rds,
Marta
On Thu, May 16, 2024 at 3:26 PM Marko, Peter
wrote:
> Hello Marta,
>
>
>
> Glibc fixes are already staged in scarthgap-nut.
>
> It would be interesting to check why the prototype does not list glib-2.0
> CVE-2024-34397 which is staged there, too.
>
>
>
>
Hello all,
The prototype CVE check via the MITRE database is giving the following for
scarthgap today (adding maintainers of affected packages in copy):
CVE-2024-32002.json: affected: git 2.44.0
CVE-2024-32004.json: affected: git 2.44.0
CVE-2024-32020.json: affected: git 2.44.0
Hello all,
We're close to the point to post RFC patches of the VEX work. As a
reminder, we're working on storing SBOM/CVE information for later use and
be able to re-run the cve-check in the future.
To do that, we split out the nvd fetcher and cve-check from the YP builds
to a separate tool. This
On Mon, 6 May 2024, 13:09 nikhil via lists.openembedded.org, wrote:
> Update LICENSE defined for xz packages to match the license
> information provided in the xz COPYING file.
>
> The license information from the PACKAGERS file of xz mentions that
> packages with lzma files are in the public domain. They ask
Hello Bruce et al,
For information, the linux_kernel_cves repo has now a banner "This
repository has been archived by the owner on May 2, 2024. It is now
read-only. ",
so I guess this is the last update.
Greg has scripting for statistics of the new process, haven't looked
into them yet.
Regards,
Details: https://kb.cert.org/vuls/id/421644
Affected (amongst others): nodejs, oghttp, nghttp2, Apache httpd, go
Multiple CVEs have been issued.
Quoting from the description:
HTTP allows messages to include named fields in both header and
trailer sections. These header and trailer fields are
On Sat, Mar 30, 2024 at 1:26 PM Richard Purdie
wrote:
>
> On Sat, 2024-03-30 at 13:08 +0100, Marta Rybczynska wrote:
> > Absolutely confirm. DO NOT UPDATE
> >
> > Marta
> >
> > On Sat, 30 Mar 2024, 02:04 Mark Hatle,
> > wrote:
> > > I know th
On Mon, Apr 1, 2024 at 9:02 PM Denys Dmytriyenko wrote:
>
> On Mon, Apr 01, 2024 at 11:42:51AM +0200, Fathi Boudra wrote:
> > On Sat, 30 Mar 2024 at 17:18, Richard Purdie
> > wrote:
> > >
> > > On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote:
> > > > From what is publicly known it injected
Absolutely confirm. DO NOT UPDATE
Marta
On Sat, 30 Mar 2024, 02:04 Mark Hatle,
wrote:
> I know this request is a week or so old..
>
> But do NOT upgrade to 'xz' 5.6.0 or 5.6.1. It has been compromised:
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> --Mark
>
> On 3/14/24 8:40
On Sun, Mar 24, 2024 at 3:11 PM Alexander Kanavin
wrote:
>
> I’m getting slightly concerned, no new CVEs second week in a row? Did the
> checker break?
>
I think you weren't there at the weekly meeting when we discussed
that: it started around Feb 14th and I see that in my data
(I have a daily
On Sun, Mar 24, 2024 at 3:25 PM Rich Persaud wrote:
>
> https://www.darkreading.com/cybersecurity-operations/nist-vuln-database-downshifts-prompting-questions-about-its-future
>
> > Next week, vulnerability researchers will gather for the VulnCon conference
> > in Raleigh, N.C., where an "NVD
On Wed, 13 Mar 2024, 16:15 Yoann Congal, wrote:
> Add a new variable "CVE_DB_INCR_UPDATE_AGE_THRES", which can be used to
> specify the maximum age of the database for doing an incremental update
> For older databases, a full re-download is done.
