Thanks for the patch. I did check the NVD database before I sent out the patch. 
But when I checked it just now, I can see that there's really no 'sqlite3' for 
this recipe. All 'sqlite3' refer to the node js package.

Acked-by: Chen Qi <qi.c...@windriver.com>

-----Original Message-----
From: openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org> On Behalf Of Sanjaykumar kantibhai 
Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
Sent: Sunday, May 28, 2023 3:10 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) 
<schit...@cisco.com>; openembedded-core@lists.openembedded.org; 
alexandre.bell...@bootlin.com
Subject: Re: [OE-core][PATCH] Revert "sqlite3: update CVE_PRODUCT"

Hi Alex,

It looks like, due to commit
https://github.com/openembedded/openembedded-core/commit/8800976e79d65956218ab462d9644d0661579301,

"CVE-2022-21227: sqlite3-native:sqlite3 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21227" is wrongly 
reported on master branch:
https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-master.txt

Ideally CVE-2022-21227 CVE is applicable to 
https://github.com/TryGhost/node-sqlite3 which is "SQLite3 bindings for 
Node.js".
"https://github.com/sqlite/sqlite" is "Official Git mirror of the SQLite source 
tree".

Please review the case and share your comment.

Thanks,
Sanjay

-----Original Message-----
From: openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org> On Behalf Of Sanjaykumar kantibhai 
Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
Sent: Sunday, May 28, 2023 12:18 PM
To: openembedded-core@lists.openembedded.org; Sanjaykumar kantibhai Chitroda -X 
(schitrod - E-INFO CHIPS INC at Cisco) <schit...@cisco.com>
Subject: [OE-core][PATCH] Revert "sqlite3: update CVE_PRODUCT"

This reverts commit 8800976e79d65956218ab462d9644d0661579301.

As per the NVD database, the "ghost:sqlite3" product is specific to "node.js".
CVEs reported against the above products are not applicable to us.

Signed-off-by: Sanjay Chitroda <schit...@cisco.com>
---
 meta/recipes-support/sqlite/sqlite3.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/sqlite/sqlite3.inc 
b/meta/recipes-support/sqlite/sqlite3.inc
index c246d42fdf..9a0de08553 100644
--- a/meta/recipes-support/sqlite/sqlite3.inc
+++ b/meta/recipes-support/sqlite/sqlite3.inc
@@ -18,7 +18,7 @@ S = "${WORKDIR}/sqlite-autoconf-${SQLITE_PV}"
 UPSTREAM_CHECK_URI = "http://www.sqlite.org/";
 UPSTREAM_CHECK_REGEX = "releaselog/(?P<pver>(\d+[\.\-_]*)+)\.html"
 
-CVE_PRODUCT = "sqlite sqlite3"
+CVE_PRODUCT = "sqlite"
 
 inherit autotools pkgconfig siteinfo
 
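Review bot: The new CVE_PRODUCT = "sqlite" assignment has no comment saying why "sqlite3" is left out, and since this line has now been changed in both directions, the name is likely to be added again by someone who sees "sqlite3" in the recipe name. A one-line comment above the assignment, stating that the NVD "sqlite3" product is the Node.js binding (ghost:sqlite3, as the commit message says) and not this recipe's upstream, would record the reason next to the setting. The commit message would also be easier to audit later if it named the report that prompted the revert, which the thread gives as CVE-2022-21227 showing up against sqlite3-native on master.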
-- 
2.35.6
