-----Original Message-----
From: [email protected] 
<[email protected]> On Behalf Of Changqing Li via 
lists.openembedded.org
Sent: Friday, September 1, 2023 11:02
To: [email protected]
Subject: [OE-core] [PATCH] sqlite3: set CVE_STATUS for CVE-2023-36191

> From: Changqing Li <[email protected]>
>
> The error is a bug. It has been fixed upstream. But it is not a 
> vulnerability. You may safely ignore the CVE.
>
> Refer:
> [1] https://www.sqlite.org/forum/forumpost/19f55ef73b
>
> Signed-off-by: Changqing Li <[email protected]>
> ---
>  meta/recipes-support/sqlite/sqlite3_3.42.0.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb 
> b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
> index 8783f620f4..b37644580c 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
> @@ -6,3 +6,5 @@ LIC_FILES_CHKSUM = 
> "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
>  SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz";
>  SRC_URI[sha256sum] = 
> "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6"
>  
> +CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed 
> upstream. But it is not a vulnerability"

This is the wrong format since it's missing the CVE status map prefix.
It needs to be something like:
CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability"

Also, since this CVE is reported in the NVD DB for 3.40.1 only, this CVE exclusion 
is not needed for the 3.42.0 recipe.

> +
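
Review bot: the value assigned to CVE_STATUS[CVE-2023-36191] on the added line is free text only, with no status keyword and colon ahead of the description, so a status map lookup has no key to match. Put the status first, for example "disputed: The error is a bug. ...". The hunk also adds a bare "+" line after the assignment, which leaves a trailing blank line at the end of the recipe; drop it. The upstream forum link cited in the commit message would be worth carrying into the recipe as a comment above the assignment, so the justification stays next to the line it explains.
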
> --
> 2.25.1

View/Reply Online (#186996): 
https://lists.openembedded.org/g/openembedded-core/message/186996