On Tue, Apr 18, 2023 at 1:46 AM Kokkonda, Sundeep <[email protected]> wrote:
>
> Hello Steve,
>
> When is this patch planned to be taken into Kirkstone?
It is in the set of patches being tested today. So if all goes well it should hit the kirkstone branch later this week.

Steve

> ________________________________
> From: [email protected] <[email protected]> on behalf of Sundeep KOKKONDA via lists.openembedded.org <[email protected]>
> Sent: 02 April 2023 20:58
> To: [email protected] <[email protected]>
> Cc: [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>
> Subject: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
>
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnerability when using cargo ssh.
> Kirkstone doesn't support rust on-target images and bitbake uses 'wget' (which uses 'https') for fetching the sources instead of ssh.
> So, cargo-native is also not vulnerable to this cve and so it is added to the excluded list.
>
> Signed-off-by: Sundeep KOKKONDA <[email protected]>
> ---
>  meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc
> b/meta/conf/distro/include/cve-extra-exclusions.inc
> index 8b5f8d49b8..cb2d920441 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -15,6 +15,11 @@ > # the aim of sharing that work and ensuring we don't duplicate it. > # > > +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176 > +#cargo security advisor > https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html > +#This CVE is a security issue when using cargo ssh. In kirkstone, rust > 1.59.0 is used and the rust on-target is not supported, so the target images > are not vulnerable to the cve. > +#The bitbake using the 'wget' (which uses 'https') for fetching the sources > instead of ssh. So, the cargo-native are also not vulnerable to this cve and > so added to excluded list. > +CVE_CHECK_IGNORE += "CVE-2022-46176" > > # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 > # CVE is more than 20 years old with no resolution evident > -- > 2.34.1 >
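Review bot: the rationale in the new comment lines (bitbake fetches the sources with wget over https, so cargo-native is not vulnerable) argues about how bitbake fetches recipe sources, but CVE-2022-46176 is, as the comment itself says, an issue "when using cargo ssh", and cargo-native is the cargo that runs on the build host. The comment should state the fact that actually closes the CVE for this build: that cargo never performs a git or registry fetch over ssh during do_compile (for example because every crate it needs is already fetched and unpacked, and no Cargo.lock or .cargo/config source in the tree uses an ssh URL). Otherwise the ignore rests on a statement about the wrong fetcher. Since this is a global CVE_CHECK_IGNORE rather than a version bump (the comment notes kirkstone stays on rust 1.59.0), wording it as "not exploitable in this configuration" instead of "not vulnerable" would tell anyone who later enables on-target rust or adds an ssh git dependency that the exclusion no longer holds. Two smaller points in the same hunk: "cargo security advisor" should read "cargo security advisory", and the new lines use "#cargo ..." while the neighbouring entries in this file ("# strace https://...") put a space after the hash; matching that and wrapping the very long comment lines would keep the file consistent.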
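The exclusion above rests on the claim that cargo never fetches anything over ssh during the build. The only place cargo records where each crate comes from is Cargo.lock, so a quick way to back that claim for a given recipe is to scan the lockfile the build uses for ssh-scheme sources. The script below is an added example, not code from the patch or from OE-core; the lockfile contents, the crate names and the host example.internal are constructed for illustration.

```python
"""Audit a Cargo.lock for dependencies that cargo would fetch over SSH.

Added example, not part of the patch or of OE-core. CVE-2022-46176 is about
cargo skipping SSH host-key verification when it fetches git dependencies or
a registry index over ssh, so a build in which no package source uses an ssh
scheme never reaches the vulnerable code path. The sample lockfile below is
constructed for the example.
"""
import re
from urllib.parse import urlsplit

# URL schemes that make cargo open an SSH connection. "git+ssh" is the form
# written into Cargo.lock; a bare "ssh" scheme can appear in .cargo/config
# source-replacement or registry entries, which this script does not read.
SSH_SCHEMES = {"ssh", "git+ssh"}

# Constructed sample: one crates.io crate, one git dependency over ssh, one git
# dependency over https and one path crate (path crates carry no "source").
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "libc"
version = "0.2.139"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "201de327520df007757c1f0adce6e827fe8562fbc28bfd9c15571c66ca1f5f79"

[[package]]
name = "internal-utils"
version = "0.1.0"
source = "git+ssh://git@example.internal/example-org/internal-utils.git?branch=main#0123456789abcdef0123456789abcdef01234567"

[[package]]
name = "public-helper"
version = "0.3.2"
source = "git+https://github.com/example-org/public-helper.git#89abcdef0123456789abcdef0123456789abcdef"
dependencies = [
 "libc",
]

[[package]]
name = "local-crate"
version = "0.1.0"
"""

_KV_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_cargo_lock(text):
    """Return one dict per [[package]] block with its string-valued keys.

    Cargo writes one ``key = "value"`` per line, so a minimal TOML subset is
    enough; multi-line arrays such as ``dependencies = [`` are skipped and any
    other table header (e.g. ``[metadata]``) ends the current package.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
            continue
        if current is None or not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = None
            continue
        m = _KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return packages


def source_scheme(source):
    """Lower-cased URL scheme of a lockfile source (e.g. "git+ssh"), "" if none."""
    if not source:
        return ""
    return urlsplit(source).scheme.lower()


def find_ssh_sources(lock_text):
    """Return [(name, version, source)] for every package fetched over ssh."""
    hits = []
    for pkg in parse_cargo_lock(lock_text):
        src = pkg.get("source", "")
        if source_scheme(src) in SSH_SCHEMES:
            hits.append((pkg.get("name", "?"), pkg.get("version", "?"), src))
    return hits


def is_ssh_free(lock_text):
    """True when no package in the lockfile would be fetched over ssh."""
    return not find_ssh_sources(lock_text)


if __name__ == "__main__":
    hits = find_ssh_sources(SAMPLE_CARGO_LOCK)
    if hits:
        print("ssh-fetched dependencies found; a CVE-2022-46176 exclusion would not hold:")
        for name, version, src in hits:
            print(f"  {name} {version}: {src}")
    else:
        print("no ssh sources; cargo opens no ssh connection for this lockfile")
```

Run it against the real Cargo.lock of a recipe (replacing SAMPLE_CARGO_LOCK with the file contents) before relying on an exclusion like the one in the patch; the check is deliberately narrow, so a clean result still has to be paired with a look at any .cargo/config source replacement the build injects, which is the other place an ssh URL could reach cargo.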
Links: View/Reply Online (#180191): https://lists.openembedded.org/g/openembedded-core/message/180191
