On Sun, 2024-02-18 at 16:52 +0000, Simone Weiß wrote:
> From: Simone Weiß <[email protected]>
> 
> All are already fixed in 8.2.1, NVD was informed that cpes are wrong.
> 
> Signed-off-by: Simone Weiß <[email protected]>
> ---
>  meta/recipes-devtools/qemu/qemu.inc | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/meta/recipes-devtools/qemu/qemu.inc 
> b/meta/recipes-devtools/qemu/qemu.inc
> index 5d953e5ef5..233652fc49 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -68,6 +68,12 @@ CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: 
> Issue only applies on Wind
>  # As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387
>  CVE_STATUS[CVE-2023-2680] = "not-applicable-platform: RHEL specific issue."
>  
> +CVE_STATUS[CVE-2023-3019] = "cpe-incorrect: Applies against versions > 8.2.0 
> only"
> +
> +CVE_STATUS[CVE-2023-5088] = "cpe-incorrect: Applies against versions >= 
> 8.2.0 only"
> +
> +CVE_STATUS[CVE-2023-6693] = "cpe-incorrect: Applies against versions >= 
> 8.2.0 only"
> +
>  COMPATIBLE_HOST:mipsarchn32 = "null"
>  COMPATIBLE_HOST:mipsarchn64 = "null"
>  COMPATIBLE_HOST:riscv32 = "null"
> 
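Review bot: The status strings on the three added CVE_STATUS lines read as the opposite of the commit message. "Applies against versions > 8.2.0 only" and ">= 8.2.0 only" say that releases after 8.2.0 are the affected ones, while the message says all three are already fixed in 8.2.1. The CVE-2023-3019 entry also uses ">" where the other two use ">=", with nothing in the patch explaining the difference. Suggest wording the affected range the same way in all three so it agrees with the commit message, for example "cpe-incorrect: Applies only to versions before 8.2.1", and adding a reference comment above each entry, as the existing CVE-2023-2680 entry has with its "# As per" line.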

Thanks for trying to resolve these.  

I'm struggling a little to read the above since to me that says the CVE
applies to versions greater than 8.2.0 so 8.2.1 would be affected?
Should the operators be the other way around, or should we spell it out
("applies to versions 8.2.0 and earlier")?

Cheers,

Richard
