* [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799
@ 2021-07-20  8:11 Saloni Jain
  2021-08-11  5:17 ` [oe] " Richard Leitner
  2021-08-23  4:25 ` Saloni Jain
  0 siblings, 2 replies; 7+ messages in thread
From: Saloni Jain @ 2021-07-20  8:11 UTC
  To: openembedded-devel, otavio, raj.khem; +Cc: nisha.parrakat, Saloni Jain

From: Saloni Jain <Saloni.Jain@kpit.com>

Whitelisted below CVE:
CVE-2018-2799:
CVE only applies to some Oracle Java SE and Red Hat
Enterprise Linux versions which is already fixed with
updates and the issue is closed.
Link: https://access.redhat.com/security/cve/CVE-2018-2799
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1567542
---
 recipes-core/xerces-j/xerces-j_2.11.0.bb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/recipes-core/xerces-j/xerces-j_2.11.0.bb b/recipes-core/xerces-j/xerces-j_2.11.0.bb
index 98ef32f..f2a4434 100644
--- a/recipes-core/xerces-j/xerces-j_2.11.0.bb
+++ b/recipes-core/xerces-j/xerces-j_2.11.0.bb
@@ -14,6 +14,12 @@ LIC_FILES_CHKSUM = " \
 
 SRC_URI = "http://archive.apache.org/dist/xerces/j/Xerces-J-src.${PV}.tar.gz"
 
+# CVE only applies to some Oracle Java SE and Red Hat Enterprise Linux versions.
+# Already fixed with updates and closed.
+# https://access.redhat.com/security/cve/CVE-2018-2799
+# https://bugzilla.redhat.com/show_bug.cgi?id=1567542
+CVE_CHECK_WHITELIST += "CVE-2018-2799"
+
 S = "${WORKDIR}/xerces-2_11_0"
 
 inherit java-library
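
Review bot: The comment added above CVE_CHECK_WHITELIST does not say why the Xerces-J 2.11.0 source built by this recipe is unaffected. "Already fixed with updates and closed" describes the state of the Oracle Java SE and Red Hat Enterprise Linux products, not of the code in Xerces-J-src.${PV}.tar.gz, so a later reader cannot tell whether the cve-check match is a false positive or an open issue being suppressed. Suggest wording the reason in terms of this package (for example, that the affected code is not part of this tarball, if that is what the linked trackers establish) and starting the comment with the CVE ID so the justification stays attached to the entry.
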
-- 
2.17.1



* Re: [oe] [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799
  2021-07-20  8:11 [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799 Saloni Jain
@ 2021-08-11  5:17 ` Richard Leitner
  2021-08-11 11:00   ` Saloni Jain
  2021-08-23  4:25 ` Saloni Jain
  1 sibling, 1 reply; 7+ messages in thread
From: Richard Leitner @ 2021-08-11  5:17 UTC
  To: jainsaloni0918
  Cc: openembedded-devel, otavio, raj.khem, nisha.parrakat, Saloni Jain

Hi,
thanks for the patch and sorry for the late reply.
Unfortunately there are some problems with your patch.

Your git author seems to be set up incorrectly. Please set it up
correctly using the following commands before formatting the patch:

	$ git config user.name "John Doe"
	$ git config user.email johndoe@example.com

On Tue, Jul 20, 2021 at 04:11:40AM -0400, Saloni Jain via lists.openembedded.org wrote:
> Whitelisted below CVE:
> CVE-2018-2799:
> CVE only applies to some Oracle Java SE and Red Hat
> Enterprise Linux versions which is already fixed with
> updates and the issue is closed.
> Link: https://access.redhat.com/security/cve/CVE-2018-2799
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1567542

Furthermore you are missing a Signed-Off-By line here. Please add it.

> ---
>  recipes-core/xerces-j/xerces-j_2.11.0.bb | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/recipes-core/xerces-j/xerces-j_2.11.0.bb b/recipes-core/xerces-j/xerces-j_2.11.0.bb
> index 98ef32f..f2a4434 100644
> --- a/recipes-core/xerces-j/xerces-j_2.11.0.bb
> +++ b/recipes-core/xerces-j/xerces-j_2.11.0.bb
> @@ -14,6 +14,12 @@ LIC_FILES_CHKSUM = " \
>  
>  SRC_URI = "http://archive.apache.org/dist/xerces/j/Xerces-J-src.${PV}.tar.gz"
>  
> +# CVE only applies to some Oracle Java SE and Red Hat Enterprise Linux versions.
> +# Already fixed with updates and closed.
> +# https://access.redhat.com/security/cve/CVE-2018-2799
> +# https://bugzilla.redhat.com/show_bug.cgi?id=1567542
> +CVE_CHECK_WHITELIST += "CVE-2018-2799"
> +
>  S = "${WORKDIR}/xerces-2_11_0"
>  
>  inherit java-library
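
Review bot: The CVE_CHECK_WHITELIST += "CVE-2018-2799" line is unconditional, and the comment above it does not record which version the assessment was made against. The entry will keep suppressing the CVE if the recipe is later moved past 2.11.0 with these lines carried over; suggest naming the assessed version in the comment (for example "not applicable to Xerces-J 2.11.0") so the entry is re-checked on upgrade.
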
> -- 
> 2.17.1

Otherwise the patch seems fine to me. So I'm looking forward to receiving
a v2 from you 😉

regards;rl


* Re: [oe] [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799
  2021-08-11  5:17 ` [oe] " Richard Leitner
@ 2021-08-11 11:00   ` Saloni Jain
  0 siblings, 0 replies; 7+ messages in thread
From: Saloni Jain @ 2021-08-11 11:00 UTC
  To: Richard Leitner - SKIDATA; +Cc: openembedded-devel


Hello,

Thank you for your reply and appreciate the feedback.
I will fix the mentioned comments and send a v2 for the patch.

Regards,
Saloni Jain

On Wed, 11 Aug 2021 at 01:17, Richard Leitner - SKIDATA <
Richard.Leitner@skidata.com> wrote:

> Hi,
> thanks for the patch and sorry for the late reply.
> Unfortunately there are some problems with your patch.
>
> Your git author seems to be set up incorrectly. Please set it up
> correctly using the following commands before formatting the patch:
>
>         $ git config user.name "John Doe"
>         $ git config user.email johndoe@example.com
>
> On Tue, Jul 20, 2021 at 04:11:40AM -0400, Saloni Jain via
> lists.openembedded.org wrote:
> > Whitelisted below CVE:
> > CVE-2018-2799:
> > CVE only applies to some Oracle Java SE and Red Hat
> > Enterprise Linux versions which is already fixed with
> > updates and the issue is closed.
> > Link: https://access.redhat.com/security/cve/CVE-2018-2799
> > Link: https://bugzilla.redhat.com/show_bug.cgi?id=1567542
>
> Furthermore you are missing a Signed-Off-By line here. Please add it.
>
> > ---
> >  recipes-core/xerces-j/xerces-j_2.11.0.bb | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/recipes-core/xerces-j/xerces-j_2.11.0.bb
> b/recipes-core/xerces-j/xerces-j_2.11.0.bb
> > index 98ef32f..f2a4434 100644
> > --- a/recipes-core/xerces-j/xerces-j_2.11.0.bb
> > +++ b/recipes-core/xerces-j/xerces-j_2.11.0.bb
> > @@ -14,6 +14,12 @@ LIC_FILES_CHKSUM = " \
> >
> >  SRC_URI = "
> http://archive.apache.org/dist/xerces/j/Xerces-J-src.${PV}.tar.gz"
> >
> > +# CVE only applies to some Oracle Java SE and Red Hat Enterprise Linux
> versions.
> > +# Already fixed with updates and closed.
> > +# https://access.redhat.com/security/cve/CVE-2018-2799
> > +# https://bugzilla.redhat.com/show_bug.cgi?id=1567542
> > +CVE_CHECK_WHITELIST += "CVE-2018-2799"
> > +
> >  S = "${WORKDIR}/xerces-2_11_0"
> >
> >  inherit java-library
> > --
> > 2.17.1
>
> Otherwise the patch seems fine to me. So I'm looking forward to receiving
> a v2 from you 😉
>
> regards;rl


* Re: [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799
  2021-07-20  8:11 [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799 Saloni Jain
  2021-08-11  5:17 ` [oe] " Richard Leitner
@ 2021-08-23  4:25 ` Saloni Jain
  1 sibling, 0 replies; 7+ messages in thread
From: Saloni Jain @ 2021-08-23  4:25 UTC
  To: openembedded-devel


Hello,

Could anyone please do a review again and confirm if the patch is now okay for integration in the upstream branch?

Regards,
Saloni Jain


* Re: [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799
  2021-07-12 13:35 ` saloni
@ 2021-07-12 16:54   ` Khem Raj
  0 siblings, 0 replies; 7+ messages in thread
From: Khem Raj @ 2021-07-12 16:54 UTC
  To: Saloni Jain
  Cc: openembedded-core, Nisha Parrakat, Purushottam Choudhary,
	Harpritkaur Bhandari

meta-java has contribution guidelines here:
https://git.yoctoproject.org/cgit/cgit.cgi/meta-java/tree/README
Please read through the Contributing section, follow the right mailing
list and CC the maintainers, please.

On Mon, Jul 12, 2021 at 6:35 AM Saloni Jain <Saloni.Jain@kpit.com> wrote:
>
> Hi,
>
> Please take the below changes and merge them in upstream dunfell branch.
>
> Thanks & Regards,
> Saloni
> ________________________________
> From: Saloni Jain <Saloni.Jain@kpit.com>
> Sent: Sunday, May 30, 2021 4:07 PM
> To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; raj.khem@gmail.com <raj.khem@gmail.com>
> Cc: Nisha Parrakat <Nisha.Parrakat@kpit.com>; Saloni Jain <Saloni.Jain@kpit.com>
> Subject: [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799
>
> From: Saloni Jain <Saloni.Jain@kpit.com>
>
> Whitelisted below CVE:
> CVE-2018-2799:
> CVE only applies to some Oracle Java SE and Red Hat
> Enterprise Linux versions which is already fixed with
> updates and the issue is closed.
> Link: https://access.redhat.com/security/cve/CVE-2018-2799
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1567542
>
> Signed-off-by: Saloni <Saloni.Jain@kpit.com>
> ---
>  recipes-core/xerces-j/xerces-j_2.11.0.bb | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/recipes-core/xerces-j/xerces-j_2.11.0.bb b/recipes-core/xerces-j/xerces-j_2.11.0.bb
> index 98ef32f..f2a4434 100644
> --- a/recipes-core/xerces-j/xerces-j_2.11.0.bb
> +++ b/recipes-core/xerces-j/xerces-j_2.11.0.bb
> @@ -14,6 +14,12 @@ LIC_FILES_CHKSUM = " \
>
>  SRC_URI = "http://archive.apache.org/dist/xerces/j/Xerces-J-src.${PV}.tar.gz"
>
> +# CVE only applies to some Oracle Java SE and Red Hat Enterprise Linux versions.
> +# Already fixed with updates and closed.
> +# https://access.redhat.com/security/cve/CVE-2018-2799
> +# https://bugzilla.redhat.com/show_bug.cgi?id=1567542
> +CVE_CHECK_WHITELIST += "CVE-2018-2799"
> +
>  S = "${WORKDIR}/xerces-2_11_0"
>
>  inherit java-library
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.


* Re: [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799
  2021-05-30 10:37 saloni
@ 2021-07-12 13:35 ` saloni
  2021-07-12 16:54   ` Khem Raj
  0 siblings, 1 reply; 7+ messages in thread
From: saloni @ 2021-07-12 13:35 UTC
  To: openembedded-core, raj.khem
  Cc: Nisha Parrakat, Purushottam Choudhary, Harpritkaur Bhandari


Hi,

Please take the below changes and merge them in upstream dunfell branch.

Thanks & Regards,
Saloni
________________________________
From: Saloni Jain <Saloni.Jain@kpit.com>
Sent: Sunday, May 30, 2021 4:07 PM
To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; raj.khem@gmail.com <raj.khem@gmail.com>
Cc: Nisha Parrakat <Nisha.Parrakat@kpit.com>; Saloni Jain <Saloni.Jain@kpit.com>
Subject: [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799

From: Saloni Jain <Saloni.Jain@kpit.com>

Whitelisted below CVE:
CVE-2018-2799:
CVE only applies to some Oracle Java SE and Red Hat
Enterprise Linux versions which is already fixed with
updates and the issue is closed.
Link: https://access.redhat.com/security/cve/CVE-2018-2799
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1567542

Signed-off-by: Saloni <Saloni.Jain@kpit.com>
---
 recipes-core/xerces-j/xerces-j_2.11.0.bb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/recipes-core/xerces-j/xerces-j_2.11.0.bb b/recipes-core/xerces-j/xerces-j_2.11.0.bb
index 98ef32f..f2a4434 100644
--- a/recipes-core/xerces-j/xerces-j_2.11.0.bb
+++ b/recipes-core/xerces-j/xerces-j_2.11.0.bb
@@ -14,6 +14,12 @@ LIC_FILES_CHKSUM = " \

 SRC_URI = "http://archive.apache.org/dist/xerces/j/Xerces-J-src.${PV}.tar.gz"

+# CVE only applies to some Oracle Java SE and Red Hat Enterprise Linux versions.
+# Already fixed with updates and closed.
+# https://access.redhat.com/security/cve/CVE-2018-2799
+# https://bugzilla.redhat.com/show_bug.cgi?id=1567542
+CVE_CHECK_WHITELIST += "CVE-2018-2799"
+
 S = "${WORKDIR}/xerces-2_11_0"

 inherit java-library
--
2.17.1


* [meta-java][dunfell][PATCH] xerces-j: Whitelisted CVE-2018-2799
@ 2021-05-30 10:37 saloni
  2021-07-12 13:35 ` saloni
  0 siblings, 1 reply; 7+ messages in thread
From: saloni @ 2021-05-30 10:37 UTC
  To: openembedded-core, raj.khem; +Cc: nisha.parrakat, Saloni Jain

From: Saloni Jain <Saloni.Jain@kpit.com>

Whitelisted below CVE:
CVE-2018-2799:
CVE only applies to some Oracle Java SE and Red Hat
Enterprise Linux versions which is already fixed with
updates and the issue is closed.
Link: https://access.redhat.com/security/cve/CVE-2018-2799
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1567542

Signed-off-by: Saloni <Saloni.Jain@kpit.com>
---
 recipes-core/xerces-j/xerces-j_2.11.0.bb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/recipes-core/xerces-j/xerces-j_2.11.0.bb b/recipes-core/xerces-j/xerces-j_2.11.0.bb
index 98ef32f..f2a4434 100644
--- a/recipes-core/xerces-j/xerces-j_2.11.0.bb
+++ b/recipes-core/xerces-j/xerces-j_2.11.0.bb
@@ -14,6 +14,12 @@ LIC_FILES_CHKSUM = " \

 SRC_URI = "http://archive.apache.org/dist/xerces/j/Xerces-J-src.${PV}.tar.gz"

+# CVE only applies to some Oracle Java SE and Red Hat Enterprise Linux versions.
+# Already fixed with updates and closed.
+# https://access.redhat.com/security/cve/CVE-2018-2799
+# https://bugzilla.redhat.com/show_bug.cgi?id=1567542
+CVE_CHECK_WHITELIST += "CVE-2018-2799"
+
 S = "${WORKDIR}/xerces-2_11_0"

 inherit java-library
--
2.17.1
