* [meta-oe][dunfell][PATCH] protobuf: Whitelist CVE-2015-5237
@ 2021-06-15 7:19 RAHUL taya
2021-06-23 10:21 ` RAHUL taya
2021-06-27 13:07 ` [oe] " Armin Kuster
0 siblings, 2 replies; 5+ messages in thread
From: RAHUL taya @ 2021-06-15 7:19 UTC (permalink / raw)
To: openembedded-devel, raj.khem
Cc: nisha.parrakat, purushottam.choudhary, Rahul Taya
As per below reference links this CVE issue seems to be minor and
harmless and as per upstream this is not a real issue in practice.
And as per red hat this issue is marked as low severity.
1. https://bugzilla.suse.com/show_bug.cgi?id=CVE-2015-5237
2. https://security-tracker.debian.org/tracker/CVE-2015-5237
3. https://ubuntu.com/security/CVE-2015-5237
4. https://github.com/protocolbuffers/protobuf/issues/760
As per NVD link: https://nvd.nist.gov/vuln/detail/CVE-2015-5237#range-6634983
it affects version upto 3.1(including)
Signed-off-by: Rahul Taya <Rahultaya96@gmail.com>
---
meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
index 4d6c5b255..f845a72a0 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
@@ -88,3 +88,11 @@ LDFLAGS_append_arm = " -latomic"
LDFLAGS_append_mips = " -latomic"
LDFLAGS_append_powerpc = " -latomic"
LDFLAGS_append_mipsel = " -latomic"
+
+# As per below links this issue is minor and harmless and
+# as per upstream this is not a real issue in practice.
+# https://bugzilla.suse.com/show_bug.cgi?id=CVE-2015-5237
+# https://security-tracker.debian.org/tracker/CVE-2015-5237
+# https://ubuntu.com/security/CVE-2015-5237
+# https://github.com/protocolbuffers/protobuf/issues/760
+CVE_CHECK_WHITELIST += "CVE-2015-5237"
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [meta-oe][dunfell][PATCH] protobuf: Whitelist CVE-2015-5237
2021-06-15 7:19 [meta-oe][dunfell][PATCH] protobuf: Whitelist CVE-2015-5237 RAHUL taya
@ 2021-06-23 10:21 ` RAHUL taya
2021-06-27 13:07 ` [oe] " Armin Kuster
1 sibling, 0 replies; 5+ messages in thread
From: RAHUL taya @ 2021-06-23 10:21 UTC (permalink / raw)
To: openembedded-devel
[-- Attachment #1: Type: text/plain, Size: 64 bytes --]
Hi Team,
Any update on this ?
Thanks and Regards,
Rahul
[-- Attachment #2: Type: text/html, Size: 84 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [oe] [meta-oe][dunfell][PATCH] protobuf: Whitelist CVE-2015-5237
2021-06-15 7:19 [meta-oe][dunfell][PATCH] protobuf: Whitelist CVE-2015-5237 RAHUL taya
2021-06-23 10:21 ` RAHUL taya
@ 2021-06-27 13:07 ` Armin Kuster
1 sibling, 0 replies; 5+ messages in thread
From: Armin Kuster @ 2021-06-27 13:07 UTC (permalink / raw)
To: RAHUL taya, openembedded-devel, raj.khem
Cc: nisha.parrakat, purushottam.choudhary
On 6/15/21 12:19 AM, RAHUL taya wrote:
> As per below reference links this CVE issue seems to be minor and
> harmless and as per upstream this is not a real issue in practice.
>
> And as per red hat this issue is marked as low severity.
>
> 1. https://bugzilla.suse.com/show_bug.cgi?id=CVE-2015-5237
> 2. https://security-tracker.debian.org/tracker/CVE-2015-5237
> 3. https://ubuntu.com/security/CVE-2015-5237
> 4. https://github.com/protocolbuffers/protobuf/issues/760
I believe it is bad form for a upstream project to not fix Security
issues based on their score. The decision should be left up to the
consumers of sed repo, layer or Project.
BTW, the NVD score is 8.8. IMHO, it should be fixed, not masked out. If
you want to evaluate it yourself and decide to excluded this issue from
you project or product, you are able to do so in your own layer.
