
dpkg: set status for CVE-2025-6297

Message ID 20250815170517.12674-1-peter.marko@siemens.com
State Accepted, archived
Commit 75859969b5ed7359124198eb48c480b8f6fe6f8f
Series dpkg: set status for CVE-2025-6297

Commit Message

Marko, Peter Aug. 15, 2025, 5:05 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

NVD tracks this CVE as "Up to (excluding) 2025-06-30"
(which is fix commit date, not dpkg version)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-devtools/dpkg/dpkg_1.22.21.bb | 3 +++
 1 file changed, 3 insertions(+)
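
As an added illustration of the failure mode the commit message describes (this is not code from OE-core, dpkg or the patch author), the Python below models an NVD-style record whose `versionEndExcluding` is the date "2025-06-30" and shows why a component-wise version comparison reports dpkg 1.22.21 as affected, plus the check a practitioner would add to flag a bound that is a calendar date rather than a version. The CPE name `cpe:2.3:a:debian:dpkg:*`, the JSON shape (modelled on the NVD 2.0 API) and both records are constructed here; the version ordering is a simplified stand-in for dpkg's algorithm, not OE-core's cve-check implementation.

```python
"""Constructed example: why a date in an NVD version bound misfires.

Illustrative code only, not OE-core's cve-check. The CPE name and the
record layout are assumptions modelled on the NVD 2.0 API; both records
below are constructed from the ranges quoted on the page.
"""
import re
from datetime import date

# Assumption: the page never names dpkg's CPE, this one is illustrative.
DPKG_CPE = "cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*"

# Constructed: the range as NVD carried it (fix commit date, not a version).
NVD_RECORD_WITH_DATE = {
    "id": "CVE-2025-6297",
    "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": DPKG_CPE,
         "versionEndExcluding": "2025-06-30"},
    ]}]}],
}

# Constructed: the same record after the CPE was corrected.
NVD_RECORD_FIXED = {
    "id": "CVE-2025-6297",
    "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": DPKG_CPE,
         "versionEndExcluding": "1.22.21"},
    ]}]}],
}

_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
_BOUND_KEYS = ("versionStartIncluding", "versionStartExcluding",
               "versionEndIncluding", "versionEndExcluding")


def looks_like_date(bound):
    """True if a version bound is a valid ISO calendar date, not a version."""
    if not _DATE_RE.match(bound):
        return False
    try:
        date.fromisoformat(bound)
    except ValueError:
        return False
    return True


def version_key(v):
    """Simplified component-wise ordering: numeric parts compare as ints,
    textual parts lexically. Deliberately not the full Debian algorithm
    (no epochs, tildes or debian_revision handling); it is enough to show
    why 1.22.21 sorts below 2025-06-30."""
    parts = re.split(r"[.\-+~]", v)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def in_range(version, match):
    """Apply the four optional NVD bounds to one cpeMatch entry."""
    k = version_key(version)
    lo_inc = match.get("versionStartIncluding")
    lo_exc = match.get("versionStartExcluding")
    hi_inc = match.get("versionEndIncluding")
    hi_exc = match.get("versionEndExcluding")
    if lo_inc is not None and k < version_key(lo_inc):
        return False
    if lo_exc is not None and k <= version_key(lo_exc):
        return False
    if hi_inc is not None and k > version_key(hi_inc):
        return False
    if hi_exc is not None and k >= version_key(hi_exc):
        return False
    return True


def check_cve(record, cpe, version):
    """Return (affected, warnings) for one package version against one record.

    Only wildcard-version criteria are considered; a criteria string with an
    explicit version component is out of scope for this illustration.
    """
    affected = False
    warnings = []
    for cfg in record.get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable") or m.get("criteria") != cpe:
                    continue
                for key in _BOUND_KEYS:
                    bound = m.get(key)
                    if bound is not None and looks_like_date(bound):
                        warnings.append(f"{record['id']}: {key}={bound!r} "
                                        "is a date, not a version; verify the CPE")
                if in_range(version, m):
                    affected = True
    return affected, warnings


if __name__ == "__main__":
    for label, rec in (("NVD with date bound", NVD_RECORD_WITH_DATE),
                       ("NVD corrected", NVD_RECORD_FIXED)):
        affected, warnings = check_cve(rec, DPKG_CPE, "1.22.21")
        print(f"{label}: dpkg 1.22.21 affected={affected}")
        for w in warnings:
            print("  warning:", w)
```

With the date bound the record matches dpkg 1.22.21 (a false positive, which is exactly what the recipe's `cpe-incorrect` status suppresses) and the date warning fires; with the corrected bound the same version is reported as not affected and nothing is flagged.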

Comments

Ross Burton Aug. 19, 2025, 12:59 p.m. UTC | #1
On 15 Aug 2025, at 18:05, Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote:
> NVD tracks this CVE as "Up to (excluding) 2025-06-30"
> (which is fix commit date, not dpkg version)

Have you told the NVD CPE maintainers about this? In my experience they’ve been quite good at updating CPEs like this.

Ross
Marko, Peter Aug. 19, 2025, 4:19 p.m. UTC | #2
> -----Original Message-----
> From: Ross Burton <Ross.Burton@arm.com>
> Sent: Tuesday, August 19, 2025 14:59
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH] dpkg: set status for CVE-2025-6297
> 
> On 15 Aug 2025, at 18:05, Peter Marko via lists.openembedded.org
> <peter.marko=siemens.com@lists.openembedded.org> wrote:
> > NVD tracks this CVE as "Up to (excluding) 2025-06-30"
> > (which is fix commit date, not dpkg version)
> 
> Have you told the NVD CPE maintainers about this? In my experience they’ve
> been quite good at updating CPEs like this.
> 

No, I'm not comfortable communicating with NVD.

Peter

> Ross
Ross Burton Aug. 20, 2025, 10:52 a.m. UTC | #3
On 19 Aug 2025, at 17:19, Marko, Peter <Peter.Marko@siemens.com> wrote:
>>> NVD tracks this CVE as "Up to (excluding) 2025-06-30"
>>> (which is fix commit date, not dpkg version)
>> 
>> Have you told the NVD CPE maintainers about this? In my experience they’ve
>> been quite good at updating CPEs like this.
>> 
> 
> No, I'm not comfortable communicating with NVD.

Okay. I did yesterday and the CPE now says "Up to (excluding) 1.22.21" so we can drop this.

Ross

Patch

diff --git a/meta/recipes-devtools/dpkg/dpkg_1.22.21.bb b/meta/recipes-devtools/dpkg/dpkg_1.22.21.bb
index d793c26d57..69b3c3d880 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.22.21.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.22.21.bb
@@ -19,3 +19,6 @@  SRC_URI = "git://salsa.debian.org/dpkg-team/dpkg.git;protocol=https;branch=1.22.
 SRC_URI:append:class-native = " file://0001-build.c-ignore-return-of-1-from-tar-cf.patch"
 
 SRCREV = "d72b038fd2113cb62972e4071db03dd1388394d8"
+
+# NVD tracks this CVE as "Up to (excluding) 2025-06-30" (which is fix commit date, not dpkg version)
+CVE_STATUS[CVE-2025-6297] = "cpe-incorrect: this is fixed in 1.22.21"
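Review bot: the status description on the last `+` line ("cpe-incorrect: this is fixed in 1.22.21") gives no pointer to the upstream fix (commit or dpkg release) that justifies it, so a later maintainer cannot verify the claim or tell when the entry can be retired; suggest folding the reason into the description, e.g. `CVE_STATUS[CVE-2025-6297] = "cpe-incorrect: NVD version bound is the 2025-06-30 fix commit date; fixed in dpkg 1.22.21"`, rather than leaving it only in the comment above. Placing the entry in the versioned recipe dpkg_1.22.21.bb rather than a shared include is the right choice, since the claim is specific to this version. Note also that per the follow-up in the thread the NVD CPE now reads "Up to (excluding) 1.22.21", so the entry would be stale on merge; the thread's conclusion is to drop the patch.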