lzo was missing CVE_PRODUCT and related CVEs (at least CVE-2014-4607) were
not reported.
Signed-off-by: Marta Rybczynska
---
meta/recipes-support/lzo/lzo_2.10.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/lzo/lzo_2.10.bb
b/meta/recipes-support/lzo/lzo_2.10.bb
Ross Burton wrote:
> This replaces the default value of 'lzo', it might be safer to use +=
> so both this name and just lzo are searched for.
>
> The CVE database isn't very reliable for consistent naming, so I
> prefer to cover all bases.
>
> Ross
>
> On Thu, 19 Aug 2021
On Wed, Aug 11, 2021 at 4:52 PM Joshua Watt wrote:
> Moving the function will allow other classes to capture which CVEs have
> been patched, in particular SBoM generation.
>
> Also add a function to capture the CPE ID from the CVE Product and
> Version
>
>
Do you have a link to some resource on
CPEs, issues in the database and more.
An example entry:
LAYER: meta
PACKAGE NAME: libsdl2-native
PACKAGE VERSION: 2.0.14
CVES FOUND IN RECIPE: Yes
PRODUCT: simple_directmedia_layer (Yes)
PRODUCT: sdl (No)
Signed-off-by: Marta Rybczynska
---
meta/classes/cve-check.bbclass | 115
On Wed, Dec 22, 2021 at 11:04 AM Ross Burton wrote:
> On Mon, 20 Dec 2021 at 15:04, Marta Rybczynska
> wrote:
> > An example entry:
> > LAYER: meta
> > PACKAGE NAME: libsdl2-native
> > PACKAGE VERSION: 2.0.14
> > CVES FOUND IN RECIPE: Yes
> >
From: Marta Rybczynska
Fix issues with grub in secure boot mode where an attacker could circumvent
secure boot by using acpi and cutmem commands. Also include patches fixing
similar issues.
Most patches are backported directly from grub. One patch
(no-insmod-on-sb.patch) comes from Debian
, issues in the database and more.
An example entry:
LAYER: meta
PACKAGE NAME: libsdl2-native
PACKAGE VERSION: 2.0.14
CVES FOUND IN RECIPE: Yes
PRODUCT: simple_directmedia_layer (Yes)
PRODUCT: sdl (No)
Signed-off-by: Marta Rybczynska
---
meta/classes/cve-check.bbclass | 115
gelog.html#changelog
Signed-off-by: Marta Rybczynska
---
.../python/{python3_3.8.11.bb => python3_3.8.12.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-devtools/python/{python3_3.8.11.bb => python3_3.8.12.bb}
(99%)
diff --git a/meta/recipes
a20.
Signed-off-by: Marta Rybczynska
---
.../nss/nss/CVE-2020-12403.patch | 68 +
.../nss/nss/CVE-2020-12403_2.patch| 96 +++
meta-oe/recipes-support/nss/nss_3.51.1.bb | 2 +
3 files changed, 166 insertions(+)
create mode 100644 meta-oe/reci
> Best regards,
>
> Steve
>
> On Tue, Nov 2, 2021 at 9:20 PM Marta Rybczynska
> wrote:
> >
> > NetworkManager 1.22.16 contains a fix for CVE-2020-10754.
> >
> > This version includes an additional option by default for firewalld
> zones,
> >
from gatesgarth
meta-openembedded 165ad9ad4c86c9e63f3afcf3172c8e1d3629f3a5 required
for the build.
Signed-off-by: Marta Rybczynska
---
.../fix_reallocarray_check.patch | 27 +++
...r_1.22.10.bb => networkmanager_1.22.16.bb} | 7 -
2 files changed, 33 inserti
On Thu, Dec 9, 2021 at 7:53 AM Tim Orling wrote:
>
> From: Richard Purdie
>
> The CVE applies to binutils 2.26 and not to gcc so ignore there.
>
Tim,
Have you requested a NVD database change on this one? Or you prefer me to do it?
Kind regards,
Marta
From: Marta Rybczynska
Improper access control in BlueZ may allow an authenticated user to
potentially enable information disclosure via adjacent access.
