[OE-core][PATCH] ovmf: set CVE_STATUS for a few CVEs

Chen Qi via lists.openembedded.org Mon, 08 Apr 2024 08:01:31 -0700

From: Chen Qi <qi.c...@windriver.com>

For all those CVE-2019-xxxxx CVEs, following the links in NVD, we
can see they have all been fixed.


For CVE-2014-4859 and CVE-2014-4860, there's no useful links in NVD,
but according to the following two links, they have also been fixed.

  https://security-tracker.debian.org/tracker/CVE-2014-4859
  https://security-tracker.debian.org/tracker/CVE-2014-4860

Signed-off-by: Chen Qi <qi.c...@windriver.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb 
b/meta/recipes-core/ovmf/ovmf_git.bb
index 97651faf62..35ca8d1834 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -34,6 +34,15 @@ CVE_PRODUCT = "edk2"
 CVE_VERSION = "${@d.getVar('PV').split('stable')[1]}"
 
 CVE_STATUS[CVE-2014-8271] = "fixed-version: Fixed in svn_16280, which is an 
unusual versioning breaking version comparison."
+CVE_STATUS[CVE-2014-4859] = "fixed-version: The CPE in the NVD database 
doesn't reflect correctly the vulnerable versions."
+CVE_STATUS[CVE-2014-4860] = "fixed-version: The CPE in the NVD database 
doesn't reflect correctly the vulnerable versions."
+CVE_STATUS[CVE-2019-14553] = "fixed-version: The CPE in the NVD database 
doesn't reflect correctly the vulnerable versions."
+CVE_STATUS[CVE-2019-14559] = "fixed-version: The CPE in the NVD database 
doesn't reflect correctly the vulnerable versions."
+CVE_STATUS[CVE-2019-14562] = "fixed-version: The CPE in the NVD database 
doesn't reflect correctly the vulnerable versions."
+CVE_STATUS[CVE-2019-14563] = "fixed-version: The CPE in the NVD database 
doesn't reflect correctly the vulnerable versions."
+CVE_STATUS[CVE-2019-14575] = "fixed-version: The CPE in the NVD database 
doesn't reflect correctly the vulnerable versions."
+CVE_STATUS[CVE-2019-14586] = "fixed-version: The CPE in the NVD database 
doesn't reflect correctly the vulnerable versions."
+CVE_STATUS[CVE-2019-14587] = "fixed-version: The CPE in the NVD database 
doesn't reflect correctly the vulnerable versions."
 
 inherit deploy
 
-- 
2.34.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198015): 
https://lists.openembedded.org/g/openembedded-core/message/198015
Mute This Topic: https://lists.openembedded.org/mt/105402982/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] ovmf: set CVE_STATUS for a few CVEs

Reply via email to