Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

2024-01-22 Thread Peter Marko via lists.openembedded.org
-Original Message-
From: Ross Burton  
Sent: Monday, January 22, 2024 15:27
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

> On 22 Jan 2024, at 14:16, Marko, Peter  wrote:
> > 
> > Hi Ross,
> > 
> > I think this one is better - 
> > https://lists.openembedded.org/g/openembedded-core/message/193603
> > I'm not sure why it was not picked up yet after 9 days, but it's the CPE which 
> > is not matching, not our configuration options…
>
> Ah I didn’t see that.
>
> However the CPE _is_ correct, it's our matching which is not.  I assumed there 
> wasn't enough consistency in the zlib CPEs that we could set one with a 
> vendor.

Yes, it's an inconsistency on our side, but still in the CPE field. The current CVE status 
options do not offer a better selection.
My commit message explains why I have chosen to ignore it, although it 
will be in the recipe forever (as version 2023-11-16 will always be higher than 
PV).
But I can also resubmit with CVE_PRODUCT changed to "gnu:zlib zlib:zlib" if 
that is the preferred option to go forward.

Peter

>
> Ross
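The two options weighed in the message above, a per-CVE CVE_STATUS ignore versus a CVE_PRODUCT that names vendors explicitly, come down to how a vendor-less product entry is matched against CPE data. The Python below is an added illustration written for this thread, not code from cve-check.bbclass, from the zlib recipe, or from either poster: it models the vendor handling in simplified form (an entry without `:` is assumed to match any vendor, a `vendor:product` entry only that vendor) against a constructed table of CPE rows with placeholder CVE ids, and shows which CVEs each recipe configuration would still report.

```python
# Added illustration for this thread: a simplified model of how a
# CVE_PRODUCT value is matched against CPE (vendor, product) rows, and
# how a CVE_STATUS ignore removes a reported CVE afterwards. This is
# not the code of cve-check.bbclass or of the zlib recipe; the rows and
# CVE ids below are constructed sample data, not NVD content.
from dataclasses import dataclass


@dataclass(frozen=True)
class CpeRow:
    """One (CVE, vendor, product) row as a CPE database would provide it."""
    cve: str
    vendor: str
    product: str


# Constructed sample rows; the CVE ids are placeholders, not real entries.
SAMPLE_CPES = [
    CpeRow("CVE-EXAMPLE-0001", "gnu", "zlib"),         # upstream zlib under vendor "gnu"
    CpeRow("CVE-EXAMPLE-0002", "zlib", "zlib"),        # upstream zlib under vendor "zlib"
    CpeRow("CVE-EXAMPLE-0003", "cloudflare", "zlib"),  # a fork that shares the product name
    CpeRow("CVE-EXAMPLE-0004", "gnu", "gzip"),         # unrelated product, must never match
]


def parse_cve_product(cve_product):
    """Split a space-separated CVE_PRODUCT value into (vendor, product) pairs.

    An entry without ':' carries no vendor; "any vendor" is represented as None.
    """
    pairs = []
    for entry in cve_product.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
            pairs.append((vendor, product))
        else:
            pairs.append((None, entry))
    return pairs


def matching_cves(cve_product, rows):
    """Return the sorted CVE ids whose (vendor, product) row matches CVE_PRODUCT."""
    pairs = parse_cve_product(cve_product)
    hits = set()
    for row in rows:
        for vendor, product in pairs:
            if row.product == product and (vendor is None or row.vendor == vendor):
                hits.add(row.cve)
    return sorted(hits)


def apply_cve_status(cves, cve_status):
    """Drop CVEs the recipe lists in CVE_STATUS.

    cve_status maps a CVE id to a "status: reason" string; any listed CVE is
    removed from the report regardless of what the reason says.
    """
    return [cve for cve in cves if cve not in cve_status]


def report(cve_product, cve_status, rows=SAMPLE_CPES):
    """Full pipeline: match by product and vendor, then subtract ignored entries."""
    return apply_cve_status(matching_cves(cve_product, rows), cve_status)


if __name__ == "__main__":
    # Option 1: vendor-less product plus a permanent per-CVE ignore.
    ignore = {"CVE-EXAMPLE-0003": "not-applicable-config: specific to a fork"}
    print("zlib + ignore      ->", report("zlib", ignore))
    # Option 2: explicit vendors; the fork-only row never matches, so no ignore is needed.
    print("gnu:zlib zlib:zlib ->", report("gnu:zlib zlib:zlib", {}))
    # With neither, the fork-only CVE is reported against this recipe.
    print("zlib, no ignore    ->", report("zlib", {}))
```

The difference the model makes visible: the ignore entry hides one known CVE id, while the vendor-qualified CVE_PRODUCT also excludes any future CVE filed only against the fork's vendor, at the cost of having to list every vendor under which the real upstream is recorded.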


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194173): 
https://lists.openembedded.org/g/openembedded-core/message/194173
Mute This Topic: https://lists.openembedded.org/mt/103886356/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

2024-01-22 Thread Ross Burton
On 22 Jan 2024, at 14:16, Marko, Peter  wrote:
> 
> Hi Ross,
> 
> I think this one is better - 
> https://lists.openembedded.org/g/openembedded-core/message/193603
> I'm not sure why it was not picked up yet after 9 days, but it's the CPE which is 
> not matching, not our configuration options…

Ah I didn’t see that.

However the CPE _is_ correct, it's our matching which is not.  I assumed there 
wasn't enough consistency in the zlib CPEs that we could set one with a vendor.

Ross





Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

2024-01-22 Thread Peter Marko via lists.openembedded.org
Hi Ross,

I think this one is better - 
https://lists.openembedded.org/g/openembedded-core/message/193603
I'm not sure why it was not picked up yet after 9 days, but it's the CPE which is 
not matching, not our configuration options...

Peter

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Ross Burton via 
lists.openembedded.org
Sent: Monday, January 22, 2024 15:04
To: openembedded-core@lists.openembedded.org
Subject: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

> From: Ross Burton 
>
> This issue is specific to the Cloudflare fork of zlib.
>
> Signed-off-by: Ross Burton 
> ---
>  meta/recipes-core/zlib/zlib_1.3.bb | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/zlib/zlib_1.3.bb 
> b/meta/recipes-core/zlib/zlib_1.3.bb
> index 1ed18172faa..9db5588d66a 100644
> --- a/meta/recipes-core/zlib/zlib_1.3.bb
> +++ b/meta/recipes-core/zlib/zlib_1.3.bb
> @@ -47,3 +47,4 @@ do_install_ptest() {
>  BBCLASSEXTEND = "native nativesdk"
>  
>  CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
> +CVE_STATUS[CVE-2023-6992] = "not-applicable-config: specific to the 
> Cloudflare fork"
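Review bot: the justification on the added `CVE_STATUS[CVE-2023-6992]` line states a conclusion ("specific to the Cloudflare fork") without pointing at what was checked, so the ignore cannot be re-audited when the NVD entry changes; the reply above already disputes the framing, saying the mismatch is in the CPE, not in our configuration options. Suggest the reason text name the evidence (the CPE vendor on the NVD entry for this CVE) and that the commit message record why a vendor-qualified `CVE_PRODUCT` was not used instead.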
> -- 
> 2.34.1





[OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

2024-01-22 Thread Ross Burton
From: Ross Burton 

This issue is specific to the Cloudflare fork of zlib.

Signed-off-by: Ross Burton 
---
 meta/recipes-core/zlib/zlib_1.3.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/zlib/zlib_1.3.bb 
b/meta/recipes-core/zlib/zlib_1.3.bb
index 1ed18172faa..9db5588d66a 100644
--- a/meta/recipes-core/zlib/zlib_1.3.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.bb
@@ -47,3 +47,4 @@ do_install_ptest() {
 BBCLASSEXTEND = "native nativesdk"
 
 CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
+CVE_STATUS[CVE-2023-6992] = "not-applicable-config: specific to the Cloudflare 
fork"
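Review bot: the status category and the reason on the added `CVE_STATUS[CVE-2023-6992]` line do not agree. The preceding line uses `not-applicable-config` for a build option that is not enabled ("we don't build minizip"); "specific to the Cloudflare fork" describes a different product, not a configuration of this one, so a reader of the recipe gets the wrong picture of why the CVE is excluded. Either pick a status whose category matches the reason, or remove the cause of the false match instead of the symptom: a vendor-less `CVE_PRODUCT` is matched against every vendor's CPEs, so restricting it to the vendors that describe this recipe (the thread proposes `CVE_PRODUCT = "gnu:zlib zlib:zlib"`) would keep fork-only CVEs out of the report without an ignore entry that, as the thread notes, stays in the recipe for every future PV.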
-- 
2.34.1

