Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
Thanks Peter for sharing the details. Shall I leave the patches as is then? or do I need to update the commit details? I've been going through the CVE list and will post patches for any other invalid ones. It's a long clean up process but hopefully we'll get there:) Ninette On Thu, Apr 11, 2024 at 9:46 PM Marko, Peter wrote: > Hello Ninette, > > > > Yocto currently supports CVE statuses listed in this file > > > https://git.openembedded.org/openembedded-core/tree/meta/conf/cve-check-map.conf > > In most cases you just want to add a status and description why the CVE is > ignored. > > If you want a different or more specialized status, you need to add it > there first. > > But imho cpe-incorrect is good enough as there is also description which > gives more detail about it. > > > > If you want to start working on open CVEs in meta-openembedded, here is a > looong list to work on > > and many of them are invalid, e.g. to be ignored for similar reasons you > tried to fix: > > > https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt > > > > Peter > > > > *From:* Ninette Adhikari > *Sent:* Thursday, April 11, 2024 18:19 > *To:* Marko, Peter (ADV D EU SK BFS1) > *Cc:* openembedded-devel@lists.openembedded.org > *Subject:* Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status > > > > Hi Peter, > > > > Thanks so much for your response. Many apologies for the confusion, I was > trying to follow the example here > <https://git.yoctoproject.org/poky/commit/?id=378bc2f8e3ac393d89a6d2e52094478fb3879ef7> > to report a CVE issue but clearly I chose an incorrect classification. > > > > I meant to say that the 7 CVEs are invalid or not relevant any more. I can > make new patches marking them as "cve-invalid" instead of "cpe-incorrect". > Would that be okay? Let me know. > > > > Thanks again! > > Ninette > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#109940): https://lists.openembedded.org/g/openembedded-devel/message/109940 Mute This Topic: https://lists.openembedded.org/mt/105443451/21656 Group Owner: openembedded-devel+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
Hello Ninette, Yocto currently supports CVE statuses listed in this file https://git.openembedded.org/openembedded-core/tree/meta/conf/cve-check-map.conf In most cases you just want to add a status and description why the CVE is ignored. If you want a different or more specialized status, you need to add it there first. But imho cpe-incorrect is good enough as there is also description which gives more detail about it. If you want to start working on open CVEs in meta-openembedded, here is a looong list to work on and many of them are invalid, e.g. to be ignored for similar reasons you tried to fix: https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt Peter From: Ninette Adhikari Sent: Thursday, April 11, 2024 18:19 To: Marko, Peter (ADV D EU SK BFS1) Cc: openembedded-devel@lists.openembedded.org Subject: Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status Hi Peter, Thanks so much for your response. Many apologies for the confusion, I was trying to follow the example here<https://git.yoctoproject.org/poky/commit/?id=378bc2f8e3ac393d89a6d2e52094478fb3879ef7> to report a CVE issue but clearly I chose an incorrect classification. I meant to say that the 7 CVEs are invalid or not relevant any more. I can make new patches marking them as "cve-invalid" instead of "cpe-incorrect". Would that be okay? Let me know. Thanks again! Ninette -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#109926): https://lists.openembedded.org/g/openembedded-devel/message/109926 Mute This Topic: https://lists.openembedded.org/mt/105443451/21656 Group Owner: openembedded-devel+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
Hi Peter,
Thanks so much for your response. Many apologies for the confusion, I was
trying to follow the example here
<https://git.yoctoproject.org/poky/commit/?id=378bc2f8e3ac393d89a6d2e52094478fb3879ef7>
to report a CVE issue but clearly I chose an incorrect classification.
I meant to say that the 7 CVEs are invalid or not relevant any more. I can
make new patches marking them as "cve-invalid" instead of "cpe-incorrect".
Would that be okay? Let me know.
Thanks again!
Ninette
On Wed, Apr 10, 2024 at 6:54 PM Marko, Peter
wrote:
> Hello,
>
> May I ask what are you trying to achieve?