>
> With a value of "0", this forces a
On Mon, Mar 4, 2024 at 1:29 PM Ross Burton wrote:
>
> On 3 Mar 2024, at 13:18, Peter Marko via lists.yoctoproject.org
> wrote:
> >
> > I already mentioned this last week.
> > https://lists.openembedded.org/g/openembedded-core/message/196199
> >
> > I think that partial NVD DB update is not
code architecture documentation
Signed-off-by: Marta Rybczynska
---
...{python3-spdx-tools_0.8.1.bb => python3-spdx-tools_0.8.2.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-devtools/python/{python3-spdx-tools_0.8.1.bb =>
python3-spdx-tools_0.8.2.bb} (88%)
forward reference exceptions
Class redecoration eliding
Documentation update
[1] https://github.com/beartype/beartype/releases/tag/v0.16.4
[2] https://github.com/beartype/beartype/releases/tag/v0.16.3
Signed-off-by: Marta Rybczynska
---
.../{python3-beartype_0.16.2.bb => python3-beartype_0.16.4
On Wed, Nov 1, 2023 at 6:31 AM Marta Rybczynska via
lists.openembedded.org
wrote:
>
>
>
>
> On Wed, 1 Nov 2023, 11:48 Anuj Mittal, wrote:
>>
>> On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:
>> >
>> >
>> > On Tue, Oct 31, 2023 at 7:26
On Wed, 1 Nov 2023, 11:48 Anuj Mittal, wrote:
> On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:
> >
> >
> > On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal
> > wrote:
> > > On Tue, 2023-10-31 at 14:20 +, Trevor Gamblin wrote:
> > > > Thank you for your submission. Patchtest identified one
From: Samantha Jalabert
Change functions and tasks to match the SPDX 3 model.
Signed-off-by: Samantha Jalabert
---
meta/classes/create-spdx-3.0.bbclass | 728 +--
1 file changed, 224 insertions(+), 504 deletions(-)
diff --git a/meta/classes/create-spdx-3.0.bbclass
Add a specific readme for SPDX3 with open questions and other notes
related to the PoC.
Signed-off-by: Marta Rybczynska
---
README.SPDX3 | 42 ++
1 file changed, 42 insertions(+)
create mode 100644 README.SPDX3
diff --git a/README.SPDX3 b/README.SPDX3
From: Louis Rannou
Create a function that searches into a json-ld instead of completely loading it.
Signed-off-by: Louis Rannou
---
meta/lib/oe/sbom.py | 32
1 file changed, 32 insertions(+)
diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
index
From: Louis Rannou
Create SPDX3 objects as classes as they are described in the SPDX3 model.
Signed-off-by: Louis Rannou
Signed-off-by: Samantha Jalabert
---
meta/lib/oe/spdx3.py | 385 +++
1 file changed, 385 insertions(+)
create mode 100644
From: Louis Rannou
This changes the prototype of write_doc as the SPDX3 documentation does not
specify yet which is the root element.
Signed-off-by: Louis Rannou
Signed-off-by: Marta Rybczynska
Signed-off-by: Samantha Jalabert
---
meta/lib/oe/sbom.py | 5 +++--
1 file changed, 3 insertions
From: Louis Rannou
Extend objects used to build the spdx scheme:
- add support for inheritance
- hide all attributes starting with _spdx
- add methods to list properties and item pairs
- improve the serializer to match the spdx3 scheme
Signed-off-by: Louis Rannou
---
meta/lib/oe/sbom.py | 2
From: Louis Rannou
Initialize the work on SPDX 3 with a copy of the SPDX 2.2. Change default to
SPDX 3.
Signed-off-by: Louis Rannou
Signed-off-by: Marta Rybczynska
---
meta/classes/create-spdx-3.0.bbclass | 1158 ++
meta/classes/create-spdx.bbclass |2 +-
2
the write_doc to prepare for spdx3
create-spdx-3.0: SPDX3 objects as classes
oe/sbom: search into json
Marta Rybczynska (1):
README.SPDX3: add file
Samantha Jalabert (1):
create-spdx-3.0: support for recipe spdx creation
README.SPDX3 | 42 ++
meta/classes/create
e start exploding the statuses as someone will “need” additional
> one soon.
