Message ID | 20240307092113.3674886-1-soumya.sambu@windriver.com |
---|---|
State | New |
Series | [meta-oe,kirkstone,1/1] openvpn: ignore CVE-2023-7235 |
Hi,

On Thu, 7 Mar 2024 at 10:21, Soumya via lists.openembedded.org <soumya.sambu=windriver.com@lists.openembedded.org> wrote:

> From: Soumya Sambu <soumya.sambu@windriver.com>
>
> This CVE is related to OpenVPN 2.x GUI on Windows.
>
> References:
> https://community.openvpn.net/openvpn/wiki/CVE-2023-7235
> https://security-tracker.debian.org/tracker/CVE-2023-7235
>
> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> ---
> meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb > b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb > index 218e72b7a..828cd5033 100644 > --- a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb > +++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
> @@ -19,6 +19,9 @@ SRC_URI[sha256sum] = > "333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c532 > # CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not > for openvpn. > CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569" > > +# CVE-2023-7235 is specific to Windows platform > +CVE_CHECK_IGNORE += "CVE-2023-7235" >

That's weird, this CVE does not appear as applicable either locally for me or on the AB: https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-kirkstone.txt

Did you do something specific to see this CVE?

> + > SYSTEMD_SERVICE:${PN} += "openvpn@loopback-server.service > openvpn@loopback-client.service" > SYSTEMD_AUTO_ENABLE = "disable" > > -- > 2.40.0
Hi Yoann,

This is because OE's cve-checker uses the configuration field to check. If a CVE lacks such a field, it's not on the list.

https://nvd.nist.gov/vuln/detail/CVE-2023-7235

Regards,
Qi

On 3/7/24 21:49, Yoann Congal wrote:
> Hi,
>
> On Thu, 7 Mar 2024 at 10:21, Soumya via lists.openembedded.org <soumya.sambu=windriver.com@lists.openembedded.org> wrote:
>
> From: Soumya Sambu <soumya.sambu@windriver.com>
>
> This CVE is related to OpenVPN 2.x GUI on Windows.
>
> References:
> https://community.openvpn.net/openvpn/wiki/CVE-2023-7235
> https://security-tracker.debian.org/tracker/CVE-2023-7235
>
> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> ---
> meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb | 3 +++
> 1 file changed, 3 insertions(+)
> > diff --git > a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb > b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb > index 218e72b7a..828cd5033 100644 > --- a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb > +++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
> @@ -19,6 +19,9 @@ SRC_URI[sha256sum] = > "333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c532 > # CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN > client, not for openvpn. > CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569" > > +# CVE-2023-7235 is specific to Windows platform > +CVE_CHECK_IGNORE += "CVE-2023-7235"
>
> That's weird, this CVE does not appear as applicable either locally for me or on the AB:
> https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-kirkstone.txt
> Did you do something specific to see this CVE?
>
> + > SYSTEMD_SERVICE:${PN} += "openvpn@loopback-server.service > openvpn@loopback-client.service" > SYSTEMD_AUTO_ENABLE = "disable" > > -- > 2.40.0
>
> --
> Yoann Congal
> Smile ECS - Tech expert
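The behaviour described in the reply above, as an added example that is not part of the thread and is not OE's cve-check code: a simplified model of a checker that ties CVEs to recipes through the configuration (CPE) data of each record. Assumptions: the field names follow the NVD API 2.0 JSON, version ranges are left out, and the CVE ids, the `examplevendor` product and the function names are constructed.

```python
# Simplified model of CPE-based matching; NOT OE's cve-check implementation.
# All records below are constructed sample data.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*"}]}]}]},
    # Published without any configuration data.
    {"id": "CVE-0000-0002"},
    {"id": "CVE-0000-0003", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:examplevendor:vpn_client:*:*:*:*:*:*:*:*"}]}]}]},
    {"id": "CVE-0000-0004", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*"}]}]}]},
]


def cpe_products(record):
    """Return the set of (vendor, product) pairs a record marks vulnerable."""
    found = set()
    for config in record.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    # cpe:2.3:<part>:<vendor>:<product>:<version>:...
                    fields = match["criteria"].split(":")
                    found.add((fields[3], fields[4]))
    return found


def classify(records, vendor, product, ignore_list):
    """Sort CVE ids into what a product-keyed checker shows for one recipe."""
    out = {"reported": [], "ignored": [], "no_configuration": []}
    for rec in records:
        products = cpe_products(rec)
        if not products:
            # Nothing ties this CVE to any product, so no recipe ever lists it.
            out["no_configuration"].append(rec["id"])
        elif (vendor, product) in products:
            key = "ignored" if rec["id"] in ignore_list else "reported"
            out[key].append(rec["id"])
    return out


if __name__ == "__main__":
    print(classify(SAMPLE_RECORDS, "openvpn", "openvpn", {"CVE-0000-0004"}))
```

A record in the `no_configuration` bucket is absent from the report whether or not it is on the ignore list, so absence from the report says nothing about whether the CVE was triaged.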
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb index 218e72b7a..828cd5033 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb @@ -19,6 +19,9 @@ SRC_URI[sha256sum] = "333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c532 # CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569" +# CVE-2023-7235 is specific to Windows platform +CVE_CHECK_IGNORE += "CVE-2023-7235" + SYSTEMD_SERVICE:${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" SYSTEMD_AUTO_ENABLE = "disable"
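Review bot: The added comment "# CVE-2023-7235 is specific to Windows platform" gives a weaker justification than the commit message, which says the CVE concerns the OpenVPN 2.x GUI on Windows, and than the neighbouring comment for CVE-2020-7224 and CVE-2020-27569, which names the product those CVEs actually belong to. Suggest naming the component in the comment, for example "# CVE-2023-7235 is for the OpenVPN 2.x GUI on Windows, not for this recipe", and carrying one of the reference URLs from the commit message so the reason for the ignore can be checked from the recipe itself.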