| Message ID | 20251015063531.1573191-1-ankur.tyagi85@gmail.com |
|---|---|
| State | New |
| Series | [meta-oe,scarthgap,1/4] mercurial: Update CVE status for CVE-2022-43410 |
On Wed, 2025-10-15 at 19:35 +1300, Ankur Tyagi via lists.openembedded.org wrote: > From: Ninette Adhikari <ninette@thehoodiefirm.com> > > The recipe used in the `meta-openembedded` is a different mercurial > package compared to the one which has the CVE issue. > Package used in `meta-embedded`: https://www.mercurial-scm.org/ > Package with CVE issue is a Jenkins plugin: > https://plugins.jenkins.io/mercurial/ > (This is reflected in the CPE) > > Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com> > Signed-off-by: Khem Raj <raj.khem@gmail.com> > (cherry picked from commit bf84ac1c4c1a00c2aa92a09fbdfae128d055fe05) > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> > --- > meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb > b/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb > index 2451a36be2..53fe0a28ae 100644 > --- a/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb > +++ b/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb > @@ -34,3 +34,4 @@ PACKAGES =+ "${PN}-python" > FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR} ${datadir}" > FILES:${PN}-python = "${nonarch_libdir}/${PYTHON_DIR}" > > +CVE_STATUS[CVE-2022-43410] = "cpe-incorrect: The recipe used in the > `meta-openembedded` is a different mercurial package compared to the > one which has the CVE issue."

This shouldn't be a cpe-incorrect in that case and should use mercurial-scm as the vendor in CVE_PRODUCT.
On Thu, Oct 30, 2025 at 7:38 PM Mittal, Anuj <anuj.mittal@intel.com> wrote: > > On Wed, 2025-10-15 at 19:35 +1300, Ankur Tyagi via > lists.openembedded.org wrote: > > From: Ninette Adhikari <ninette@thehoodiefirm.com> > > > > The recipe used in the `meta-openembedded` is a different mercurial > > package compared to the one which has the CVE issue. > > Package used in `meta-embedded`: https://www.mercurial-scm.org/ > > Package with CVE issue is a Jenkins plugin: > > https://plugins.jenkins.io/mercurial/ > > (This is reflected in the CPE) > > > > Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com> > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > > (cherry picked from commit bf84ac1c4c1a00c2aa92a09fbdfae128d055fe05) > > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> > > --- > > meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb > > b/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb > > index 2451a36be2..53fe0a28ae 100644 > > --- a/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb > > +++ b/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb 
> > @@ -34,3 +34,4 @@ PACKAGES =+ "${PN}-python" > > FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR} ${datadir}" > > FILES:${PN}-python = "${nonarch_libdir}/${PYTHON_DIR}" > > > > +CVE_STATUS[CVE-2022-43410] = "cpe-incorrect: The recipe used in the > > `meta-openembedded` is a different mercurial package compared to the > > one which has the CVE issue." > > This shouldn't be a cpe-incorrect in that case and should use > mercurial-scm as the vendor in CVE_PRODUCT.

Good point, I'll send the fix to the master branch as well. Please drop this patch.
diff --git a/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb b/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb index 2451a36be2..53fe0a28ae 100644 --- a/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb +++ b/meta-oe/recipes-devtools/mercurial/mercurial_6.5.bb @@ -34,3 +34,4 @@ PACKAGES =+ "${PN}-python" FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR} ${datadir}" FILES:${PN}-python = "${nonarch_libdir}/${PYTHON_DIR}" +CVE_STATUS[CVE-2022-43410] = "cpe-incorrect: The recipe used in the `meta-openembedded` is a different mercurial package compared to the one which has the CVE issue."
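Review bot: The `cpe-incorrect` category on the added `CVE_STATUS[CVE-2022-43410]` line does not match the reason given for it. The commit message says the CVE's CPE correctly identifies the Jenkins plugin, so the CPE itself is not wrong; the recipe is being matched against a different product that shares the name. A per-CVE status also has to be repeated for every later CVE filed against that plugin. Narrowing the match in the recipe with a vendor-qualified `CVE_PRODUCT` (the reply in this thread names `mercurial-scm` as the vendor) addresses both points, and the status line can then be dropped. If the line is kept, note that the backticks around `meta-openembedded` in the reason string are markup that will appear literally in the CVE check output.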