>
>
>
> If we really want to introduce these new statues (I hope not), please modify
> this patch to handle its CVE_STATUS flags, too.
>
> Additionally, I’d drop “Undecidable” and map it to “Unpat
e" with status
> "cpe-incorrect" or "ignored" exactly for those purposes. Extending the
> option with "not affected" doesn't make any sense.
>
> You have to set the status to "why is not affected" = "ignored". Which
> comple
Hi Andrej,
This is more complex. "Not affected" is also an issue that isn't present in the
code - like when we have a version that has never had the vulnerability.
Those are also currently 'Patched' in cve-check.
This work is in sync with what VEX is doing, is it the use-case
Matsunaga-Shinji?
On Fri, Oct 20, 2023 at 4:18 PM Michael Opdenacker
wrote:
>
> Hi Marta
>
> On 20.10.23 at 10:36, Marta Rybczynska wrote:
> > Hello everyone,
> > We have a constant flow of work on pending CVEs. During my discussion
> > with multiple people, there is a c
Hello everyone,
We have a constant flow of work on pending CVEs. During my discussion
with multiple people, there is a common need for synchronization of
this work to avoid duplication or forgotten fixes.
We have a decision on the tooling to make: do we want to create a
Bugzilla entry for each
On Mon, Oct 16, 2023 at 9:01 AM Mikko Rapeli wrote:
>
> Many recipes embed other SW components. The name and version of the
> embedded SW component differs from the main recipe. To detect CVEs in the
> embedded SW component, it needs to be added to CVE_PRODUCT list using
> name of the SW product
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.
Signed-off-by: Marta Rybczynska
---
SECURITY.md | 22 ++
1 file changed, 22 insertions(+)
create mode 100644 SECURITY.md
diff --git
On Tue, Oct 17, 2023 at 11:50 PM Richard Purdie
wrote:
>
> On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> > Add a SECURITY.md file with hints for security researchers and other
> > parties who might report potential security vulnerabilities.
> >
> > S
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.
Signed-off-by: Marta Rybczynska
---
SECURITY.md | 17 +
1 file changed, 17 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b
On Thu, 21 Sept 2023, 11:03 Matsunaga-Shinji,
wrote:
> CVEs that are currently considered "Patched" are classified into the
> following 3 statuses:
> 1. "Patched" - means that a patch file that fixed the vulnerability
> has been applied
> 2. "Out of range" - means that the package version
On Mon, Oct 2, 2023 at 12:40 PM Richard Purdie
wrote:
>
> It isn't any secret that I'm overloaded and struggle to keep up with
> the demands of the project. People often ask me "how do you need
> help?". Today, we have a fairly good example of the kind of problem I
> struggle with. So it is
of my code update, so you can get that for free.
>
Thanks!
David
>
> -Original Message-
> From: Marta Rybczynska
> Sent: Wednesday, September 27, 2023 12:18 AM
> To: Reyna, David
> Cc: yocto-secur...@lists.yoctoproject.org; OE-core <
> openembedded-core@lists.openembed
that manages CVE scanning of
> build images, with hooks to a number existing CVE scanners (e.g. Trivy) in
> addition to other vulnerability metrics. This is probably out of scope to YP
> at this time, but it is perhaps something to grow in to.
>
> -Original Message-
> From: yo..
>
> > commit: 1a14a28f132a10e9db7b3e5bb2b5361c4679946e
> >
> > Signed-off-by: Marta Rybczynska
>
> Please send a removal patch for meta-python as well. So we can keep
> passing the yp compat checks for meta-openembedded on AB and coordinate
> the change between meta-
On Wed, Sep 13, 2023 at 6:28 PM Mark Hatle
wrote:
> >> * Visibility of the security work of the YP
> >>
> >> There is much work on security in the YP, but it lacks visibility.
