| Message ID | 20251104193437.1797870-2-ankur.tyagi85@gmail.com |
|---|---|
| State | Under Review |
| Series | [meta-oe,1/2] redis: upgrade 7.2.11 -> 7.2.12 |
On 11/4/25 20:34, Ankur Tyagi via lists.openembedded.org wrote: > From: Ankur Tyagi <ankur.tyagi85@gmail.com> > > Fixes for CVE 46817[1], 46818[2], 47819[3] are included in the used version > [1] https://github.com/redis/redis/commit/fc282edb61b56e7fe1e6bacf9400252145852fdc > [2] https://github.com/redis/redis/commit/dccb672d838f05c940f040c27b74fde6fb47b2a7 > [3] https://github.com/redis/redis/commit/2802b52b554cb9f0f249a24474c9fba94e933dbb > > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> > --- > meta-oe/recipes-extended/redis/redis_7.2.12.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta-oe/recipes-extended/redis/redis_7.2.12.bb b/meta-oe/recipes-extended/redis/redis_7.2.12.bb > index 9016254731..6527fb6996 100644 > --- a/meta-oe/recipes-extended/redis/redis_7.2.12.bb > +++ b/meta-oe/recipes-extended/redis/redis_7.2.12.bb 
> @@ -23,6 +23,9 @@ RPROVIDES:${PN} = "virtual-redis" > > CVE_STATUS[CVE-2025-21605] = "cpe-incorrect: the used version already contains the fix" > CVE_STATUS[CVE-2025-27151] = "cpe-incorrect: the used version already contains the fix" > +CVE_STATUS[CVE-2025-46817] = "cpe-incorrect: the used version already contains the fix" > +CVE_STATUS[CVE-2025-46818] = "cpe-incorrect: the used version already contains the fix" > +CVE_STATUS[CVE-2025-46819] = "cpe-incorrect: the used version already contains the fix"

I have submitted this yesterday, but why I'm writing this is because "cpe-incorrect" is not appropriate status for this - cpe-incorrect is for cases when the actual CVE is for a completely different software than the one built by the recipe: https://git.openembedded.org/openembedded-core/tree/meta/conf/cve-check-map.conf - this also determines how it shows up in the final CVE report when someone runs the cve checker. "cpe-incorrect" is marked as "ignored", instead of the more appropriate "patched" status.

> > inherit pkgconfig update-rc.d systemd useradd
On Wed, Nov 5, 2025 at 9:07 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote: > > On 11/4/25 20:34, Ankur Tyagi via lists.openembedded.org wrote: > > From: Ankur Tyagi <ankur.tyagi85@gmail.com> > > > > Fixes for CVE 46817[1], 46818[2], 47819[3] are included in the used version > > [1] https://github.com/redis/redis/commit/fc282edb61b56e7fe1e6bacf9400252145852fdc > > [2] https://github.com/redis/redis/commit/dccb672d838f05c940f040c27b74fde6fb47b2a7 > > [3] https://github.com/redis/redis/commit/2802b52b554cb9f0f249a24474c9fba94e933dbb > > > > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> > > --- > > meta-oe/recipes-extended/redis/redis_7.2.12.bb | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/meta-oe/recipes-extended/redis/redis_7.2.12.bb b/meta-oe/recipes-extended/redis/redis_7.2.12.bb > > index 9016254731..6527fb6996 100644 > > --- a/meta-oe/recipes-extended/redis/redis_7.2.12.bb > > +++ b/meta-oe/recipes-extended/redis/redis_7.2.12.bb 
> > @@ -23,6 +23,9 @@ RPROVIDES:${PN} = "virtual-redis" > > > > CVE_STATUS[CVE-2025-21605] = "cpe-incorrect: the used version already contains the fix" > > CVE_STATUS[CVE-2025-27151] = "cpe-incorrect: the used version already contains the fix" > > +CVE_STATUS[CVE-2025-46817] = "cpe-incorrect: the used version already contains the fix" > > +CVE_STATUS[CVE-2025-46818] = "cpe-incorrect: the used version already contains the fix" > > +CVE_STATUS[CVE-2025-46819] = "cpe-incorrect: the used version already contains the fix"

> I have submitted this yesterday, but why I'm writing this is because "cpe-incorrect" is not appropriate status for this - cpe-incorrect is for cases when the actual CVE is for a completely different software than the one built by the recipe: https://git.openembedded.org/openembedded-core/tree/meta/conf/cve-check-map.conf - this also determines how it shows up in the final CVE report when someone runs the cve checker. "cpe-incorrect" is marked as "ignored", instead of the more appropriate "patched" status.

Got it, thanks for the explanation.

> > > > > inherit pkgconfig update-rc.d systemd useradd
diff --git a/meta-oe/recipes-extended/redis/redis_7.2.12.bb b/meta-oe/recipes-extended/redis/redis_7.2.12.bb index 9016254731..6527fb6996 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.12.bb @@ -23,6 +23,9 @@ RPROVIDES:${PN} = "virtual-redis" CVE_STATUS[CVE-2025-21605] = "cpe-incorrect: the used version already contains the fix" CVE_STATUS[CVE-2025-27151] = "cpe-incorrect: the used version already contains the fix" +CVE_STATUS[CVE-2025-46817] = "cpe-incorrect: the used version already contains the fix" +CVE_STATUS[CVE-2025-46818] = "cpe-incorrect: the used version already contains the fix" +CVE_STATUS[CVE-2025-46819] = "cpe-incorrect: the used version already contains the fix" inherit pkgconfig update-rc.d systemd useradd
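Review bot: The three added CVE_STATUS lines use the "cpe-incorrect" status while their own reason text says "the used version already contains the fix", so the status and its justification disagree. As raised in the thread, cpe-incorrect is meant for CVEs that belong to different software than the recipe builds and is reported as "ignored"; choose a status from cve-check-map.conf that is reported as "patched" for CVE-2025-46817, CVE-2025-46818 and CVE-2025-46819. The two context lines above them (CVE-2025-21605, CVE-2025-27151) carry the same mismatch and could be corrected in the same change. The commit message also lists the third CVE as 47819 while the hunk adds CVE-2025-46819; the two should agree.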