From patchwork Fri May 5 11:18:14 2023 X-Patchwork-Submitter: Andrej Valek X-Patchwork-Id: 23420
From: Andrej Valek To: CC: Andrej Valek Subject: [OE-core][PATCH] cve-check: add option to add additional patched CVEs Date: Fri, 5 May 2023 13:18:14 +0200 Message-ID: <20230505111814.491483-1-andrej.valek@siemens.com> X-Mailer: git-send-email 2.40.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180911 CVE_CHECK_PATCHED - should contain additional CVEs which have been fixed and shouldn't be marked as vulnerable nor ignored. Signed-off-by: Andrej Valek --- meta/classes/cve-check.bbclass | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index bd9e7e7445c..957ea0130dc 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= "" # CVE_CHECK_IGNORE ?= "" +# Usually a CVE gets treated as patched when a patch with the name of the CVE +# gets applied. Basically this variable should not be used. But if there are +# other reasons to mark a CVE as patched it can be added to this list. +CVE_CHECK_PATCHED ?= "" + # Layers to be excluded CVE_CHECK_LAYER_EXCLUDELIST ??= ""
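Review bot: the comment introducing CVE_CHECK_PATCHED says "Basically this variable should not be used" but gives no criterion for when it is legitimate, and nothing records why a listed CVE counts as patched, so a reader of the resulting report cannot tell a real backport from a silenced finding. Suggest stating in the comment what evidence is expected (for example a fix carried by a patch whose file name does not contain the CVE id, or a fix already contained in the upstream release) and adding the variable to the documentation next to CVE_CHECK_IGNORE, which sits directly above it in this hunk.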
@@ -284,6 +289,9 @@ def check_cves(d, patched_cves): cve_ignore = d.getVar("CVE_CHECK_IGNORE").split() + # add additional patched CVEs into existing patched list + patched_cves.update(d.getVar("CVE_CHECK_PATCHED").split()) + import sqlite3 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") conn = sqlite3.connect(db_file, uri=True)
From patchwork Fri May 19 06:24:19 2023 X-Patchwork-Submitter: Andrej Valek X-Patchwork-Id: 24176
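Review bot: on the check_cves hunk in cve-check.bbclass (the [PATCH] above, not the v3 series that follows), patched_cves.update(d.getVar("CVE_CHECK_PATCHED").split()) accepts any whitespace-separated token without checking that it looks like a CVE id, so a typo such as a dropped digit silently adds a string that matches nothing while the intended CVE stays reported as vulnerable. Suggest validating each token against the CVE-YYYY-NNNN form and warning on mismatches. The hunk also leaves the precedence between an id listed both in CVE_CHECK_IGNORE (read on the line just above) and in CVE_CHECK_PATCHED undefined; document which status wins, or warn when both lists name the same id.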
From: Andrej Valek To: CC: , Andrej Valek Subject: [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Date: Fri, 19 May 2023 08:24:19 +0200 Message-ID: <20230519062420.37015-2-andrej.valek@siemens.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230505111814.491483-1-andrej.valek@siemens.com> References: <20230505111814.491483-1-andrej.valek@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/181532 - After introducing the CVE_STATUS_REASONING flag variable, CVEs could contain a reason for assigned statuses. - Add an example conversion in the logrotate recipe. Signed-off-by: Andrej Valek --- meta/lib/oeqa/selftest/cases/cve_check.py | 20 ++++++++++++++----- .../logrotate/logrotate_3.21.0.bb | 6 ++++-- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py index 9534c9775c8..ea37beba031 100644 --- a/meta/lib/oeqa/selftest/cases/cve_check.py +++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,28 @@ CVE_CHECK_REPORT_PATCHED = "1" self.assertEqual(len(report["package"]), 1) package = report["package"][0] self.assertEqual(package["name"], "logrotate") - found_cves = { issue["id"]: issue["status"] for issue in package["issue"]} + found_cves = {} + for issue in package["issue"]: + found_cves[issue["id"]] = { + "status" : issue["status"], + "reason" : issue["reason"] if "reason" in issue else "" + } # m4 CVE should not be in logrotate self.assertNotIn("CVE-2008-1687", found_cves) # logrotate has both Patched and Ignored CVEs self.assertIn("CVE-2011-1098", found_cves) - self.assertEqual(found_cves["CVE-2011-1098"], "Patched") + self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched") + self.assertEqual(len(found_cves["CVE-2011-1098"]["reason"]), 0) + reason = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used" self.assertIn("CVE-2011-1548", found_cves) - self.assertEqual(found_cves["CVE-2011-1548"], "Ignored") + self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored") + self.assertEqual(found_cves["CVE-2011-1548"]["reason"], reason) self.assertIn("CVE-2011-1549", found_cves) - self.assertEqual(found_cves["CVE-2011-1549"], "Ignored") + self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored") + self.assertEqual(found_cves["CVE-2011-1549"]["reason"], reason) self.assertIn("CVE-2011-1550", found_cves) - self.assertEqual(found_cves["CVE-2011-1550"], "Ignored") + self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored") + self.assertEqual(found_cves["CVE-2011-1550"]["reason"], reason) self.assertExists(summary_json) check_m4_json(summary_json) diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb index 87c0d9ae60f..633987ceed6 100644 --- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb +++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb 
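Review bot: in the loop over package["issue"], the expression issue["reason"] if "reason" in issue else "" is the long form of issue.get("reason", ""); the shorter call reads better and avoids the double lookup. The test also freezes the full reason text in reason = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used", so any rewording in logrotate_3.21.0.bb breaks the selftest even though the conversion it is meant to verify still works; consider asserting that the reason is non-empty and identical for the three Ignored ids, and keep the exact string comparison only if the wording is intended to be fixed.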
@@ -16,8 +16,10 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \ SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516" -# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used -CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550" +CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE" +CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550" +CVE_STATUS_RECIPE[status] = "Ignored" +CVE_STATUS_RECIPE[reason] = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used" PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
From patchwork Fri May 19 06:24:20 2023 X-Patchwork-Submitter: Andrej Valek X-Patchwork-Id: 24178
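Review bot: CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE" in the logrotate hunk is a plain assignment, which overwrites any group already registered in CVE_STATUS_GROUPS by a distro include or another layer (cve-extra-exclusions.inc, converted in 3/3 of this series, appends with +=); use += here too so that groups accumulate instead of replacing each other. Minor: the reason starts with "CVE is" although it covers three ids, while the removed comment said "These CVEs are"; pick the wording that reads correctly in the per-id report output.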
From: Andrej Valek To: CC: , Andrej Valek , "Peter Marko" Subject: [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Date: Fri, 19 May 2023 08:24:20 +0200 Message-ID: <20230519062420.37015-3-andrej.valek@siemens.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230505111814.491483-1-andrej.valek@siemens.com> References: <20230505111814.491483-1-andrej.valek@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/181533 - Try to convert and apply statuses for old CVEs
Signed-off-by: Andrej Valek Reviewed-by: Peter Marko --- .../distro/include/cve-extra-exclusions.inc | 281 +++++++++++------- meta/recipes-bsp/grub/grub2.inc | 9 +- meta/recipes-connectivity/avahi/avahi_0.8.bb | 4 +- .../recipes-connectivity/bind/bind_9.18.13.bb | 3 +- .../bluez5/bluez5_5.66.bb | 6 +- .../openssh/openssh_9.3p1.bb | 12 +- .../openssl/openssl_3.1.0.bb | 3 +- meta/recipes-core/coreutils/coreutils_9.1.bb | 3 +- meta/recipes-core/glibc/glibc_2.37.bb | 12 +- meta/recipes-core/libxml/libxml2_2.10.4.bb | 3 +- meta/recipes-core/systemd/systemd_253.3.bb | 4 +- meta/recipes-devtools/cmake/cmake.inc | 5 +- meta/recipes-devtools/flex/flex_2.6.4.bb | 3 +- meta/recipes-devtools/gcc/gcc-12.2.inc | 3 - meta/recipes-devtools/git/git_2.39.2.bb | 12 +- meta/recipes-devtools/jquery/jquery_3.6.3.bb | 6 +- .../recipes-devtools/python/python3_3.11.2.bb | 18 +- meta/recipes-devtools/qemu/qemu.inc | 13 +- meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 - meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 4 +- meta/recipes-extended/cpio/cpio_2.13.bb | 4 +- meta/recipes-extended/cups/cups.inc | 24 +- .../ghostscript/ghostscript_10.0.0.bb | 3 +- .../iputils/iputils_20221126.bb | 7 +- .../libtirpc/libtirpc_1.3.3.bb | 4 +- meta/recipes-extended/procps/procps_4.0.3.bb | 4 +- meta/recipes-extended/shadow/shadow_4.13.bb | 8 +- meta/recipes-extended/unzip/unzip_6.0.bb | 3 +- .../xinetd/xinetd_2.3.15.4.bb | 3 +- meta/recipes-extended/zip/zip_3.0.bb | 8 +- .../libnotify/libnotify_0.8.2.bb | 4 +- meta/recipes-gnome/librsvg/librsvg_2.54.5.bb | 4 +- meta/recipes-graphics/builder/builder_0.1.bb | 3 +- .../xorg-xserver/xserver-xorg.inc | 13 +- .../linux/cve-exclusion_6.1.inc | 14 +- .../libpng/libpng_1.6.39.bb | 4 +- meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 10 +- .../libgcrypt/libgcrypt_1.10.1.bb | 6 +- .../recipes-support/libxslt/libxslt_1.1.37.bb | 5 +- meta/recipes-support/lz4/lz4_1.9.4.bb | 4 +- meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 13 +- 41 files changed, 325 insertions(+), 
230 deletions(-) diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 0ca75bae3ef..1cb32db814d 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -19,7 +19,8 @@ # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 # CVE is more than 20 years old with no resolution evident # broken links in CVE database references make resolution impractical -CVE_CHECK_IGNORE += "CVE-2000-0006" +CVE_STATUS[CVE-2000-0006] = "Ignored" +CVE_STATUS_REASONING[CVE-2000-0006] = "CVE is more than 20 years old with no resolution evident." # epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238 # The issue here is spoofing of domain names using characters from other character sets. 
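Review bot: the new CVE_STATUS_REASONING[CVE-2000-0006] keeps only the first of the two justifications in the comment above it ("CVE is more than 20 years old with no resolution evident.") and drops "broken links in CVE database references make resolution impractical", so the machine-readable reason that reaches the report is weaker than the comment a human reads in the .inc file. Suggest folding both sentences into the reason, since the purpose of this conversion is to make the justification visible outside the file.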
@@ -28,31 +29,39 @@ CVE_CHECK_IGNORE += "CVE-2000-0006" # there is unlikely ever to be a single fix to webkit or epiphany which addresses this # problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further # we can seem to take. -CVE_CHECK_IGNORE += "CVE-2005-0238" +CVE_STATUS[CVE-2005-0238] = "Ignored" +CVE_STATUS_REASONING[CVE-2005-0238] = "There isn't any mitigation or fix or way to progress this further." # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756 # Issue is memory exhaustion via glob() calls, e.g. from within an ftp server # Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 # Upstream don't see it as a security issue, ftp servers shouldn't be passing # this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar -CVE_CHECK_IGNORE += "CVE-2010-4756" +CVE_STATUS[CVE-2010-4756] = "Ignored" +CVE_STATUS_REASONING[CVE-2010-4756] = "Upstream have no plans to add BSD's GLOB_LIMIT or similar." # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511 # The encoding/xml package in go can potentially be used for security exploits if not used correctly # CVE applies to a netapp product as well as flagging a general issue. We don't ship anything # exposing this interface in an exploitable way -CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511" +CVE_STATUS[CVE-2020-29509] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-29509] = "We don't ship anything exposing this interface in an exploitable way." +CVE_STATUS[CVE-2020-29511] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-29511] = "We don't ship anything exposing this interface in an exploitable way." # db # Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with # supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed. 
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \ +CVE_STATUS_GROUPS += "CVE_STATUS_DB" +CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \ CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \ CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \ CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" - +CVE_STATUS_DB[status] = "Ignored" +CVE_STATUS_DB[reason] = "Since Oracle relicensed bdb, the open source community is slowly but surely \ +replacing bdb with supported and open source friendly alternatives" # # Kernel CVEs, e.g. linux-yocto* 
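Review bot: CVE-2020-29509 and CVE-2020-29511 share one reason yet are written as two separate CVE_STATUS / CVE_STATUS_REASONING pairs, while the bdb block directly below introduces a CVE_STATUS_DB group with a single [status] and [reason] for exactly this case; use a group for the go pair as well so the reason is stated once. The CVE_STATUS_DB[reason] value also lacks the trailing period the other reasons in this file have, and the removed blank line before the "# Kernel CVEs" section header is an unrelated whitespace change.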
@@ -65,60 +74,77 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" # issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd # welcome than and then entries can likely be removed from here. # + +CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2019 CVE_STATUS_KERNEL_2020" # 1999-2010 -CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \ - CVE-2008-4609 CVE-2010-0298 CVE-2010-4563" +CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \ + CVE-2008-4609 CVE-2010-0298 CVE-2010-4563" +CVE_STATUS_KERNEL_2010[status] = "Ignored" + # 2011-2017 -CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \ - CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264" +CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \ + CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264" +CVE_STATUS_KERNEL_2017[status] = "Ignored" + # 2018 -CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \ - CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873 CVE-2018-6559" +CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \ + CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873 CVE-2018-6559" +CVE_STATUS_KERNEL_2018[status] = "Ignored" + # 2019 -CVE_CHECK_IGNORE += "CVE-2019-10126 CVE-2019-14899 CVE-2019-18910 CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887" +CVE_STATUS_KERNEL_2019 = "CVE-2019-10126 CVE-2019-14899 CVE-2019-18910 CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887" +CVE_STATUS_KERNEL_2019[status] = "Ignored" + # 2020 -CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 
CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834" +CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834" +CVE_STATUS_KERNEL_2020[status] = "Ignored" # https://nvd.nist.gov/vuln/detail/CVE-2020-27784 # Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9 -# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1 -# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3 -CVE_CHECK_IGNORE += "CVE-2020-27784" +# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1 +# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3 +CVE_STATUS[CVE-2020-27784] = "Patched" +CVE_STATUS_REASONING[CVE-2020-27784] = "Backported in version v5.4.73" # 2021 -CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \ - CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402" +CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2021" +CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \ + CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402" +CVE_STATUS_KERNEL_2021[status] = "Ignored" # https://nvd.nist.gov/vuln/detail/CVE-2021-3669 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9 -CVE_CHECK_IGNORE += "CVE-2021-3669" +CVE_STATUS[CVE-2021-3669] = "Patched" # https://nvd.nist.gov/vuln/detail/CVE-2021-3759 # Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996 # Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f # Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92 # Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196 -CVE_CHECK_IGNORE += 
"CVE-2021-3759" +CVE_STATUS[CVE-2021-3759] = "Patched" +CVE_STATUS_REASONING[CVE-2021-3759] = "Backported in versions v5.4.224 and v5.10.154" # https://nvd.nist.gov/vuln/detail/CVE-2021-4218 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469 -CVE_CHECK_IGNORE += "CVE-2021-4218" +CVE_STATUS[CVE-2021-4218] = "Patched" # 2022 -CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \ - CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \ - CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \ - CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \ - CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \ - CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \ - CVE-2022-29582 CVE-2022-29968" +CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2022" +CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \ + CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \ + CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \ + CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \ + CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \ + CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \ + CVE-2022-29582 CVE-2022-29968" +CVE_STATUS_KERNEL_2022[status] = "Ignored" # https://nvd.nist.gov/vuln/detail/CVE-2022-0480 # Introduced in version v2.6.12 
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042 -CVE_CHECK_IGNORE += "CVE-2022-0480" +CVE_STATUS[CVE-2022-0480] = "Patched" # https://nvd.nist.gov/vuln/detail/CVE-2022-1184 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -126,7 +152,8 @@ CVE_CHECK_IGNORE += "CVE-2022-0480" # Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064 # Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb # Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d -CVE_CHECK_IGNORE += "CVE-2022-1184" +CVE_STATUS[CVE-2022-1184] = "Patched" +CVE_STATUS_REASONING[CVE-2022-1184] = "Backported in versions v5.4.198, v5.10.121 and v5.15.46" # https://nvd.nist.gov/vuln/detail/CVE-2022-1462 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -134,7 +161,8 @@ CVE_CHECK_IGNORE += "CVE-2022-1184" # Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132 # Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29 -CVE_CHECK_IGNORE += "CVE-2022-1462" +CVE_STATUS[CVE-2022-1462] = "Patched" +CVE_STATUS_REASONING[CVE-2022-1462] = "Backported in versions v5.4.208, v5.10.134 and v5.15.58" # https://nvd.nist.gov/vuln/detail/CVE-2022-2196 # Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54 
@@ -144,19 +172,21 @@ CVE_CHECK_IGNORE += "CVE-2022-1462" # Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349 # Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35 # Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15 -CVE_CHECK_IGNORE += "CVE-2022-2196" +CVE_STATUS[CVE-2022-2196] = "Patched" +CVE_STATUS_REASONING[CVE-2022-2196] = "Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14" # https://nvd.nist.gov/vuln/detail/CVE-2022-2308 # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b # Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a # Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac -CVE_CHECK_IGNORE += "CVE-2022-2308" +CVE_STATUS[CVE-2022-2308] = "Patched" +CVE_STATUS_REASONING[CVE-2022-2308] = "Backported in versions v5.15.72 and v5.19.14" # https://nvd.nist.gov/vuln/detail/CVE-2022-2327 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859 -CVE_CHECK_IGNORE += "CVE-2022-2327" +CVE_STATUS[CVE-2022-2327] = "Patched" # https://nvd.nist.gov/vuln/detail/CVE-2022-2663 # Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008 
@@ -165,19 +195,22 @@ CVE_CHECK_IGNORE += "CVE-2022-2327" # Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca # Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4 # Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d -CVE_CHECK_IGNORE += "CVE-2022-2663" +CVE_STATUS[CVE-2022-2663] = "Patched" +CVE_STATUS_REASONING[CVE-2022-2663] = "Backported in versions v5.4.213, v5.10.143, v5.15.68 and v5.19.9" # https://nvd.nist.gov/vuln/detail/CVE-2022-2785 # Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74 # Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46 # Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd -CVE_CHECK_IGNORE += "CVE-2022-2785" +CVE_STATUS[CVE-2022-2785] = "Patched" +CVE_STATUS_REASONING[CVE-2022-2785] = "Backported in version v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3176 # Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58 # Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396 # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5 -CVE_CHECK_IGNORE += "CVE-2022-3176" +CVE_STATUS[CVE-2022-3176] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3176] = "Backported in version v5.15.65" # https://nvd.nist.gov/vuln/detail/CVE-2022-3424 # Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf @@ -186,7 +219,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3176" # Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c # Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106 # Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e -CVE_CHECK_IGNORE += "CVE-2022-3424" +CVE_STATUS[CVE-2022-3424] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3424] = "Backported in versions v5.4.229, v5.10.163, v5.15.86 and v6.1.2" # https://nvd.nist.gov/vuln/detail/CVE-2022-3435 # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82 
@@ -197,13 +231,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3424" # Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32 # Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e # Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133 -CVE_CHECK_IGNORE += "CVE-2022-3435" +CVE_STATUS[CVE-2022-3435] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3435] = "Backported in versions v5.4.226, v5.10.158 and v5.15.82" # https://nvd.nist.gov/vuln/detail/CVE-2022-3526 # Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d # Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442 # Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b -CVE_CHECK_IGNORE += "CVE-2022-3526" +CVE_STATUS[CVE-2022-3526] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3526] = "Backported in version v5.15.35" # https://nvd.nist.gov/vuln/detail/CVE-2022-3534 # Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59 
@@ -211,20 +247,23 @@ CVE_CHECK_IGNORE += "CVE-2022-3526" # Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8 # Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b # Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d -CVE_CHECK_IGNORE += "CVE-2022-3534" +CVE_STATUS[CVE-2022-3534] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3534] = "Backported in versions v5.10.163, v5.15.86 and v6.1.2" # https://nvd.nist.gov/vuln/detail/CVE-2022-3564 # Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060 # Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966 # Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569 # Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde -CVE_CHECK_IGNORE += "CVE-2022-3564" +CVE_STATUS[CVE-2022-3564] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3564] = "Backported in versions v5.10.154 and v5.15.78" # https://nvd.nist.gov/vuln/detail/CVE-2022-3619 # Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528 # Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42 # Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c -CVE_CHECK_IGNORE += "CVE-2022-3619" +CVE_STATUS[CVE-2022-3619] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3619] = "Backported in version v5.15.78" # https://nvd.nist.gov/vuln/detail/CVE-2022-3621 # Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184 
@@ -233,7 +272,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3619" # Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2 # Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55 # Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd -CVE_CHECK_IGNORE += "CVE-2022-3621" +CVE_STATUS[CVE-2022-3621] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3621] = "Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16" # https://nvd.nist.gov/vuln/detail/CVE-2022-3623 # Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8 @@ -242,12 +282,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3621" # Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850 # Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff # Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54 -CVE_CHECK_IGNORE += "CVE-2022-3623" +CVE_STATUS[CVE-2022-3623] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3623] = "Backported in versions v5.4.228, v5.10.159, v5.15.78 and v5.19.17" # https://nvd.nist.gov/vuln/detail/CVE-2022-3624 # Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e # Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971 -CVE_CHECK_IGNORE += "CVE-2022-3624" +CVE_STATUS[CVE-2022-3624] = "Patched" # https://nvd.nist.gov/vuln/detail/CVE-2022-3625 # Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0 
@@ -256,7 +297,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3624" # Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33 # Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301 # Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9 -CVE_CHECK_IGNORE += "CVE-2022-3625" +CVE_STATUS[CVE-2022-3625] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3625] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3629 # Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238 @@ -265,13 +307,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3625" # Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50 # Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795 # Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72 -CVE_CHECK_IGNORE += "CVE-2022-3629" +CVE_STATUS[CVE-2022-3629] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3629] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3630 # Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da # Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1 # Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b -CVE_CHECK_IGNORE += "CVE-2022-3630" +CVE_STATUS[CVE-2022-3630] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3630] = "Backported in version v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3633 # Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c 
@@ -280,7 +324,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3630" # Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027 # Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2 # Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de -CVE_CHECK_IGNORE += "CVE-2022-3633" +CVE_STATUS[CVE-2022-3633] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3633] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3635 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -289,12 +334,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3633" # Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e # Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4 # Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835 -CVE_CHECK_IGNORE += "CVE-2022-3635" +CVE_STATUS[CVE-2022-3635] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3635] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3636 # Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7 # Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6 -CVE_CHECK_IGNORE += "CVE-2022-3636" +CVE_STATUS[CVE-2022-3636] = "Patched" # https://nvd.nist.gov/vuln/detail/CVE-2022-3640 # Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0 
@@ -305,7 +351,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3636" # Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab # Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd # Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a -CVE_CHECK_IGNORE += "CVE-2022-3640" +CVE_STATUS[CVE-2022-3640] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3640] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78" # https://nvd.nist.gov/vuln/detail/CVE-2022-3646 # Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453 @@ -314,7 +361,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3640" # Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee # Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc # Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570 -CVE_CHECK_IGNORE += "CVE-2022-3646" +CVE_STATUS[CVE-2022-3646] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3646] = "Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16" # https://nvd.nist.gov/vuln/detail/CVE-2022-3649 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -323,7 +371,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3646" # Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652 # Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006 # Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4 -CVE_CHECK_IGNORE += "CVE-2022-3649" +CVE_STATUS[CVE-2022-3649] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3649] = "Backported in versions v5.4.220, v5.10.148, v5.15.74 and v5.19.16" # https://nvd.nist.gov/vuln/detail/CVE-2022-4382 # Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191 
@@ -332,7 +381,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3649" # Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4 # Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9 # Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3 -CVE_CHECK_IGNORE += "CVE-2022-4382" +CVE_STATUS[CVE-2022-4382] = "Patched" +CVE_STATUS_REASONING[CVE-2022-4382] = "Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8" # https://nvd.nist.gov/vuln/detail/CVE-2022-26365 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -340,7 +390,8 @@ CVE_CHECK_IGNORE += "CVE-2022-4382" # Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506 # Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1 # Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9 -CVE_CHECK_IGNORE += "CVE-2022-26365" +CVE_STATUS[CVE-2022-26365] = "Patched" +CVE_STATUS_REASONING[CVE-2022-26365] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53" # https://nvd.nist.gov/vuln/detail/CVE-2022-33740 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -348,7 +399,8 @@ CVE_CHECK_IGNORE += "CVE-2022-26365" # Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14 # Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404 # Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961 -CVE_CHECK_IGNORE += "CVE-2022-33740" +CVE_STATUS[CVE-2022-33740] = "Patched" +CVE_STATUS_REASONING[CVE-2022-33740] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53" # https://nvd.nist.gov/vuln/detail/CVE-2022-33741 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 
@@ -356,7 +408,8 @@ CVE_CHECK_IGNORE += "CVE-2022-33740" # Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd # Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca # Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49 -CVE_CHECK_IGNORE += "CVE-2022-33741" +CVE_STATUS[CVE-2022-33741] = "Patched" +CVE_STATUS_REASONING[CVE-2022-33741] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53" # https://nvd.nist.gov/vuln/detail/CVE-2022-33742 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -364,15 +417,17 @@ CVE_CHECK_IGNORE += "CVE-2022-33741" # Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997 # Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6 # Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3 -CVE_CHECK_IGNORE += "CVE-2022-33742" +CVE_STATUS[CVE-2022-33742] = "Patched" +CVE_STATUS_REASONING[CVE-2022-33742] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53" # https://nvd.nist.gov/vuln/detail/CVE-2022-42895 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e -# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422 -# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7 # Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89 -CVE_CHECK_IGNORE += "CVE-2022-42895" +# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7 +# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422 +CVE_STATUS[CVE-2022-42895] = "Patched" +CVE_STATUS_REASONING[CVE-2022-42895] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78" # https://nvd.nist.gov/vuln/detail/CVE-2022-42896 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 
@@ -380,7 +435,8 @@ CVE_CHECK_IGNORE += "CVE-2022-42895" # Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b # Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476 # Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a -CVE_CHECK_IGNORE += "CVE-2022-42896" +CVE_STATUS[CVE-2022-42896] = "Patched" +CVE_STATUS_REASONING[CVE-2022-42896] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78" # 2023 @@ -390,14 +446,16 @@ CVE_CHECK_IGNORE += "CVE-2022-42896" # Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa # Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3 # Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3 -CVE_CHECK_IGNORE += "CVE-2023-0179" +CVE_STATUS[CVE-2023-0179] = "Patched" +CVE_STATUS_REASONING[CVE-2023-0179] = "Backported in versions v5.10.164, v5.15.89 and v6.1.7" # https://nvd.nist.gov/vuln/detail/CVE-2023-0266 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e # Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c # Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1 -CVE_CHECK_IGNORE += "CVE-2023-0266" +CVE_STATUS[CVE-2023-0266] = "Patched" +CVE_STATUS_REASONING[CVE-2023-0266] = "Backported in versions v5.15.88 and v6.1.6" # https://nvd.nist.gov/vuln/detail/CVE-2023-0394 # Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251 
@@ -406,7 +464,8 @@ CVE_CHECK_IGNORE += "CVE-2023-0266" # Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5 # Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4 -CVE_CHECK_IGNORE += "CVE-2023-0394" +CVE_STATUS[CVE-2023-0394] = "Patched" +CVE_STATUS_REASONING[CVE-2023-0394] = "Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7" # https://nvd.nist.gov/vuln/detail/CVE-2023-0461 # Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578 
@@ -415,28 +474,32 @@ CVE_CHECK_IGNORE += "CVE-2023-0394" # Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0 # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6 # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c -CVE_CHECK_IGNORE += "CVE-2023-0461" +CVE_STATUS[CVE-2023-0461] = "Patched" +CVE_STATUS_REASONING[CVE-2023-0461] = "Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.7" # https://nvd.nist.gov/vuln/detail/CVE-2023-0386 # Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203 # Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3 -# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81 -# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e -CVE_CHECK_IGNORE += "CVE-2023-0386" +# Backported in version v5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e +# Backported in version v6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81 +CVE_STATUS[CVE-2023-0386] = "Patched" +CVE_STATUS_REASONING[CVE-2023-0386] = "Backported in versions v5.15.91 and v6.1.9" # https://nvd.nist.gov/vuln/detail/CVE-2023-1073 # Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5 # Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456 -# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58 -# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64 -# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d -CVE_CHECK_IGNORE += "CVE-2023-1073" +# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58 +# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64 +# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d +CVE_STATUS[CVE-2023-1073] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1073] = "Backported in versions v5.10.166, v5.15.91 and v6.1.9" # https://nvd.nist.gov/vuln/detail/CVE-2023-1074 # Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f 
-# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32 -# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3 -CVE_CHECK_IGNORE += "CVE-2023-1074" +# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32 +# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3 +CVE_STATUS[CVE-2023-1074] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1074] = "Backported in versions v5.15.91 and v6.1.9" # https://nvd.nist.gov/vuln/detail/CVE-2023-1076 # Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a 
@@ -445,19 +508,22 @@ CVE_CHECK_IGNORE += "CVE-2023-1074" # Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427 # Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44 # Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6 -CVE_CHECK_IGNORE += "CVE-2023-1076" +CVE_STATUS[CVE-2023-1076] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1076] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3" # https://nvd.nist.gov/vuln/detail/CVE-2023-1077 # Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97 -# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7 -# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3 -CVE_CHECK_IGNORE += "CVE-2023-1077" +# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7 +# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3 +CVE_STATUS[CVE-2023-1077] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1077] = "Backported in versions v5.15.99 and v6.1.16" # https://nvd.nist.gov/vuln/detail/CVE-2023-1078 # Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d -# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba -# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3 -CVE_CHECK_IGNORE += "CVE-2023-1078" +# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba +# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3 +CVE_STATUS[CVE-2023-1078] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1078] = "Backported in versions v5.15.94 and v6.1.12" # https://nvd.nist.gov/vuln/detail/CVE-2023-1079 # Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df 
@@ -466,7 +532,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1078" # Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138 # Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e # Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540 -CVE_CHECK_IGNORE += "CVE-2023-1079" +CVE_STATUS[CVE-2023-1079] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1079] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3" # https://nvd.nist.gov/vuln/detail/CVE-2023-1118 # Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6 @@ -476,7 +543,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1079" # Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28 # Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a # Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555 -CVE_CHECK_IGNORE += "CVE-2023-1118" +CVE_STATUS[CVE-2023-1118] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1118] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3" # https://nvd.nist.gov/vuln/detail/CVE-2023-1281 # Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6 @@ -484,7 +552,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1118" # Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4 # Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da # Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f -CVE_CHECK_IGNORE += "CVE-2023-1281" +CVE_STATUS[CVE-2023-1281] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1281] = "Backported in versions v5.10.169, v5.15.95 and v6.1.13" # https://nvd.nist.gov/vuln/detail/CVE-2023-1513 # Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952 
@@ -492,7 +561,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1281" # Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107 # Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8 # Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb -CVE_CHECK_IGNORE += "CVE-2023-1513" +CVE_STATUS[CVE-2023-1513] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1513] = "Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13" # https://nvd.nist.gov/vuln/detail/CVE-2023-1652 # Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd @@ -500,7 +570,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1513" # Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652 # Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652 -CVE_CHECK_IGNORE += "CVE-2023-1652" +CVE_STATUS[CVE-2023-1652] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1652] = "Backported in versions v5.15.91 and v6.1.9" # https://nvd.nist.gov/vuln/detail/CVE-2023-1829 # Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28 @@ -511,7 +582,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1652" # Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829 # Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829 -CVE_CHECK_IGNORE += "CVE-2023-1829" +CVE_STATUS[CVE-2023-1829] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1829] = "Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5" # https://nvd.nist.gov/vuln/detail/CVE-2023-23005 # Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b 
@@ -521,7 +593,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1829" # > in which a user can cause the alloc_memory_type error case to be reached. # See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2 # We can safely ignore it. -CVE_CHECK_IGNORE += "CVE-2023-23005" +CVE_STATUS[CVE-2023-23005] = "Patched" +CVE_STATUS_REASONING[CVE-2023-23005] = "Disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached." # https://nvd.nist.gov/vuln/detail/CVE-2023-28466 # Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 
@@ -529,31 +602,33 @@ CVE_CHECK_IGNORE += "CVE-2023-23005" # Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa # Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123 # Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce -CVE_CHECK_IGNORE += "CVE-2023-28466" +CVE_STATUS[CVE-2023-28466] = "Patched" +CVE_STATUS_REASONING[CVE-2023-28466] = "Backported in versions v5.15.105, v6.1.20 and v6.2.7" # Wrong CPE in NVD database # https://nvd.nist.gov/vuln/detail/CVE-2022-3563 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637 # Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git -CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637" +CVE_STATUS[CVE-2022-3563] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-3563] = "Wrong CPE in NVD database" +CVE_STATUS[CVE-2022-3637] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-3637] = "Wrong CPE in NVD database" # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html # qemu maintainers say the patch is incorrect and should not be applied -# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable -CVE_CHECK_IGNORE += "CVE-2021-20255" +CVE_STATUS[CVE-2021-20255] = "Ignored" +CVE_STATUS_REASONING[CVE-2021-20255] = "Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable." # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 # There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can # still be reproduced or where exactly any bug is. -# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one. 
-CVE_CHECK_IGNORE += "CVE-2019-12067" +CVE_STATUS[CVE-2019-12067] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-12067] = "Ignore from OE's perspective as we'll pick up any fix when upstream accepts one." # nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 # It is a fuzzing related buffer overflow. It is of low impact since most devices # wouldn't expose an assembler. The upstream is inactive and there is little to be # done about the bug, ignore from an OE perspective. -CVE_CHECK_IGNORE += "CVE-2020-18974" - - - +CVE_STATUS[CVE-2020-18974] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-18974] = "Ignore from OE's perspective as the upstream is inactive and there is little to be done about the bug" diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 58b215d79c3..7a457f37b23 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -46,10 +46,11 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" -# Applies only to RHEL -CVE_CHECK_IGNORE += "CVE-2019-14865" -# Applies only to SUSE -CVE_CHECK_IGNORE += "CVE-2021-46705" +CVE_STATUS[CVE-2019-14865] = "Not applicable" +CVE_STATUS_REASONING[CVE-2019-14865] = "Applies only to RHEL" + +CVE_STATUS[CVE-2021-46705] = "Not applicable" +CVE_STATUS_REASONING[CVE-2021-46705] = "Applies only to SUSE" DEPENDS = "flex-native bison-native gettext-native" diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index bf6835e0d6f..a5b6174e37e 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb 
@@ -32,8 +32,8 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7" SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda" -# Issue only affects Debian/SUSE, not us -CVE_CHECK_IGNORE += "CVE-2021-26720" +CVE_STATUS[CVE-2021-26720] = "Not applicable" +CVE_STATUS_REASONING[CVE-2021-26720] = "Issue only affects Debian/SUSE" DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native gobject-introspection" diff --git a/meta/recipes-connectivity/bind/bind_9.18.13.bb b/meta/recipes-connectivity/bind/bind_9.18.13.bb index 8617137e870..c5a51695ef2 100644 --- a/meta/recipes-connectivity/bind/bind_9.18.13.bb +++ b/meta/recipes-connectivity/bind/bind_9.18.13.bb @@ -28,7 +28,8 @@ UPSTREAM_CHECK_REGEX = "(?P9.(\d*[02468])+(\.\d+)+(-P\d+)*)/" # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore # so the issue doesn't affect us. -CVE_CHECK_IGNORE += "CVE-2019-6470" +CVE_STATUS[CVE-2019-6470] = "Not applicable" +CVE_STATUS_REASONING[CVE-2019-6470] = "Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore." inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb index 2208b730b0e..3159584e9b5 100644 --- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb +++ b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb 
@@ -2,8 +2,10 @@ require bluez5.inc SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574" -# These issues have kernel fixes rather than bluez fixes so exclude here -CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490" +CVE_STATUS[CVE-2020-12352] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-12352] = "These issues have kernel fixes rather than bluez fixes." +CVE_STATUS[CVE-2020-24490] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-24490] = "These issues have kernel fixes rather than bluez fixes" # noinst programs in Makefile.tools that are conditional on READLINE # support diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb index d3dedd1a5a7..d6ba7ef830e 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb 
@@ -27,15 +27,17 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar " SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8" -# This CVE is specific to OpenSSH with the pam opie which we don't build/use here -CVE_CHECK_IGNORE += "CVE-2007-2768" +CVE_STATUS[CVE-2007-2768] = "Not applicable" +CVE_STATUS_REASONING[CVE-2007-2768] = "This CVE is specific to OpenSSH with the pam opie which we don't build/use here." # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded -CVE_CHECK_IGNORE += "CVE-2014-9278" +CVE_STATUS[CVE-2014-9278] = "Not applicable" +CVE_STATUS_REASONING[CVE-2014-9278] = "This CVE is specific to OpenSSH server, as used in Fedora and \ +Red Hat Enterprise Linux 7 and when running in a Kerberos environment" -# CVE only applies to some distributed RHEL binaries -CVE_CHECK_IGNORE += "CVE-2008-3844" +CVE_STATUS[CVE-2008-3844] = "Not applicable" +CVE_STATUS_REASONING[CVE-2008-3844] = "Only applies to some distributed RHEL binaries." PAM_SRC_URI = "file://sshd" diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.0.bb b/meta/recipes-connectivity/openssl/openssl_3.1.0.bb index b319c660440..00ee1cda61e 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.1.0.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.1.0.bb @@ -256,4 +256,5 @@ CVE_VERSION_SUFFIX = "alphabetical" # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 # Apache in meta-webserver is already recent enough -CVE_CHECK_IGNORE += "CVE-2019-0190" +CVE_STATUS[CVE-2019-0190] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-0190] = "Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37" diff --git a/meta/recipes-core/coreutils/coreutils_9.1.bb b/meta/recipes-core/coreutils/coreutils_9.1.bb index e12a6d67971..7b201b0d797 100644 --- a/meta/recipes-core/coreutils/coreutils_9.1.bb 
+++ b/meta/recipes-core/coreutils/coreutils_9.1.bb @@ -23,7 +23,8 @@ SRC_URI[sha256sum] = "61a1f410d78ba7e7f37a5a4f50e6d1320aca33375484a3255eddf17a38 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842 # runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue. -CVE_CHECK_IGNORE += "CVE-2016-2781" +CVE_STATUS[CVE-2016-2781] = "Ignored" +CVE_STATUS_REASONING[CVE-2016-2781] = "runcon is not really a sandbox command" EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}" EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname" diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb index b27f98fb199..98493442f91 100644 --- a/meta/recipes-core/glibc/glibc_2.37.bb +++ b/meta/recipes-core/glibc/glibc_2.37.bb 
@@ -6,16 +6,20 @@ require glibc-version.inc # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 # Upstream glibc maintainers dispute there is any issue and have no plans to address it further. # "this is being treated as a non-security bug and no real threat." -CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" +CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE" +CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" +CVE_STATUS_RECIPE[status] = "Ignored" +CVE_STATUS_RECIPE[reason] = "Upstream glibc maintainers dispute there is any issue and have no plans to address it further." # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 # Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow # easier access for another. "ASLR bypass itself is not a vulnerability." # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853 -CVE_CHECK_IGNORE += "CVE-2019-1010025" +CVE_STATUS[CVE-2019-1010025] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-1010025] = "ASLR bypass itself is not a vulnerability." -# This is integrated into the 2.37 branch as of 07b9521fc6 -CVE_CHECK_IGNORE += "CVE-2023-25139" +CVE_STATUS[CVE-2023-25139] = "Patched" +CVE_STATUS_REASONING[CVE-2023-25139] = "This is integrated into the 2.37 branch as of 07b9521fc6" DEPENDS += "gperf-native bison-native" diff --git a/meta/recipes-core/libxml/libxml2_2.10.4.bb b/meta/recipes-core/libxml/libxml2_2.10.4.bb index 288631504ce..d97a310aac0 100644 --- a/meta/recipes-core/libxml/libxml2_2.10.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.10.4.bb 
@@ -28,7 +28,8 @@ BINCONFIG = "${bindir}/xml2-config" # Fixed since 2.9.11 via # https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f -CVE_CHECK_IGNORE += "CVE-2016-3709" +CVE_STATUS[CVE-2016-3709] = "Patched" +CVE_STATUS_REASONING[CVE-2016-3709] = "Fixed since 2.9.11" PACKAGECONFIG ??= "python \ ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb index a79d6cb3ca0..a0ff4ac7da2 100644 --- a/meta/recipes-core/systemd/systemd_253.3.bb +++ b/meta/recipes-core/systemd/systemd_253.3.bb @@ -831,5 +831,5 @@ pkg_prerm:udev-hwdb () { rm -f $D${sysconfdir}/udev/hwdb.bin } -# This was also fixed in 252.4 with 9b75a3d0 -CVE_CHECK_IGNORE += "CVE-2022-4415" +CVE_STATUS[CVE-2022-4415] = "Patched" +CVE_STATUS_REASONING[CVE-2022-4415] = "This was also fixed in 252.4 with 9b75a3d0" diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc index 2b6554690b6..60bd018d4a5 100644 --- a/meta/recipes-devtools/cmake/cmake.inc +++ b/meta/recipes-devtools/cmake/cmake.inc @@ -23,6 +23,5 @@ SRC_URI[sha256sum] = "bbd8d39217509d163cb544a40d6428ac666ddc83e22905d3e52c925781 UPSTREAM_CHECK_REGEX = "cmake-(?P\d+(\.\d+)+)\.tar" -# This is specific to the npm package that installs cmake, so isn't -# relevant to OpenEmbedded -CVE_CHECK_IGNORE += "CVE-2016-10642" +CVE_STATUS[CVE-2016-10642] = "Ignored" +CVE_STATUS_REASONING[CVE-2016-10642] = "This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded" diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb index 15cf6f5ccad..1cb9c5d07b4 100644 --- a/meta/recipes-devtools/flex/flex_2.6.4.bb +++ b/meta/recipes-devtools/flex/flex_2.6.4.bb 
@@ -29,7 +29,8 @@ GITHUB_BASE_URI = "https://github.com/westes/flex/releases" # Disputed - yes there is stack exhaustion but no bug and it is building the # parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address # https://github.com/westes/flex/issues/414 -CVE_CHECK_IGNORE += "CVE-2019-6293" +CVE_STATUS[CVE-2019-6293] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-6293] = "There is stack exhaustion but no bug and it is building the parser, not running it" inherit autotools gettext texinfo ptest github-releases diff --git a/meta/recipes-devtools/gcc/gcc-12.2.inc b/meta/recipes-devtools/gcc/gcc-12.2.inc index 0dbbecad4ad..432c9094fe0 100644 --- a/meta/recipes-devtools/gcc/gcc-12.2.inc +++ b/meta/recipes-devtools/gcc/gcc-12.2.inc @@ -109,6 +109,3 @@ EXTRA_OECONF_PATHS = "\ --with-sysroot=/not/exist \ --with-build-sysroot=${STAGING_DIR_TARGET} \ " - -# Is a binutils 2.26 issue, not gcc -CVE_CHECK_IGNORE += "CVE-2021-37322" diff --git a/meta/recipes-devtools/git/git_2.39.2.bb b/meta/recipes-devtools/git/git_2.39.2.bb index 222e545f609..460cee42f1a 100644 --- a/meta/recipes-devtools/git/git_2.39.2.bb +++ b/meta/recipes-devtools/git/git_2.39.2.bb @@ -28,11 +28,13 @@ LIC_FILES_CHKSUM = "\ CVE_PRODUCT = "git-scm:git" # This is about a manpage not mentioning --mirror may "leak" information -# in mirrored git repos. Most OE users wouldn't build the docs and -# we don't see this as a major issue for our general users/usecases. -CVE_CHECK_IGNORE += "CVE-2022-24975" -# This is specific to Git-for-Windows -CVE_CHECK_IGNORE += "CVE-2022-41953" +# in mirrored git repos. +CVE_STATUS[CVE-2022-24975] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-24975] = "Most OE users wouldn't build the docs and \ +we don't see this as a major issue for our general users/usecases." + +CVE_STATUS[CVE-2022-41953] = "Not applicable" +CVE_STATUS_REASONING[CVE-2022-41953] = "Issue only applies on Windows" PACKAGECONFIG ??= "expat curl" PACKAGECONFIG[cvsserver] = "" 
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb index 93f87f730d4..c3b67a3b7b2 100644 --- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb +++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb @@ -20,9 +20,9 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab UPSTREAM_CHECK_REGEX = "jquery-(?P\d+(\.\d+)+)\.js" # https://github.com/jquery/jquery/issues/3927 -# There are ways jquery can expose security issues but any issues are in the apps exposing them -# and there is little we can directly do -CVE_CHECK_IGNORE += "CVE-2007-2379" +CVE_STATUS[CVE-2007-2379] = "Ignored" +CVE_STATUS_REASONING[CVE-2007-2379] = "There are ways jquery can expose security issues \ +but any issues are in the apps exposing them and there is little we can directly do." inherit allarch diff --git a/meta/recipes-devtools/python/python3_3.11.2.bb b/meta/recipes-devtools/python/python3_3.11.2.bb index 421a305e22f..32d83aff6c6 100644 --- a/meta/recipes-devtools/python/python3_3.11.2.bb +++ b/meta/recipes-devtools/python/python3_3.11.2.bb 
@@ -47,15 +47,17 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/" CVE_PRODUCT = "python" -# Upstream consider this expected behaviour -CVE_CHECK_IGNORE += "CVE-2007-4559" -# This is not exploitable when glibc has CVE-2016-10739 fixed. -CVE_CHECK_IGNORE += "CVE-2019-18348" -# These are specific to Microsoft Windows -CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488" -# The mailcap module is insecure by design, so this can't be fixed in a meaningful way. +CVE_STATUS[CVE-2007-4559] = "Ignored" +CVE_STATUS_REASONING[CVE-2007-4559] = "Upstream consider this expected behaviour" +CVE_STATUS[CVE-2019-18348] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-18348] = "This is not exploitable when glibc has CVE-2016-10739 fixed" +CVE_STATUS[CVE-2020-15523] = "Not applicable" +CVE_STATUS_REASONING[CVE-2020-15523] = "Issue only applies on Windows" +CVE_STATUS[CVE-2022-26488] = "Not applicable" +CVE_STATUS_REASONING[CVE-2022-26488] = "Issue only applies on Windows" # The module will be removed in the future and flaws documented. -CVE_CHECK_IGNORE += "CVE-2015-20107" +CVE_STATUS[CVE-2015-20107] = "Ignored" +CVE_STATUS_REASONING[CVE-2015-20107] = "The mailcap module is insecure by design, so this can't be fixed in a meaningful way" PYTHON_MAJMIN = "3.11" diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 394fa2acabf..b3ff0d81763 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc 
@@ -39,16 +39,15 @@ SRC_URI[sha256sum] = "bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb9113 SRC_URI:append:class-target = " file://cross.patch" SRC_URI:append:class-nativesdk = " file://cross.patch" -# Applies against virglrender < 0.6.0 and not qemu itself -CVE_CHECK_IGNORE += "CVE-2017-5957" +CVE_STATUS[CVE-2017-5957] = "Not applicable" +CVE_STATUS_REASONING[CVE-2017-5957] = "Applies against virglrender < 0.6.0 and not qemu itself" -# The VNC server can expose host files uder some circumstances. We don't -# enable it by default. -CVE_CHECK_IGNORE += "CVE-2007-0998" +CVE_STATUS[CVE-2007-0998] = "Ignored" +CVE_STATUS_REASONING[CVE-2007-0998] = "The VNC server can expose host files uder some circumstances. We don't enable it by default." -# 'The issues identified by this CVE were determined to not constitute a vulnerability.' # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 -CVE_CHECK_IGNORE += "CVE-2018-18438" +CVE_STATUS[CVE-2018-18438] = "Ignored" +CVE_STATUS_REASONING[CVE-2018-18438] = "The issues identified by this CVE were determined to not constitute a vulnerability." # As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664 # https://bugzilla.redhat.com/show_bug.cgi?id=2167423 diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 19574bcb1cd..130581a7853 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb @@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb" -# -16548 required for v3.1.3pre1. Already in v3.1.3. -CVE_CHECK_IGNORE += " CVE-2017-16548 " - inherit autotools-brokensep PACKAGECONFIG ??= "acl attr \ diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb index 982f370edb7..00db737b7d6 100644 --- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb 
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb @@ -29,9 +29,9 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f SRC_URI:class-native = "${BASE_SRC_URI}" -# Upstream don't believe this is an exploitable issue # https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7 -CVE_CHECK_IGNORE += "CVE-2021-35331" +CVE_STATUS[CVE-2021-35331] = "Ignored" +CVE_STATUS_REASONING[CVE-2021-35331] = "Upstream don't believe this is an exploitable issue" UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html" UPSTREAM_CHECK_REGEX = "tcl(?P\d+(\.\d+)+)-src" diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb index 55bcc606b37..93a3360135d 100644 --- a/meta/recipes-extended/cpio/cpio_2.13.bb +++ b/meta/recipes-extended/cpio/cpio_2.13.bb @@ -22,8 +22,8 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8 inherit autotools gettext texinfo ptest -# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us -CVE_CHECK_IGNORE += "CVE-2010-4226" +CVE_STATUS[CVE-2010-4226] = "Not applicable" +CVE_STATUS_REASONING[CVE-2010-4226] = "Issue applies to use of cpio in SUSE/OBS" EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}" diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index da320b10855..086c467b00c 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc 
@@ -19,14 +19,18 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" -# Issue only applies to MacOS -CVE_CHECK_IGNORE += "CVE-2008-1033" -# Issue affects pdfdistiller plugin used with but not part of cups -CVE_CHECK_IGNORE += "CVE-2009-0032" -# This is an Ubuntu only issue. -CVE_CHECK_IGNORE += "CVE-2018-6553" -# This is fixed in 2.4.2 but the cve-check class still reports it -CVE_CHECK_IGNORE += "CVE-2022-26691" +CVE_STATUS[CVE-2008-1033] = "Not applicable" +CVE_STATUS_REASONING[CVE-2008-1033] = "Issue only applies to MacOS" +CVE_STATUS[CVE-2009-0032] = "Ignored" +CVE_STATUS_REASONING[CVE-2009-0032] = "Issue affects pdfdistiller plugin used with but not part of cups" +CVE_STATUS[CVE-2018-6553] = "Not applicable" +CVE_STATUS_REASONING[CVE-2018-6553] = "This is an Ubuntu only issue" +CVE_STATUS[CVE-2022-26691] = "Patched" +CVE_STATUS_REASONING[CVE-2022-26691] = "This is fixed in 2.4.2 but the cve-check class still reports it" + +# -25317 concerns /var/log/cups having lp ownership. +CVE_STATUS[CVE-2021-25317] = "Ignored" +CVE_STATUS_REASONING[CVE-2009-0032] = "Our /var/log/cups is root:root, so this doesn't apply." LEAD_SONAME = "libcupsdriver.so" @@ -114,7 +118,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess" cups_sysroot_preprocess () { sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:' } - -# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is -# root:root, so this doesn't apply. -CVE_CHECK_IGNORE += "CVE-2021-25317" diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb index 86ecdbe24af..79a9d255749 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb 
@@ -21,7 +21,8 @@ UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)\.tar" # As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources # however we use an external jpeg which doesn't have the issue. -CVE_CHECK_IGNORE += "CVE-2013-6629" +CVE_STATUS[CVE-2013-6629] = "Ignored" +CVE_STATUS_REASONING[CVE-2013-6629] = "We use an external jpeg which doesn't have the issue" def gs_verdir(v): return "".join(v.split(".")) diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb index cd5fe9bd3ea..7891f0ffa35 100644 --- a/meta/recipes-extended/iputils/iputils_20221126.bb +++ b/meta/recipes-extended/iputils/iputils_20221126.bb @@ -17,9 +17,10 @@ S = "${WORKDIR}/git" UPSTREAM_CHECK_GITTAGREGEX = "(?P20\d+)" -# Fixed in 2000-10-10, but the versioning of iputils -# breaks the version order. -CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214" +CVE_STATUS[CVE-2000-1213] = "Patched" +CVE_STATUS_REASONING[CVE-2000-1213] = "Fixed in 2000-10-10, but the versioning of iputils breaks the version order." +CVE_STATUS[CVE-2000-1214] = "Patched" +CVE_STATUS_REASONING[CVE-2000-1214] = "Fixed in 2000-10-10, but the versioning of iputils breaks the version order." PACKAGECONFIG ??= "libcap" PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native" diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb index f55e0b0ed1d..fcccf68f070 100644 --- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb +++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb 
@@ -14,8 +14,8 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/" UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)/" SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3" -# Was fixed in 1.3.3rc1 so not present in 1.3.3 -CVE_CHECK_IGNORE += "CVE-2021-46828" +CVE_STATUS[CVE-2021-46828] = "Patched" +CVE_STATUS_REASONING[CVE-2021-46828] = "fixed in 1.3.3rc1 so not present in 1.3.3" inherit autotools pkgconfig diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb index cc3420df4e0..d9571445288 100644 --- a/meta/recipes-extended/procps/procps_4.0.3.bb +++ b/meta/recipes-extended/procps/procps_4.0.3.bb @@ -72,9 +72,9 @@ python __anonymous() { d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog)) } -# 'ps' isn't suitable for use as a security tool so whitelist this CVE. # https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3 -CVE_CHECK_IGNORE += "CVE-2018-1121" +CVE_STATUS[CVE-2018-1121] = "Ignored" +CVE_STATUS_REASONING[CVE-2018-1121] = "'ps' isn't suitable for use as a security tool so whitelist this CVE." PROCPS_PACKAGES = "${PN}-lib \ ${PN}-ps \ diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb index d1a3fd5593b..adef0461905 100644 --- a/meta/recipes-extended/shadow/shadow_4.13.bb +++ b/meta/recipes-extended/shadow/shadow_4.13.bb 
@@ -6,9 +6,9 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p BBCLASSEXTEND = "native nativesdk" -# Severity is low and marked as closed and won't fix. # https://bugzilla.redhat.com/show_bug.cgi?id=884658 -CVE_CHECK_IGNORE += "CVE-2013-4235" +CVE_STATUS[CVE-2013-4235] = "Ignored" +CVE_STATUS_REASONING[CVE-2013-4235] = "Severity is low and marked as closed and won't fix." -# This is an issue for a different shadow -CVE_CHECK_IGNORE += "CVE-2016-15024" +CVE_STATUS[CVE-2016-15024] = "Ignored" +CVE_STATUS_REASONING[CVE-2016-15024] = "This is an issue for a different shadow" diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index a4d10c30aa2..bd3e7f1fc88 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb @@ -39,7 +39,8 @@ SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37" # Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source -CVE_CHECK_IGNORE += "CVE-2008-0888" +CVE_STATUS[CVE-2008-0888] = "Patched" +CVE_STATUS_REASONING[CVE-2008-0888] = "Patch applied to 6.0 source" # exclude version 5.5.2 which triggers a false positive UPSTREAM_CHECK_REGEX = "unzip(?P(?!552).+)\.tgz" diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb index c390fcf33c4..7b1e8cd02a2 100644 --- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb +++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb @@ -18,7 +18,8 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4" S = "${WORKDIR}/git" # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision -CVE_CHECK_IGNORE += "CVE-2013-4342" +CVE_STATUS[CVE-2013-4342] = "Patched" +CVE_STATUS_REASONING[CVE-2013-4342] = "Fixed directly in git tree revision" inherit autotools update-rc.d systemd pkgconfig 
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb index 1930a40140b..60cd565fe81 100644 --- a/meta/recipes-extended/zip/zip_3.0.bb +++ b/meta/recipes-extended/zip/zip_3.0.bb @@ -25,11 +25,11 @@ UPSTREAM_VERSION_UNKNOWN = "1" SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37" SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369" -# Disputed and also Debian doesn't consider a vulnerability -CVE_CHECK_IGNORE += "CVE-2018-13410" +CVE_STATUS[CVE-2018-13410] = "Ignored" +CVE_STATUS_REASONING[CVE-2018-13410] = "Disputed and also Debian doesn't consider a vulnerability" -# Not for zip but for smart contract implementation for it -CVE_CHECK_IGNORE += "CVE-2018-13684" +CVE_STATUS[CVE-2018-13684] = "Not applicable" +CVE_STATUS_REASONING[CVE-2018-13684] = "Not for zip but for smart contract implementation for it" # Enable largefile support CFLAGS += "-DLARGE_FILE_SUPPORT" diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb index 08e9899d00c..91dba7466da 100644 --- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb +++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb @@ -32,5 +32,5 @@ RPROVIDES:${PN} += "libnotify3" RCONFLICTS:${PN} += "libnotify3" RREPLACES:${PN} += "libnotify3" -# -7381 is specific to the NodeJS bindings -CVE_CHECK_IGNORE += "CVE-2013-7381" +CVE_STATUS[CVE-2013-7381] = "Ignored" +CVE_STATUS_REASONING[CVE-2013-7381] = "-7381 is specific to the NodeJS bindings" diff --git a/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb b/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb index 59278d1b169..5f4fd79bc0e 100644 --- a/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb +++ b/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb 
@@ -50,8 +50,8 @@ do_compile:prepend() { sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json } -# Issue only on windows -CVE_CHECK_IGNORE += "CVE-2018-1000041" +CVE_STATUS[CVE-2018-1000041] = "Not applicable" +CVE_STATUS_REASONING[CVE-2018-1000041] = "Issue only applies on Windows" CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders" diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb index 39be3bd63ff..e70b30a7639 100644 --- a/meta/recipes-graphics/builder/builder_0.1.bb +++ b/meta/recipes-graphics/builder/builder_0.1.bb @@ -30,4 +30,5 @@ do_install () { } # -4178 is an unrelated 'builder' -CVE_CHECK_IGNORE = "CVE-2008-4178" +CVE_STATUS[CVE-2008-4178] = "Ignored" +CVE_STATUS_REASONING[CVE-2008-4178] = "This CVE is for an unrelated builder" diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc index ecb164ddf76..189619d8715 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc 
@@ -20,16 +20,19 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz" UPSTREAM_CHECK_REGEX = "xorg-server-(?P\d+(\.(?!99)\d+)+)\.tar" CVE_PRODUCT = "xorg-server x_server" -# This is specific to Debian's xserver-wrapper.c -CVE_CHECK_IGNORE += "CVE-2011-4613" +CVE_STATUS[CVE-2011-4613] = "Not applicable" +CVE_STATUS_REASONING[CVE-2011-4613] = "This is specific to Debian's xserver-wrapper.c" + # As per upstream, exploiting this flaw is non-trivial and it requires exact # timing on the behalf of the attacker. Many graphical applications exit if their # connection to the X server is lost, so a typical desktop session is either # impossible or difficult to exploit. There is currently no upstream patch # available for this flaw. -CVE_CHECK_IGNORE += "CVE-2020-25697" -# This is specific to XQuartz, which is the macOS X server port -CVE_CHECK_IGNORE += "CVE-2022-3553" +CVE_STATUS[CVE-2020-25697] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-25697] = "As per upstream, exploiting this flaw is non-trivial and it requires exact timing on the behalf of the attacker" + +CVE_STATUS[CVE-2022-3553] = "Not applicable" +CVE_STATUS_REASONING[CVE-2022-3553] = "This is specific to XQuartz, which is the macOS X server port" S = "${WORKDIR}/${XORG_PN}-${PV}" diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc index 4cc151901b8..a7b12e3b57e 100644 --- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc +++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc 
@@ -1,17 +1,17 @@ # https://nvd.nist.gov/vuln/detail/CVE-2022-3523 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33 -CVE_CHECK_IGNORE += "CVE-2022-3523" +CVE_STATUS[CVE-2022-3523] = "Ignored" # https://nvd.nist.gov/vuln/detail/CVE-2022-3566 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 -CVE_CHECK_IGNORE += "CVE-2022-3566" +CVE_STATUS[CVE-2022-3566] = "Ignored" # https://nvd.nist.gov/vuln/detail/CVE-2022-3567 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6 -CVE_CHECK_IGNORE += "CVE-2022-3567" +CVE_STATUS[CVE-2022-3567] = "Ignored" # 2023 @@ -26,11 +26,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3567" # * https://www.linuxkernelcves.com/cves/CVE-2022-38457 # * https://www.linuxkernelcves.com/cves/CVE-2022-40133 # * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/ -CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133" +CVE_STATUS[CVE-2022-38457] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-38457] = "Backported in version 6.1.7" +CVE_STATUS[CVE-2022-40133] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-40133] = "Backported in version 6.1.7" # https://nvd.nist.gov/vuln/detail/CVE-2023-1075 # Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221 # Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb # Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50 # 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch -CVE_CHECK_IGNORE += "CVE-2023-1075" +CVE_STATUS[CVE-2023-1075] = "Ignored" +CVE_STATUS_REASONING[CVE-2023-1075] = "Backported in version 6.1.11" diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index a6c229f5cf0..38e18542c21 100644 
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -32,5 +32,5 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" BBCLASSEXTEND = "native nativesdk" -# CVE-2019-17371 is actually a memory leak in gif2png 2.x -CVE_CHECK_IGNORE += "CVE-2019-17371" +CVE_STATUS[CVE-2019-17371] = "Not applicable" +CVE_STATUS_REASONING[CVE-2019-17371] = "A memory leak in gif2png 2.x" diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb index f8a2482a848..499687207d1 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb @@ -16,14 +16,8 @@ SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c # exclude betas UPSTREAM_CHECK_REGEX = "tiff-(?P\d+(\.\d+)+).tar" -# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 -# and 4.3.0 doesn't have the issue -CVE_CHECK_IGNORE += "CVE-2015-7313" -# These issues only affect libtiff post-4.3.0 but before 4.4.0, -# caused by 3079627e and fixed by b4e79bfa. -CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" -# Issue is in jbig which we don't enable -CVE_CHECK_IGNORE += "CVE-2022-1210" +CVE_STATUS[CVE-2022-1210] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-1210] = "Issue is in jbig which we don't enable" inherit autotools multilib_header diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb index bf9d7cbd102..bf59069cfa5 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb 
@@ -29,8 +29,10 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ " SRC_URI[sha256sum] = "ef14ae546b0084cd84259f61a55e07a38c3b53afc0f546bffcef2f01baffe9de" -# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro. -CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438" +CVE_STATUS[CVE-2018-12433] = "Ignored" +CVE_STATUS_REASONING[CVE-2018-12433] = "CVE is disputed and not affecting crypto libraries for any distro." +CVE_STATUS[CVE-2018-12438] = "Ignored" +CVE_STATUS_REASONING[CVE-2018-12438] = "CVE is disputed and not affecting crypto libraries for any distro." BINCONFIG = "${bindir}/libgcrypt-config" diff --git a/meta/recipes-support/libxslt/libxslt_1.1.37.bb b/meta/recipes-support/libxslt/libxslt_1.1.37.bb index 361bb0f8dc9..76f7a34d05a 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.37.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.37.bb @@ -19,9 +19,8 @@ SRC_URI[sha256sum] = "3a4b27dc8027ccd6146725950336f1ec520928f320f144eb5fa7990ae6 UPSTREAM_CHECK_REGEX = "libxslt-(?P\d+(\.\d+)+)\.tar" -# We have libxml2 2.9.14 and we don't link statically with it anyway -# so this isn't an issue. -CVE_CHECK_IGNORE += "CVE-2022-29824" +CVE_STATUS[CVE-2022-29824] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-29824] = "Static linking to libxml2 is not enabled." S = "${WORKDIR}/libxslt-${PV}" diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb index d2a25fd5b09..97217781f42 100644 --- a/meta/recipes-support/lz4/lz4_1.9.4.bb +++ b/meta/recipes-support/lz4/lz4_1.9.4.bb @@ -21,8 +21,8 @@ S = "${WORKDIR}/git" inherit ptest -# Fixed in r118, which is larger than the current version. -CVE_CHECK_IGNORE += "CVE-2014-4715" +CVE_STATUS[CVE-2014-4715] = "Patched" +CVE_STATUS_REASONING[CVE-2014-4715] = "Fixed in r118, which is larger than the current version." EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" 
diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb index b09e8e7f557..6af884b58fe 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb @@ -7,8 +7,11 @@ SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz" SRC_URI[sha256sum] = "e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499" # -19242 is only an issue in specific development branch commits -CVE_CHECK_IGNORE += "CVE-2019-19242" -# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA) -CVE_CHECK_IGNORE += "CVE-2015-3717" -# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f -CVE_CHECK_IGNORE += "CVE-2021-36690" +CVE_STATUS[CVE-2019-19242] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-19242] = "This CVE is only an issue in specific development branch commits" +# https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA +CVE_STATUS[CVE-2015-3717] = "Not applicable" +CVE_STATUS_REASONING[CVE-2015-3717] = "This is believed to be iOS specific" +# Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f +CVE_STATUS[CVE-2021-36690] = "Patched" +CVE_STATUS_REASONING[CVE-2021-36690] = "Issue in an experimental extension we don't have/use."
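Review bot: the first kernel hunk (CVE-2022-3523, CVE-2022-3566, CVE-2022-3567) sets `CVE_STATUS[...] = "Ignored"` with no matching `CVE_STATUS_REASONING`, even though the unchanged comment above each entry already states the reason ("Patched in kernel since v6.1" plus the fixing commit). Since the fix is in the kernel in use, "Patched" describes the state more accurately than "Ignored", and the comment text should move into the reasoning so the justification travels with the status instead of living only in a comment, e.g. `CVE_STATUS[CVE-2022-3523] = "Patched"` and `CVE_STATUS_REASONING[CVE-2022-3523] = "Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33"`.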
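Review bot: in the second kernel hunk (@@ -26,11 +26,15 @@), CVE-2022-38457, CVE-2022-40133 and CVE-2023-1075 are marked "Ignored" while their reasoning reads "Backported in version 6.1.7" and "Backported in version 6.1.11"; a backported fix is a patch, so the status and the reasoning contradict each other. Use "Patched" here, as the lz4 hunk in this same series does for a fixed issue, so that the status vocabulary means the same thing across recipes. The unchanged comment "5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch" for CVE-2023-1075 is also worth carrying into the reasoning, since that limitation is otherwise invisible outside this file.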
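Review bot: the libtiff hunk deletes the ignores for CVE-2015-7313, CVE-2022-1622 and CVE-2022-1623 together with their justifications and adds no `CVE_STATUS` entry in their place, so those three CVEs will be reported again by cve-check unless the upstream data already excludes tiff 4.5.0; nothing in the hunk says which it is. If the drop is deliberate because 4.5.0 is known to be unaffected, state that in the commit message; otherwise keep them as explicit statuses, e.g. `CVE_STATUS[CVE-2022-1622] = "Not applicable"` with reasoning "Only affects libtiff post-4.3.0 but before 4.4.0, caused by 3079627e and fixed by b4e79bfa". Separately, "Ignored" for CVE-2022-1210 with reasoning "Issue is in jbig which we don't enable" is the same situation as the libpng hunk, which uses "Not applicable" for an issue in code that is not part of the build; the two hunks should use the same status.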
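Review bot: the libxslt hunk narrows the justification: the removed comment gave two reasons, "We have libxml2 2.9.14" and "we don't link statically with it anyway", but the new `CVE_STATUS_REASONING[CVE-2022-29824]` keeps only the link-mode argument. Keep both, e.g. `CVE_STATUS_REASONING[CVE-2022-29824] = "libxml2 is 2.9.14 and libxslt is not statically linked against it."`, so a reader checking the entry later does not have to recover the version argument from git history.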
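Review bot: in the lz4 hunk the reasoning "Fixed in r118, which is larger than the current version." contradicts the "Patched" status as written: a fix in a version larger than the current one would mean the current version is still unpatched. The sentence is copied verbatim from the removed comment, but as reasoning it now stands on its own, so reword it to state the intended relation explicitly, e.g. `CVE_STATUS_REASONING[CVE-2014-4715] = "Fixed in r118; the current version is newer than r118."` if that is what is meant.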
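Review bot: in the sqlite hunk, CVE-2021-36690 is set to "Patched" but its reasoning "Issue in an experimental extension we don't have/use." argues non-applicability, while the fact that supports "Patched" (the fix link https://sqlite.org/src/info/b1e0c22ec981cf5f) has been demoted to a `#` comment. Pick one status and put its supporting fact in the reasoning, e.g. `CVE_STATUS[CVE-2021-36690] = "Not applicable"` with reasoning "Issue in an experimental extension we don't have/use; fixed upstream by https://sqlite.org/src/info/b1e0c22ec981cf5f". The same applies to CVE-2015-3717, whose supporting link https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA was moved out of the reasoning into a comment, and CVE-2019-19242 ("only an issue in specific development branch commits") describes a "Not applicable" case rather than "Ignored", matching CVE-2015-3717 in the same hunk.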
