Hi,

On Mon, Apr 19, 2021 at 07:32:52PM -0700, Chen Qi wrote:
> Update CVE_PRODUCT to also include 'berkeley_db'. For example,
> CVE-2020-2981 uses 'berkeley_db'.

Yep, this is correct. The situation is rather complex as CVE-2020-2981 is an example of a bug which only affects the newer version with a lot of additional (buggy?) features from Oracle. The db5.3 (Debian source package name) and yocto db recipes are not affected by this.

https://security-tracker.debian.org/tracker/CVE-2020-2981

Hence, the CVE checker data needs to know the version and the vendors and even then there may be false positives for it. It's a good idea to check what Debian and Ubuntu do with the same source package and CVEs...

Acked-by: Mikko Rapeli <[email protected]>

Cheers,

-Mikko

> Signed-off-by: Chen Qi <[email protected]> > --- > meta/recipes-support/db/db_5.3.28.bb | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta/recipes-support/db/db_5.3.28.bb > b/meta/recipes-support/db/db_5.3.28.bb > index 9cb57e6a53..b2ae98f05c 100644 > --- a/meta/recipes-support/db/db_5.3.28.bb > +++ b/meta/recipes-support/db/db_5.3.28.bb > @@ -15,7 +15,7 @@ HOMEPAGE = > "https://www.oracle.com/database/technologies/related/berkeleydb.html > LICENSE = "Sleepycat" > RCONFLICTS_${PN} = "db3" > > -CVE_PRODUCT = "oracle_berkeley_db" > +CVE_PRODUCT = "oracle_berkeley_db berkeley_db" > CVE_VERSION = "11.2.${PV}" > > PR = "r1" > -- > 2.30.2 > > > >
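Review bot: adding 'berkeley_db' to CVE_PRODUCT widens the match set, but the hunk carries nothing to handle the false positive the thread itself identifies (CVE-2020-2981, which affects only the newer Oracle releases and not 5.3.28); consider pairing the new product name with an ignore/whitelist entry for that CVE and a comment citing the Debian tracker link above, so the next person running cve-check does not have to rediscover why it fires. Also worth confirming that CVE_VERSION = "11.2.${PV}" is the version scheme used by NVD entries filed under the bare 'berkeley_db' product, since that single version string is now compared against both product names and a mismatch would silently hide or falsely report entries.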
View/Reply Online (#150693): https://lists.openembedded.org/g/openembedded-core/message/150693