This issue can be fixed in the kernel, in BlueZ or both. This patch
fixes it on the BlueZ side, so that the configuration no longer
depends
://eprint.iacr.org/2021/923.pdf
[2] https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13
[3] https://dev.gnupg.org/T5328#149606
Signed-off-by: Marta Rybczynska
---
.../libgcrypt/files/CVE-2021-33560.patch | 138 +++---
.../libgcrypt/files/CVE-2021-40528.patch
> diff --git a/meta/recipes-bsp/grub/grub2.inc
> b/meta/recipes-bsp/grub/grub2.inc
> index bb791347dc..a72a562c5a 100644
> --- a/meta/recipes-bsp/grub/grub2.inc
> +++ b/meta/recipes-bsp/grub/grub2.inc
> @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
>
On Mon, Jan 10, 2022 at 10:01 AM Marta Rybczynska via lists.openembedded.org
wrote:
>
> diff --git a/meta/recipes-bsp/grub/grub2.inc
>> b/meta/recipes-bsp/grub/grub2.inc
>> index bb791347dc..a72a562c5a 100644
>> --- a/meta/recipes-bsp/grub/grub2.inc
>> +++ b/m
Thanks for the renaming, Saul. Some minor comments below.
On Tue, Mar 8, 2022 at 1:33 AM Saul Wold wrote:
>
>
> -# If the recipe has been whitelisted we return empty lists
> +# If the recipe has been skipped/ignored we return empty lists
> if pn in
issues, so seem worth having.
Patches included here are also in Debian's backports [2].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
[2]
https://salsa.debian.org/grub-team/grub/-/tree/debian/2.04-20/debian/patches/2021-02-security
Marta Rybczynska (46):
grub: fix
This fix removes a possible NULL pointer dereference in grub
networking code. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...ible-dereference-to-of-a-NULL-pointe.patch | 39
Backport a fix for a memory leak in grub_mmap_iterate(). This patch
is a part of a security series [1]
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...leak-when-iterating-over-mapped-memo.patch | 39 +++
meta
This change fixes wrong handling of argc == 0 causing a memory leak.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...n-parser-Fix-resource-leak-if-argc-0.patch | 50 +++
meta
-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...formed-device-path-arithmetic-errors.patch | 235 ++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 236 insertions(+)
create mode 100644
meta/recipes-bsp/grub/files/0005-efi-Fix-some
This change fixes a dangling memory pointer in the grub TFTP code.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...net-tftp-Fix-dangling-memory-pointer.patch | 33 +++
meta
This patch adds a fix for an uninitialized re_token in grub's gnulib.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...b-regcomp-Fix-uninitialized-re_token.patch | 55 +++
meta
Add a fix for unnecessary assignments in grub's io/lzopio. This patch
is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...e-unnecessary-self-assignment-errors.patch | 41 +++
meta
This fix adds a missing check for NULL pointer from an external source
in grub's kern/partition. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...heck-for-NULL-before-dereferencing-i.patch | 43
This patch adds initialization of a structure in grub's zstd, which
might be left uninitialized by the compiler. It is a part of a security
series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...std-Initialize-seq_t-structure
Add a fix for a memory leak in grub's disk/ldm. It is a part of
a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...re-comp-data-is-freed-before-exiting.patch | 128 ++
meta/recipes-bsp/grub/grub2
This patch adds a fix for a memory leak in grub's disk/ldm.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...-If-failed-then-free-vg-variable-too.patch | 28 +++
meta/recipes
This change fixes a memory leak on error in grub_efi_get_filename().
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...-kern-efi-Fix-memory-leak-on-failure.patch | 30 +++
meta
This change fixes a possible NULL pointer dereference in grub's
EFI support. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...ix-possible-NULL-pointer-dereference.patch | 65
This change adds a fix for an unused variable issue in gnulib.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...ulib-regexec-Resolve-unused-variable.patch | 59 +++
meta
This change adds a fix for an uninitialized token structure in gnulib.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...mp-Fix-uninitialized-token-structure.patch | 53 +++
meta
This change adds a fix for a NULL pointer dereference of state
in gnulib. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...-Fix-dereference-of-a-possibly-NULL-.patch | 52
Add a fix for gnulib's regexec NULL pointer dereference. This patch
is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...egexec-Fix-possible-null-dereference.patch | 53 +++
meta/recipes
Add a fix for a memory leak in grub's disk/ldm. It is a part of
a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...ory-leak-on-uninserted-lv-references.patch | 50 +++
meta/recipes-bsp/grub/grub2
This patch adds a fix for a memory leak in grub's path construction
in zfs. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...source-leaks-while-constructing-path.patch | 121
This patch adds a fix for possible integer overflows in grub's zfs.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...3-zfs-Fix-possible-integer-overflows.patch | 56 +++
meta
This patch fixes an error check in grub's zfsinfo. It is a part of
a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...-a-check-for-error-allocating-memory.patch | 35 +++
meta/recipes-bsp/grub
