Message ID | 20240717063948.18385-1-shin.matsunaga@fujitsu.com |
---|---|
State | Under Review |
Series | [1/2] audit: Fix CVE_PRODUCT |
On Wed, Jul 17, 2024 at 8:39 AM Matsunaga-Shinji via lists.openembedded.org <shin.matsunaga=fujitsu.com@lists.openembedded.org> wrote:

> linux_audit is also a valid CVE_PRODUCT for audit,
> e.g., https://nvd.nist.gov/vuln/detail/CVE-2015-5186.
>
> Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
> Signed-off-by: Shunsuke Tokumoto <s-tokumoto@fujitsu.com>
> ---
> meta-oe/recipes-security/audit/audit_4.0.1.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta-oe/recipes-security/audit/audit_4.0.1.bb > b/meta-oe/recipes-security/audit/audit_4.0.1.bb > index bd8f8cc31..0b5857cbf 100644 > --- a/meta-oe/recipes-security/audit/audit_4.0.1.bb > +++ b/meta-oe/recipes-security/audit/audit_4.0.1.bb > @@ -102,4 +102,4 @@ do_install:append() { > install -d -m 0700 ${D}${localstatedir}/spool/audit > } > > -CVE_PRODUCT = "linux:audit" > +CVE_PRODUCT = "linux:audit linux_audit"

Hello,

I think it will be better to put linux_audit_project:linux_audit

What do you think?

Kind regards,
Marta
Hello,

Are not there any vulnerabilities where the vendor is other than linux_audit_project?

Kind regards,
Shinji

From: Marta Rybczynska <rybczynska@gmail.com>
Sent: Wednesday, July 17, 2024 8:57 PM
To: Matsunaga, Shinji/松永 慎司 <shin.matsunaga@fujitsu.com>
Cc: raj.khem@gmail.com; openembedded-devel@lists.openembedded.org; Tokumoto, Shunsuke/徳本 俊介 <s-tokumoto@fujitsu.com>
Subject: Re: [oe] [PATCH 2/2] audit: Add linux_audit to CVE_PRODUCT

On Wed, Jul 17, 2024 at 8:39 AM Matsunaga-Shinji via lists.openembedded.org <shin.matsunaga=fujitsu.com@lists.openembedded.org> wrote:

linux_audit is also a valid CVE_PRODUCT for audit,
e.g., https://nvd.nist.gov/vuln/detail/CVE-2015-5186.

Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
Signed-off-by: Shunsuke Tokumoto <s-tokumoto@fujitsu.com>
---
meta-oe/recipes-security/audit/audit_4.0.1.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-security/audit/audit_4.0.1.bb<http://audit_4.0.1.bb> b/meta-oe/recipes-security/audit/audit_4.0.1.bb<http://audit_4.0.1.bb> index bd8f8cc31..0b5857cbf 100644 --- a/meta-oe/recipes-security/audit/audit_4.0.1.bb<http://audit_4.0.1.bb> +++ b/meta-oe/recipes-security/audit/audit_4.0.1.bb<http://audit_4.0.1.bb> @@ -102,4 +102,4 @@ do_install:append() { install -d -m 0700 ${D}${localstatedir}/spool/audit } -CVE_PRODUCT = "linux:audit" +CVE_PRODUCT = "linux:audit linux_audit"

Hello,

I think it will be better to put linux_audit_project:linux_audit

What do you think?

Kind regards,
Marta
Hello,

I am not aware of any CVE in the linux_audit project since 2018. There are fixes that are well worth a CVE in my opinion (even from this year).

My suggestion is more to be future-proof. The name is generic and there will be a project with a similar name getting a CVE one day.

Kind regards,
Marta

On Thu, Jul 18, 2024 at 6:38 AM Shinji Matsunaga (Fujitsu) <shin.matsunaga@fujitsu.com> wrote:

> Hello,
>
> Are not there any vulnerabilities where the vendor is other than
> linux_audit_project?
>
> Kind regards,
>
> Shinji
>
> *From:* Marta Rybczynska <rybczynska@gmail.com>
> *Sent:* Wednesday, July 17, 2024 8:57 PM
> *To:* Matsunaga, Shinji/松永 慎司 <shin.matsunaga@fujitsu.com>
> *Cc:* raj.khem@gmail.com; openembedded-devel@lists.openembedded.org;
> Tokumoto, Shunsuke/徳本 俊介 <s-tokumoto@fujitsu.com>
> *Subject:* Re: [oe] [PATCH 2/2] audit: Add linux_audit to CVE_PRODUCT
>
> On Wed, Jul 17, 2024 at 8:39 AM Matsunaga-Shinji via
> lists.openembedded.org <shin.matsunaga=fujitsu.com@lists.openembedded.org>
> wrote:
>
> linux_audit is also a valid CVE_PRODUCT for audit,
> e.g., https://nvd.nist.gov/vuln/detail/CVE-2015-5186.
>
> Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
> Signed-off-by: Shunsuke Tokumoto <s-tokumoto@fujitsu.com>
> ---
> meta-oe/recipes-security/audit/audit_4.0.1.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta-oe/recipes-security/audit/audit_4.0.1.bb > b/meta-oe/recipes-security/audit/audit_4.0.1.bb > index bd8f8cc31..0b5857cbf 100644 > --- a/meta-oe/recipes-security/audit/audit_4.0.1.bb > +++ b/meta-oe/recipes-security/audit/audit_4.0.1.bb > @@ -102,4 +102,4 @@ do_install:append() { > install -d -m 0700 ${D}${localstatedir}/spool/audit > } > > -CVE_PRODUCT = "linux:audit" > +CVE_PRODUCT = "linux:audit linux_audit"
>
> Hello,
>
> I think it will be better to put linux_audit_project:linux_audit
>
> What do you think?
>
> Kind regards,
>
> Marta
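The vendor question discussed in this thread, as an added example that is not part of any message and not OpenEmbedded code: a simplified model of how `vendor:product` entries in `CVE_PRODUCT` select CVE records, assuming an entry without a vendor matches that product name under any vendor. The records, their IDs and the vendor `other_vendor` are constructed for illustration.

```python
# Simplified model of CVE_PRODUCT matching (added example, not the cve-check class).
# Assumption: an entry with no "vendor:" prefix matches the product under ANY vendor.

def parse_cve_product(value):
    """Split a CVE_PRODUCT string into (vendor, product) pairs; vendor None means any."""
    pairs = []
    for entry in value.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
        else:
            vendor, product = None, entry
        pairs.append((vendor, product))
    return pairs


def matching_cves(cve_product, records):
    """Return the sorted IDs of records selected by a CVE_PRODUCT value."""
    pairs = parse_cve_product(cve_product)
    hits = set()
    for cve_id, vendor, product in records:
        for want_vendor, want_product in pairs:
            if want_product == product and want_vendor in (None, vendor):
                hits.add(cve_id)
    return sorted(hits)


# Constructed records: (id, vendor, product). The IDs are placeholders, not real CVEs.
RECORDS = [
    ("CVE-EXAMPLE-0001", "linux", "audit"),
    ("CVE-EXAMPLE-0002", "linux_audit_project", "linux_audit"),
    ("CVE-EXAMPLE-0003", "other_vendor", "linux_audit"),  # unrelated project, same name
]

if __name__ == "__main__":
    for value in (
        "linux:audit",                                   # before the patch
        "linux:audit linux_audit",                       # as submitted
        "linux:audit linux_audit_project:linux_audit",   # as suggested in review
    ):
        print(f"{value!r:50} -> {matching_cves(value, RECORDS)}")
```

The submitted value picks up the unrelated `other_vendor` record as a false positive, while the vendor-qualified form selects only the two records that belong to audit.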
diff --git a/meta-oe/recipes-security/audit/audit_4.0.1.bb b/meta-oe/recipes-security/audit/audit_4.0.1.bb index bd8f8cc31..0b5857cbf 100644 --- a/meta-oe/recipes-security/audit/audit_4.0.1.bb +++ b/meta-oe/recipes-security/audit/audit_4.0.1.bb @@ -102,4 +102,4 @@ do_install:append() { install -d -m 0700 ${D}${localstatedir}/spool/audit } -CVE_PRODUCT = "linux:audit" +CVE_PRODUCT = "linux:audit linux_audit"
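Review bot: the `linux_audit` entry added on the `+CVE_PRODUCT` line has no vendor part, while the existing `linux:audit` entry is vendor-qualified. A bare product name is matched under any vendor, so a CVE filed against an unrelated product that is also called `linux_audit` would be reported against this recipe. Consider `CVE_PRODUCT = "linux:audit linux_audit_project:linux_audit"`, as proposed in the thread, and state in the commit message the vendor under which CVE-2015-5186 is listed so the choice can be checked.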