- armin
>
> As per NVD link: https://nvd.nist.gov/vuln/detail/CVE-2015-5237#range-6634983
> it affects version upto 3.1(including)
>
> Signed-off-by: Rahul Taya <Rahultaya96@gmail.com>
> ---
> meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
> index 4d6c5b255..f845a72a0 100644
> --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
> +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
> @@ -88,3 +88,11 @@ LDFLAGS_append_arm = " -latomic"
> LDFLAGS_append_mips = " -latomic"
> LDFLAGS_append_powerpc = " -latomic"
> LDFLAGS_append_mipsel = " -latomic"
> +
> +# As per below links this issue is minor and harmless and
> +# as per upstream this is not a real issue in practice.
> +# https://bugzilla.suse.com/show_bug.cgi?id=CVE-2015-5237
> +# https://security-tracker.debian.org/tracker/CVE-2015-5237
> +# https://ubuntu.com/security/CVE-2015-5237
> +# https://github.com/protocolbuffers/protobuf/issues/760
> +CVE_CHECK_WHITELIST += "CVE-2015-5237"
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* [meta-oe][dunfell][PATCH] protobuf: Whitelist CVE-2015-5237
@ 2021-06-14 11:15 RAHUL taya
2021-06-14 11:18 ` Purushottam choudhary
0 siblings, 1 reply; 5+ messages in thread
From: RAHUL taya @ 2021-06-14 11:15 UTC (permalink / raw)
To: openembedded-core, raj.khem
Cc: nisha.parrakat, purushottam.choudhary, Rahul Taya
As per below reference links this CVE issue seems to be minor and
harmless and as per upstream this is not a real issue in practice.
And as per red hat this issue is marked as low severity.
1. https://bugzilla.suse.com/show_bug.cgi?id=CVE-2015-5237
2. https://security-tracker.debian.org/tracker/CVE-2015-5237
3. https://ubuntu.com/security/CVE-2015-5237
4. https://github.com/protocolbuffers/protobuf/issues/760
Signed-off-by: Rahul Taya <Rahultaya96@gmail.com>
---
meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
index 4d6c5b255..f845a72a0 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
@@ -88,3 +88,11 @@ LDFLAGS_append_arm = " -latomic"
LDFLAGS_append_mips = " -latomic"
LDFLAGS_append_powerpc = " -latomic"
LDFLAGS_append_mipsel = " -latomic"
+
+# As per below links this issue is minor and harmless and
+# as per upstream this is not a real issue in practice.
+# https://bugzilla.suse.com/show_bug.cgi?id=CVE-2015-5237
+# https://security-tracker.debian.org/tracker/CVE-2015-5237
+# https://ubuntu.com/security/CVE-2015-5237
+# https://github.com/protocolbuffers/protobuf/issues/760
+CVE_CHECK_WHITELIST += "CVE-2015-5237"
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [meta-oe][dunfell][PATCH] protobuf: Whitelist CVE-2015-5237
2021-06-14 11:15 RAHUL taya
@ 2021-06-14 11:18 ` Purushottam choudhary
0 siblings, 0 replies; 5+ messages in thread
From: Purushottam choudhary @ 2021-06-14 11:18 UTC (permalink / raw)
To: Rahul, openembedded-core, raj.khem; +Cc: Nisha Parrakat
[-- Attachment #1: Type: text/plain, Size: 5584 bytes --]
Hi Rahul,
Looks good to me.
Thanks & Regards,
Purushottam
________________________________
From: Rahul <rahultaya96@gmail.com>
Sent: Monday, June 14, 2021 4:45 PM
To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; raj.khem@gmail.com <raj.khem@gmail.com>
Cc: Nisha Parrakat <Nisha.Parrakat@kpit.com>; Purushottam Choudhary <Purushottam.Choudhary@kpit.com>; Rahul Taya <Rahultaya96@gmail.com>
Subject: [meta-oe][dunfell][PATCH] protobuf: Whitelist CVE-2015-5237
As per below reference links this CVE issue seems to be minor and
harmless and as per upstream this is not a real issue in practice.