> >
> > Is there a common nexus for this work? eg. do most of the folks who are
> > doing security work tend to
ction.
>
Thank you Alex!
>
> More responses inline.
>
> On 9/13/23 07:52, Marta Rybczynska via lists.openembedded.org wrote:
> > * CVEs: Visibility if YP is vulnerable or not
> >
> > People want to be able to check/look up a specific CVE; it might be a
>
On Wed, Sep 13, 2023 at 2:33 PM Mikko Rapeli wrote:
>
> Hi,
>
> On Wed, Sep 13, 2023 at 01:52:19PM +0200, Marta Rybczynska wrote:
> > Hello,
> > I've been working recently on collecting what works and what doesn't
> > in YP security processes. The go
Hello,
I've been working recently on collecting what works and what doesn't
in YP security processes. The goal is to go forward and define an
actionable strategy!
Today, I'd like to share with you the summary of what I have heard as
needs from several people (those in Cc:).
I want the community
On Sun, 10 Sept 2023, 17:14 Khem Raj, wrote:
> On Sun, Sep 10, 2023 at 4:18 AM Steve Sakoman wrote:
> >
> > Branch: master
> >
> > New this week: 10 CVEs
> > CVE-2022-3563 (CVSS3: 5.7 MEDIUM): bluez5
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3563 *
> > CVE-2022-3637 (CVSS3:
On Mon, Aug 7, 2023 at 6:28 PM wrote:
> From: Ross Burton
>
> Instead of manually looking up new CVEs and determining what point
> releases the fixes are incorporated into, add a script to generate the
> CVE_STATUS data automatically.
>
> First, note that this is very much an interim solution
> Hitendra Prajapati (1):
> openssl: CVE-2023-2650 Possible DoS translating ASN.1 object
> identifiers
>
> Ian Ray (1):
> systemd-systemctl: support instance expansion in WantedBy
>
> Jan Vermaete (1):
> cve-update-nvd2-native: added the missing http import
pdates
>
> Ian Ray (1):
> systemd-systemctl: support instance expansion in WantedBy
>
> Jan Vermaete (1):
> cve-update-nvd2-native: added the missing http import
>
> Marta Rybczynska (1):
> cve-update-nvd2-native: new CVE database fetcher
>
> Qiu Tingting (1):
>
We might see some difficulties in the next days.
Marta
-- Forwarded message -
From: nvd-news
Date: Fri, Jul 21, 2023 at 5:57 PM
Subject: [nvd-news] Keyword and Keyword Exact Match Searches Temporarily
Disabled
To: nvd-news
*Keyword and Keyword Exact Match Searches Temporarily
On Wed, Jul 19, 2023 at 2:03 PM Andrej Valek via lists.openembedded.org
wrote:
> Even better,
>
> So I will make one more rebase, just for "[OE-core][PATCH v9 3/3]
> cve_check:
> convert CVE_CHECK_IGNORE to CVE_STATUS"
>
>
This version looks best from all I've seen. Let's get it in in this
Thank you Peter for debugging this. Could you dump us a log of one of your
typical runs to see what the errors are?
We might consider mirroring at some point.
Kind regards,
Marta
On Tue, Jul 11, 2023 at 8:37 AM Peter Marko via lists.openembedded.org
wrote:
> From: Peter Marko
>
> Last couple
Peter, what is the probability it passes (for the complete download) with
those settings? Is it every time?
Kind regards,
Marta
On Tue, Jul 11, 2023 at 1:17 PM Ross Burton wrote:
> Horrible, but in my testing it works. Thanks Peter!
>
> Ross
>
> > On 11 Jul 2023, at 07:36, Peter Marko via
On Fri, 23 Jun 2023, 08:32 , wrote:
> From: Ross Burton
>
> Some CVEs, such as CVE-2013-6629, list multiple configurations which are
> vulnerable. The current JSON parser only considers the first
> configuration.
