cve-check: Add provision to exclude
>classes
>
>On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org
> wrote:
>>
>> From: Dhairya Nagodra
>>
>> - There are times when excluding a package that inherits a particular
>> class/classes may be d
A gentle reminder
>-Original Message-
>From: dnago...@cisco.com
>Sent: Sunday, March 3, 2024 11:23 PM
>To: openembedded-core@lists.openembedded.org
>Cc: xe-linux-external(mailer list) ; Dhairya
>Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
>Subject: [master] [PATCH] cve-check: Add
From: Dhairya Nagodra
Includes fixes for CVE-2023-6816, CVE-2024-0408, CVE-2024-0409
Signed-off-by: Dhairya Nagodra
---
.../xwayland/{xwayland_23.2.3.bb => xwayland_23.2.4.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename
From: Dhairya Nagodra
- There are times when excluding a package that inherits a particular
class/classes may be desired.
- This provides the framework for that via the variable:
CVE_CHECK_CLASS_EXCLUDELIST
Signed-off-by: Dhairya Nagodra
---
meta/classes/cve-check.bbclass | 12
From: Dhairya Nagodra
- The current recipe only contains one (out of three) valid product
names for dbus package in NVD.
- This could result in reporting a lesser number of CVEs than actual.
- Added missing names to get a proper list.
Signed-off-by: Dhairya Nagodra
---
From: Dhairya Nagodra
Signed-off-by: Dhairya Nagodra
---
meta/recipes-core/glibc/glibc-version.inc | 1 -
1 file changed, 1 deletion(-)
diff --git a/meta/recipes-core/glibc/glibc-version.inc
b/meta/recipes-core/glibc/glibc-version.inc
index 212f960cb5..ee89762ae6 100644
---
Hi,
On 2023/12/11 10:02, Yoann Congal wrote:
>Hello,
>
>On 11/12/2023 at 08:51, Yuta Hayama wrote:
>> Hi,
>>
>> On 2023/12/08 14:04, Dhairya Nagodra via lists.openembedded.org wrote:
>>> Sometimes NVD servers are unstable and return too many errors.
>>
From: Dhairya Nagodra
Sometimes NVD servers are unstable and return too many errors.
There is an option to have higher fetch attempts to increase the chances
of successfully fetching the CVE data.
Additionally, it also makes sense to progressively increase the delay
after a failed request to an
From: Dhairya Nagodra
As per NVD, the public rate limit is 5 requests in 30s (6s delay).
Using an API key increases the limit to 50 requests in 30s (0.6s delay).
However, NVD still recommends sleeping for several seconds so that the
other legitimate requests are serviced without denial or
Sometimes NVD servers are unstable and return too many errors.
There is an option to have higher fetch attempts to increase the chances
of successfully fetching the CVE data.
Additionally, it also makes sense to progressively increase the delay
after a failed request to an already unstable or
As per NVD, the public rate limit is 5 requests in 30s (6s delay).
Using an API key increases the limit to 50 requests in 30s (0.6s delay).
However, NVD still recommends sleeping for several seconds so that the
other legitimate requests are serviced without denial or interruption.
Keeping the
es when CVE_PRODUCT =
> "flex_project:flex" means it's not reported by cve-check?
> Peter
>
> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Dhairya Nagodra via
> lists.openembedded.org
> Sent
Issue only affects Apache.
Signed-off-by: Dhairya Nagodra
---
meta/recipes-devtools/flex/flex_2.6.4.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb
b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 50d3bf8de1..7eb7da355f 100644
---
Issue only affects Apache.
Signed-off-by: Dhairya Nagodra
---
meta/recipes-devtools/flex/flex_2.6.4.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb
b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5cca..7201977857 100644
---
Issue only affects Apache.
Signed-off-by: Dhairya Nagodra
---
meta/recipes-devtools/flex/flex_2.6.4.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb
b/meta/recipes-devtools/flex/flex_2.6.4.bb
index c7cd965347..266507d7ac 100644
---
Hi @Steve Sakoman @richard.pur...@linuxfoundation.org,
Kindly consider this patch for "master" branch.
Apologies for the error.
> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Dhairya Nagodra via
>
Issue only affects Apache.
Signed-off-by: Dhairya Nagodra
---
meta/recipes-devtools/flex/flex_2.6.4.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb
b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 1ac88d65ef..5be7351f4c 100644
---
Upstream Repository: https://git.savannah.gnu.org/git/dmidecode.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30630
Type: Security Fix
CVE: CVE-2023-30630
Score: 7.8
Patch:
https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c
Signed-off-by: Dhairya Nagodra
From: Yogita Urade
Dmidecode before 3.5 allows -dump-bin to overwrite a local file.
This has security relevance because, for example, execution of
Dmidecode via Sudo is plausible.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-30630
The commit
[https://github.com/openembedded/openembedded-core/commit/c22bbe9b45e3]
backports fix for CVE-2023-25193 for version 2.6.4.
The apply() in src/hb-ot-layout-gpos-table.hh ends prematurely.
The if block in apply() has an extra return statement,
which causes it to return w/o executing