On Wed, May 10, 2023 at 5:32 AM Yoann Congal <yoann.con...@smile.fr> wrote:
>
> Hi Steve!
>
> On 5/10/23 00:32, Steve Sakoman wrote:
> > From: Yoann Congal <yoann.con...@smile.fr>
> >
> > Exclude CVEs that are fixed in both current linux-yocto version
> > v5.10.175 and v5.15.108.
> >
> > To get the commit fixing a CVE, I used the Debian kernel-sec repo [1].
> >
> > [1]: https://salsa.debian.org/kernel-team/kernel-sec/-/commit/86d5040aee9275f9555458fcaf9cb43710dff398
> >
> > Signed-off-by: Yoann Congal <yoann.con...@smile.fr>
> > Signed-off-by: Steve Sakoman <st...@sakoman.com>
> > ---
> >  meta/recipes-kernel/linux/cve-exclusion.inc | 875 ++++++++++++++++++++
> >  meta/recipes-kernel/linux/linux-yocto.inc   |   3 +
> >  2 files changed, 878 insertions(+)
> >  create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc
> >
> > diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc 
> > b/meta/recipes-kernel/linux/cve-exclusion.inc
> > new file mode 100644
> > index 0000000000..7fd362881a
> > --- /dev/null
> > +++ b/meta/recipes-kernel/linux/cve-exclusion.inc
> > @@ -0,0 +1,875 @@
> > +# Kernel CVE exclusion file
> > +
>
> .../...
> > +
> > +# https://nvd.nist.gov/vuln/detail/CVE-2022-2503
> > +# Patched in kernel since v5.19 4caae58406f8ceb741603eee460d79bacca9b1b5
> > +# Backported in version v5.4.197 fd2f7e9984850a0162bfb6948b98ffac9fb5fa58
> > +# Backported in version v5.10.120 8df42bcd364cc3b41105215d841792aea787b133
> > +# Backported in version v5.15.45 69712b170237ec5979f168149cd31e851a465853
> > +CVE_CHECK_IGNORE += "CVE-2022-2503"
> > +
> > +# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
> > +# Patched in kernel since v5.19 2f446ffe9d737e9a844b97887919c4fda18246e7
> > +# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
> > +# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
> > +# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
> > +CVE_CHECK_IGNORE += "CVE-2022-26365"
> > +
> > +# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
> > +# Patched in kernel since v6.0 e8d5dfd1d8747b56077d02664a8838c71ced948e
> > +# Backported in version v5.4.215 d0a24bc8e2aa703030d80affa3e5237fe3ad4dd2
> > +# Backported in version v5.10.146 9a5d7e0acb41bb2aac552f8eeb4b404177f3f66d
> > +# Backported in version v5.15.71 dc33ffbc361e2579a8f31b8724ef85d4117440e4
> > +# Backported in version v5.19.12 510ea9eae5ee45f4e443023556532bda99387351
> > +CVE_CHECK_IGNORE += "CVE-2022-2663"
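
Review bot: the `CVE_CHECK_IGNORE +=` entries in cve-exclusion.inc are unconditional, and the file header (`# Kernel CVE exclusion file`) does not record which kernel versions they were validated against. The commit message names v5.10.175 and v5.15.108 as the baseline; stating that in the header comment, together with the kernel-sec commit used as the source, would let a reader see that an entry no longer holds for a kernel older than the listed backport (for example v5.10.146 for CVE-2022-2663). Also, in the visible entries CVE-2022-26365 sits between CVE-2022-2503 and CVE-2022-2663, which is string order rather than numeric order; noting the intended ordering in the header would keep later additions consistent.
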
>
> I just noticed that the list is not sorted :(
>
> I'll send a V2 sorted (This will make the next iterations cleaner)

I'm just about to finalize the patchset for the upcoming 4.0.10
release, so I'll need to get the v2 today if you want it in the
release!

Thanks for doing this!

Steve