diff mbox series

[2/2] audit: Add linux_audit to CVE_PRODUCT

Message ID 20240717063948.18385-1-shin.matsunaga@fujitsu.com
State Under Review
Headers show
Series [1/2] audit: Fix CVE_PRODUCT | expand

Commit Message

Shinji Matsunaga July 17, 2024, 6:39 a.m. UTC
linux_audit is also a valid CVE_PRODUCT for audit,
e.g., https://nvd.nist.gov/vuln/detail/CVE-2015-5186.

Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
Signed-off-by: Shunsuke Tokumoto <s-tokumoto@fujitsu.com>
---
 meta-oe/recipes-security/audit/audit_4.0.1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Marta Rybczynska July 17, 2024, 11:57 a.m. UTC | #1
On Wed, Jul 17, 2024 at 8:39 AM Matsunaga-Shinji via lists.openembedded.org
<shin.matsunaga=fujitsu.com@lists.openembedded.org> wrote:

> linux_audit is also a valid CVE_PRODUCT for audit,
> e.g., https://nvd.nist.gov/vuln/detail/CVE-2015-5186.
>
> Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
> Signed-off-by: Shunsuke Tokumoto <s-tokumoto@fujitsu.com>
> ---
>  meta-oe/recipes-security/audit/audit_4.0.1.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta-oe/recipes-security/audit/audit_4.0.1.bb
> b/meta-oe/recipes-security/audit/audit_4.0.1.bb
> index bd8f8cc31..0b5857cbf 100644
> --- a/meta-oe/recipes-security/audit/audit_4.0.1.bb
> +++ b/meta-oe/recipes-security/audit/audit_4.0.1.bb
> @@ -102,4 +102,4 @@ do_install:append() {
>      install -d -m 0700 ${D}${localstatedir}/spool/audit
>  }
>
> -CVE_PRODUCT = "linux:audit"
> +CVE_PRODUCT = "linux:audit linux_audit"
>

Hello,
I think it will be better to put linux_audit_project:linux_audit

What do you think?

Kind regards,
Marta
Shinji Matsunaga July 18, 2024, 4:38 a.m. UTC | #2
Hello,
Are not there any vulnerabilities where the vendor is other than linux_audit_project?

Kind regards,
Shinji
From: Marta Rybczynska <rybczynska@gmail.com>
Sent: Wednesday, July 17, 2024 8:57 PM
To: Matsunaga, Shinji/松永 慎司 <shin.matsunaga@fujitsu.com>
Cc: raj.khem@gmail.com; openembedded-devel@lists.openembedded.org; Tokumoto, Shunsuke/徳本 俊介 <s-tokumoto@fujitsu.com>
Subject: Re: [oe] [PATCH 2/2] audit: Add linux_audit to CVE_PRODUCT



On Wed, Jul 17, 2024 at 8:39 AM Matsunaga-Shinji via lists.openembedded.org<http://lists.openembedded.org> <shin.matsunaga=fujitsu.com@lists.openembedded.org<mailto:fujitsu.com@lists.openembedded.org>> wrote:
linux_audit is also a valid CVE_PRODUCT for audit,
e.g., https://nvd.nist.gov/vuln/detail/CVE-2015-5186.

Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com<mailto:shin.matsunaga@fujitsu.com>>
Signed-off-by: Shunsuke Tokumoto <s-tokumoto@fujitsu.com<mailto:s-tokumoto@fujitsu.com>>
---
 meta-oe/recipes-security/audit/audit_4.0.1.bb<http://audit_4.0.1.bb> | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-security/audit/audit_4.0.1.bb<http://audit_4.0.1.bb> b/meta-oe/recipes-security/audit/audit_4.0.1.bb<http://audit_4.0.1.bb>
index bd8f8cc31..0b5857cbf 100644
--- a/meta-oe/recipes-security/audit/audit_4.0.1.bb<http://audit_4.0.1.bb>
+++ b/meta-oe/recipes-security/audit/audit_4.0.1.bb<http://audit_4.0.1.bb>
@@ -102,4 +102,4 @@ do_install:append() {
     install -d -m 0700 ${D}${localstatedir}/spool/audit
 }

-CVE_PRODUCT = "linux:audit"
+CVE_PRODUCT = "linux:audit linux_audit"

Hello,
I think it will be better to put linux_audit_project:linux_audit

What do you think?

Kind regards,
Marta
Marta Rybczynska July 18, 2024, 5:23 a.m. UTC | #3
Hello,
I am not aware of any CVE in the linux_audit project since 2018. There are
fixes that are well worth a CVE in my opinion (even from this year). My
suggestion is more to be future-proof. The name is generic and there will
be a project with a similar name getting a CVE one day.

Kind regards,
Marta

On Thu, Jul 18, 2024 at 6:38 AM Shinji Matsunaga (Fujitsu) <
shin.matsunaga@fujitsu.com> wrote:

> Hello,
>
> Are not there any vulnerabilities where the vendor is other than
> linux_audit_project?
>
>
>
> Kind regards,
>
> Shinji
>
> *From:* Marta Rybczynska <rybczynska@gmail.com>
> *Sent:* Wednesday, July 17, 2024 8:57 PM
> *To:* Matsunaga, Shinji/松永 慎司 <shin.matsunaga@fujitsu.com>
> *Cc:* raj.khem@gmail.com; openembedded-devel@lists.openembedded.org;
> Tokumoto, Shunsuke/徳本 俊介 <s-tokumoto@fujitsu.com>
> *Subject:* Re: [oe] [PATCH 2/2] audit: Add linux_audit to CVE_PRODUCT
>
>
>
>
>
>
>
> On Wed, Jul 17, 2024 at 8:39 AM Matsunaga-Shinji via
> lists.openembedded.org <shin.matsunaga=fujitsu.com@lists.openembedded.org>
> wrote:
>
> linux_audit is also a valid CVE_PRODUCT for audit,
> e.g., https://nvd.nist.gov/vuln/detail/CVE-2015-5186.
>
> Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
> Signed-off-by: Shunsuke Tokumoto <s-tokumoto@fujitsu.com>
> ---
>  meta-oe/recipes-security/audit/audit_4.0.1.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta-oe/recipes-security/audit/audit_4.0.1.bb
> b/meta-oe/recipes-security/audit/audit_4.0.1.bb
> index bd8f8cc31..0b5857cbf 100644
> --- a/meta-oe/recipes-security/audit/audit_4.0.1.bb
> +++ b/meta-oe/recipes-security/audit/audit_4.0.1.bb
> @@ -102,4 +102,4 @@ do_install:append() {
>      install -d -m 0700 ${D}${localstatedir}/spool/audit
>  }
>
> -CVE_PRODUCT = "linux:audit"
> +CVE_PRODUCT = "linux:audit linux_audit"
>
>
>
> Hello,
>
> I think it will be better to put linux_audit_project:linux_audit
>
>
>
> What do you think?
>
>
>
> Kind regards,
>
> Marta
>
diff mbox series

Patch

diff --git a/meta-oe/recipes-security/audit/audit_4.0.1.bb b/meta-oe/recipes-security/audit/audit_4.0.1.bb
index bd8f8cc31..0b5857cbf 100644
--- a/meta-oe/recipes-security/audit/audit_4.0.1.bb
+++ b/meta-oe/recipes-security/audit/audit_4.0.1.bb
@@ -102,4 +102,4 @@  do_install:append() {
     install -d -m 0700 ${D}${localstatedir}/spool/audit
 }
 
-CVE_PRODUCT = "linux:audit"
+CVE_PRODUCT = "linux:audit linux_audit"