Hi, > From: [email protected] > <[email protected]> On Behalf Of Marta Rybczynska via > lists.openembedded.org > Sent: Tuesday, June 6, 2023 7:34 > To: Geoffrey GIRY mailto:[email protected]; Richard Purdie > mailto:[email protected] > Cc: OE-core mailto:[email protected]; Yoann Congal > <[email protected]> > Subject: Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] > cve-extra-exclusions: ignore inapplicable linux-yocto CVEs) > > Hello all, > I'm in process of clarifying entries for NVD to have them fixed in the > sources. The comments in the patch linked do not include all the needed > information, however. > > Let's take this one: > > +# https://nvd.nist.gov/vuln/detail/CVE-2022-1462 > +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 > +# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23 > +# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132 > +# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c > +# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29 > +CVE_CHECK_IGNORE += "CVE-2022-1462" > > We need to write a set of rules on which versions are vulnerable, like this: > [v2.6.12 - v5.4.208] > [v5.5.0 ??? - v5.10.134] > [v5.11.0 ??? - v5.15.58] > [v5.16.0 ??? - v5.19.0]
New kernel branches start with tag vX.Y-rc1, so it should be v5.5-rc1, v5.11-rc1, v5.16.0-rc1. In NVD DB 1.1 format: 5.5_rc1, 5.1_rc1, 5.16_rc1, ... > > The values with ??? are uncertain. Geoffrey, Yann, as it was scripted out > according to one of the discussions, are you able to confirm those "starting" > versions ? > > Kind regards, > Marta
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#182434): https://lists.openembedded.org/g/openembedded-core/message/182434 Mute This Topic: https://lists.openembedded.org/mt/99357871/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
