Hello Steve, The patches are generic to all Yocto implementations and are not reported for any particular distros.
I have re-sent another patch version mentioning in detail why these CVEs can be safely whitelisted. Please review and let me know for any change. Thanks & Regards, Saloni ________________________________ From: Steve Sakoman <sako...@gmail.com> Sent: Wednesday, February 3, 2021 8:15 PM To: Saloni Jain <saloni.j...@kpit.com> Cc: Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>; Khem Raj <raj.k...@gmail.com>; Nisha Parrakat <nisha.parra...@kpit.com>; Anuj Chougule <anuj.choug...@kpit.com> Subject: Re: [OE-core] [poky][dunfell][PATCH] libgcrypt: Whitelisted CVEs On Tue, Feb 2, 2021 at 8:09 AM saloni <saloni.j...@kpit.com> wrote: > > Whitelisted below CVEs as their status is disputed > and ignored and not affecting the Ubuntu and Debian > environments. Hence, marked them whitelisted. I'm not sure why you are referencing Ubuntu and Debian environments. We care about whether it is affecting the Yocto implementation. Could you explain your reasoning a bit more? Are you saying that Ubuntu and Debian maintainers don't consider these CVE's to be a serious enough issue to mitigate and thus it is safe for us to do the same? Thanks! Steve > 1. CVE-2018-12433 > Link: > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2018-12433&data=04%7C01%7Csaloni.jain%40kpit.com%7C552396efe6014cdf8dbb08d8c8526011%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637479603466304421%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=NBbGFes6ahGsJLIXXcmqnQ%2Fi95ziKHMHnGzD%2F%2FPFEBM%3D&reserved=0 > > 2. CVE-2018-12438 > Link: > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2018-12438&data=04%7C01%7Csaloni.jain%40kpit.com%7C552396efe6014cdf8dbb08d8c8526011%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637479603466304421%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=uBYKEgLQ3vY8%2FH0QuBxS2znVtRPJANKv%2FWF0nOGpkI8%3D&reserved=0 > > Signed-off-by: Saloni Jain <saloni.j...@kpit.com> > --- > meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb > b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb > index 4e0eb0a..ba3666f 100644 > --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb > +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb > @@ -29,6 +29,9 @@ SRC_URI = > "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ > SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743" > SRC_URI[sha256sum] = > "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3" > > +# Below whitelisted CVEs are disputed and not affecting Ubuntu and Debian > environments. > +CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438" > + > BINCONFIG = "${bindir}/libgcrypt-config" > > inherit autotools texinfo binconfig-disabled pkgconfig > -- > 2.7.4 > > This message contains information that may be privileged or confidential and > is the property of the KPIT Technologies Ltd. It is intended only for the > person to whom it is addressed. If you are not the intended recipient, you > are not authorized to read, print, retain copy, disseminate, distribute, or > use this message or any part thereof. If you receive this message in error, > please notify the sender immediately and delete all copies of this message. > KPIT Technologies Ltd. does not accept any liability for virus infected mails. > > > This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#147698): https://lists.openembedded.org/g/openembedded-core/message/147698 Mute This Topic: https://lists.openembedded.org/mt/80321678/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