> These entries fix incorrect CPE mapping so they are still needed.
> So by removing these 7 CVE_STATUS entries via your 7 contributions, you
> are marking the CVEs as relevant for the components.
> Basically direct opposite of what your commit messages are saying.
>
> Peter
>
> -Original Message-
> From: openembedded-devel@lists.openembedded.org <
> openembedded-devel@lists.openembedded.org> On Behalf Of Ninette Adhikari
> via lists.openembedded.org
> Sent: Wednesday, April 10, 2024 17:05
> To: openembedded-devel@lists.openembedded.org
> Cc: Ninette Adhikari
> Subject: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
>
> > Current version 0.28.0 is not affected by the issue.
> > Affected version: < 0.13-r1
> >
> > Signed-off-by: Ninette Adhikari
> > ---
> > meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> > index 958810cf7..ad99d0bf4 100644
> > --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> > +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> > @@ -10,6 +10,8 @@ SRC_URI[sha256sum] =
> "89af3b5ef7277753ef7a7b5374ae017c6b9e304db3b688f1948e73e103
> > # inherit dos2unix
> > S = "${WORKDIR}/${BP}-Source"
> >
> > +CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is
> not affected by the issue."
> > +
> > inherit cmake gettext
> >
> > do_install:append:class-target() {
> > --
> > 2.44.0
>
>
--
Ninette Adhikari
Software developer
The Neighbourhoodie Software GmbH
Harzer Straße 39, 12059 Berlin
neighbourhood.ie
Handelsregister HRB 157851 B Amtsgericht Charlottenburg
Geschäftsführung: Jan Lehnardt, Simone Haas
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#109921):
https://lists.openembedded.org/g/openembedded-devel/message/109921
Mute This Topic: https://lists.openembedded.org/mt/105443451/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
Hello,
May I ask what are you trying to achieve?
These entries fix incorrect CPE mapping so they are still needed.
So by removing these 7 CVE_STATUS entries via your 7 contributions, you are
marking the CVEs as relevant for the components.
Basically direct opposite of what your commit messages are saying.
Peter
-Original Message-
From: openembedded-devel@lists.openembedded.org
On Behalf Of Ninette Adhikari via
lists.openembedded.org
Sent: Wednesday, April 10, 2024 17:05
To: openembedded-devel@lists.openembedded.org
Cc: Ninette Adhikari
Subject: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
> Current version 0.28.0 is not affected by the issue.
> Affected version: < 0.13-r1
>
> Signed-off-by: Ninette Adhikari
> ---
> meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> index 958810cf7..ad99d0bf4 100644
> --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> @@ -10,6 +10,8 @@ SRC_URI[sha256sum] =
> "89af3b5ef7277753ef7a7b5374ae017c6b9e304db3b688f1948e73e103
> # inherit dos2unix
> S = "${WORKDIR}/${BP}-Source"
>
> +CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is not
> affected by the issue."
> +
> inherit cmake gettext
>
> do_install:append:class-target() {
> --
> 2.44.0
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#109905):
https://lists.openembedded.org/g/openembedded-devel/message/109905
Mute This Topic: https://lists.openembedded.org/mt/105443451/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
Current version 0.28.0 is not affected by the issue.
Affected version: < 0.13-r1
Signed-off-by: Ninette Adhikari
---
meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
index 958810cf7..ad99d0bf4 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
@@ -10,6 +10,8 @@ SRC_URI[sha256sum] =
"89af3b5ef7277753ef7a7b5374ae017c6b9e304db3b688f1948e73e103
# inherit dos2unix
S = "${WORKDIR}/${BP}-Source"
+CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is not
affected by the issue."
+
inherit cmake gettext
do_install:append:class-target() {
--
2.44.0
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#109904):
https://lists.openembedded.org/g/openembedded-devel/message/109904
Mute This Topic: https://lists.openembedded.org/mt/105443451/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
