, upstream patch
> <https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b>).
>
> meta/recipes-support/gnupg/gnupg_2.3.7.bb
> <https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/gnupg/gnupg_2.3.7.bb?h=kirkstone>
> DEPENDS
> libksba
>
> meta/recipes-support/libksba/libksba_1.6.4.bb
> <https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/libksba/libksba_1.6.4.bb?h=kirkstone>
>
> I manually verified the upstream patch exists in the fetched
> libksba-1.6.4.tar.bz2.
> $ sed -n '185,190p' libksba-1.6.4/src/ber-help.c
>
> Should this CVE be added to
> meta/conf/distro/include/cve-extra-exclusions.inc?
>

Hello,

From what I see, it is the NVD entry that is wrong, as it mentions this CVE for gnupg, while the original advisory mentions libksba only. And so does the direct CVE entry.

For now, use CVE_STATUS, but only in your gnupg recipe. We do not need this one to be visible globally, and the NVD entry for libksba is correct.

You can notify NVD that the entry is wrong by writing to the address that is linked at https://nvd.nist.gov/vuln/detail/CVE-2022-3515 in the "Are we missing a CPE here? Please let us know <cpe_diction...@nist.gov>." part.

I've fixed it in the overrides repo.

Kind regards,
Marta
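The recipe-local CVE_STATUS override that the reply recommends, written out as an added example (this is not code from the thread or from OE-core). It assumes a layer of your own holding a gnupg bbappend (the layer path is hypothetical) and a kirkstone checkout that has the CVE_STATUS mechanism the reply refers to:

```bitbake
# meta-mylayer/recipes-support/gnupg/gnupg_%.bbappend  (hypothetical layer path)
#
# Per-recipe status only: cve-check stops reporting CVE-2022-3515 as
# "Unpatched" for gnupg, while libksba's own NVD entry is left alone, so
# the real fix (libksba 1.6.2, present in the 1.6.4 tarball) stays tracked
# in the libksba recipe rather than being hidden globally in
# meta/conf/distro/include/cve-extra-exclusions.inc.
#
# Format is "<status>: <reason>"; "cpe-incorrect" is the status for a CVE
# whose NVD CPE range names the wrong product.
CVE_STATUS[CVE-2022-3515] = "cpe-incorrect: NVD lists GnuPG 2.3.0-2.4.0, but the upstream advisory and the CVE entry cover libksba only; fixed in libksba 1.6.2, and kirkstone ships libksba 1.6.4."
```

After rebuilding with cve-check enabled (INHERIT += "cve-check"), the gnupg entry in the per-recipe report carries the given reason and is no longer counted as unpatched; the libksba report is unaffected, which is the point of keeping the override recipe-local instead of distro-wide.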