>
> Instead, consider every configuration. We don't yet handle the AND/OR
>
Hello all,
I'm drafting a fetcher for kernelcves (
https://github.com/nluedtke/linux_kernel_cves/) and the data conflicts in a
certain way with cve-extra-exclusions.inc. With multiple fetchers we'll
need to have a way to say which data set has priority.
For now I can see examples of two cases
On Mon, Jun 5, 2023 at 6:25 PM Ross Burton wrote:
> From: Ross Burton
>
> These CVEs have all been fixed <6.1.30, which is the default linux-yocto
> kernel version.
>
>
Those are pretty new ones, should be all covered by the new CVE format. Is
anyone already
sending pull requests to include
On Mon, Jun 5, 2023 at 6:48 PM Richard Purdie <
richard.pur...@linuxfoundation.org> wrote:
> On Mon, 2023-06-05 at 16:31 +, Ross Burton wrote:
> > I did some triage of the CVEs in this list but realised that this
> > file is a bad location for them: whilst we don’t expect people to
> > switch
Hello all,
I'm in process of clarifying entries for NVD to have them fixed in the
sources. The comments in the patch linked do not include all the needed
information, however.
Let's take this one:
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
+# Introduced in version v2.6.12
Hello all,
A short heads-up on the situation with CVE updates.
1. In the new CVE database, each fix needs to be made by the CNA that
created the entry. For the kernel ones there are several. Will try a test
fix (at random) to see what the reaction could be.
2. I do not have an answer from NVD
On Thu, May 11, 2023 at 11:17 PM Armin Kuster wrote:
>
>
> On 5/9/23 6:32 PM, Steve Sakoman wrote:
> > From: Yoann Congal
> >
> > Exclude CVEs that are fixed in both current linux-yocto version
> > v5.10.175 and v5.15.108.
> >
> > To get the commit fixing a CVE, I used the Debian kernel-sec
Thank you for this work. I think we are going in a good direction. My
comments in the text.
In general, I would like that we come with the fixed list of possible
statuses and avoid adding new ones too frequently. Changing them will break
my parsing and status scripts each time.
On Fri, May 19,
On Wed, Apr 5, 2023 at 8:44 PM Steve Sakoman wrote:
> On Wed, Apr 5, 2023 at 8:43 AM Marta Rybczynska
> wrote:
> >
> >
> >
> > On Wed, Apr 5, 2023 at 5:55 PM Steve Sakoman wrote:
> >>
> >> Hi Marta,
> >>
> >> Is this saf
On Wed, Apr 12, 2023 at 3:19 PM Yoann Congal wrote:
> On 4/12/23 13:45, jan vermaete wrote:
> > Hi,
> >
> > I have no preference on how to fix it.
> > I intended to stay as close as possible to the code of Marta
>
> Yes, I see that. I'm okay with your patch as-is since the current code is
> not
On Wed, Apr 5, 2023 at 5:55 PM Steve Sakoman wrote:
> Hi Marta,
>
> Is this safe to backport to the stable branches, or should I let it
> "age" in master for a while?
>
>
Hi Steve,
I vote to let it age for a little moment. In the meantime I'm trying to
figure out when exactly NVD will turn off
rta,
>
> We only tested core-image-minimal and some recipes that use the update
> and release candidate formats (pX and -rcX)
>
> Geoffrey GIRY
> SMILE ECS - R Engineer
>
> On Wed, 29 Mar 2023 at 06:45, Marta Rybczynska
> wrote:
> >
> > On Tue, Mar 2
On Wed, 29 Mar 2023, 12:03 Marta Rybczynska via lists.openembedded.org,
wrote:
> Add new fetcher for the NVD database using the 2.0 API [1].