This patch fixes a memory leak in grub's affs. It is a part of
a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
.../files/0025-affs-Fix-memory-leaks.patch| 82 +++
meta/recipes-bsp/grub/grub2
This patch fixes a possible unintended sign extension in grub's
libgcrypt/mpi. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...x-possible-unintended-sign-extension.patch | 36
This patch adds a fix for a possible NULL dereference in grub's
libgcrypt/mpi. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...pt-mpi-Fix-possible-NULL-dereference.patch | 33
This patch adds a fix for a memory leak in grub's normal/completion.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...n-Fix-leaking-of-memory-when-process.patch | 52 +++
meta
This patch fixes a memory leak in grub's syslinux parsing. It is a part of
a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...slinux-Fix-memory-leak-while-parsing.patch | 43 +++
meta/recipes-bsp
This patch removes an unneeded return value in grub's (static)
grub_video_gop_fill_mode_info(). It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...move-unnecessary-return-value-of-gru.patch | 94
This patch adds a fix for a potential integer overflow in grub's
video/fb/fbfill. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...bfill-Fix-potential-integer-overflow.patch | 78
Add a fix of a memory leak in grub's commands/hashsum. It is a part
of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...0-commands-hashsum-Fix-a-memory-leak.patch | 56 +++
meta/recipes-bsp
This patch adds a fix for a NULL pointer dereference in grub's
util/grub-install. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...nstall-Fix-NULL-pointer-dereferences.patch | 41
This patch adds a fix for an incorrect use of a negative value in grub's
util/glue-efi. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...x-incorrect-use-of-a-possibly-negati.patch | 50
This patch adds a fix for incorrect casting from signed to unsigned
in grub's util/grub-editenv. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...v-Fix-incorrect-casting-of-a-signed-.patch | 46
This patch adds a check for a NULL pointer before use in grub's
loader/xnu. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...k-if-pointer-is-NULL-before-using-it.patch | 42
This patch fixes a memory leak in grub's loader/xnu when an error is
detected in grub_xnu_writetree_toheap(). It is a part of a security
series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...driverkey-data-when-an-error
This patch adds a fix for a NULL pointer dereference in grub's
commands/ls. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...ire-device_name-is-not-NULL-before-p.patch | 33
This patch adds a fix for a possible integer overflow in grub's
video/fb/video_fb. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...deo_fb-Fix-possible-integer-overflow.patch | 39
This patch adds a fix for multiple integer overflows in grub's
video/fb/video_fb. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...eo_fb-Fix-multiple-integer-overflows.patch | 104
This patch removes dead code from grub's gfxmenu/gui_list. It is
a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...-Remove-code-that-coverity-is-flaggi.patch | 34 +++
meta/recipes-bsp
This patch adds a fix for handling malformed JPEG files in grub's
video/readers/jpeg. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...eg-Test-for-an-invalid-next-marker-r.patch | 38
This patch adds a fix for a memory leak in grub's loader/xnu.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
.../0038-loader-xnu-Fix-memory-leak.patch | 38 +++
meta/recipes
This patch adds a fix for checking for NULL in grub's loader/bsd.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...ader-bsd-Check-for-NULL-arg-up-front.patch | 47 +++
meta
This patch adds a fix for a crash in grub's script handling. It is
a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...void-crash-when-using-outside-a-func.patch | 37 +++
meta/recipes
This patch adds a fix for a NULL pointer dereference in grub's
script/execute. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...ix-NULL-dereference-in-grub_script_e.patch | 28
This patch fixes a potential overflow in grub's disk/cryptodisk. It is
a part of a security series [1]
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...odisk-Fix-potential-integer-overflow.patch | 50 +++
meta
This patch adds a fix for a possible negative shift in grub's zfs.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...ix-possible-negative-shift-operation.patch | 42 +++
meta
This patch adds a fix for a volume name length check in grub's
hfsplus. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...that-the-volume-name-length-is-valid.patch | 43
On Mon, Jan 24, 2022 at 5:18 PM Jon Mason wrote:
> CVE_CHECK_PN_WHITELIST -> CVE_CHECK_SKIPRECIPE
> CVE_CHECK_WHITELIST -> CVE_CHECK_IGNORECVE
>
When running master-next I have found one missing rename, cve-check has
"CVE STATUS" result
which is still Patched, Unpatched, Whitelisted. I propose
On Thu, Mar 10, 2022 at 11:25 AM Michael Opdenacker via
lists.openembedded.org wrote:
> Greetings
>
> We need to prepare the final migration notes for Kirkstone and need your
> help. Here is a quick list of already documented changes (see
>
>
On Sat, Mar 19, 2022 at 8:26 PM Richard Purdie
wrote:
>
> This adds support for a random kernel CVE monitoring tool which can be
> run as a specific task against a kernel:
>
> $ bitbake linux-yocto -c checkcves
> [...]
