Hi all,

We would appreciate help triaging the following CVEs filed against the
Linux Kernel, which therefore affect linux-yocto.

Each of these is missing an upstream fix version in the CVE data, so
they show as unresolved in our CVE metrics. However, they may well be
fixed already in the kernel versions that we ship. So we need some help
to determine the appropriate upstream fix versions.

For each CVE, at a minimum we need to know if they are resolved in the
mainline kernel, and if so then which release they were resolved in. A
pointer to the exact upstream commit resolving the issue would be
preferred. This may involve a bit of investigation, so please share the
information you find that proves that a CVE is resolved in a particular
kernel version.

Once you've investigated a particular CVE, if it is resolved upstream
then please send a patch to update the linux-yocto cve-exclusion.inc
file with the appropriate information. See recent commits to this file
for examples of what we need, e.g:
    
https://git.openembedded.org/openembedded-core/commit/?id=ded28ca69b326e51ac5cf363f06c6f0931a9c1bd

Once we've got patches merged into the master branch, we can look at
backporting to wrynose & scarthgap as appropriate.

The open linux-yocto CVEs lacking an upstream fix version and not
currently tracked in cve-exclusion.inc are:

- CVE-2019-14899
- CVE-2021-3714
- CVE-2021-3864
- CVE-2022-0400
- CVE-2022-1247
- CVE-2022-4543
- CVE-2023-3397
- CVE-2023-3640
- CVE-2023-4010
- CVE-2023-6238
- CVE-2023-6240

Best regards,

-- 
Paul Barker

Attachment: signature.asc
Description: This is a digitally signed message part

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239823): 
https://lists.openembedded.org/g/openembedded-core/message/239823
Mute This Topic: https://lists.openembedded.org/mt/120036381/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to