On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote:
> The CVE database correctly reports CVEs for oracle_berkley_db and
> berkley_db. We use the oracle_berkley_db source tree and therefore
> should only check for oracle_berkely_db CVEs. Otherwise the scanner
> falsely reports CVEs that are fixed in oracle_berkley_db

Aren't both the same thing? I think this revert is incorrect and the CVEs being flagged are correct.

https://nvd.nist.gov/vuln/detail/CVE-2015-2583

The CPE data shows oracle as the vendor and berkeley_db as product.

Thanks,

Anuj

>
> This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
>
> Signed-off-by: Steve Sakoman <[email protected]>
> --- > meta/recipes-support/db/db_5.3.28.bb | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes- > support/db/db_5.3.28.bb > index d5b788a3d7..5e9305ab06 100644 > --- a/meta/recipes-support/db/db_5.3.28.bb > +++ b/meta/recipes-support/db/db_5.3.28.bb > @@ -15,7 +15,7 @@ HOMEPAGE = > "https://www.oracle.com/database/technologies/related/berkeleydb.html > LICENSE = "Sleepycat" > RCONFLICTS:${PN} = "db3" > > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db" > +CVE_PRODUCT = "oracle_berkeley_db" > CVE_VERSION = "11.2.${PV}" > > PR = "r1" > > >
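
Review bot: Dropping berkeley_db from CVE_PRODUCT on the changed line means the scanner no longer matches any NVD entry whose CPE product is berkeley_db, and the reply in this thread points out that CVE-2015-2583 is recorded exactly that way (vendor oracle, product berkeley_db). If the goal is to silence specific false positives, keeping both product names and excluding those CVE IDs individually would be the narrower change. Either way, a comment above CVE_PRODUCT should record why a product name is or is not listed, since the recipe itself gives no rationale and CVE_VERSION = "11.2.${PV}" already shows the mapping to NVD data is non-obvious.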