> Sstate summary: Wanted 3 Local 3 Mirrors 0 Missed 0 Current 135 (100% match,
On Tue, Mar 22, 2022 at 9:53 AM Michael Opdenacker
wrote:
>
> Hi Marta
>
> On 3/21/22 16:22, Marta Rybczynska wrote:
>
> > Heads up: I'm on the inclusive language migration + migration script docs.
>
>
> Thanks for helping!
> You probably have seen
> https://gi
in the database and more.
This work is based on [1], but adding the JSON format makes it easier
to implement, without additional result files.
[1] https://lists.openembedded.org/g/openembedded-core/message/159873
Signed-off-by: Marta Rybczynska
---
meta/classes/cve-check.bbclass | 51
by default.
The JSON output format gets generated in a similar way to the
text format with the exception of the manifest: appending to
JSON arrays requires parsing the file. Because of that we
first write JSON fragments and then assemble them in one pass
at the end.
Signed-off-by: Marta Rybczynska
On Tue, Jan 25, 2022 at 10:59 AM Marta Rybczynska via lists.openembedded.org
wrote:
> Add an option to output the CVE check in a JSON-based format.
> This format is easier to parse in software than the original
> text-based one and allows post-processing by other tools.
>
>
On Thu, Feb 10, 2022 at 3:36 PM Ross Burton wrote:
>
> > +from jsonmerge import Merger
>
> This isn't part of the standard Python library, you'll have to
> replicate the logic.
>
>
Do you mean copying part of the class or reimplementing it?
> One suggestion would be to move more of the
Signed-off-by: Marta Rybczynska
---
.../grub/files/CVE-2020-25647.patch | 119 ++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 120 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-25647.patch
diff --git a/meta/recipes-bsp
arbitrary code to be executed or a bypass of Secure Boot protections.
This patch is a part of a bigger security collection for grub [2].
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-25632
[2] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
On Sun, 10 Sept 2023, 17:14 Khem Raj, wrote:
> On Sun, Sep 10, 2023 at 4:18 AM Steve Sakoman wrote:
> >
> > Branch: master
> >
> > New this week: 10 CVEs
> > CVE-2022-3563 (CVSS3: 5.7 MEDIUM): bluez5
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3563 *
> > CVE-2022-3637 (CVSS3:
Hello,
I've been working recently on collecting what works and what doesn't
in YP security processes. The goal is to go forward and define an
actionable strategy!
Today, I'd like to share with you the summary of what I have heard as
needs from several people (those in Cc:).
I want the community
On Wed, Sep 13, 2023 at 2:33 PM Mikko Rapeli wrote:
>
> Hi,
>
> On Wed, Sep 13, 2023 at 01:52:19PM +0200, Marta Rybczynska wrote:
> > Hello,
> > I've been working recently on collecting what works and what doesn't
> > in YP security processes. The go
ction.
>
Thank you Alex!
>
> More responses inline.
>
> On 9/13/23 07:52, Marta Rybczynska via lists.openembedded.org wrote:
> > * CVEs: Visibility if YP is vulnerable or not
> >
> > People want to be able to check/look up a specific CVE; it might be a
>
On Wed, Sep 13, 2023 at 6:28 PM Mark Hatle
wrote:
> >> * Visibility of the security work of the YP
> >>
> >> There is much work on security in the YP, but it lacks visibility.
> >
> > Is there a common nexus for this work? eg. do most of the folks who are
> > doing security work tend to
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.
Signed-off-by: Marta Rybczynska
---
SECURITY.md | 17 +
1 file changed, 17 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b
e" with status
> "cpe-incorrect" or "ignored" exactly for those purposes. Extending the
> option with "not affected" doesn't make any sense.
>
> You have to set the status to "why is not affected" = "ignored". Which
> comple
e start exploding the statuses as someone will “need” additional
> one soon.
>
>
>
> If we really want to introduce these new statuses (I hope not), please modify
> this patch to handle its CVE_STATUS flags, too.
