On Tue, Sep 14, 2021, 3:15 PM Mittal, Anuj <[email protected]> wrote:
> On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote: > > The CVE database correctly reports CVEs for oracle_berkley_db and > > berkley_db. We use the oracle_berkley_db source tree and therefore > > should only check for oracle_berkely_db CVEs. Otherwise the scanner > > falsely reports CVEs that are fixed in oracle_berkley_db > > Aren't both the same thing? I think this revert is incorrect and the > CVEs being flagged are correct. > > https://nvd.nist.gov/vuln/detail/CVE-2015-2583 > > The CPE data shows oracle as the vendor and berkeley_db as product. > Yes, I agree. See my reply from earlier today where I withdrew this patch! Steve > > > > Thanks, > > Anuj > > > > > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661. > > > > Signed-off-by: Steve Sakoman <[email protected]> > > --- > > meta/recipes-support/db/db_5.3.28.bb | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes- > > support/db/db_5.3.28.bb > > index d5b788a3d7..5e9305ab06 100644 > > --- a/meta/recipes-support/db/db_5.3.28.bb > > +++ b/meta/recipes-support/db/db_5.3.28.bb > > @@ -15,7 +15,7 @@ HOMEPAGE = > > "https://www.oracle.com/database/technologies/related/berkeleydb.html > > LICENSE = "Sleepycat" > > RCONFLICTS:${PN} = "db3" > > > > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db" > > +CVE_PRODUCT = "oracle_berkeley_db" > > CVE_VERSION = "11.2.${PV}" > > > > PR = "r1" > > > > > > > >
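Review bot: The `CVE_PRODUCT` line drops `berkeley_db`, so the scanner no longer matches entries whose CPE product is `berkeley_db`. The reply in this thread points out that the CPE data for CVE-2015-2583 lists oracle as the vendor and berkeley_db as the product, which means the narrowed value would hide those reports rather than remove false positives. Keep `CVE_PRODUCT = "oracle_berkeley_db berkeley_db"`, and if individual CVEs are already fixed in this source tree, exclude them one by one with a stated reason instead of removing the product name. The commit message should also name the CVEs it considers falsely reported so the claim can be checked against their NVD entries.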
