Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992
-----Original Message-----
From: Ross Burton
Sent: Monday, January 22, 2024 15:27
To: Marko, Peter (ADV D EU SK BFS1)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

> On 22 Jan 2024, at 14:16, Marko, Peter wrote:
> >
> > Hi Ross,
> >
> > I think this one is better -
> > https://lists.openembedded.org/g/openembedded-core/message/193603
> > I'm not sure why it was not picked up yet after 9 days, but it's the CPE which
> > is not matching, not our configuration options...
>
> Ah, I didn't see that.
>
> However, the CPE _is_ correct; it's our matching which is not. I assumed there
> wasn't enough consistency in the zlib CPEs that we could set one with a
> vendor.

Yes, it's an inconsistency on our side, but still in the CPE field.
The current CVE status options do not offer a better selection.
My commit message explains why I have chosen this way of ignoring it, although it will be in the recipe forever (as version 2023-11-16 will always be higher than PV).

But I can also resubmit with CVE_PRODUCT changed to "gnu:zlib zlib:zlib" if that is the preferred option going forward.

Peter

> Ross

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194173): https://lists.openembedded.org/g/openembedded-core/message/194173
Mute This Topic: https://lists.openembedded.org/mt/103886356/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
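The two options weighed in this thread (a permanent CVE_STATUS entry versus a vendor-qualified CVE_PRODUCT) behave differently because of how a recipe's product names are matched against NVD CPE records. The following is an added illustration, not OE-core's cve-check code and not from either participant: a simplified matcher in which a bare product name matches any vendor, "vendor:product" restricts the match, and an affected-version bound is compared against PV. The CPE records, their vendors and their version bounds are constructed for the example and are assumptions, not NVD data; the numeric version comparison is a deliberate simplification of what the class does.

```python
"""Simplified model of CVE_PRODUCT vendor matching against CPE records.

Added example, not OE-core's cve-check.bbclass. The CPE records below are
constructed for illustration; their vendors and version bounds are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CpeRecord:
    cve: str
    vendor: str
    product: str
    version_end_incl: str  # upper bound of the affected range, inclusive


# Constructed sample "database": the CVE from the thread filed against the
# Cloudflare fork, plus the minizip CVE filed against upstream zlib.
SAMPLE_DB = [
    CpeRecord("CVE-2023-6992", "cloudflare", "zlib", "2023-11-16"),  # assumed bound
    CpeRecord("CVE-2023-45853", "zlib", "zlib", "1.3"),              # assumed bound
]


def parse_cve_product(cve_product: str) -> list[tuple[str, str]]:
    """Split a CVE_PRODUCT string into (vendor, product) pairs.

    A bare product name ("zlib") matches any vendor, written here as "*";
    "vendor:product" restricts the match to that vendor.
    """
    pairs = []
    for item in cve_product.split():
        if ":" in item:
            vendor, product = item.split(":", 1)
        else:
            vendor, product = "*", item
        pairs.append((vendor, product))
    return pairs


def version_key(version: str) -> tuple[int, ...]:
    """Crude numeric key: "1.3" -> (1, 3), "2023-11-16" -> (2023, 11, 16).

    Simplified on purpose: a date-style version becomes a very large tuple,
    which is why PV "1.3" always falls inside a range ending at 2023-11-16
    and a CVE_STATUS entry for that record would never age out.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def matching_cves(cve_product: str, pv: str, db: list[CpeRecord]) -> list[str]:
    """Return the CVE ids whose vendor/product match CVE_PRODUCT and whose
    affected range covers PV."""
    pairs = parse_cve_product(cve_product)
    hits = set()
    for rec in db:
        for vendor, product in pairs:
            if product != rec.product:
                continue
            if vendor not in ("*", rec.vendor):
                continue
            if version_key(pv) <= version_key(rec.version_end_incl):
                hits.add(rec.cve)
    return sorted(hits)


if __name__ == "__main__":
    # Bare "zlib": the Cloudflare record matches too, so CVE-2023-6992 is reported.
    print(matching_cves("zlib", "1.3", SAMPLE_DB))
    # Vendor-qualified: cloudflare:zlib is never consulted, so no CVE_STATUS entry is needed.
    print(matching_cves("gnu:zlib zlib:zlib", "1.3", SAMPLE_DB))
```

With the bare product name both records match and CVE-2023-6992 has to be silenced per recipe; with the vendor-qualified list the Cloudflare record is simply never consulted, which is the trade-off the two messages above are discussing.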
Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992
On 22 Jan 2024, at 14:16, Marko, Peter wrote:
>
> Hi Ross,
>
> I think this one is better -
> https://lists.openembedded.org/g/openembedded-core/message/193603
> I'm not sure why it was not picked up yet after 9 days, but it's the CPE which is
> not matching, not our configuration options...

Ah, I didn't see that.

However, the CPE _is_ correct; it's our matching which is not. I assumed there
wasn't enough consistency in the zlib CPEs that we could set one with a
vendor.

Ross

View/Reply Online (#194170): https://lists.openembedded.org/g/openembedded-core/message/194170
Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992
Hi Ross,

I think this one is better -
https://lists.openembedded.org/g/openembedded-core/message/193603
I'm not sure why it was not picked up yet after 9 days, but it's the CPE which is not matching, not our configuration options...

Peter

-----Original Message-----
From: openembedded-core@lists.openembedded.org On Behalf Of Ross Burton via lists.openembedded.org
Sent: Monday, January 22, 2024 15:04
To: openembedded-core@lists.openembedded.org
Subject: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

> From: Ross Burton
>
> This issue is specific to the Cloudflare fork of zlib.
>
> Signed-off-by: Ross Burton
> ---
>  meta/recipes-core/zlib/zlib_1.3.bb | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/zlib/zlib_1.3.bb
> b/meta/recipes-core/zlib/zlib_1.3.bb
> index 1ed18172faa..9db5588d66a 100644
> --- a/meta/recipes-core/zlib/zlib_1.3.bb
> +++ b/meta/recipes-core/zlib/zlib_1.3.bb
> @@ -47,3 +47,4 @@ do_install_ptest() {
>  BBCLASSEXTEND = "native nativesdk"
>
>  CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
> +CVE_STATUS[CVE-2023-6992] = "not-applicable-config: specific to the
> Cloudflare fork"
> --
> 2.34.1

View/Reply Online (#194167): https://lists.openembedded.org/g/openembedded-core/message/194167
[OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992
From: Ross Burton

This issue is specific to the Cloudflare fork of zlib.

Signed-off-by: Ross Burton
---
 meta/recipes-core/zlib/zlib_1.3.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/zlib/zlib_1.3.bb b/meta/recipes-core/zlib/zlib_1.3.bb
index 1ed18172faa..9db5588d66a 100644
--- a/meta/recipes-core/zlib/zlib_1.3.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.bb
@@ -47,3 +47,4 @@ do_install_ptest() {
 BBCLASSEXTEND = "native nativesdk"
 
 CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
+CVE_STATUS[CVE-2023-6992] = "not-applicable-config: specific to the Cloudflare fork"
-- 
2.34.1

View/Reply Online (#194162): https://lists.openembedded.org/g/openembedded-core/message/194162
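Review bot: the status group on the added CVE_STATUS line does not match its own rationale. The line above it uses "not-applicable-config" because a build option (minizip) is disabled, but the reason given here, "specific to the Cloudflare fork", is that the matched CPE belongs to a different product, not that a configuration option excludes the code. Either use a status whose group states a CPE/product mismatch rather than a configuration choice, or avoid the match altogether by qualifying the vendor in the recipe, e.g. `CVE_PRODUCT = "gnu:zlib zlib:zlib"` as proposed elsewhere in this thread, in which case no CVE_STATUS entry is needed at all. If the CVE_STATUS route is kept, the commit message should say why the entry can never be dropped: the reply in this thread notes the record's date-style version 2023-11-16 will always compare higher than PV, so the ignore stays in the recipe permanently.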