> The implementation changes as little as possible, keeping the current
> database format (but using a different database file for the transition
be visible:
- the database starts in 1999 instead of 2002
- the complete fetch is longer (30 minutes typically)
[1] https://nvd.nist.gov/developers/vulnerabilities
Signed-off-by: Marta Rybczynska
---
meta/classes/cve-check.bbclass| 4 +-
.../meta/cve-update-nvd2-native.bb
On Tue, Mar 28, 2023 at 12:24 PM Geoffrey GIRY
wrote:
> Fixes [YOCTO #14127]
>
> NVD DB stores version and update in the same value, separated by '_'.
> The proposed patch checks if the version from NVD DB contains a "_",
> i.e. 9.2.0_p1 is converted to 9.2.0p1 before version comparison.
>
>
Thank you
On Wed, Feb 22, 2023 at 11:08 AM Marta Rybczynska via lists.openembedded.org
wrote:
>
>
> On Tue, Feb 21, 2023 at 2:47 PM Ross Burton wrote:
>
>> Hi Marta,
>>
>> > On 21 Feb 2023, at 13:20, Marta Rybczynska
>> wrote:
>> > I'm finishing the
On Fri, Feb 24, 2023 at 5:22 PM Marta Rybczynska via lists.openembedded.org
wrote:
>
>
> On Fri, Feb 24, 2023 at 5:16 PM Marta Rybczynska
> wrote:
>
>> Add new fetcher for the NVD database using the 2.0 API [1].
>> The implementation changes as little as po
.
>
> Richard, thank you for the details provided.
>
> Regards,
> Geoffrey GIRY
> Research and Development Engineer
> SMILE
>
>
>
> On Mon, 27 Feb 2023 at 23:02, Richard Purdie
> wrote:
> >
> > On Mon, 2023-02-27 at 18:49 +0100, Marta Rybczyns
Hello Geoffroy,
Thank you for the work. Have you contacted NVD to update the database
instead? What did they say?
Kind regards
Marta
On Mon, 27 Feb 2023, 12:00 Geoffrey GIRY, wrote:
> Multiple CVEs are patched in the kernel but appear as active because the NVD
> database is not up to date.
>
> CVE
On Fri, Feb 24, 2023 at 5:16 PM Marta Rybczynska
wrote:
> Add new fetcher for the NVD database using the 2.0 API [1].
> The implementation changes as little as possible, keeping the current
> database format (but using a different database file for the transition
> period), wi
be visible:
- the database starts in 1999 instead of 2002
- the complete fetch is longer (30 minutes typically)
[1] https://nvd.nist.gov/developers/vulnerabilities
Signed-off-by: Marta Rybczynska
---
meta/classes/cve-check.bbclass| 4 +-
.../meta/cve-update-nvd2-native.bb
On Tue, Feb 21, 2023 at 2:47 PM Ross Burton wrote:
> Hi Marta,
>
> > On 21 Feb 2023, at 13:20, Marta Rybczynska wrote:
> > I'm finishing the new fetcher for cve check using the 2.0 NVD API. Will
> need testers to check as many configurations as possible before w
Hello all,
I'm finishing the new fetcher for cve check using the 2.0 NVD API. Will
need testers to check as many configurations as possible before we switch
the format.
The current estimate is this week, hoping that the real life doesn't
interfere.
Good news for all users is that nothing changes
>
>
>>>
>>> Hi Jose,
>>> Thanks for looking into that. The function is not a total duplicate: the
>>> difference is that
>>> it always removes the db_tmp_file, not only if the journal file
>>> exists (Python code
>>> formatting!).
>>>
>>
>> Don't see on the first time that the db_tmp_file is
This patch is replaced by
https://lists.openembedded.org/g/openembedded-core/message/175355 (with a
minor patch title change)
On Mon, Jan 2, 2023 at 8:03 AM Marta Rybczynska
wrote:
> Move cleanup of the database after a failed download to a separate
> function. This will be useful when w
. It replaces the main one only if the whole
update was successful.