>
> Additionally, I’d drop “Undecidable” and map it to “Unpat
On Wed, 1 Nov 2023, 11:48 Anuj Mittal, wrote:
> On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:
> >
> >
> > On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal
> > wrote:
> > > On Tue, 2023-10-31 at 14:20 +, Trevor Gamblin wrote:
> > > > Thank you for your submission. Patchtest identified one
On Wed, Nov 1, 2023 at 6:31 AM Marta Rybczynska via
lists.openembedded.org
wrote:
>
>
>
>
> On Wed, 1 Nov 2023, 11:48 Anuj Mittal, wrote:
>>
>> On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:
>> >
>> >
>> > On Tue, Oct 31, 2023 at 7:26
code architecture documentation
Signed-off-by: Marta Rybczynska
---
...{python3-spdx-tools_0.8.1.bb => python3-spdx-tools_0.8.2.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-devtools/python/{python3-spdx-tools_0.8.1.bb =>
python3-spdx-tools_0.8.2.bb} (88%)
forward reference exceptions
Class redecoration eliding
Documentation update
[1] https://github.com/beartype/beartype/releases/tag/v0.16.4
[2] https://github.com/beartype/beartype/releases/tag/v0.16.3
Signed-off-by: Marta Rybczynska
---
.../{python3-beartype_0.16.2.bb => python3-beartype_0.16.4
From: Samantha Jalabert
Change functions and tasks to match the SPDX 3 model.
Signed-off-by: Samantha Jalabert
---
meta/classes/create-spdx-3.0.bbclass | 728 +--
1 file changed, 224 insertions(+), 504 deletions(-)
diff --git a/meta/classes/create-spdx-3.0.bbclass
From: Louis Rannou
Initialize the work on SPDX 3 with a copy of the SPDX 2.2. Change default to
SPDX 3.
Signed-off-by: Louis Rannou
Signed-off-by: Marta Rybczynska
---
meta/classes/create-spdx-3.0.bbclass | 1158 ++
meta/classes/create-spdx.bbclass |2 +-
2
From: Louis Rannou
Extend objects used to build the spdx scheme:
- add support for inheritance
- hide all attributes starting with _spdx
- add methods to list properties and item pairs
- improve the serializer to match the spdx3 scheme
Signed-off-by: Louis Rannou
---
meta/lib/oe/sbom.py | 2
From: Louis Rannou
Create SPDX3 objects as classes, as they are described in the SPDX3 model.
Signed-off-by: Louis Rannou
Signed-off-by: Samantha Jalabert
---
meta/lib/oe/spdx3.py | 385 +++
1 file changed, 385 insertions(+)
create mode 100644
From: Louis Rannou
Create a function that searches into a json-ld instead of completely loading it.
Signed-off-by: Louis Rannou
---
meta/lib/oe/sbom.py | 32
1 file changed, 32 insertions(+)
diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
index
Add a specific readme for SPDX3 with open questions and other notes
related to the PoC.
Signed-off-by: Marta Rybczynska
---
README.SPDX3 | 42 ++
1 file changed, 42 insertions(+)
create mode 100644 README.SPDX3
diff --git a/README.SPDX3 b/README.SPDX3
the write_doc to prepare for spdx3
create-spdx-3.0: SPDX3 objects as classes
oe/sbom: search into json
Marta Rybczynska (1):
README.SPDX3: add file
Samantha Jalabert (1):
create-spdx-3.0: support for recipe spdx creation
README.SPDX3 | 42 ++
meta/classes/create
From: Louis Rannou
This changes the prototype of write_doc as the SPDX3 documentation does not
specify yet which is the root element.
Signed-off-by: Louis Rannou
Signed-off-by: Marta Rybczynska
Signed-off-by: Samantha Jalabert
---
meta/lib/oe/sbom.py | 5 +++--
1 file changed, 3 insertions
On Fri, Oct 20, 2023 at 4:18 PM Michael Opdenacker
wrote:
>
> Hi Marta
>
> On 20.10.23 at 10:36, Marta Rybczynska wrote:
> > Hello everyone,
> > We have a constant flow of work on pending CVEs. During my discussion
> > with multiple people, there is a c
Hi Andrej,
This is more complex. "Not affected" is also an issue that isn't present in the
code - like when we have a version that has never had the vulnerability.
Those are also currently 'Patched' in cve-check.
This work is in sync with what VEX is doing, is it the use-case
Matsanaga-Shinji?
>
> > commit: 1a14a28f132a10e9db7b3e5bb2b5361c4679946e
> >
> > Signed-off-by: Marta Rybczynska
>
> Please send a removal patch for meta-python as well. So we can keep
> passing the yp compat checks for meta-openembedded on AB and coordinate
> the change between meta-