Re: [OE-core] [RFC PATCH] cve-extra-exclusions: add more linux-yocto CVE ignores

2023-06-05 Thread Marta Rybczynska
On Mon, Jun 5, 2023 at 6:25 PM Ross Burton  wrote:

> From: Ross Burton 
>
> These CVEs have all been fixed <6.1.30, which is the default linux-yocto
> kernel version.
>
>
Those are pretty new ones, should be all covered by the new CVE format. Is
anyone already sending pull requests to include that information in the CVE
database directly (not NVD)?

Kind regards,
Marta

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#182412): 
https://lists.openembedded.org/g/openembedded-core/message/182412
Mute This Topic: https://lists.openembedded.org/mt/99344319/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [RFC PATCH] cve-extra-exclusions: add more linux-yocto CVE ignores

2023-06-05 Thread Marta Rybczynska
On Mon, Jun 5, 2023 at 6:48 PM Richard Purdie <richard.pur...@linuxfoundation.org> wrote:

> On Mon, 2023-06-05 at 16:31 +, Ross Burton wrote:
> > I did some triage of the CVEs in this list but realised that this
> > file is a bad location for them: whilst we don’t expect people to
> > switch out most recipes, we do have to expect BSPs to switch the
> > kernel, so by accumulating a list of exclusions in this recipe that
> > are based on the current version of linux-yocto we may negatively
> > impact on people using a BSP which, for example, uses a 5.10 kernel.
> >
> > Should we move the kernel-specific exclusions, where they’re being
> > done because they’re fixed in a release we ship, to the linux-yocto
> > recipe?
>
> A specific include with "6.1" in the name might be a good way to do it
> so that others who follow the same stable series updates could reuse
> it?
>
>
This is definitely better to have a specific file. However, I know some BSPs
that stay at x.0 version of the kernel and if they include such a file, they
will have a false sense of security...

Kind regards,
Marta
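
The concern in this message, a series-named exclusion file being included by a BSP whose kernel sits at x.0 or in another series, can be checked mechanically. The following is an added example, not code from the thread or from OE-core; the CVE ids are placeholders, the fixed-in versions are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample data: placeholder CVE ids mapped to the first release
# of the 6.1 stable series assumed to carry the fix (illustrative values).
FIXED_IN_6_1 = {
    "CVE-0000-0001": "6.1.5",
    "CVE-0000-0002": "6.1.22",
    "CVE-0000-0003": "6.1.29",
}


def parse_kernel_version(pv):
    """Return (major, minor, patch) from a PV such as '6.1.30+git...' or '6.1'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", pv)
    if not m:
        raise ValueError("unrecognised kernel version: %r" % pv)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def applicable_exclusions(pv, fixed_in, series=(6, 1)):
    """Split exclusions into (safe_to_ignore, still_reportable) for kernel pv.

    An exclusion is honoured only when the kernel is in the same stable
    series as the exclusion file and at or past the fixed-in release.
    Kernels from any other series keep every CVE reportable, because the
    file says nothing about where (or whether) that series got the fix.
    """
    kver = parse_kernel_version(pv)
    ignore, keep = [], []
    for cve, fixed in sorted(fixed_in.items()):
        fver = parse_kernel_version(fixed)
        if kver[:2] == series and fver[:2] == series and kver >= fver:
            ignore.append(cve)
        else:
            keep.append(cve)
    return ignore, keep


if __name__ == "__main__":
    # Constructed kernel versions: current default, x.0, mid-series, other series.
    for pv in ("6.1.30+gitAUTOINC+abcdef", "6.1.0", "6.1.25", "5.10.180"):
        ignore, keep = applicable_exclusions(pv, FIXED_IN_6_1)
        print(pv, "ignore:", ignore, "report:", keep)
```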




Re: [OE-core] [RFC PATCH] cve-extra-exclusions: add more linux-yocto CVE ignores

2023-06-05 Thread Richard Purdie
On Mon, 2023-06-05 at 16:31 +, Ross Burton wrote:
> I did some triage of the CVEs in this list but realised that this
> file is a bad location for them: whilst we don’t expect people to
> switch out most recipes, we do have to expect BSPs to switch the
> kernel, so by accumulating a list of exclusions in this recipe that
> are based on the current version of linux-yocto we may negatively
> impact on people using a BSP which, for example, uses a 5.10 kernel.
> 
> Should we move the kernel-specific exclusions, where they’re being
> done because they’re fixed in a release we ship, to the linux-yocto
> recipe?

A specific include with "6.1" in the name might be a good way to do it
so that others who follow the same stable series updates could reuse
it?

Cheers,

Richard





Re: [OE-core] [RFC PATCH] cve-extra-exclusions: add more linux-yocto CVE ignores

2023-06-05 Thread Ross Burton
I did some triage of the CVEs in this list but realised that this file is a bad 
location for them: whilst we don’t expect people to switch out most recipes, we 
do have to expect BSPs to switch the kernel, so by accumulating a list of 
exclusions in this recipe that are based on the current version of linux-yocto 
we may negatively impact on people using a BSP which, for example, uses a 5.10 
kernel.

Should we move the kernel-specific exclusions, where they’re being done because 
they’re fixed in a release we ship, to the linux-yocto recipe?

Ross