And as per red hat this issue is marked as low severity.
1. https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.suse.com%2Fshow_bug.cgi%3Fid%3DCVE-2015-5237&data=04%7C01%7Cpurushottam.choudhary%40kpit.com%7C8eaaa022c7434e8c8d4808d92f25b834%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637592661322740590%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=oE1VI2w%2FlOIZ%2FmkpVL%2FZaq9aw%2FGcV4b0edHV0mmJk0o%3D&reserved=0
2. https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2015-5237&data=04%7C01%7Cpurushottam.choudhary%40kpit.com%7C8eaaa022c7434e8c8d4808d92f25b834%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637592661322740590%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=WSLRqApgOA9Tu9FBP9e66uhyY3cJUOd9SyXFD0LEn1c%3D&reserved=0
3. https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fubuntu.com%2Fsecurity%2FCVE-2015-5237&data=04%7C01%7Cpurushottam.choudhary%40kpit.com%7C8eaaa022c7434e8c8d4808d92f25b834%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637592661322740590%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=oSir0LEkiJCeUJtq6IFCwZjY%2Blux%2FuBqN49vCHai%2FR8%3D&reserved=0
4. https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fprotocolbuffers%2Fprotobuf%2Fissues%2F760&data=04%7C01%7Cpurushottam.choudhary%40kpit.com%7C8eaaa022c7434e8c8d4808d92f25b834%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637592661322740590%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=b8Pg5FwlWu0AutQbFJ6RvukNlC7np%2FrLgHu5wcr9Luc%3D&reserved=0
Signed-off-by: Rahul Taya <Rahultaya96@gmail.com>
---
meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
index 4d6c5b255..f845a72a0 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
@@ -88,3 +88,11 @@ LDFLAGS_append_arm = " -latomic"
LDFLAGS_append_mips = " -latomic"
LDFLAGS_append_powerpc = " -latomic"
LDFLAGS_append_mipsel = " -latomic"
+
+# As per below links this issue is minor and harmless and
+# as per upstream this is not a real issue in practice.
+# https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.suse.com%2Fshow_bug.cgi%3Fid%3DCVE-2015-5237&data=04%7C01%7Cpurushottam.choudhary%40kpit.com%7C8eaaa022c7434e8c8d4808d92f25b834%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637592661322740590%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=oE1VI2w%2FlOIZ%2FmkpVL%2FZaq9aw%2FGcV4b0edHV0mmJk0o%3D&reserved=0
+# https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2015-5237&data=04%7C01%7Cpurushottam.choudhary%40kpit.com%7C8eaaa022c7434e8c8d4808d92f25b834%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637592661322740590%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=WSLRqApgOA9Tu9FBP9e66uhyY3cJUOd9SyXFD0LEn1c%3D&reserved=0
+# https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fubuntu.com%2Fsecurity%2FCVE-2015-5237&data=04%7C01%7Cpurushottam.choudhary%40kpit.com%7C8eaaa022c7434e8c8d4808d92f25b834%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637592661322750585%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=8EWGOaenFikIjMC6BTEwwTSyQp1kcYXMkHyRVbVPZWM%3D&reserved=0
+# https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fprotocolbuffers%2Fprotobuf%2Fissues%2F760&data=04%7C01%7Cpurushottam.choudhary%40kpit.com%7C8eaaa022c7434e8c8d4808d92f25b834%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637592661322750585%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=0vLwqC9ouL%2F1%2BskVdFJOeE9KCAvF25SBDpazy5ojao4%3D&reserved=0
+CVE_CHECK_WHITELIST += "CVE-2015-5237"
--
2.17.1
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
[-- Attachment #2: Type: text/html, Size: 10730 bytes --]
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-06-27 13:07 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-15 7:19 [meta-oe][dunfell][PATCH] protobuf: Whitelist CVE-2015-5237 RAHUL taya
2021-06-23 10:21 ` RAHUL taya
2021-06-27 13:07 ` [oe] " Armin Kuster
-- strict thread matches above, loose matches on Subject: below --
2021-06-14 11:15 RAHUL taya
2021-06-14 11:18 ` Purushottam choudhary
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.