ecryptfs-utils: add CVE-2016-1572 to allowlist

Message ID 20220311041033.1684086-1-shin.matsunaga@fujitsu.com
State New
Series ecryptfs-utils: add CVE-2016-1572 to allowlist

Commit Message

Shinji Matsunaga March 11, 2022, 4:10 a.m. UTC
Patch for CVE-2016-1572 is applied in version 109.

Signed-off-by: matsunaga-shinji <shin.matsunaga@fujitsu.com>
---
 recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb | 3 +++
 1 file changed, 3 insertions(+)

Comments

Khem Raj March 11, 2022, 5:04 a.m. UTC | #1
I guess this belongs to meta-security, please prefix the patch subject
with layer name [meta-security] in this case.

On Thu, Mar 10, 2022 at 8:14 PM Matsunaga-Shinji
<shin.matsunaga@fujitsu.com> wrote:
>
> Patch for CVE-2016-1572 is applied in version 109.
>
> Signed-off-by: matsunaga-shinji <shin.matsunaga@fujitsu.com>
> ---
>  recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> index 9aefc32..d98724c 100644
> --- a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> +++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> @@ -68,3 +68,6 @@ FILES:${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
>
>  RDEPENDS:${PN} += "cryptsetup"
>  RRECOMMENDS:${PN} = "gettext-runtime"
> +
> +# Patch for CVE-2016-1572 is applied in version 109.
> +CVE_CHECK_IGNORE += "CVE-2016-1572"
> --
> 2.25.1
>
Marta Rybczynska March 11, 2022, 5:26 a.m. UTC | #2
On Fri, Mar 11, 2022, 05:14 Matsunaga-Shinji <shin.matsunaga@fujitsu.com>
wrote:

> Patch for CVE-2016-1572 is applied in version 109.
>
> Signed-off-by: matsunaga-shinji <shin.matsunaga@fujitsu.com>
> ---
>  recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> index 9aefc32..d98724c 100644
> --- a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> +++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> @@ -68,3 +68,6 @@ FILES:${PN} += "${base_libdir}/security/*
> ${base_libdir}/ecryptfs/*"
>
>  RDEPENDS:${PN} += "cryptsetup"
>  RRECOMMENDS:${PN} = "gettext-runtime"
> +
> +# Patch for CVE-2016-1572 is applied in version 109.
> +CVE_CHECK_IGNORE += "CVE-2016-1572"
>

Wouldn't it be better to report this to the NVD and do the fix in the
database instead?

Regards
Marta

Shinji Matsunaga March 24, 2022, 1:06 a.m. UTC | #3
Thank you for your comment.

I sent a mail to NVD with a database modification request, and it has been approved.

NVD has made the appropriate modifications to reflect that the affected versions are up to (excluding) 109.

So we can confirm that the website has changed. The same goes for the data feeds.
https://nvd.nist.gov/vuln/detail/CVE-2016-1572

Regards
Shinji


From: Marta Rybczynska <rybczynska@gmail.com>
Sent: Friday, March 11, 2022 2:27 PM
To: Matsunaga, Shinji/松永 慎司 <shin.matsunaga@fujitsu.com>
Cc: OpenEmbedded Devel List <openembedded-devel@lists.openembedded.org>
Subject: Re: [oe] [PATCH] ecryptfs-utils: add CVE-2016-1572 to allowlist


On Fri, Mar 11, 2022, 05:14 Matsunaga-Shinji <shin.matsunaga@fujitsu.com> wrote:
Patch for CVE-2016-1572 is applied in version 109.

Signed-off-by: matsunaga-shinji <shin.matsunaga@fujitsu.com>
---
 recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb<http://ecryptfs-utils_111.bb> b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb<http://ecryptfs-utils_111.bb>
index 9aefc32..d98724c 100644
--- a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb<http://ecryptfs-utils_111.bb>
+++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb<http://ecryptfs-utils_111.bb>
@@ -68,3 +68,6 @@ FILES:${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"

 RDEPENDS:${PN} += "cryptsetup"
 RRECOMMENDS:${PN} = "gettext-runtime"
+
+# Patch for CVE-2016-1572 is applied in version 109.
+CVE_CHECK_IGNORE += "CVE-2016-1572"

Wouldn't it be better to report this to the NVD and do the fix in the database instead?

Regards
Marta

Patch

diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index 9aefc32..d98724c 100644
--- a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -68,3 +68,6 @@  FILES:${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
 
 RDEPENDS:${PN} += "cryptsetup"
 RRECOMMENDS:${PN} = "gettext-runtime"
+
+# Patch for CVE-2016-1572 is applied in version 109.
+CVE_CHECK_IGNORE += "CVE-2016-1572"
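
Review bot: The comment above CVE_CHECK_IGNORE only says the fix landed in version 109; it does not say why the checker still reports the CVE against this 111 recipe, so a later maintainer cannot tell when the entry can be dropped. Suggest stating the cause in the comment (the NVD record's affected-version range did not stop at 109). The follow-up in this thread reports that NVD now lists the affected versions as up to (excluding) 109, so please also confirm against the updated data whether the ignore entry is still needed before it is merged, since an unconditional ignore keeps suppressing CVE-2016-1572 for this recipe regardless of what the database says.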