Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
Thanks Peter for sharing the details. Shall I leave the patches as is then, or do I need to update the commit details? I've been going through the CVE list and will post patches for any other invalid ones. It's a long clean-up process, but hopefully we'll get there :)

Ninette

On Thu, Apr 11, 2024 at 9:46 PM Marko, Peter wrote:
> Hello Ninette,
>
> Yocto currently supports CVE statuses listed in this file
> https://git.openembedded.org/openembedded-core/tree/meta/conf/cve-check-map.conf
> In most cases you just want to add a status and a description of why the CVE is ignored.
> If you want a different or more specialized status, you need to add it there first.
> But imho cpe-incorrect is good enough as there is also a description which gives more detail about it.
>
> If you want to start working on open CVEs in meta-openembedded, here is a looong list to work on,
> and many of them are invalid, e.g. to be ignored for similar reasons you tried to fix:
> https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt
>
> Peter
>
> *From:* Ninette Adhikari
> *Sent:* Thursday, April 11, 2024 18:19
> *To:* Marko, Peter (ADV D EU SK BFS1)
> *Cc:* openembedded-devel@lists.openembedded.org
> *Subject:* Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
>
> Hi Peter,
>
> Thanks so much for your response. Many apologies for the confusion; I was trying to follow the example here
> <https://git.yoctoproject.org/poky/commit/?id=378bc2f8e3ac393d89a6d2e52094478fb3879ef7>
> to report a CVE issue, but clearly I chose an incorrect classification.
>
> I meant to say that the 7 CVEs are invalid or not relevant any more. I can make new patches marking them as "cve-invalid" instead of "cpe-incorrect". Would that be okay? Let me know.
>
> Thanks again!
> Ninette
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#109940): https://lists.openembedded.org/g/openembedded-devel/message/109940 Mute This Topic: https://lists.openembedded.org/mt/105443451/21656 Group Owner: openembedded-devel+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
Hello Ninette,

Yocto currently supports CVE statuses listed in this file
https://git.openembedded.org/openembedded-core/tree/meta/conf/cve-check-map.conf
In most cases you just want to add a status and a description of why the CVE is ignored.
If you want a different or more specialized status, you need to add it there first.
But imho cpe-incorrect is good enough as there is also a description which gives more detail about it.

If you want to start working on open CVEs in meta-openembedded, here is a looong list to work on,
and many of them are invalid, e.g. to be ignored for similar reasons you tried to fix:
https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt

Peter

From: Ninette Adhikari
Sent: Thursday, April 11, 2024 18:19
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-devel@lists.openembedded.org
Subject: Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status

Hi Peter,

Thanks so much for your response. Many apologies for the confusion; I was trying to follow the example here
<https://git.yoctoproject.org/poky/commit/?id=378bc2f8e3ac393d89a6d2e52094478fb3879ef7>
to report a CVE issue, but clearly I chose an incorrect classification.

I meant to say that the 7 CVEs are invalid or not relevant any more. I can make new patches marking them as "cve-invalid" instead of "cpe-incorrect". Would that be okay? Let me know.

Thanks again!
Ninette

View/Reply Online (#109926): https://lists.openembedded.org/g/openembedded-devel/message/109926
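As an added example, not code from the thread or from OpenEmbedded, a small Python lint of the shape Peter's answer implies: it reads the status map in the format of cve-check-map.conf and flags recipe CVE_STATUS entries whose status is not in the map (and so would need adding there first) or that give no description. The conf and recipe excerpts are constructed, the CVE-2099-* ids are placeholders, and the CVE_CHECK_STATUSMAP variable name is assumed from the conf file.

```python
import re
# Constructed excerpt in the format of cve-check-map.conf; the variable name
# CVE_CHECK_STATUSMAP and the Patched/Ignored mappings are assumed from that file.
STATUS_MAP_CONF = """
CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
CVE_CHECK_STATUSMAP[disputed] = "Ignored"
"""

# Constructed recipe excerpt: the entry from the patch in this thread, one using the
# "cve-invalid" status proposed in the thread, one with no description (CVE-2099-* are placeholders).
RECIPE = """
S = "${WORKDIR}/${BP}-Source"
CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is not affected by the issue."
CVE_STATUS[CVE-2099-0001] = "cve-invalid: placeholder reason"
CVE_STATUS[CVE-2099-0002] = "disputed"
"""

MAP_RE = re.compile(r'^CVE_CHECK_STATUSMAP\[([\w-]+)\]\s*=\s*"([^"]*)"')
STATUS_RE = re.compile(r'^CVE_STATUS\[(CVE-\d{4}-\d{4,})\]\s*=\s*"([^"]*)"')


def load_status_map(conf_text):
    """Return {status: mapping} for every CVE_CHECK_STATUSMAP line in the conf text."""
    status_map = {}
    for line in conf_text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            status_map[m.group(1)] = m.group(2)
    return status_map


def parse_cve_status(value):
    """Split a CVE_STATUS value into (status, description); description is '' if absent."""
    status, _, description = value.partition(":")
    return status.strip(), description.strip()


def lint_recipe(recipe_text, status_map):
    """Return (cve, problem) pairs for entries with an unmapped status or no description."""
    problems = []
    for line in recipe_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # not a CVE_STATUS assignment
        cve, value = m.groups()
        status, description = parse_cve_status(value)
        if status not in status_map:
            problems.append((cve, f"unknown status '{status}': add it to cve-check-map.conf first"))
        elif not description:
            problems.append((cve, f"status '{status}' has no description"))
    return problems
```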
Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
Hi Peter,

Thanks so much for your response. Many apologies for the confusion; I was trying to follow the example here
<https://git.yoctoproject.org/poky/commit/?id=378bc2f8e3ac393d89a6d2e52094478fb3879ef7>
to report a CVE issue, but clearly I chose an incorrect classification.

I meant to say that the 7 CVEs are invalid or not relevant any more. I can make new patches marking them as "cve-invalid" instead of "cpe-incorrect". Would that be okay? Let me know.

Thanks again!
Ninette

On Wed, Apr 10, 2024 at 6:54 PM Marko, Peter wrote:
> Hello,
>
> May I ask what you are trying to achieve?
> These entries fix incorrect CPE mapping so they are still needed.
> So by removing these 7 CVE_STATUS entries via your 7 contributions, you are marking the CVEs as relevant for the components.
> Basically the direct opposite of what your commit messages are saying.
>
> Peter
>
> -Original Message-
> From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> On Behalf Of Ninette Adhikari via lists.openembedded.org
> Sent: Wednesday, April 10, 2024 17:05
> To: openembedded-devel@lists.openembedded.org
> Cc: Ninette Adhikari
> Subject: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
>
> > Current version 0.28.0 is not affected by the issue.
> > Affected version: < 0.13-r1
> >
> > Signed-off-by: Ninette Adhikari
> > ---
> > meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb > b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb > > index 958810cf7..ad99d0bf4 100644 > > --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb > > +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> > @@ -10,6 +10,8 @@ SRC_URI[sha256sum] = > "89af3b5ef7277753ef7a7b5374ae017c6b9e304db3b688f1948e73e103 > > # inherit dos2unix > > S = "${WORKDIR}/${BP}-Source" > > > > +CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is > not affected by the issue." > > + > > inherit cmake gettext > > > > do_install:append:class-target() { > > -- > > 2.44.0

--
Ninette Adhikari
Software developer
The Neighbourhoodie Software GmbH
Harzer Straße 39, 12059 Berlin
neighbourhood.ie
Commercial register HRB 157851 B, Amtsgericht Charlottenburg
Managing directors: Jan Lehnardt, Simone Haas

View/Reply Online (#109921): https://lists.openembedded.org/g/openembedded-devel/message/109921
Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
Hello,

May I ask what you are trying to achieve?
These entries fix incorrect CPE mapping so they are still needed.
So by removing these 7 CVE_STATUS entries via your 7 contributions, you are marking the CVEs as relevant for the components.
Basically the direct opposite of what your commit messages are saying.

Peter

-Original Message-
From: openembedded-devel@lists.openembedded.org On Behalf Of Ninette Adhikari via lists.openembedded.org
Sent: Wednesday, April 10, 2024 17:05
To: openembedded-devel@lists.openembedded.org
Cc: Ninette Adhikari
Subject: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status

> Current version 0.28.0 is not affected by the issue.
> Affected version: < 0.13-r1
>
> Signed-off-by: Ninette Adhikari
> ---
> meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb > b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb > index 958810cf7..ad99d0bf4 100644 > --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb > +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb > @@ -10,6 +10,8 @@ SRC_URI[sha256sum] = > "89af3b5ef7277753ef7a7b5374ae017c6b9e304db3b688f1948e73e103 > # inherit dos2unix > S = "${WORKDIR}/${BP}-Source" > > +CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is not > affected by the issue." > + > inherit cmake gettext > > do_install:append:class-target() { > -- > 2.44.0

View/Reply Online (#109905): https://lists.openembedded.org/g/openembedded-devel/message/109905
[oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
Current version 0.28.0 is not affected by the issue.
Affected version: < 0.13-r1

Signed-off-by: Ninette Adhikari
---
 meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb index 958810cf7..ad99d0bf4 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb @@ -10,6 +10,8 @@ SRC_URI[sha256sum] = "89af3b5ef7277753ef7a7b5374ae017c6b9e304db3b688f1948e73e103 # inherit dos2unix S = "${WORKDIR}/${BP}-Source" +CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is not affected by the issue." + inherit cmake gettext do_install:append:class-target() { -- 2.44.0

View/Reply Online (#109904): https://lists.openembedded.org/g/openembedded-devel/message/109904
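Review bot: the description added in the hunk, `cpe-incorrect: Current version 0.28.0 is not affected by the issue.`, repeats the recipe's own version and will go stale on the next recipe upgrade, while the actual reason the CPE match is wrong, given only in the commit message as `Affected version: < 0.13-r1`, is not recorded in the recipe at all; carry that range into the entry instead, e.g. `CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: only versions before 0.13-r1 were affected"`. The subject and commit message speak of updating the status, but the hunk's `+` lines add a new CVE_STATUS entry where none existed, so the commit message should say that it adds one.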