On Tue, 2021-02-02 at 08:39 +0800, Jamaluddin, Khairul Rohaizzat wrote:
> From: Khairul Rohaizzat Jamaluddin <[email protected]>
>
> It is reported to affect the rc0 release of qemu-5.1.0
> https://nvd.nist.gov/vuln/detail/CVE-2020-15863
>
> It was already patched in
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=d3c60cde03fd7de11776ec04ff50c61b6e1f6140
>
This patch was added for 5.0.0. The version in master right now is 5.2.0 ...

Is this CVE really being flagged by cve checker for master branch? The CPE data looks correct so why is this required to be whitelisted?

Thanks,
Anuj

> Signed-off-by: Khairul Rohaizzat Jamaluddin < > [email protected]> > --- > meta/recipes-devtools/qemu/qemu.inc | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes- > devtools/qemu/qemu.inc > index c894b81..38f228b 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc > +++ b/meta/recipes-devtools/qemu/qemu.inc > @@ -35,6 +35,9 @@ UPSTREAM_CHECK_REGEX = "qemu- > (?P<pver>\d+(\.\d+)+)\.tar" > > SRC_URI[sha256sum] = > "cb18d889b628fbe637672b0326789d9b0e3b8027e0445b936537c78549df17bc" > > +#affected 5.1rc0 but fixed in 5.1 > +CVE_CHECK_WHITELIST += "CVE-2020-15863" > + > SRC_URI_append_class-target = " file://cross.patch" > SRC_URI_append_class-nativesdk = " file://cross.patch" > > > >
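Review bot: The new comment "#affected 5.1rc0 but fixed in 5.1" above the CVE_CHECK_WHITELIST line does not say why the checker would still report CVE-2020-15863 against the version this recipe builds, and the entry is unconditional, so it suppresses the CVE for every version that includes qemu.inc. Please expand the comment to name the release that carries the fix and the reason the report is a false positive for this recipe, and include the NVD link from the commit message so the entry can be re-evaluated or dropped later. Style points: add a space after "#", and consider moving the two lines so they do not sit between SRC_URI[sha256sum] and the SRC_URI_append_class-* lines, which belong together.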
