On Sat, Feb 24, 2024 at 3:40 AM Peter Marko via lists.openembedded.org <peter.marko=siemens....@lists.openembedded.org> wrote:
> From: Peter Marko <peter.ma...@siemens.com> > > Last commit tried to convert CVE_CHECK_IGNORE to CVE_STATUS, > however it was done in wrong way and caused the CVEs > to be reported as open again. > > This fixes CVE_STATUS syntax. > > Merged. Thank you. (Especially thank you for fixing MY mistakes) NOTE: both jsched and xerces-j have newer CVEs so if you have time to investigate upgrades to fix them, it would be appreciated: https://nvd.nist.gov/vuln/detail/CVE-2022-23437 https://nvd.nist.gov/vuln/detail/CVE-2023-48795 > Signed-off-by: Peter Marko <peter.ma...@siemens.com> > --- > recipes-core/jcraft/jsch_0.1.40.bb | 3 +-- > recipes-core/xerces-j/xerces-j_2.11.0.bb | 2 +- > 2 files changed, 2 insertions(+), 3 deletions(-) > > diff --git a/recipes-core/jcraft/jsch_0.1.40.bb b/recipes-core/jcraft/ > jsch_0.1.40.bb > index 8ef5c85..aeb04b4 100644 > --- a/recipes-core/jcraft/jsch_0.1.40.bb > +++ b/recipes-core/jcraft/jsch_0.1.40.bb > @@ -25,8 +25,7 @@ do_compile() { > SRC_URI[md5sum] = "b59cec19a487e95aed68378976b4b566" > SRC_URI[sha256sum] = > "ca9d2ae08fd7a8983fb00d04f0f0c216a985218a5eb364ff9bee73870f28e097" > > -# Ignore the CVE because it only affects Windows platforms > -CVE_STATUS += "CVE-2016-5725" > +CVE_STATUS[CVE-2016-5725] = "not-applicable-platform: Issue only applies > on Windows" > > BBCLASSEXTEND = "native" > > diff --git a/recipes-core/xerces-j/xerces-j_2.11.0.bb > b/recipes-core/xerces-j/xerces-j_2.11.0.bb > index c7a54ab..45d3c43 100644 > --- a/recipes-core/xerces-j/xerces-j_2.11.0.bb > +++ b/recipes-core/xerces-j/xerces-j_2.11.0.bb 
> @@ -18,7 +18,7 @@ SRC_URI = " > http://archive.apache.org/dist/xerces/j/source/Xerces-J-src.${PV}.tar > # Already fixed with updates and closed. > # https://access.redhat.com/security/cve/CVE-2018-2799 > # https://bugzilla.redhat.com/show_bug.cgi?id=1567542 > -CVE_STATUS += "CVE-2018-2799" > +CVE_STATUS[CVE-2018-2799] = "not-applicable-platform: Issue only applies > on some Oracle Java SE and Red Hat Enterprise Linux versions" > > S = "${WORKDIR}/xerces-2_11_0" > > -- > 2.30.2 > > > > >
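Review bot: in recipes-core/jcraft/jsch_0.1.40.bb the new CVE_STATUS[CVE-2016-5725] line replaces the recipe's only comment on this CVE and leaves no reference for the "Issue only applies on Windows" claim, whereas the xerces-j recipe in this same patch keeps its advisory links above the status. Consider adding a comment line that points at the advisory documenting the Windows-only scope, so the exemption can be re-checked when the recipe is upgraded.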
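Review bot: in recipes-core/xerces-j/xerces-j_2.11.0.bb the retained comment "# Already fixed with updates and closed." and the new reason "not-applicable-platform: Issue only applies on some Oracle Java SE and Red Hat Enterprise Linux versions" give two different justifications for CVE-2018-2799: one says the issue is fixed, the other says the platform is not affected. Pick the one that holds for this recipe and make the comment and the status agree. The phrase "some ... versions" would also be easier to audit if it named the affected versions or referred to the linked advisory for them.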