On Wed, Dec 1, 2021 at 12:17 AM Ranjitsinh Rathod <[email protected]> wrote:

> Hi Steve,
>
> When do you plan to add these db CVEs in the
> 'meta/conf/distro/include/cve-extra-exclusions.inc' file?

Thanks for the reminder, it is in the set of patches I just sent out for review.

Steve

> Thanks,
>
> Best Regards,
>
> *Ranjitsinh Rathod*
> Technical Leader | KPIT Technologies Ltd.
>
> ------------------------------
> *From:* [email protected] <[email protected]> on behalf of Steve Sakoman via lists.openembedded.org <[email protected]>
> *Sent:* Wednesday, September 15, 2021 12:38 AM
> *To:* Steve Sakoman <[email protected]>
> *Cc:* Patches and discussions about the oe-core layer <[email protected]>
> *Subject:* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
>
> On Tue, Sep 14, 2021 at 8:41 AM Steve Sakoman via
> lists.openembedded.org <[email protected]>
> wrote:
> >
> > On Tue, Sep 14, 2021 at 8:04 AM Steve Sakoman via
> > lists.openembedded.org <[email protected]>
> > wrote:
> > >
> > > The CVE database correctly reports CVEs for oracle_berkley_db and
> > > berkley_db. We use the oracle_berkley_db source tree and therefore
> > > should only check for oracle_berkely_db CVEs. Otherwise the scanner
> > > falsely reports CVEs that are fixed in oracle_berkley_db
> >
> > Please hold off on taking this patch -- I need to do some more
> > research. I may have confused myself :-(
>
> I did indeed confuse myself, so ignore this patch.
>
> The CVE database is reporting CVEs for the Oracle db code base under
> the name berkley_db, so the original patch in question is indeed
> correct and the CVEs are valid.
>
> Our CVE reporting has been whitelisting db CVEs. I'm going to remove
> that from the tool and submit a patch to add the db CVEs to the
> exclusion list in meta/conf/distro/include/cve-extra-exclusions.inc
> since it seems unlikely that we will be moving to a version of db with
> these issues fixed.
>
> Steve
>
> > > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> > >
> > > Signed-off-by: Steve Sakoman <[email protected]>
> > > --- > > > meta/recipes-support/db/db_5.3.28.bb | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/meta/recipes-support/db/db_5.3.28.bb > b/meta/recipes-support/db/db_5.3.28.bb > > > index d5b788a3d7..5e9305ab06 100644 > > > --- a/meta/recipes-support/db/db_5.3.28.bb > > > +++ b/meta/recipes-support/db/db_5.3.28.bb > > > @@ -15,7 +15,7 @@ HOMEPAGE = " > https://www.oracle.com/database/technologies/related/berkeleydb.html > > > LICENSE = "Sleepycat" > > > RCONFLICTS:${PN} = "db3" > > > > > > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db" > > > +CVE_PRODUCT = "oracle_berkeley_db" > > > CVE_VERSION = "11.2.${PV}" > > > > > > PR = "r1" > > > -- > > > 2.25.1
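
Review bot: Dropping berkeley_db from CVE_PRODUCT on the `+CVE_PRODUCT = "oracle_berkeley_db"` line stops the scanner from matching every CVE filed under that product name, yet the commit message gives no CVE IDs or fixed-version evidence for its claim that those reports are false. I would keep both product names here and exclude individual CVEs with a stated reason instead, for example in meta/conf/distro/include/cve-extra-exclusions.inc, so each suppressed entry stays visible and auditable. The commit message also spells the product names three ways (oracle_berkley_db, oracle_berkely_db, berkley_db), none matching the "berkeley" spelling used in the hunk; please make them consistent.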
View/Reply Online (#159146): https://lists.openembedded.org/g/openembedded-core/message/159146
