Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs
On Tue, Sep 14, 2021 at 7:09 AM Saloni Jain wrote:
>
> Hello Steve, Armin,
>
> I ran a CVE check cycle after reverting the CVE_PRODUCT changes for
> berkeley_db and no other CVEs were reported in db either in patched or
> unpatched state.
> Should there be any other patch reporting from db or was my scan successful?

If you don't get any reported CVE's for db then your scan was successful.
I've confirmed the same with my testing.

So instead of your original patch we should revert:

db: update CVE_PRODUCT

in master and then cherry-pick into the other branches. I'll send a patch for this.

Steve

> Thanks & Regards,
> Saloni
>
> From: openembedded-core@lists.openembedded.org on behalf of saloni via lists.openembedded.org
> Sent: Monday, September 13, 2021 9:02 PM
> To: Steve Sakoman; akuster...@gmail.com
> Cc: Saloni Jain; Patches and discussions about the oe-core layer; Khem Raj; Nisha Parrakat
> Subject: Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs
>
> Hello Armin, Steve,
>
> Thank you for the review!
> I am triggering a test run after reverting the changes, would update once I
> have the results
>
> Thanks & Regards,
> Saloni Jain
>
> From: Steve Sakoman
> Sent: Monday, September 13, 2021 8:32 PM
> To: Steve Sakoman
> Cc: Saloni Jain; Patches and discussions about the oe-core layer; Khem Raj; Nisha Parrakat; Saloni Jain
> Subject: Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs
>
> On Mon, Sep 13, 2021 at 4:56 AM Steve Sakoman via lists.openembedded.org wrote:
> >
> > On Mon, Sep 13, 2021 at 2:45 AM Saloni Jain wrote:
> > >
> > > From: Saloni Jain
> > >
> > > Below CVEs affect only Oracle Berkeley DB as per upstream.
> > > Hence, whitelisted them.
> >
> > I suspect that a cleaner solution might be to revert:
> >
> > db: update CVE_PRODUCT
> > (https://git.openembedded.org/openembedded-core/commit/?id=ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)
> >
> > which adds berkeley_db to CVE_PRODUCT
> >
> > I did a quick test and this eliminates all of the CVE's below. And of
> > course it makes sense to only check for oracle_berkeley_db since that
> > is the source code we are using.
> >
> > Also, this same issue is present in master, so any fix would need to
> > go there first and I will cherry-pick.
> >
> > Could you confirm that this approach works for you too?
>
> And for those who are wondering why the db CVE's don't show up in the
> weekly reports, it is because the script that Ross provided me many
> moons ago whitelisted db and db-native.
>
> I figured he had a good reason for that, so I left it in for
> consistency with the reports he had run :-)
>
> db and db-native are the only whitelisted packages for those who might
> be wondering.
>
> Steve
>
> > > 1. CVE-2015-2583 Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
> > > 2. CVE-2015-2624 Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
> > > 3. CVE-2015-2626 Link: https://apc01.safelinks.protection.out
Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs
On Mon, Sep 13, 2021 at 4:56 AM Steve Sakoman via lists.openembedded.org wrote:
>
> On Mon, Sep 13, 2021 at 2:45 AM Saloni Jain wrote:
> >
> > From: Saloni Jain
> >
> > Below CVEs affect only Oracle Berkeley DB as per upstream.
> > Hence, whitelisted them.
>
> I suspect that a cleaner solution might be to revert:
>
> db: update CVE_PRODUCT
> (https://git.openembedded.org/openembedded-core/commit/?id=ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)
>
> which adds berkeley_db to CVE_PRODUCT
>
> I did a quick test and this eliminates all of the CVE's below. And of
> course it makes sense to only check for oracle_berkeley_db since that
> is the source code we are using.
>
> Also, this same issue is present in master, so any fix would need to
> go there first and I will cherry-pick.
>
> Could you confirm that this approach works for you too?

And for those who are wondering why the db CVE's don't show up in the
weekly reports, it is because the script that Ross provided me many
moons ago whitelisted db and db-native.

I figured he had a good reason for that, so I left it in for
consistency with the reports he had run :-)

db and db-native are the only whitelisted packages for those who might
be wondering.

Steve

> > 1. CVE-2015-2583 Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
> > 2. CVE-2015-2624 Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
> > 3. CVE-2015-2626 Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
> > 4. CVE-2015-2640 Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
> > 5. CVE-2015-2654 Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
> > 6. CVE-2015-2656 Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
> > 7. CVE-2015-4754 Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
> > 8. CVE-2015-4764 Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
> > 9. CVE-2015-4774 Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
> > 10. CVE-2015-4775 Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
> > 11. CVE-2015-4776 Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
> > 12. CVE-2015-4777 Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
> > 13. CVE-2015-4778 Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
> > 14. CVE-2015-4779 Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
> > 15. CVE-2015-4780 Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
> > 16. CVE-2015-4781 Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
> > 17. CVE-2015-4782 Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
> > 18. CVE-2015-4783 Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
> > 19. CVE-2015-4784 Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
> > 20. CVE-2015-4785 Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
> > 21. CVE-2015-4786 Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
> > 22. CVE-2015-4787 Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
> > 23. CVE-2015-4788 Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
> > 24. CVE-2015-4789 Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
> > 25. CVE-2015-4790 Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
> > 26. CVE-2016-0682 Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
> > 27. CVE-2016-0689 Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
> > 28. CVE-2016-0692 Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
> > 29. CVE-2016-0694 Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
> > 30. CVE-2016-3418 Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
> > 31. CVE-2017-3604 Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
> > 32. CVE-2017-3605 Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
> > 33. CVE-2017-3606 Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
> > 34. CVE-2017-3607 Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
> > 35. CVE-2017-3608 Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
> > 36. CVE-2017-3609 Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
> > 37. CVE-2017-3610 Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
> > 38. CVE-2017-3611 Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
> > 39. CVE-2017-3612 Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
> > 40. CVE-2017-3613 Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
> > 41. CVE-2017-3614 Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
> > 42. CVE-2017-3615 Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
> >
Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs
On Mon, Sep 13, 2021 at 2:45 AM Saloni Jain wrote: 
>
> From: Saloni Jain
>
> Below CVEs affect only Oracle Berkeley DB as per upstream.
> Hence, whitelisted them.

I suspect that a cleaner solution might be to revert:

db: update CVE_PRODUCT
(https://git.openembedded.org/openembedded-core/commit/?id=ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)

which adds berkeley_db to CVE_PRODUCT

I did a quick test and this eliminates all of the below CVE's. And of
course it makes sense to only check for oracle_berkeley_db since that
is the source code we are using.

Also, this same issue is present in master, so any fix would need to
go there first and I will cherry-pick.

Could you confirm that this approach works for you too?

Steve

> 1. CVE-2015-2583 Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
> 2. CVE-2015-2624 Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
> 3. CVE-2015-2626 Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
> 4. CVE-2015-2640 Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
> 5. CVE-2015-2654 Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
> 6. CVE-2015-2656 Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
> 7. CVE-2015-4754 Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
> 8. CVE-2015-4764 Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
> 9. CVE-2015-4774 Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
> 10. CVE-2015-4775 Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
> 11. CVE-2015-4776 Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
> 12. CVE-2015-4777 Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
> 13. CVE-2015-4778 Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
> 14. CVE-2015-4779 Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
> 15. CVE-2015-4780 Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
> 16. CVE-2015-4781 Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
> 17. CVE-2015-4782 Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
> 18. CVE-2015-4783 Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
> 19. CVE-2015-4784 Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
> 20. CVE-2015-4785 Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
> 21. CVE-2015-4786 Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
> 22. CVE-2015-4787 Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
> 23. CVE-2015-4788 Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
> 24. CVE-2015-4789 Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
> 25. CVE-2015-4790 Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
> 26. CVE-2016-0682 Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
> 27. CVE-2016-0689 Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
> 28. CVE-2016-0692 Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
> 29. CVE-2016-0694 Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
> 30. CVE-2016-3418 Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
> 31. CVE-2017-3604 Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
> 32. CVE-2017-3605 Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
> 33. CVE-2017-3606 Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
> 34. CVE-2017-3607 Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
> 35. CVE-2017-3608 Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
> 36. CVE-2017-3609 Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
> 37. CVE-2017-3610 Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
> 38. CVE-2017-3611 Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
> 39. CVE-2017-3612 Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
> 40. CVE-2017-3613 Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
> 41. CVE-2017-3614 Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
> 42. CVE-2017-3615 Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
> 43. CVE-2017-3616 Link: https://security-tracker.debian.org/tracker/CVE-2017-3616
> 44. CVE-2017-3617 Link: https://security-tracker.debian.org/tracker/CVE-2017-3617
> 45. CVE-2020-2981 Link: https://security-tracker.debian.org/tracker/CVE-2020-2981
>
> Signed-off-by: Saloni
> ---
> meta/recipes-support/db/db_5.3.28.bb | 92
> 1 file changed, 92 insertions(+)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb > b/meta/recipes-support/db/db_5.3.28.bb > index b2ae98f05c..000e9ef468 100644 > --- a/meta/recipes-support/db/db_5.3.28.bb > +++ b/meta/recipes-support/db/db_5.3.28.bb > @@ -39,6 +39,98 @@
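Steve's point above turns on how cve-check resolves CVE_PRODUCT: a bare product name such as berkeley_db is matched against NVD entries for that product from any vendor, and a whitelist entry only hides whatever that match produces. The model below is an added example written for this page, not OE-core's cve-check.bbclass. Its matching rules follow the class in outline only (a bare product means any vendor, vendor:product pins the vendor, the affected version is compared against CVE_VERSION, which defaults to PV), and every row in SAMPLE_NVD is constructed for illustration; the CVE-0000-0001 identifier is hypothetical. Whether a reported match actually applies to the recipe's source is a separate triage question that the example does not decide.

```python
"""Simplified model of CVE_PRODUCT matching and CVE_CHECK_WHITELIST in cve-check.

Added example; not OE-core's cve-check.bbclass. The NVD rows are constructed.
"""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class CpeRow:
    """One (CVE, vendor, product, version) row, as NVD's CPE data is tabulated."""
    cve: str
    vendor: str
    product: str
    version: str  # "*" means NVD lists every version as affected


# Constructed stand-in for the NVD product table; not real NVD data.
# CVE-0000-0001 is a hypothetical id used to show a second vendor.
SAMPLE_NVD: List[CpeRow] = [
    CpeRow("CVE-2015-2583", "oracle", "berkeley_db", "5.3.28"),
    CpeRow("CVE-2020-2981", "oracle", "berkeley_db", "*"),
    CpeRow("CVE-2015-2624", "oracle", "berkeley_db", "6.2.32"),
    CpeRow("CVE-0000-0001", "sleepycat", "berkeley_db", "*"),
]


def parse_cve_product(cve_product: str) -> List[Tuple[str, str]]:
    """Split a CVE_PRODUCT value into (vendor, product) pairs.

    A bare product ("berkeley_db") matches that product from any vendor, which
    the class expresses as the SQL LIKE wildcard "%"; "oracle:berkeley_db"
    pins the vendor.
    """
    pairs: List[Tuple[str, str]] = []
    for item in cve_product.split():
        vendor, _, product = item.rpartition(":")
        pairs.append((vendor or "%", product))
    return pairs


def row_matches(row: CpeRow, vendor: str, product: str, version: str) -> bool:
    """Simplified CPE match: exact product, optional vendor, exact or any version."""
    if row.product != product:
        return False
    if vendor != "%" and row.vendor != vendor:
        return False
    return row.version in ("*", version)


def cve_check(cve_product: str, pv: str, whitelist: Iterable[str] = (),
              nvd: Iterable[CpeRow] = SAMPLE_NVD) -> Dict[str, str]:
    """Return {cve_id: status} for a recipe, as a cve-check report would list it."""
    ignored = set(whitelist)
    rows = list(nvd)
    report: Dict[str, str] = {}
    for vendor, product in parse_cve_product(cve_product):
        for row in rows:
            if not row_matches(row, vendor, product, pv):
                continue
            # The whitelist is consulted only after a row has matched: it hides
            # the report, it does not stop CVE_PRODUCT from matching the row.
            report[row.cve] = "Whitelisted" if row.cve in ignored else "Unpatched"
    return report


if __name__ == "__main__":
    pv = "5.3.28"  # CVE_VERSION defaults to PV
    print("CVE_PRODUCT = oracle_berkeley_db             :",
          cve_check("oracle_berkeley_db", pv))
    print("CVE_PRODUCT = oracle_berkeley_db berkeley_db :",
          cve_check("oracle_berkeley_db berkeley_db", pv))
    print("... plus CVE_CHECK_WHITELIST                 :",
          cve_check("oracle_berkeley_db berkeley_db", pv,
                    whitelist=["CVE-2015-2583", "CVE-2020-2981"]))
    print("CVE_PRODUCT = oracle:berkeley_db             :",
          cve_check("oracle:berkeley_db", pv))
```

Running it prints four reports. The oracle_berkeley_db line is empty, which is the effect Steve describes when the commit adding berkeley_db is reverted; adding the bare berkeley_db pulls in the sleepycat row as well as the oracle ones; the whitelist changes the status of the named CVEs but not the set of matches; and the vendor-qualified oracle:berkeley_db form is the narrower spelling if the oracle entries are wanted without other vendors' rows.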
Re: [OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs
Saloni,

Thanks for the CVE cleanup.

On 9/13/21 5:45 AM, Saloni Jain wrote:
> From: Saloni Jain
>
> Below CVEs affect only Oracle Berkeley DB as per upstream.
> Hence, whitelisted them.

This situation will happen more frequently than one thinks, including
with the mariadb recipe. I wonder if a "${PN}_cve_exclude.inc" like scheme
may help keep the recipe from getting hard to read if the listing gets
out of control?

- Armin

>
> 1. CVE-2015-2583 Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
> 2. CVE-2015-2624 Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
> 3. CVE-2015-2626 Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
> 4. CVE-2015-2640 Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
> 5. CVE-2015-2654 Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
> 6. CVE-2015-2656 Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
> 7. CVE-2015-4754 Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
> 8. CVE-2015-4764 Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
> 9. CVE-2015-4774 Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
> 10. CVE-2015-4775 Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
> 11. CVE-2015-4776 Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
> 12. CVE-2015-4777 Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
> 13. CVE-2015-4778 Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
> 14. CVE-2015-4779 Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
> 15. CVE-2015-4780 Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
> 16. CVE-2015-4781 Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
> 17. CVE-2015-4782 Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
> 18. CVE-2015-4783 Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
> 19. CVE-2015-4784 Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
> 20. CVE-2015-4785 Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
> 21. CVE-2015-4786 Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
> 22. CVE-2015-4787 Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
> 23. CVE-2015-4788 Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
> 24. CVE-2015-4789 Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
> 25. CVE-2015-4790 Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
> 26. CVE-2016-0682 Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
> 27. CVE-2016-0689 Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
> 28. CVE-2016-0692 Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
> 29. CVE-2016-0694 Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
> 30. CVE-2016-3418 Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
> 31. CVE-2017-3604 Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
> 32. CVE-2017-3605 Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
> 33. CVE-2017-3606 Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
> 34. CVE-2017-3607 Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
> 35. CVE-2017-3608 Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
> 36. CVE-2017-3609 Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
> 37. CVE-2017-3610 Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
> 38. CVE-2017-3611 Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
> 39. CVE-2017-3612 Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
> 40. CVE-2017-3613 Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
> 41. CVE-2017-3614 Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
> 42. CVE-2017-3615 Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
> 43. CVE-2017-3616 Link: https://security-tracker.debian.org/tracker/CVE-2017-3616
> 44. CVE-2017-3617 Link: https://security-tracker.debian.org/tracker/CVE-2017-3617
> 45. CVE-2020-2981 Link: https://security-tracker.debian.org/tracker/CVE-2020-2981
>
> Signed-off-by: Saloni
> ---
> meta/recipes-support/db/db_5.3.28.bb | 92
> 1 file changed, 92 insertions(+)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb > b/meta/recipes-support/db/db_5.3.28.bb > index b2ae98f05c..000e9ef468 100644 > --- a/meta/recipes-support/db/db_5.3.28.bb > +++ b/meta/recipes-support/db/db_5.3.28.bb > @@ -39,6 +39,98 @@ SRC_URI[sha256sum] = > "e0a992d740709892e81f9d93f06daf305cf73fb81b545afe7247804317 > > LIC_FILES_CHKSUM = "file://LICENSE;md5=ed1158e31437f4f87cdd4ab2b8613955" > > +# Below CVEs affects only Oracle Berkeley DB as per upstream. > +# https://security-tracker.debian.org/tracker/CVE-2015-2583 >
[OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs
From: Saloni Jain

Below CVEs affect only Oracle Berkeley DB as per upstream.
Hence, whitelisted them.

1. CVE-2015-2583 Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
2. CVE-2015-2624 Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
3. CVE-2015-2626 Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
4. CVE-2015-2640 Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
5. CVE-2015-2654 Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
6. CVE-2015-2656 Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
7. CVE-2015-4754 Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
8. CVE-2015-4764 Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
9. CVE-2015-4774 Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
10. CVE-2015-4775 Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
11. CVE-2015-4776 Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
12. CVE-2015-4777 Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
13. CVE-2015-4778 Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
14. CVE-2015-4779 Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
15. CVE-2015-4780 Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
16. CVE-2015-4781 Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
17. CVE-2015-4782 Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
18. CVE-2015-4783 Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
19. CVE-2015-4784 Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
20. CVE-2015-4785 Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
21. CVE-2015-4786 Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
22. CVE-2015-4787 Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
23. CVE-2015-4788 Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
24. CVE-2015-4789 Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
25. CVE-2015-4790 Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
26. CVE-2016-0682 Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
27. CVE-2016-0689 Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
28. CVE-2016-0692 Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
29. CVE-2016-0694 Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
30. CVE-2016-3418 Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
31. CVE-2017-3604 Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
32. CVE-2017-3605 Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
33. CVE-2017-3606 Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
34. CVE-2017-3607 Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
35. CVE-2017-3608 Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
36. CVE-2017-3609 Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
37. CVE-2017-3610 Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
38. CVE-2017-3611 Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
39. CVE-2017-3612 Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
40. CVE-2017-3613 Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
41. CVE-2017-3614 Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
42. CVE-2017-3615 Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
43. CVE-2017-3616 Link: https://security-tracker.debian.org/tracker/CVE-2017-3616
44. CVE-2017-3617 Link: https://security-tracker.debian.org/tracker/CVE-2017-3617
45. CVE-2020-2981 Link: https://security-tracker.debian.org/tracker/CVE-2020-2981

Signed-off-by: Saloni
---
meta/recipes-support/db/db_5.3.28.bb | 92
1 file changed, 92 insertions(+)
diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb index b2ae98f05c..000e9ef468 100644 --- a/meta/recipes-support/db/db_5.3.28.bb +++ b/meta/recipes-support/db/db_5.3.28.bb @@ -39,6 +39,98 @@ SRC_URI[sha256sum] = "e0a992d740709892e81f9d93f06daf305cf73fb81b545afe7247804317 LIC_FILES_CHKSUM = "file://LICENSE;md5=ed1158e31437f4f87cdd4ab2b8613955" +# Below CVEs affects only Oracle Berkeley DB as per upstream. +# https://security-tracker.debian.org/tracker/CVE-2015-2583 +CVE_CHECK_WHITELIST += "CVE-2015-2583" +# https://security-tracker.debian.org/tracker/CVE-2015-2624 +CVE_CHECK_WHITELIST += "CVE-2015-2624" +# https://security-tracker.debian.org/tracker/CVE-2015-2626 +CVE_CHECK_WHITELIST += "CVE-2015-2626" +# https://security-tracker.debian.org/tracker/CVE-2015-2640 +CVE_CHECK_WHITELIST += "CVE-2015-2640" +# https://security-tracker.debian.org/tracker/CVE-2015-2654 +CVE_CHECK_WHITELIST += "CVE-2015-2654" +# https://security-tracker.debian.org/tracker/CVE-2015-2656 +CVE_CHECK_WHITELIST += "CVE-2015-2656" +#
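Review bot: the hunk suppresses the symptom rather than removing the cause. Every `CVE_CHECK_WHITELIST += "CVE-..."` line here hides a report that, per the thread, only appears because the recipe's CVE_PRODUCT also carries the bare `berkeley_db` value added by 'db: update CVE_PRODUCT'; dropping that value removes all 45 reports at once, whereas this 92-line list has to be extended by hand each time a new Oracle Berkeley DB CVE is published. If a whitelist is kept anyway, the justification comment `+# Below CVEs affects only Oracle Berkeley DB as per upstream.` does not say why that makes them inapplicable to this recipe, which builds Oracle's db 5.3.28; each entry should carry the concrete not-affected reason taken from the linked tracker page (and "affects" should read "affect"). On style, two lines per CVE inline in db_5.3.28.bb is hard to read; a single multi-line assignment, or the separate `${PN}_cve_exclude.inc` file suggested in review, keeps the recipe body short.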