Hi team,

I had a discussion with Chen about this patch, but the conversation is not available on OE-core patchwork. Does anyone have any idea why we can't see our conversation on the website?

@Steve Sakoman @[email protected] Please take this conversation into consideration, and help/guide us on how to proceed further.

Thanks,
Sanjay

-----Original Message-----
From: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
Sent: Monday, May 29, 2023 10:35 AM
To: [email protected]
Subject: RE: [OE-core][PATCH] Revert "sqlite3: update CVE_PRODUCT"

Hi Chen,

I can't see our mail conversation on the patchwork website.
https://patchwork.yoctoproject.org/project/oe-core/patch/[email protected]/

Any idea why this is so?

Thanks,
Sanjay

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Chen Qi via lists.openembedded.org
Sent: Sunday, May 28, 2023 6:22 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <[email protected]>; [email protected]; [email protected]
Subject: Re: [OE-core][PATCH] Revert "sqlite3: update CVE_PRODUCT"

Thanks for the patch.

I did check the NVD database before I sent out the patch. But when I checked it just now, I can see that there's really no 'sqlite3' for this recipe. All 'sqlite3' refer to the node js package.

Acked-by: Chen Qi <[email protected]>

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
Sent: Sunday, May 28, 2023 3:10 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <[email protected]>; [email protected]; [email protected]
Subject: Re: [OE-core][PATCH] Revert "sqlite3: update CVE_PRODUCT"

Hi Alex,

It looks like, due to commit https://github.com/openembedded/openembedded-core/commit/8800976e79d65956218ab462d9644d0661579301, "CVE-2022-21227: sqlite3-native:sqlite3 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21227" is wrongly reported on the master branch: https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-master.txt

Ideally, CVE-2022-21227 is applicable to https://github.com/TryGhost/node-sqlite3, which is "SQLite3 bindings for Node.js". "https://github.com/sqlite/sqlite" is the "Official Git mirror of the SQLite source tree".

Please review the case and share your comments.

Thanks,
Sanjay

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
Sent: Sunday, May 28, 2023 12:18 PM
To: [email protected]; Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <[email protected]>
Subject: [OE-core][PATCH] Revert "sqlite3: update CVE_PRODUCT"

This reverts commit 8800976e79d65956218ab462d9644d0661579301.

As per NVD database "ghost:sqlite3" product is specific to "node.js"
CVEs reported against above products are not applicable to us.

Signed-off-by: Sanjay Chitroda <[email protected]>

--- meta/recipes-support/sqlite/sqlite3.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-support/sqlite/sqlite3.inc b/meta/recipes-support/sqlite/sqlite3.inc index c246d42fdf..9a0de08553 100644 --- a/meta/recipes-support/sqlite/sqlite3.inc +++ b/meta/recipes-support/sqlite/sqlite3.inc
@@ -18,7 +18,7 @@ S = "${WORKDIR}/sqlite-autoconf-${SQLITE_PV}" UPSTREAM_CHECK_URI = "http://www.sqlite.org/" UPSTREAM_CHECK_REGEX = "releaselog/(?P<pver>(\d+[\.\-_]*)+)\.html" -CVE_PRODUCT = "sqlite sqlite3" +CVE_PRODUCT = "sqlite" inherit autotools pkgconfig siteinfo -- 2.35.6
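
Review bot: The `+CVE_PRODUCT = "sqlite"` line has no comment recording why `sqlite3` is deliberately left out, so the name can be re-added later exactly as the reverted commit did. A one-line comment above it, saying that the NVD product `sqlite3` is the Node.js binding ("ghost:sqlite3") and not this recipe, would guard against that. The commit message would also be easier to audit if it named CVE-2022-21227, the false positive cited in the follow-up mail, as the report this revert removes from the cve-status output.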
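
The false positive discussed in this thread, as an added example that is not part of the original messages and is not the code of OE-core's cve-check: a simplified Python model of matching CVE_PRODUCT names against NVD vendor:product pairs. The NVD rows are constructed sample data, the placeholder CVE id and all function names are assumptions, and the vendor-qualified `vendor:product` form of CVE_PRODUCT is included to show a stricter match than the thread itself uses.

```python
# Simplified model of CVE_PRODUCT matching; NOT the code of cve-check.bbclass.
# NVD_ROWS is constructed sample data: (vendor, product, CVE id).
NVD_ROWS = [
    ("sqlite", "sqlite", "CVE-PLACEHOLDER-0001"),  # placeholder id for SQLite itself
    ("ghost", "sqlite3", "CVE-2022-21227"),        # Node.js binding, per the thread
]


def parse_cve_product(value):
    """Split a CVE_PRODUCT string into (vendor, product); vendor None = any."""
    pairs = []
    for entry in value.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
        else:
            vendor, product = None, entry
        pairs.append((vendor, product))
    return pairs


def matched_cves(cve_product, rows=NVD_ROWS):
    """Return sorted (CVE id, 'vendor:product') pairs the setting would report."""
    hits = set()
    for want_vendor, want_product in parse_cve_product(cve_product):
        for vendor, product, cve in rows:
            if product == want_product and want_vendor in (None, vendor):
                hits.add((cve, f"{vendor}:{product}"))
    return sorted(hits)


def false_positives(cve_product, upstream_vendors, rows=NVD_ROWS):
    """CVE ids matched through a vendor that is not the recipe's upstream."""
    return [cve for cve, cpe in matched_cves(cve_product, rows)
            if cpe.split(":", 1)[0] not in upstream_vendors]


if __name__ == "__main__":
    for setting in ("sqlite sqlite3", "sqlite", "sqlite:sqlite"):
        print(f'CVE_PRODUCT = "{setting}"')
        for cve, cpe in matched_cves(setting):
            print(f"  {cve} via {cpe}")
        print("  false positives:", false_positives(setting, {"sqlite"}))
```
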