See https://bugzilla.yoctoproject.org/show_bug.cgi?id=14929
Reported-by: Alberto Pianon
Signed-off-by: Marta Rybczynska
---
.../recipes-core/meta/cve-update-db-native.bb | 83 ++-
1 file changed, 61 insertions(+), 22
On Tue, Jan 3, 2023 at 10:30 AM Jose Quaresma
wrote:
>
>
> Marta Rybczynska wrote on Monday,
> 2/01/2023 at 16:38:
>
>>
>>
>> On Mon, Jan 2, 2023 at 2:14 PM Jose Quaresma
>> wrote:
>>
>>> Hi Marta,
>>>
>>
Hello all,
NVD (which we use for the cve-check database) has been working on the new
format for some time. What I understand is that they plan to retire the old API
and all the feeds (like the one we use) by September 2023. Has anyone
started working on migration of the cve-check to this new format?
On Mon, Jan 2, 2023 at 2:14 PM Jose Quaresma
wrote:
> Hi Marta,
>
> Marta Rybczynska wrote on Monday,
> 2/01/2023 at 07:03:
>
>> The database update has been done on the original file. In case of
>> network connection issues, temporary outage of the
. It replaces the main one only if the whole
update was successful.
See https://bugzilla.yoctoproject.org/show_bug.cgi?id=14929
Reported-by: Alberto Pianon
Signed-off-by: Marta Rybczynska
---
.../recipes-core/meta/cve-update-db-native.bb | 81 +--
1 file changed, 56 insertions(+), 25
Move cleanup of the database after a failed download to a separate
function. This will be useful when we have more actions to do in
that situation.
Signed-off-by: Marta Rybczynska
---
meta/recipes-core/meta/cve-update-db-native.bb | 17 ++---
1 file changed, 10 insertions(+), 7
On Wed, Dec 14, 2022 at 5:08 PM Steve Sakoman wrote:
> On Wed, Dec 14, 2022 at 4:29 AM Marta Rybczynska
> wrote:
> >
> > Since the commit 005b6aba89eaf1b79fdd7565dd028fdd9bbfcc7d
> > (efivar: add musl libc compatibility) efibootmgr compiles with
> > musl to
Since the commit 005b6aba89eaf1b79fdd7565dd028fdd9bbfcc7d
(efivar: add musl libc compatibility) efibootmgr compiles with
musl too. Update the variable to take that into account.
Signed-off-by: Marta Rybczynska
---
meta/recipes-bsp/efibootmgr/efibootmgr_18.bb | 3 ---
1 file changed, 3 deletions
Since the commit 005b6aba89eaf1b79fdd7565dd028fdd9bbfcc7d
(efivar: add musl libc compatibility) efibootmgr compiles with
musl too. Update the variable to take that into account.
Signed-off-by: Marta Rybczynska
---
meta/recipes-bsp/efibootmgr/efibootmgr_18.bb | 3 ---
1 file changed, 3 deletions
On Wed, Dec 14, 2022 at 3:29 PM Marta Rybczynska via lists.openembedded.org
wrote:
> Since the commit 005b6aba89eaf1b79fdd7565dd028fdd9bbfcc7d
> (efivar: add musl libc compatibility) efibootmgr compiles with
> musl too. Update the variable to take that into account.
>
>
Lang
Since the commit 005b6aba89eaf1b79fdd7565dd028fdd9bbfcc7d
(efivar: add musl libc compatibility) efibootmgr compiles with
musl too. Update the variable to take that into account.
Signed-off-by: Marta Rybczynska
---
meta/recipes-bsp/efibootmgr/efibootmgr_17.bb | 2 --
1 file changed, 2 deletions
Kanavin
wrote:
>
> What happens when you run 'bitbake weston'?
