| Message ID | 20250107054539.4002240-1-mmeerasa@cisco.com |
|---|---|
| State | Awaiting Upstream |
| Delegated to | Steve Sakoman |
| Series | [scarthgap] db 5.3.28: Ignore multiple CVEs |
Hi Mohamed,

This patch will need to be submitted and accepted into the master branch before I can take it for the stable branches.

Thanks,

Steve

On Tue, Jan 7, 2025 at 3:35 AM Mohamed Meera Sahib via lists.openembedded.org <mmeerasa=cisco.com@lists.openembedded.org> wrote:
>
> Analysis:
> - Unspecified vulnerability in the various components of Oracle
> Berkeley Db was identified as potentially exploitable without
> authentication. Later these were closed by the Critical Patch
> Update (CPU).
>
> Reference:
> [1] https://www.oracle.com/security-alerts/cpujul2015.html
> [2] https://www.oracle.com/security-alerts/cpuapr2016v3.html
> [3] https://www.oracle.com/security-alerts/cpujul2020.html
>
> Signed-off-by: Mohamed Meera Sahib <mmeerasa@cisco.com>
> ---
> meta/recipes-support/db/db_5.3.28.bb | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
> index a7d061e0da..d93e77a1ee 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -120,3 +120,20 @@ BBCLASSEXTEND = "native nativesdk" > # many configure tests are failing with gcc-14 > CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" > BUILD_CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" > + > +# The risk matrix of Oracle Berkeley Db was published in July 2015 by which many vulnerabilities > +# in different Oracle products were identified. > +# https://www.oracle.com/security-alerts/cpujul2015verbose.html#DB > +# The Oracle Berkeley Db issued the Critical Patch Update Advisory in July 2015 > +# which determined the status of the vulnerability whether applicable or not. > +# https://www.oracle.com/security-alerts/cpujul2015.html#AppendixDB > +# Apart from this, different CPUs change status of the vulnerabilities e.g. > +# CVE-2020-2981: https://www.oracle.com/security-alerts/cpujul2020.html > +# CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418: https://www.oracle.com/security-alerts/cpuapr2016v3.html > + > +CVE_STATUS_GROUPS = "CVE_STATUS_INGR" > +CVE_STATUS_INGR = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 \ > +CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 \ > +CVE-2015-4783 CVE-2015-4784 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2020-2981 \ > +CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418" > +CVE_STATUS_INGR[status] = "fixed-version: The Critical Patch Update of Oracle Berkeley DB discovers these vulnerabilities may not be remotely exploitable without authentication." > -- > 2.35.6 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. 
Hi Steve,

Thank you for the update. I understand that the patch must be submitted and accepted into the master branch before it can be taken for the stable branches. I will ensure that the patch is submitted to the master branch promptly and will follow up on its review and acceptance process.

Thanks
Mohamed Meera Sahib

-----Original Message-----
From: Steve Sakoman <steve@sakoman.com>
Sent: Tuesday, January 7, 2025 7:25 PM
To: Mohamed Meera Sahib -X (mmeerasa - E INFOCHIPS PRIVATE LIMITED at Cisco) <mmeerasa@cisco.com>
Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer list) <xe-linux-external@cisco.com>; Poojitha Adireddy -X (pooadire - E INFOCHIPS PRIVATE LIMITED at Cisco) <pooadire@cisco.com>
Subject: Re: [OE-core] [scarthgap] [PATCH] db 5.3.28: Ignore multiple CVEs

Hi Mohamed,

This patch will need to be submitted and accepted into the master branch before I can take it for the stable branches.

Thanks,

Steve

On Tue, Jan 7, 2025 at 3:35 AM Mohamed Meera Sahib via lists.openembedded.org <mmeerasa=cisco.com@lists.openembedded.org> wrote:
>
> Analysis:
> - Unspecified vulnerability in the various components of Oracle
> Berkeley Db was identified as potentially exploitable without
> authentication. Later these were closed by the Critical Patch
> Update (CPU).
>
> Reference:
> [1] https://www.oracle.com/security-alerts/cpujul2015.html
> [2] https://www.oracle.com/security-alerts/cpuapr2016v3.html
> [3] https://www.oracle.com/security-alerts/cpujul2020.html
>
> Signed-off-by: Mohamed Meera Sahib <mmeerasa@cisco.com>
> ---
> meta/recipes-support/db/db_5.3.28.bb | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb
> b/meta/recipes-support/db/db_5.3.28.bb
> index a7d061e0da..d93e77a1ee 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -120,3 +120,20 @@ BBCLASSEXTEND = "native nativesdk" > # many configure tests are failing with gcc-14 CFLAGS += > "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" > BUILD_CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" > + > +# The risk matrix of Oracle Berkeley Db was published in July 2015 by > +which many vulnerabilities # in different Oracle products were identified. > +# https://www.oracle.com/security-alerts/cpujul2015verbose.html#DB > +# The Oracle Berkeley Db issued the Critical Patch Update Advisory in > +July 2015 # which determined the status of the vulnerability whether applicable or not. > +# https://www.oracle.com/security-alerts/cpujul2015.html#AppendixDB > +# Apart from this, different CPUs change status of the vulnerabilities e.g. > +# CVE-2020-2981: > +https://www.oracle.com/security-alerts/cpujul2020.html > +# CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, > +CVE-2016-3418: > +https://www.oracle.com/security-alerts/cpuapr2016v3.html > + > +CVE_STATUS_GROUPS = "CVE_STATUS_INGR" > +CVE_STATUS_INGR = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 > +CVE-2015-2640 CVE-2015-2654 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 > +\ > +CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 CVE-2015-4778 > +CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 \ > +CVE-2015-4783 CVE-2015-4784 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 > +CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2020-2981 \ > +CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418" > +CVE_STATUS_INGR[status] = "fixed-version: The Critical Patch Update of Oracle Berkeley DB discovers these vulnerabilities may not be remotely exploitable without authentication." > -- > 2.35.6 > > > >
diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb index a7d061e0da..d93e77a1ee 100644 --- a/meta/recipes-support/db/db_5.3.28.bb +++ b/meta/recipes-support/db/db_5.3.28.bb @@ -120,3 +120,20 @@ BBCLASSEXTEND = "native nativesdk" # many configure tests are failing with gcc-14 CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" BUILD_CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" + +# The risk matrix of Oracle Berkeley Db was published in July 2015 by which many vulnerabilities +# in different Oracle products were identified. +# https://www.oracle.com/security-alerts/cpujul2015verbose.html#DB +# The Oracle Berkeley Db issued the Critical Patch Update Advisory in July 2015 +# which determined the status of the vulnerability whether applicable or not. +# https://www.oracle.com/security-alerts/cpujul2015.html#AppendixDB +# Apart from this, different CPUs change status of the vulnerabilities e.g. +# CVE-2020-2981: https://www.oracle.com/security-alerts/cpujul2020.html +# CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418: https://www.oracle.com/security-alerts/cpuapr2016v3.html + +CVE_STATUS_GROUPS = "CVE_STATUS_INGR" +CVE_STATUS_INGR = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 \ +CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 \ +CVE-2015-4783 CVE-2015-4784 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2020-2981 \ +CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418" +CVE_STATUS_INGR[status] = "fixed-version: The Critical Patch Update of Oracle Berkeley DB discovers these vulnerabilities may not be remotely exploitable without authentication."
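Review bot: the status tag and the justification in `CVE_STATUS_INGR[status]` contradict each other and the series title. `fixed-version:` is one of the Patched-class statuses in OE's cve-check (used when the NVD entry does not record the fixed version), so it asserts that db 5.3.28 already contains the fix, yet the title says "Ignore multiple CVEs" and the justification text argues non-applicability ("may not be remotely exploitable without authentication") rather than the presence of a fix; the commit message additionally says the issues were "potentially exploitable without authentication" and were later "closed by the Critical Patch Update", which describes fixes in later Oracle releases, not in 5.3.28. Either document which change in 5.3.28 fixes each CVE, or switch to the Ignored-class status that matches the actual reasoning (`not-applicable-config`, `not-applicable-platform`, `cpe-incorrect`, `disputed` or `upstream-wontfix`) and replace the hedged "discovers these vulnerabilities may not be" with a definite, per-CVE statement drawn from the linked risk matrices. The list also mixes CVEs from three different CPUs (2015, 2016 and 2020) under one group; if their reasons differ, split them into separate groups so each status string is accurate. Minor: the comment block reads awkwardly ("by which many vulnerabilities", "The Oracle Berkeley Db issued the Critical Patch Update Advisory"); Oracle issues the advisory, and one sentence per CPU with its URL would be clearer.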
Analysis:
- Unspecified vulnerability in the various components of Oracle Berkeley Db was identified as potentially exploitable without authentication. Later these were closed by the Critical Patch Update (CPU).

Reference:
[1] https://www.oracle.com/security-alerts/cpujul2015.html
[2] https://www.oracle.com/security-alerts/cpuapr2016v3.html
[3] https://www.oracle.com/security-alerts/cpujul2020.html

Signed-off-by: Mohamed Meera Sahib <mmeerasa@cisco.com>
---
meta/recipes-support/db/db_5.3.28.bb | 17 +++++++++++++++++
1 file changed, 17 insertions(+)