Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs

2021-09-14 Thread Steve Sakoman
On Tue, Sep 14, 2021 at 7:09 AM Saloni Jain  wrote:
>
> Hello Steve, Armin,
>
> I ran a CVE check cycle after reverting the CVE_PRODUCT changes for 
> berkeley_db and no other CVEs were reported in db either in patched or 
> unpatched state.
> Should there be any other patch reporting from db or was my scan successful?

If you don't get any reported CVEs for db then your scan was
successful.  I've confirmed the same with my testing.

So instead of your original patch we should revert "db: update
CVE_PRODUCT" in master and then cherry-pick into the other branches.

I'll send a patch for this.

Steve

>
> Thanks & Regards,
> Saloni
> 
> From: openembedded-core@lists.openembedded.org 
>  on behalf of saloni via 
> lists.openembedded.org 
> Sent: Monday, September 13, 2021 9:02 PM
> To: Steve Sakoman ; akuster...@gmail.com 
> 
> Cc: Saloni Jain ; Patches and discussions about the 
> oe-core layer ; Khem Raj 
> ; Nisha Parrakat 
> Subject: Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs
>
> Hello Armin, Steve,
>
> Thank you for the review!
> I am triggering a test run after reverting the changes and will update once I 
> have the results.
>
> Thanks & Regards,
> Saloni Jain
> 
> From: Steve Sakoman 
> Sent: Monday, September 13, 2021 8:32 PM
> To: Steve Sakoman 
> Cc: Saloni Jain ; Patches and discussions about the 
> oe-core layer ; Khem Raj 
> ; Nisha Parrakat ; Saloni Jain 
> 
> Subject: Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs
>
> On Mon, Sep 13, 2021 at 4:56 AM Steve Sakoman via
> lists.openembedded.org 
> wrote:
> >
> > On Mon, Sep 13, 2021 at 2:45 AM Saloni Jain  
> > wrote:
> > >
> > > From: Saloni Jain 
> > >
> > > The CVEs below affect only Oracle Berkeley DB as per upstream.
> > > Hence, they are whitelisted.
> >
> > I suspect that a cleaner solution might be to revert:
> >
> > db: update CVE_PRODUCT
> > (https://git.openembedded.org/openembedded-core/commit/?id=ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)
> >
> > which adds berkeley_db to CVE_PRODUCT
> >
> > I did a quick test and this eliminates all of the CVEs below. And of
> > course it makes sense to only check for oracle_berkeley_db since that
> > is the source code we are using.
> >
> > Also, this same issue is present in master, so any fix would need to
> > go there first and I will cherry-pick.
> >
> > Could you confirm that this approach works for you too?
>
> And for those who are wondering why the db CVEs don't show up in the
> weekly reports, it is because the script that Ross provided me many
> moons ago whitelisted db and db-native.
>
> I figured he had a good reason for that, so I left it in for
> consistency with the reports he had run :-)
>
> db and db-native are the only whitelisted packages for those who might
> be wondering.
>
> Steve
>
> > > 1. CVE-2015-2583
> > > Link: 
> > > https://security-tracker.debian.org/tracker/CVE-2015-2583
> > > 2. CVE-2015-2624
> > > Link: 
> > > https://security-tracker.debian.org/tracker/CVE-2015-2624
> > > 3. CVE-2015-2626
> > > Link: 
> > > https://apc01.safelinks.protection.out
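The check behind "no other CVEs were reported in db either in patched or unpatched state" can be scripted against the cve-check text report. This is an added example, not code from the thread or from oe-core; it assumes the block layout that dunfell's cve-check.bbclass writes (PACKAGE NAME / PACKAGE VERSION / CVE / CVE STATUS fields, one blank line between blocks), and the report text inside it is constructed, with the db ids taken from the thread and CVE-2099-0001 a placeholder for an unrelated recipe.

```python
"""Summarise a Yocto cve-check plain-text report per recipe.

Added example, not oe-core code. Assumes the block layout written by
dunfell's cve-check.bbclass: one block per CVE with "FIELD: value" lines
and a blank line between blocks. SAMPLE_REPORT is constructed."""
from collections import Counter, defaultdict

# Constructed report: the db ids come from the thread, CVE-2099-0001 is a
# placeholder for an unrelated recipe. Score/vector fields are omitted.
SAMPLE_REPORT = """\
PACKAGE NAME: db
PACKAGE VERSION: 5.3.28
CVE: CVE-2015-2583
CVE STATUS: Unpatched
CVE SUMMARY: (constructed) issue in Oracle Berkeley DB
MORE INFORMATION: https://security-tracker.debian.org/tracker/CVE-2015-2583

PACKAGE NAME: db
PACKAGE VERSION: 5.3.28
CVE: CVE-2015-2624
CVE STATUS: Unpatched
CVE SUMMARY: (constructed) issue in Oracle Berkeley DB
MORE INFORMATION: https://security-tracker.debian.org/tracker/CVE-2015-2624

PACKAGE NAME: example-pkg
PACKAGE VERSION: 1.0
CVE: CVE-2099-0001
CVE STATUS: Patched
CVE SUMMARY: (constructed) placeholder entry
MORE INFORMATION: https://example.invalid/CVE-2099-0001
"""


def parse_report(text):
    """Split the report into one dict per CVE block, keyed by field name."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line closes the current block
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only: URLs survive
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def status_counts(records):
    """Per-recipe count of each CVE STATUS, e.g. {"db": {"Unpatched": 2}}."""
    counts = defaultdict(Counter)
    for rec in records:
        counts[rec["PACKAGE NAME"]][rec["CVE STATUS"]] += 1
    return {pkg: dict(c) for pkg, c in counts.items()}


def open_findings(records, whitelist=frozenset()):
    """Unpatched CVEs not covered by CVE_CHECK_WHITELIST, as (recipe, id).

    This list should be empty for db once the false positives are either
    whitelisted (the original patch) or no longer matched at all because
    CVE_PRODUCT was narrowed (the revert suggested in the thread)."""
    return sorted(
        (rec["PACKAGE NAME"], rec["CVE"])
        for rec in records
        if rec["CVE STATUS"] == "Unpatched" and rec["CVE"] not in whitelist
    )


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(status_counts(recs), open_findings(recs, {"CVE-2015-2583"}))
```

Run it against the real `${CVE_CHECK_DIR}` report instead of SAMPLE_REPORT to confirm that, after the CVE_PRODUCT revert, db no longer appears with any status at all.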

Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs

2021-09-13 Thread Steve Sakoman
On Mon, Sep 13, 2021 at 4:56 AM Steve Sakoman via
lists.openembedded.org 
wrote:
>
> On Mon, Sep 13, 2021 at 2:45 AM Saloni Jain  wrote:
> >
> > From: Saloni Jain 
> >
> > The CVEs below affect only Oracle Berkeley DB as per upstream.
> > Hence, they are whitelisted.
>
> I suspect that a cleaner solution might be to revert:
>
> db: update CVE_PRODUCT
> (https://git.openembedded.org/openembedded-core/commit/?id=ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)
>
> which adds berkeley_db to CVE_PRODUCT
>
> I did a quick test and this eliminates all of the CVEs below. And of
> course it makes sense to only check for oracle_berkeley_db since that
> is the source code we are using.
>
> Also, this same issue is present in master, so any fix would need to
> go there first and I will cherry-pick.
>
> Could you confirm that this approach works for you too?

And for those who are wondering why the db CVEs don't show up in the
weekly reports, it is because the script that Ross provided me many
moons ago whitelisted db and db-native.

I figured he had a good reason for that, so I left it in for
consistency with the reports he had run :-)

db and db-native are the only whitelisted packages for those who might
be wondering.

Steve

> > 1. CVE-2015-2583
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
> > 2. CVE-2015-2624
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
> > 3. CVE-2015-2626
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
> > 4. CVE-2015-2640
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
> > 5. CVE-2015-2654
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
> > 6. CVE-2015-2656
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
> > 7. CVE-2015-4754
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
> > 8. CVE-2015-4764
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
> > 9. CVE-2015-4774
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
> > 10. CVE-2015-4775
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
> > 11. CVE-2015-4776
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
> > 12. CVE-2015-4777
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
> > 13. CVE-2015-4778
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
> > 14. CVE-2015-4779
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
> > 15. CVE-2015-4780
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
> > 16. CVE-2015-4781
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
> > 17. CVE-2015-4782
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
> > 18. CVE-2015-4783
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
> > 19. CVE-2015-4784
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
> > 20. CVE-2015-4785
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
> > 21. CVE-2015-4786
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
> > 22. CVE-2015-4787
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
> > 23. CVE-2015-4788
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
> > 24. CVE-2015-4789
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
> > 25. CVE-2015-4790
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
> > 26. CVE-2016-0682
> > Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
> > 27. CVE-2016-0689
> > Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
> > 28. CVE-2016-0692
> > Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
> > 29. CVE-2016-0694
> > Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
> > 30. CVE-2016-3418
> > Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
> > 31. CVE-2017-3604
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
> > 32. CVE-2017-3605
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
> > 33. CVE-2017-3606
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
> > 34. CVE-2017-3607
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
> > 35. CVE-2017-3608
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
> > 36. CVE-2017-3609
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
> > 37. CVE-2017-3610
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
> > 38. CVE-2017-3611
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
> > 39. CVE-2017-3612
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
> > 40. CVE-2017-3613
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
> > 41. CVE-2017-3614
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
> > 42. CVE-2017-3615
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
> > 

Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs

2021-09-13 Thread Steve Sakoman
On Mon, Sep 13, 2021 at 2:45 AM Saloni Jain  wrote:
>
> From: Saloni Jain 
>
> The CVEs below affect only Oracle Berkeley DB as per upstream.
> Hence, they are whitelisted.

I suspect that a cleaner solution might be to revert:

db: update CVE_PRODUCT
(https://git.openembedded.org/openembedded-core/commit/?id=ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)

which adds berkeley_db to CVE_PRODUCT

I did a quick test and this eliminates all of the below CVEs. And of
course it makes sense to only check for oracle_berkeley_db since that
is the source code we are using.

Also, this same issue is present in master, so any fix would need to
go there first and I will cherry-pick.

Could you confirm that this approach works for you too?

Steve

>
> 1. CVE-2015-2583
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
> 2. CVE-2015-2624
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
> 3. CVE-2015-2626
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
> 4. CVE-2015-2640
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
> 5. CVE-2015-2654
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
> 6. CVE-2015-2656
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
> 7. CVE-2015-4754
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
> 8. CVE-2015-4764
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
> 9. CVE-2015-4774
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
> 10. CVE-2015-4775
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
> 11. CVE-2015-4776
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
> 12. CVE-2015-4777
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
> 13. CVE-2015-4778
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
> 14. CVE-2015-4779
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
> 15. CVE-2015-4780
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
> 16. CVE-2015-4781
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
> 17. CVE-2015-4782
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
> 18. CVE-2015-4783
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
> 19. CVE-2015-4784
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
> 20. CVE-2015-4785
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
> 21. CVE-2015-4786
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
> 22. CVE-2015-4787
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
> 23. CVE-2015-4788
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
> 24. CVE-2015-4789
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
> 25. CVE-2015-4790
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
> 26. CVE-2016-0682
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
> 27. CVE-2016-0689
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
> 28. CVE-2016-0692
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
> 29. CVE-2016-0694
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
> 30. CVE-2016-3418
> Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
> 31. CVE-2017-3604
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
> 32. CVE-2017-3605
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
> 33. CVE-2017-3606
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
> 34. CVE-2017-3607
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
> 35. CVE-2017-3608
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
> 36. CVE-2017-3609
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
> 37. CVE-2017-3610
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
> 38. CVE-2017-3611
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
> 39. CVE-2017-3612
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
> 40. CVE-2017-3613
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
> 41. CVE-2017-3614
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
> 42. CVE-2017-3615
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
> 43. CVE-2017-3616
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3616
> 44. CVE-2017-3617
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3617
> 45. CVE-2020-2981
> Link: https://security-tracker.debian.org/tracker/CVE-2020-2981
>
> Signed-off-by: Saloni 
> ---
>  meta/recipes-support/db/db_5.3.28.bb | 92 
>  1 file changed, 92 insertions(+)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb 
> b/meta/recipes-support/db/db_5.3.28.bb
> index b2ae98f05c..000e9ef468 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -39,6 +39,98 @@ 

Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs

2021-09-13 Thread Armin Kuster
Saloni,

Thanks for the CVE cleanup.

On 9/13/21 5:45 AM, Saloni Jain wrote:
> From: Saloni Jain 
>
> The CVEs below affect only Oracle Berkeley DB as per upstream.
> Hence, they are whitelisted.

This situation will happen more frequently than one thinks, including
with the mariadb recipe.  I wonder if a "${PN}_cve_exclude.inc" like
scheme may help keep the recipe from getting hard to read if the listing
gets out of control?

- Armin


>
> 1. CVE-2015-2583
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
> 2. CVE-2015-2624
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
> 3. CVE-2015-2626
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
> 4. CVE-2015-2640
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
> 5. CVE-2015-2654
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
> 6. CVE-2015-2656
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
> 7. CVE-2015-4754
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
> 8. CVE-2015-4764
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
> 9. CVE-2015-4774
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
> 10. CVE-2015-4775
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
> 11. CVE-2015-4776
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
> 12. CVE-2015-4777
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
> 13. CVE-2015-4778
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
> 14. CVE-2015-4779
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
> 15. CVE-2015-4780
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
> 16. CVE-2015-4781
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
> 17. CVE-2015-4782
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
> 18. CVE-2015-4783
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
> 19. CVE-2015-4784
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
> 20. CVE-2015-4785
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
> 21. CVE-2015-4786
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
> 22. CVE-2015-4787
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
> 23. CVE-2015-4788
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
> 24. CVE-2015-4789
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
> 25. CVE-2015-4790
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
> 26. CVE-2016-0682
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
> 27. CVE-2016-0689
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
> 28. CVE-2016-0692
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
> 29. CVE-2016-0694
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
> 30. CVE-2016-3418
> Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
> 31. CVE-2017-3604
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
> 32. CVE-2017-3605
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
> 33. CVE-2017-3606
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
> 34. CVE-2017-3607
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
> 35. CVE-2017-3608
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
> 36. CVE-2017-3609
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
> 37. CVE-2017-3610
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
> 38. CVE-2017-3611
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
> 39. CVE-2017-3612
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
> 40. CVE-2017-3613
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
> 41. CVE-2017-3614
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
> 42. CVE-2017-3615
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
> 43. CVE-2017-3616
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3616
> 44. CVE-2017-3617
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3617
> 45. CVE-2020-2981
> Link: https://security-tracker.debian.org/tracker/CVE-2020-2981
>
> Signed-off-by: Saloni 
> ---
>  meta/recipes-support/db/db_5.3.28.bb | 92 
>  1 file changed, 92 insertions(+)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb 
> b/meta/recipes-support/db/db_5.3.28.bb
> index b2ae98f05c..000e9ef468 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -39,6 +39,98 @@ SRC_URI[sha256sum] = 
> "e0a992d740709892e81f9d93f06daf305cf73fb81b545afe7247804317
>  
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=ed1158e31437f4f87cdd4ab2b8613955"
>  
> +# Below CVEs affects only Oracle Berkeley DB as per upstream.
> +# https://security-tracker.debian.org/tracker/CVE-2015-2583
> 

[OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs

2021-09-13 Thread Saloni Jain
From: Saloni Jain 

The CVEs below affect only Oracle Berkeley DB as per upstream.
Hence, they are whitelisted.

1. CVE-2015-2583
Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
2. CVE-2015-2624
Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
3. CVE-2015-2626
Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
4. CVE-2015-2640
Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
5. CVE-2015-2654
Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
6. CVE-2015-2656
Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
7. CVE-2015-4754
Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
8. CVE-2015-4764
Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
9. CVE-2015-4774
Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
10. CVE-2015-4775
Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
11. CVE-2015-4776
Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
12. CVE-2015-4777
Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
13. CVE-2015-4778
Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
14. CVE-2015-4779
Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
15. CVE-2015-4780
Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
16. CVE-2015-4781
Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
17. CVE-2015-4782
Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
18. CVE-2015-4783
Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
19. CVE-2015-4784
Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
20. CVE-2015-4785
Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
21. CVE-2015-4786
Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
22. CVE-2015-4787
Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
23. CVE-2015-4788
Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
24. CVE-2015-4789
Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
25. CVE-2015-4790
Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
26. CVE-2016-0682
Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
27. CVE-2016-0689
Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
28. CVE-2016-0692
Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
29. CVE-2016-0694
Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
30. CVE-2016-3418
Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
31. CVE-2017-3604
Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
32. CVE-2017-3605
Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
33. CVE-2017-3606
Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
34. CVE-2017-3607
Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
35. CVE-2017-3608
Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
36. CVE-2017-3609
Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
37. CVE-2017-3610
Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
38. CVE-2017-3611
Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
39. CVE-2017-3612
Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
40. CVE-2017-3613
Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
41. CVE-2017-3614
Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
42. CVE-2017-3615
Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
43. CVE-2017-3616
Link: https://security-tracker.debian.org/tracker/CVE-2017-3616
44. CVE-2017-3617
Link: https://security-tracker.debian.org/tracker/CVE-2017-3617
45. CVE-2020-2981
Link: https://security-tracker.debian.org/tracker/CVE-2020-2981

Signed-off-by: Saloni 
---
 meta/recipes-support/db/db_5.3.28.bb | 92 
 1 file changed, 92 insertions(+)

diff --git a/meta/recipes-support/db/db_5.3.28.bb 
b/meta/recipes-support/db/db_5.3.28.bb
index b2ae98f05c..000e9ef468 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -39,6 +39,98 @@ SRC_URI[sha256sum] = 
"e0a992d740709892e81f9d93f06daf305cf73fb81b545afe7247804317
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=ed1158e31437f4f87cdd4ab2b8613955"
 
+# Below CVEs affects only Oracle Berkeley DB as per upstream.
+# https://security-tracker.debian.org/tracker/CVE-2015-2583
+CVE_CHECK_WHITELIST += "CVE-2015-2583"
+# https://security-tracker.debian.org/tracker/CVE-2015-2624
+CVE_CHECK_WHITELIST += "CVE-2015-2624"
+# https://security-tracker.debian.org/tracker/CVE-2015-2626
+CVE_CHECK_WHITELIST += "CVE-2015-2626"
+# https://security-tracker.debian.org/tracker/CVE-2015-2640
+CVE_CHECK_WHITELIST += "CVE-2015-2640"
+# https://security-tracker.debian.org/tracker/CVE-2015-2654
+CVE_CHECK_WHITELIST += "CVE-2015-2654"
+# https://security-tracker.debian.org/tracker/CVE-2015-2656
+CVE_CHECK_WHITELIST += "CVE-2015-2656"
+#
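Review bot: the `CVE_CHECK_WHITELIST += "CVE-..."` lines from CVE-2015-2583 onward silence the matches instead of fixing why they appear: as the thread points out, these ids are matched because CVE_PRODUCT for this recipe also lists berkeley_db, so reverting "db: update CVE_PRODUCT" (commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661) removes all of them without 92 new lines, and whichever fix is chosen has to land in master first and be cherry-picked to dunfell. If a whitelist is kept anyway, one multi-line block (`CVE_CHECK_WHITELIST += "\`, `    CVE-2015-2583 \`, ...) or the per-recipe include file Armin suggests reads better than one `+=` and one URL comment per id, since the tracker URL is derivable from the id; the leading comment should also read "affect", not "affects".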