>
> Alex
>
> On Thu, 13 Oct 2022 at 10:10, Marta Rybczynska wrote:
> >
> >
> >
> > On Thu, 13 Oct 2022, 17:00 Alexandre Belloni,
> > wrote:
> >>
> >> On 13/10/2022 0
On Thu, 13 Oct 2022, 17:00 Alexandre Belloni,
wrote:
> On 13/10/2022 09:52:44+0200, Marta Rybczynska wrote:
> > Hello all,
> > I'm trying to build the core-image-weston in kirkstone to look into
> > https://bugzilla.yoctoproject.org/show_bug.cgi?id=14926
> >
> >
Hello all,
I'm trying to build the core-image-weston in kirkstone to look into
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14926
It turns out that the image does not build (oe-core
e728d0965d6fda8ac54e065ca7bf7eb9da9a8170 with bitbake
6603c3e39f1cf746669ec6c9f0be8c6e6ece426e). I'm getting:
Reported as https://bugzilla.yoctoproject.org/show_bug.cgi?id=14929
On Wed, Oct 12, 2022 at 6:29 PM Ross Burton wrote:
>
> On 12 Oct 2022, at 08:25, Alberto Pianon via lists.openembedded.org
> wrote:
> >
> > It iterates over NIST CVE db years, but if some year fail to download, it
> > goes on
.
>
> Cheers,
>
> -Mikko
>
> On Wed, Oct 12, 2022 at 11:51:28AM +0200, Carlo Piana wrote:
> > [sent from the wrong account, resent, sorry for the noise]
> >
> > - Original Message -----
> > > From: "Mikko Rapeli"
> > > To: "Mar
I'll be looking into how to fix it. My current idea is to make the download
a transaction, so do not update the database until we're sure the download
is complete. Plus a warning that we have had an issue, I think.
In a next step we can retry a number of times.
Regards
Marta
On Wed, 12 Oct
Dear all,
(cross-posting to oe-core and *-architecture)
In the last months, we have worked in Oniro on using the create-spdx
class for both IP compliance and security.
During this work, Alberto Pianon has found that some information is
missing from the SBOM and it does not contain enough for
On Mon, Sep 12, 2022 at 9:16 PM Steve Sakoman wrote:
>
> On Mon, Sep 12, 2022 at 8:57 AM Martin Jansa wrote:
> >
> > You mean this list?
> > https://lists.yoctoproject.org/g/yocto-security/message/655
>
> Yes, I assumed everyone was aware of the weekly CVE list! Did you
> have something else in
On Mon, 12 Sept 2022, 17:55 Steve Sakoman, wrote:
> Reply to this thread noting which CVE you plan to work on. Please
> don't claim one unless you really intend to follow through!
>
> Hello Steve,
What about sending the list of pending CVEs (from the existing
dunfell/kirkstone/master lists) for
On Fri, Sep 2, 2022 at 9:09 AM Marta Rybczynska via
lists.openembedded.org
wrote:
>
> On Tue, Aug 30, 2022 at 5:59 PM Joshua Watt wrote:
> >
> > The CVE check database needs to have a shared lock acquired on it before
> > it is accessed. This to prevent cve-update
On Tue, Aug 30, 2022 at 5:59 PM Joshua Watt wrote:
>
> The CVE check database needs to have a shared lock acquired on it before
> it is accessed. This to prevent cve-update-db-native from deleting the
> database file out from underneath it.
>
> [YOCTO #14899]
>
> Signed-off-by: Joshua Watt
> +
On Thu, Aug 25, 2022 at 9:25 AM ghassaneben wrote:
> From: ghassaneben
>
> Increase the size of loop variables in the printf() implementation to
> avoid integer overflow on multi-gigabyte string arguments. CVE-2022-35737.
> This bug fix refers to: CVE-2022-35737 and it's a backport of a fix
On Tue, Aug 2, 2022 at 4:49 PM Neal Caidin wrote:
>
> Current Dev Position: YP 4.1 M3
>
> Next Deadline: 22nd August 2022 YP 4.1 M3 Build
>
>
> Next Team Meetings:
>
> Bug Triage meeting Thursday August 4th 7:30 am PDT
> (https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
>
>