From patchwork Thu Dec 19 20:27:27 2024
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 54381
From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][PATCH 01/12] ace: ignore CVE-2009-1147
Date: Thu, 19 Dec 2024 21:27:27 +0100
Message-Id: <20241219202738.346121-2-peter.marko@siemens.com>
In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com>
References: <20241219202738.346121-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114402

From: Peter Marko

This CVE is for vmware ace.

Signed-off-by: Peter Marko
---
 meta-oe/recipes-connectivity/ace/ace_8.0.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-connectivity/ace/ace_8.0.1.bb b/meta-oe/recipes-connectivity/ace/ace_8.0.1.bb
index c79fba323c..88df9ae5df 100644
--- a/meta-oe/recipes-connectivity/ace/ace_8.0.1.bb
+++ b/meta-oe/recipes-connectivity/ace/ace_8.0.1.bb
@@ -16,6 +16,8 @@ SRC_URI[sha256sum] = "8d379f37d56db33f3ae447725b632d48b1c13e887593547ac3568e3b42 UPSTREAM_CHECK_URI = "https://github.com/DOCGroup/ACE_TAO/releases" UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)" +CVE_STATUS[CVE-2009-1147] = "cpe-incorrect: this CVE is for vmware ace" + COMPATIBLE_HOST:libc-musl = "null" S = "${WORKDIR}/ACE_wrappers"
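Review bot: the added CVE_STATUS line treats a symptom of a CPE name collision (NVD's "ace" product matching VMware ACE, while this recipe builds ACE_TAO from the UPSTREAM_CHECK_URI above), so the next VMware ACE CVE will need another one-off entry; consider setting CVE_PRODUCT for this recipe to the vendor-qualified product, as the apache2 recipe in this series does with CVE_PRODUCT = "apache:http_server", and keeping per-CVE entries only for ids that still match. If the entry stays, write the product as "VMware ACE" in the rationale so the collision is obvious to the next reader.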

From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][PATCH 02/12] apache2: ignore CVE-1999-0678 and CVE-1999-1412
Date: Thu, 19 Dec 2024 21:27:28 +0100
Message-Id: <20241219202738.346121-3-peter.marko@siemens.com>
In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com>
References: <20241219202738.346121-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114403

From: Peter Marko

These CVEs are specific to Debian and Mac OS X respectively.

Signed-off-by: Peter Marko
---
 meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
index 7d6ea27e7e..475f77d41b 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
@@ -38,6 +38,8 @@ DEPENDS = "openssl expat pcre apr apr-util apache2-native " CVE_PRODUCT = "apache:http_server" CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows" +CVE_STATUS[CVE-1999-0678] = "not-applicable-platform: this CVE is for Debian packaging configuration" +CVE_STATUS[CVE-1999-1412] = "not-applicable-platform: this CVE is for MAC OS X specific problem" CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows." CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)" CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"
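Review bot: the two added rationales read awkwardly next to the existing entries: "this CVE is for MAC OS X specific problem" is missing an article and the product name is "Mac OS X", so something like "CVE is specific to Mac OS X" and "CVE is specific to Debian packaging configuration" would be cleaner. For CVE-1999-0678 the rationale itself calls it a packaging-configuration issue rather than a platform one, and OE-core's cve-check-map.conf defines not-applicable-config alongside not-applicable-platform; the former describes this entry more accurately.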

From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][PATCH 03/12] apache2: remove old version references from CVEs
Date: Thu, 19 Dec 2024 21:27:29 +0100
Message-Id: <20241219202738.346121-4-peter.marko@siemens.com>
In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com>
References: <20241219202738.346121-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114404

From: Peter Marko

These were not updated on recipe upgrade.
To make maintenance easier, remove exact versions.

Signed-off-by: Peter Marko
---
 .../recipes-httpd/apache2/apache2_2.4.62.bb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
index 475f77d41b..3a988f2494 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
@@ -37,15 +37,15 @@ DEPENDS = "openssl expat pcre apr apr-util apache2-native " CVE_PRODUCT = "apache:http_server" -CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows" +CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version is not affected. It only applies for Windows" CVE_STATUS[CVE-1999-0678] = "not-applicable-platform: this CVE is for Debian packaging configuration" CVE_STATUS[CVE-1999-1412] = "not-applicable-platform: this CVE is for MAC OS X specific problem" -CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows." -CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)" -CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)" -CVE_STATUS[CVE-2007-6423] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2.x to 2.2.7-dev" -CVE_STATUS[CVE-2008-2168] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions up to 2.2.6 (excl.)" -CVE_STATUS[CVE-2010-0425] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows." +CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version is not affected. It only applies for Windows." +CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)" +CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version is not affected by the CVE which affects versions from 2.2 (incl.) 
to 2.2.8 (excl.)" +CVE_STATUS[CVE-2007-6423] = "cpe-incorrect: The current version is not affected by the CVE which affects versions from 2.2.x to 2.2.7-dev" +CVE_STATUS[CVE-2008-2168] = "cpe-incorrect: The current version is not affected by the CVE which affects versions up to 2.2.6 (excl.)" +CVE_STATUS[CVE-2010-0425] = "not-applicable-platform: The current version is not affected. It only applies for Windows." SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice"
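Review bot: the rewritten lines are still inconsistent with each other: CVE-1999-0289 ends without a period while CVE-2007-0450 and CVE-2010-0425 end with one, and since every entry is being touched anyway it costs nothing to make them uniform. The substantive change is right: PV is already in the recipe filename (apache2_2.4.62.bb), so repeating it inside CVE_STATUS text only produces the drift the commit message describes (2.4.6 and 2.4.59 quoted in a 2.4.62 recipe). For the cpe-incorrect entries the affected range ("from 2.2 (incl.) to 2.2.8 (excl.)") is the part worth keeping, because that is what the next reviewer has to re-check after an upgrade.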
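As an added example (not code from this series or from OE-core), a small lint that checks CVE_STATUS entries for the problems this series fixes by hand: version literals that no longer match PV, unknown status groups, duplicate or out-of-order entries, and empty rationales. The status groups beyond the four used in the series are assumed from OE-core's cve-check-map.conf, and the sample recipe text is constructed from the apache2 and monkey hunks.

```python
"""Lint CVE_STATUS entries in a BitBake recipe (added example, not part of the series)."""
import re
from typing import List, Optional, Tuple

# Groups used in the series (cpe-incorrect, not-applicable-platform,
# fixed-version, disputed) plus the rest from OE-core's cve-check-map.conf;
# assumption: compare against the copy in your own OE-core checkout.
KNOWN_GROUPS = {
    "cpe-incorrect", "not-applicable-platform", "fixed-version", "disputed",
    "not-applicable-config", "cpe-stable-backport", "backported-patch",
    "upstream-wontfix", "ignored", "unpatched", "vulnerable-investigating",
}

ENTRY_RE = re.compile(r'^\s*CVE_STATUS\[(CVE-(\d{4})-(\d{4,}))\]\s*=\s*"([^"]*)"')
# A parenthesised dotted number such as "(2.4.59)" inside a rationale.
VERSION_LITERAL_RE = re.compile(r"\((\d+(?:\.\d+)+)\)")
PV_RE = re.compile(r"_([0-9][^_/]*)\.bb$")

Finding = Tuple[str, str, str]  # (severity, CVE id, message)


def recipe_pv(recipe_path: str) -> Optional[str]:
    """PV from a recipe filename like apache2_2.4.62.bb; None for *_git.bb."""
    m = PV_RE.search(recipe_path)
    return m.group(1) if m else None


def lint_cve_status(recipe_path: str, text: str) -> List[Finding]:
    """Check every CVE_STATUS line in text and return findings in file order."""
    pv = recipe_pv(recipe_path)
    findings: List[Finding] = []
    seen = set()
    last_key = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        cve_id, value = m.group(1), m.group(4)
        key = (int(m.group(2)), int(m.group(3)))
        group, _, reason = (part.strip() for part in value.partition(":"))
        if cve_id in seen:
            findings.append(("error", cve_id, "duplicate CVE_STATUS entry"))
        seen.add(cve_id)
        if group not in KNOWN_GROUPS:
            findings.append(("error", cve_id, f"unknown status group '{group}'"))
        if not reason:
            findings.append(("warning", cve_id, "no rationale after the status group"))
        # Patch 03/12 of the series: version literals go stale on every upgrade.
        for ver in VERSION_LITERAL_RE.findall(reason):
            if pv is not None and ver != pv:
                findings.append(("warning", cve_id,
                                 f"rationale cites version {ver} but recipe is {pv}"))
        if last_key is not None and key < last_key:
            findings.append(("info", cve_id, "entry is out of CVE-number order"))
        last_key = key
    return findings


APACHE2_RECIPE = "meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb"
# Constructed from the apache2 hunks: the entries as they stood before patch
# 03/12, still carrying the versions written at earlier upgrades.
APACHE2_BEFORE = """\
CVE_PRODUCT = "apache:http_server"
CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows"
CVE_STATUS[CVE-1999-0678] = "not-applicable-platform: this CVE is for Debian packaging configuration"
CVE_STATUS[CVE-1999-1412] = "not-applicable-platform: this CVE is for MAC OS X specific problem"
CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows."
CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"
CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"
CVE_STATUS[CVE-2007-6423] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2.x to 2.2.7-dev"
CVE_STATUS[CVE-2008-2168] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions up to 2.2.6 (excl.)"
CVE_STATUS[CVE-2010-0425] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows."
"""
# What patch 03/12 does to that block: drop the parenthesised version literals.
APACHE2_AFTER = re.sub(r" \(\d+(?:\.\d+)+\)", "", APACHE2_BEFORE)

MONKEY_RECIPE = "meta-webserver/recipes-httpd/monkey/monkey_1.6.9.bb"
# Constructed from the monkey hunk (patch 06/12): the new entry is appended out of order.
MONKEY_AFTER = """\
CVE_STATUS[CVE-2013-2183] = "cpe-incorrect: Current version (1.6.9) is not affected. Issue was addressed in version 1.3.0"
CVE_STATUS[CVE-2013-1771] = "not-applicable-platform: this is gentoo specific CVE"
"""

if __name__ == "__main__":
    for recipe, text in ((APACHE2_RECIPE, APACHE2_BEFORE), (MONKEY_RECIPE, MONKEY_AFTER)):
        for severity, cve_id, msg in lint_cve_status(recipe, text):
            print(f"{recipe}: {severity}: {cve_id}: {msg}")
```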

From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][PATCH 04/12] spice: ignore CVE-2016-0749
Date: Thu, 19 Dec 2024 21:27:30 +0100
Message-Id: <20241219202738.346121-5-peter.marko@siemens.com>
In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com>
References: <20241219202738.346121-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114405

From: Peter Marko

NVD tracks this as a version-less CVE for spice.
It was fixed by [1] and [2] included in 0.13.2.

[1] https://gitlab.freedesktop.org/spice/spice/-/commit/6b32af3e1746988bb5a5123263bcf61b65e5be7e
[2] https://gitlab.freedesktop.org/spice/spice/-/commit/359ac42a7ac02dcd1013757559292006647cd5c4

Signed-off-by: Peter Marko
---
 meta-networking/recipes-support/spice/spice_git.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-networking/recipes-support/spice/spice_git.bb b/meta-networking/recipes-support/spice/spice_git.bb
index 419316a26e..5e6d8584e3 100644
--- a/meta-networking/recipes-support/spice/spice_git.bb
+++ b/meta-networking/recipes-support/spice/spice_git.bb
@@ -21,6 +21,7 @@ SRC_URI = "gitsm://gitlab.freedesktop.org/spice/spice;branch=master;protocol=htt S = "${WORKDIR}/git" +CVE_STATUS[CVE-2016-0749] = "fixed-version: patched since 0.13.2" CVE_STATUS[CVE-2018-10893] = "fixed-version: patched already, caused by inaccurate CPE in the NVD database." inherit meson gettext python3native python3-dir pkgconfig
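Review bot: "fixed-version: patched since 0.13.2" cannot be verified from this recipe alone, because spice_git.bb builds from a SRCREV on branch=master rather than a release; put the two fix commits from the commit message (6b32af3e and 359ac42a) into the rationale so that a later SRCREV change can be checked against them, and since NVD carries no version range for this CVE, say so in the rationale the way the neighbouring CVE-2018-10893 entry does.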

From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][PATCH 05/12] gattlib: mark CVE-2019-6498 as fixed
Date: Thu, 19 Dec 2024 21:27:31 +0100
Message-Id: <20241219202738.346121-6-peter.marko@siemens.com>
In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com>
References: <20241219202738.346121-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114406

From: Peter Marko

Our hash does not point to an exact tag and the CVE patch is already in.

We use: 33a8a275928b186381bb0aea0f9778e330e57ec3
Fix: https://github.com/labapart/gattlib/commit/60b813a770e42fdb0e85c1d2da7a55327784b8d6

git describe --tags --match=v0.2 33a8a275928b186381bb0aea0f9778e330e57ec3 60b813a770e42fdb0e85c1d2da7a55327784b8d6
v0.2-262-g33a8a27
v0.2-85-g60b813a

Signed-off-by: Peter Marko
---
 meta-oe/recipes-connectivity/gattlib/gattlib_git.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
index 7ad28d594d..0841dc2596 100644
--- a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
+++ b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
@@ -17,6 +17,8 @@ SRCREV = "33a8a275928b186381bb0aea0f9778e330e57ec3" S = "${WORKDIR}/git" +CVE_STATUS[CVE-2019-6498] = "fixed-version: patch is already included in sources" + PACKAGECONFIG[examples] = "-DGATTLIB_BUILD_EXAMPLES=ON,-DGATTLIB_BUILD_EXAMPLES=OFF" # Set this to force use of DBus API if Bluez version is older than 5.42
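Review bot: the git describe output in the commit message (v0.2-262-g33a8a27 against v0.2-85-g60b813a) shows that v0.2 is an ancestor of both commits, but a larger commit count after the tag does not by itself prove that the fix 60b813a is an ancestor of the SRCREV 33a8a275 used in the context line above; `git merge-base --is-ancestor 60b813a770e42fdb0e85c1d2da7a55327784b8d6 33a8a275928b186381bb0aea0f9778e330e57ec3` is the direct check and is worth quoting instead. The rationale "patch is already included in sources" should also name that fix commit, so the next SRCREV bump can be re-verified rather than trusted.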

From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][PATCH 06/12] monkey: ignore CVE-2013-1771
Date: Thu, 19 Dec 2024 21:27:32 +0100
Message-Id: <20241219202738.346121-7-peter.marko@siemens.com>
In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com>
References: <20241219202738.346121-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114407

From: Peter Marko

This is a Gentoo-specific CVE.
NVD tracks this as a version-less CVE.

Signed-off-by: Peter Marko
---
 meta-webserver/recipes-httpd/monkey/monkey_1.6.9.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-webserver/recipes-httpd/monkey/monkey_1.6.9.bb b/meta-webserver/recipes-httpd/monkey/monkey_1.6.9.bb
index f10262366a..a11af8129a 100644
--- a/meta-webserver/recipes-httpd/monkey/monkey_1.6.9.bb
+++ b/meta-webserver/recipes-httpd/monkey/monkey_1.6.9.bb
@@ -91,3 +91,4 @@ CONFFILES:${PN} = "${sysconfdir}/monkey/monkey.conf \ " CVE_STATUS[CVE-2013-2183] = "cpe-incorrect: Current version (1.6.9) is not affected. Issue was addressed in version 1.3.0" +CVE_STATUS[CVE-2013-1771] = "not-applicable-platform: this is gentoo specific CVE"
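Review bot: the added rationale "this is gentoo specific CVE" needs an article and the proper noun, e.g. "this is a Gentoo-specific CVE (NVD tracks it version-less)". Two smaller points in the same region: the new line is appended after CVE-2013-2183, so the entries are no longer in CVE-number order, and the existing CVE-2013-2183 rationale still hard-codes "(1.6.9)", exactly the pattern patch 03/12 of this series removes from apache2; it would be consistent to drop it here in the same series.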

From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][PATCH 07/12] redis: ignore CVE-2022-0543
Date: Thu, 19 Dec 2024 21:27:33 +0100
Message-Id: <20241219202738.346121-8-peter.marko@siemens.com>
In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com>
References: <20241219202738.346121-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114408

From: Peter Marko

This is a Debian-specific CVE.
NVD tracks this CVE as version-less.

Signed-off-by: Peter Marko
---
 meta-oe/recipes-extended/redis/redis_7.2.6.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-extended/redis/redis_7.2.6.bb b/meta-oe/recipes-extended/redis/redis_7.2.6.bb
index dcfd532cff..b52381c7aa 100644
--- a/meta-oe/recipes-extended/redis/redis_7.2.6.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.2.6.bb
@@ -71,3 +71,4 @@ INITSCRIPT_PARAMS = "defaults 87" SYSTEMD_SERVICE:${PN} = "redis.service" CVE_STATUS[CVE-2022-3734] = "not-applicable-platform: CVE only applies for Windows." +CVE_STATUS[CVE-2022-0543] = "not-applicable-platform: Debian-specific CVE"
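Review bot: "Debian-specific CVE" states the conclusion but not the reason; the commit message only adds that NVD has no version range, so a reviewer has to leave the recipe to learn what Debian does differently and confirm that the OE build is not configured the same way. State that difference in the rationale, and if it is a build or packaging configuration rather than a platform property, not-applicable-config is the more accurate group. The line is also appended after CVE-2022-3734, breaking CVE-number order in the recipe.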

From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][PATCH 08/12] spice-gtk: mark CVE-2012-4425 as fixed
Date: Thu, 19 Dec 2024 21:27:34 +0100
Message-Id: <20241219202738.346121-9-peter.marko@siemens.com>
In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com>
References: <20241219202738.346121-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114409

From: Peter Marko

It is fixed by [1] since 0.15.3.
NVD tracks this CVE as version-less.

[1] https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=efbf867bb88845d5edf839550b54494b1bb752b9

Signed-off-by: Peter Marko
---
 meta-networking/recipes-support/spice/spice-gtk_0.42.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-networking/recipes-support/spice/spice-gtk_0.42.bb b/meta-networking/recipes-support/spice/spice-gtk_0.42.bb
index c8a3f7f532..4ef39f0904 100644
--- a/meta-networking/recipes-support/spice/spice-gtk_0.42.bb
+++ b/meta-networking/recipes-support/spice/spice-gtk_0.42.bb
@@ -12,6 +12,8 @@ SRCREV = "f04479c16f0969fb394ebe74b6eff74e560a42f0" SRC_URI = "gitsm://gitlab.freedesktop.org/spice/spice-gtk.git;protocol=https;branch=master" +CVE_STATUS[CVE-2012-4425] = "fixed-version: fixed since 0.15.3" + S = "${WORKDIR}/git" DEPENDS = " \
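Review bot: "fixed-version: fixed since 0.15.3" is plausible for a 0.42 recipe, but this recipe too builds from a SRCREV on branch=master and NVD carries no version range for CVE-2012-4425, so cve-check cannot confirm the claim either way; adding the fix commit from the commit message (efbf867b) to the rationale records where the claim comes from. The entry is also placed between SRC_URI and S here while the spice recipe earlier in the series keeps its CVE_STATUS lines after S; laying the two recipes out the same way makes them easier to compare on the next upgrade.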

From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][PATCH 09/12] apache2: ignore disputed CVE CVE-2007-0086
Date: Thu, 19 Dec 2024 21:27:35 +0100
Message-Id: <20241219202738.346121-10-peter.marko@siemens.com>
In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com>
References: <20241219202738.346121-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114410

From: Peter Marko

This CVE is officially disputed by Red Hat with an official statement in
https://nvd.nist.gov/vuln/detail/CVE-2007-0086

Red Hat does not consider this issue to be a security vulnerability. The potential attacker has to send acknowledgement packets periodically to make server generate traffic. Exactly the same effect could be achieved by simply downloading the file. The statement that setting the TCP window size to arbitrarily high value would permit the attacker to disconnect and stop sending ACKs is false, because Red Hat Enterprise Linux limits the size of the TCP send buffer to 4MB by default.

Signed-off-by: Peter Marko
---
 meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
index 3a988f2494..bba00fb95c 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
@@ -40,6 +40,7 @@ CVE_PRODUCT = "apache:http_server" CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version is not affected. It only applies for Windows" CVE_STATUS[CVE-1999-0678] = "not-applicable-platform: this CVE is for Debian packaging configuration" CVE_STATUS[CVE-1999-1412] = "not-applicable-platform: this CVE is for MAC OS X specific problem" +CVE_STATUS[CVE-2007-0086] = "disputed: this CVE is officially disputed by Redhat" CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version is not affected. It only applies for Windows." CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)" CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)" From patchwork Thu Dec 19 20:27:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 54387 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BFAB6E7718B for ; Thu, 19 Dec 2024 20:29:15 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.138178.1734640150697081304 for ; Thu, 19 Dec 2024 12:29:13 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=dIoo8POV; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-2024121920291254e7d40402dd4fdd1c-74o8bo@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2024121920291254e7d40402dd4fdd1c for ; Thu, 19 Dec 2024 21:29:12 +0100 
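Review bot: the justification in `CVE_STATUS[CVE-2007-0086] = "disputed: this CVE is officially disputed by Redhat"` records only who disputed the CVE; the actual argument (the NVD statement that the attacker must keep sending ACKs and that the effect is bounded by the TCP send-buffer limit) lives only in the commit message. Since that rationale rests on a Red Hat Enterprise Linux kernel default (a 4MB TCP send buffer) rather than on httpd itself, put the NVD URL into the string so a maintainer building for a differently configured kernel can re-evaluate it, e.g. `CVE_STATUS[CVE-2007-0086] = "disputed: disputed by Red Hat, see https://nvd.nist.gov/vuln/detail/CVE-2007-0086"`. The vendor name is also spelled "Red Hat", as the quoted statement itself has it.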
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=4acOEUW0KM6GDiDuJ1RI4womNLDA1sjdrTgPxfqv/0w=; b=dIoo8POVuyN088qYKrLWLKyua9SL7EAoIGyWaJsOC/osZJaN2+LzQ/xxOfjdU0AZQm5hoz NeBGIN/cjFrFeiLUs8+bTVD2eMAe35TJeF07z8a8a8eIG4FU5LP3GfTl28wvD5NZfOIzyLsw BHWRiPgdcTxVisaTvSv4LZsfQpjk4jBNaRYYv4UYYcS50j3y2JBsihiLn9eKGn9PFJmDC2wG IVsF6g4k34kaX6MzKprmE3Y8X3HsHEhaY/Or/PaoZBa0V47hh2k96SIYljjnIzn6cSWgK66U LDmyqn8RN0fxjc53REyuHCgysB+Ikx68Tita7QNnuQjGxkq3Zh69FIxQ==; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-oe][PATCH 10/12] swagger-ui: mark CVE-2016-1000229 as fixed Date: Thu, 19 Dec 2024 21:27:36 +0100 Message-Id: <20241219202738.346121-11-peter.marko@siemens.com> In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com> References: <20241219202738.346121-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 19 Dec 2024 20:29:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114411 From: Peter Marko as per https://github.com/swagger-api/swagger-ui/issues/1865 NVD tracks this CVE as version-less. Signed-off-by: Peter Marko --- meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.18.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.18.2.bb b/meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.18.2.bb index 5add32db43..0998643b2a 100644 --- a/meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.18.2.bb +++ b/meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.18.2.bb 
@@ -14,6 +14,8 @@ SRC_URI = "git://github.com/swagger-api/swagger-ui;branch=master;protocol=https" SRCREV = "3c7e281d97fd3e70b25f7ff4a001eabd56e375d7" +CVE_STATUS[CVE-2016-1000229] = "fixed-version: fixed since 2.2.1" + S = "${WORKDIR}/git" do_install() { From patchwork Thu Dec 19 20:27:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 54392 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF999E77184 for ; Thu, 19 Dec 2024 20:29:25 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.138184.1734640158367521957 for ; Thu, 19 Dec 2024 12:29:18 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=Vp4TtrQd; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20241219202916875f3f728104897ef1-x_q2nt@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20241219202916875f3f728104897ef1 for ; Thu, 19 Dec 2024 21:29:16 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=+CqQucpsP7m2LFK/bL1AYFG69D94dVZCTjbxt4kkx7w=; b=Vp4TtrQd/EplnjjOqV5sadXNE7c/dog2C6rCs0txy9CH3US/yuyzDpMfoBG33FBo6bi91b 7XwwcUDEi31s+cIcN0/tlSBDpNhRHYMDUxkjTRfnSH3YJELdMDmGUwNaawW8YBcPDOP7OP3A R4rNeyTPFlKlapmAPF2fUeIFHRvsumsMpJ/w+2YbYeLt8jNuwJf1I8soaZGlDFC9cQ1ghx7a bXo9alW0L1xjl3Xu9W0wqW717EnnE0H4W5zaosuaiYlwjWKk5HZS4625h4qRgHjUU/GpRMpX 
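Review bot: the `fixed-version: fixed since 2.2.1` justification does not say where the 2.2.1 figure comes from; the commit message cites https://github.com/swagger-api/swagger-ui/issues/1865 and notes that NVD tracks this CVE as version-less, which is exactly the case where the evidence should travel with the recipe rather than with git history. Suggest appending the issue URL to the string, e.g. `CVE_STATUS[CVE-2016-1000229] = "fixed-version: fixed since 2.2.1, see https://github.com/swagger-api/swagger-ui/issues/1865"`, matching the way the other entries in this series should carry their source.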
CUqdpeT827DVtRuEPpanktCxWbaDOGWESrWFJ59FQ0DZ1V6vLlKfI4Jg==; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-oe][PATCH 11/12] memcached: ignore disputed CVE-2022-26635 Date: Thu, 19 Dec 2024 21:27:37 +0100 Message-Id: <20241219202738.346121-12-peter.marko@siemens.com> In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com> References: <20241219202738.346121-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 19 Dec 2024 20:29:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114412 From: Peter Marko Per [1] this is a problem of applications using memcached improperly. This should not be a CVE against php-memcached, but for whatever software the issue was actually found in. php-memcached and libmemcached provide a VERIFY_KEY flag if they're too lazy to filter untrusted user input. [1] https://github.com/php-memcached-dev/php-memcached/issues/519 Signed-off-by: Peter Marko --- meta-networking/recipes-support/memcached/memcached_1.6.17.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb index 270ad5486d..7234f02a13 100644 --- a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb +++ b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb 
@@ -25,6 +25,8 @@ SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ " SRC_URI[sha256sum] = "2055e373613d8fc21529aff9f0adce3e23b9ce01ba0478d30e7941d9f2bd1224" +CVE_STATUS[CVE-2022-26635] = "disputed: this is a problem of applications using php-memcached inproperly" + # set the same COMPATIBLE_HOST as libhugetlbfs COMPATIBLE_HOST = "(i.86|x86_64|powerpc|powerpc64|aarch64|arm).*-linux*" From patchwork Thu Dec 19 20:27:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 54391 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C54F2E7718A for ; Thu, 19 Dec 2024 20:29:25 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.138184.1734640158367521957 for ; Thu, 19 Dec 2024 12:29:21 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=ZwbikYfn; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20241219202920b3dc21880eaf03d166-8sn6a_@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20241219202920b3dc21880eaf03d166 for ; Thu, 19 Dec 2024 21:29:20 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=eIRcIhOQXyt7HWnN9kEN0Sasr6gzdtwJ351HnmzuX5M=; b=ZwbikYfnCrFw8cqfNEZ7yWNP4y+ei4QjRH56YdxRfQHwuXNDk8mO21Igh4RFYm6ZlLoEUE MFiWY1b9qut8wTkgmNVF8DwGoP7oD7D0Q8rCqEURO/Dh6THrqTXvT4mmmTYfCvKO0CnWMwnK 
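Review bot: typo in the added justification string, "inproperly" should be "improperly". More importantly, the string does not say why a php-memcached report is being marked on the memcached server recipe: a reader of the .bb alone cannot tell that the issue is in client applications failing to validate keys, not in the server being built here. The commit message already makes that point and links the upstream discussion, so carry both into the recipe, e.g. `CVE_STATUS[CVE-2022-26635] = "disputed: concerns applications using the php-memcached client improperly, not the memcached server; see https://github.com/php-memcached-dev/php-memcached/issues/519"`. Note also that the commit message says "applications using memcached" while the status string says "php-memcached"; the two should agree.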
IkJKSQ3T2bjuY0cZ4uum/f7p2tTBpUzMpRJL9m7jtwOCVCxQOPWSI8ewCE6rRHtlJ9nuxIZf 77EAYPxLdf7N4x82M5JJlkquucoBB8YgidtMXikLlokiJeIxB1ZILrtvdoCLV8MYwsiO7kbV +EbgK92mU1JhKjgkUATgAccEh0x6AW9/aAlEP6H8MFXcY2V9meg36SzQ==; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-oe][PATCH 12/12] emlog: set CVE_PRODUCT Date: Thu, 19 Dec 2024 21:27:38 +0100 Message-Id: <20241219202738.346121-13-peter.marko@siemens.com> In-Reply-To: <20241219202738.346121-1-peter.marko@siemens.com> References: <20241219202738.346121-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 19 Dec 2024 20:29:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114413 From: Peter Marko This will remove false-positive CVE-2024-50655 from reports. There are different emlog components from other vendors around. Signed-off-by: Peter Marko --- meta-oe/recipes-core/emlog/emlog.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-core/emlog/emlog.inc b/meta-oe/recipes-core/emlog/emlog.inc index 631e52f388..ec78a11086 100644 --- a/meta-oe/recipes-core/emlog/emlog.inc +++ b/meta-oe/recipes-core/emlog/emlog.inc @@ -8,6 +8,8 @@ SRCREV = "a9bbf324fde131ff4cf064e32674086c4ced4dca" PV = "0.70+git" S = "${WORKDIR}/git" +CVE_PRODUCT = "nicupavel:emlog" + EXTRA_OEMAKE += " \ CFLAGS='${TARGET_CFLAGS}' \ "
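Review bot: `CVE_PRODUCT = "nicupavel:emlog"` is the right kind of fix for a name collision, but the .inc gives no hint why the vendor prefix matters, so a later cleanup could reduce it to plain "emlog" and reintroduce the false positive. Add a one-line comment above the assignment stating what the commit message says: other vendors ship products called emlog, and the vendor-qualified CPE is what excludes CVE-2024-50655. It is also worth double-checking that "nicupavel" is the vendor string NVD uses for this project's own advisories, since a mismatch there would hide real reports rather than only the false positive.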