* [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
@ 2021-09-14 18:03 Steve Sakoman
From: Steve Sakoman @ 2021-09-14 18:03 UTC (permalink / raw)
To: openembedded-core
The CVE database correctly reports CVEs for oracle_berkeley_db and
berkeley_db. We use the oracle_berkeley_db source tree and therefore
should only check for oracle_berkeley_db CVEs. Otherwise the scanner
falsely reports CVEs that are fixed in oracle_berkeley_db.
This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/db/db_5.3.28.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
index d5b788a3d7..5e9305ab06 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
LICENSE = "Sleepycat"
RCONFLICTS:${PN} = "db3"
-CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
+CVE_PRODUCT = "oracle_berkeley_db"
CVE_VERSION = "11.2.${PV}"
PR = "r1"
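Review bot: the `+CVE_PRODUCT = "oracle_berkeley_db"` line drops the one token that actually matches NVD's data for this package, so the revert silences the scanner rather than correcting it. As Anuj's reply in this thread points out, CVE-2015-2583 is recorded with vendor oracle and product berkeley_db; cve-check matches on that product name, and a token `oracle_berkeley_db` matches no CPE entry at all, so after this change the recipe reports nothing, including CVEs that are still open against 11.2.${PV}. Keep the previous value, `CVE_PRODUCT = "oracle_berkeley_db berkeley_db"`, and handle entries that are genuinely fixed in the Oracle tree by listing them in CVE_CHECK_WHITELIST with a short justification in the recipe; on branches where the cve-check class accepts a vendor:product token, narrowing to `oracle:berkeley_db` is the cleaner way to exclude other vendors' products of the same name without losing the real matches.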
--
2.25.1
* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
From: Anuj Mittal @ 2021-09-15 1:15 UTC (permalink / raw)
To: openembedded-core, steve
On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote:
> The CVE database correctly reports CVEs for oracle_berkeley_db and
> berkeley_db. We use the oracle_berkeley_db source tree and therefore
> should only check for oracle_berkeley_db CVEs. Otherwise the scanner
> falsely reports CVEs that are fixed in oracle_berkeley_db.
Aren't both the same thing? I think this revert is incorrect and the
CVEs being flagged are correct.
https://nvd.nist.gov/vuln/detail/CVE-2015-2583
The CPE data shows oracle as the vendor and berkeley_db as product.
Thanks,
Anuj
>
> This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> meta/recipes-support/db/db_5.3.28.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-
> support/db/db_5.3.28.bb
> index d5b788a3d7..5e9305ab06 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE =
> "https://www.oracle.com/database/technologies/related/berkeleydb.html
> LICENSE = "Sleepycat"
> RCONFLICTS:${PN} = "db3"
>
> -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> +CVE_PRODUCT = "oracle_berkeley_db"
> CVE_VERSION = "11.2.${PV}"
>
> PR = "r1"
>
>
>
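A worked model of the matching Anuj describes above, added here as an example and not taken from OE-core's cve-check class: it parses CPE 2.3 strings the way NVD records them (vendor oracle, product berkeley_db) and matches a CVE_PRODUCT token list against them at the recipe's CVE_VERSION of 11.2.${PV}. The CPE rows are constructed sample data: the CVE-2015-2583 row follows the shape of the NVD entry named in the thread, while CONSTRUCTED-0001 (same product under another vendor) and CONSTRUCTED-0002 (Oracle entry carrying a bare 5.3.28 version) are placeholders, not real CVE IDs. The vendor:product token form is assumed for illustration; whether the cve-check class on a given branch accepts that syntax has to be checked separately.

```python
"""Added example (not OE-core's cve-check code): a simplified model of matching
a CVE_PRODUCT token list against NVD CPE 2.3 entries.

All CPE strings below are constructed sample data. The CVE-2015-2583 row follows
the shape of NVD's entry (vendor oracle, product berkeley_db); CONSTRUCTED-0001
and CONSTRUCTED-0002 are placeholders, not real CVE IDs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_CPES = [
    ("CVE-2015-2583", "cpe:2.3:a:oracle:berkeley_db:11.2.5.3.28:*:*:*:*:*:*:*"),
    # Same product name under a different vendor (constructed placeholder).
    ("CONSTRUCTED-0001", "cpe:2.3:a:example_vendor:berkeley_db:11.2.5.3.28:*:*:*:*:*:*:*"),
    # Oracle entry recorded with the bare 5.3.28 version, no 11.2 prefix (constructed).
    ("CONSTRUCTED-0002", "cpe:2.3:a:oracle:berkeley_db:5.3.28:*:*:*:*:*:*:*"),
]


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str


def parse_cpe23(cpe: str) -> Cpe:
    """Pull vendor, product and version out of a CPE 2.3 formatted string.

    Layout: cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:...
    """
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return Cpe(vendor=fields[3], product=fields[4], version=fields[5])


def parse_product_token(token: str) -> Tuple[Optional[str], str]:
    """'berkeley_db' -> (None, 'berkeley_db'); 'oracle:berkeley_db' -> ('oracle', 'berkeley_db').

    The vendor:product token form is an assumption made for this illustration.
    """
    if ":" in token:
        vendor, product = token.split(":", 1)
        return vendor, product
    return None, token


def version_key(version: str) -> Tuple:
    """Compare dotted versions component-wise so 11.2.5.3.28 != 5.3.28."""
    return tuple(int(p) if p.isdigit() else p for p in version.split("."))


def matching_cves(cve_product: str, cve_version: str,
                  cpes=SAMPLE_CPES) -> List[str]:
    """Return the CVE IDs whose CPE entries match any CVE_PRODUCT token at CVE_VERSION."""
    wanted = [parse_product_token(t) for t in cve_product.split()]
    hits: List[str] = []
    for cve_id, cpe_str in cpes:
        cpe = parse_cpe23(cpe_str)
        for vendor, product in wanted:
            # The product field is the key: "oracle_berkeley_db" never equals "berkeley_db".
            if cpe.product != product:
                continue
            # A vendor-qualified token additionally pins the vendor field.
            if vendor is not None and cpe.vendor != vendor:
                continue
            # "*" and "-" mean any version; otherwise the versions must agree exactly.
            if cpe.version not in ("*", "-") and version_key(cpe.version) != version_key(cve_version):
                continue
            if cve_id not in hits:
                hits.append(cve_id)
    return hits


if __name__ == "__main__":
    pv = "5.3.28"
    cve_version = "11.2." + pv  # mirrors CVE_VERSION = "11.2.${PV}" in db_5.3.28.bb
    for products in ("oracle_berkeley_db", "oracle_berkeley_db berkeley_db", "oracle:berkeley_db"):
        print(f'CVE_PRODUCT = "{products}" -> {matching_cves(products, cve_version)}')
```

With CVE_VERSION 11.2.5.3.28, `oracle_berkeley_db` alone matches nothing, the two-token list matches CVE-2015-2583 plus the other-vendor placeholder, and `oracle:berkeley_db` matches CVE-2015-2583 only. CONSTRUCTED-0002 only matches a bare 5.3.28, which is the mismatch the 11.2.${PV} prefix in the recipe exists to avoid.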
* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
From: Steve Sakoman @ 2021-09-15 1:32 UTC (permalink / raw)
To: Mittal, Anuj; +Cc: Patches and discussions about the oe-core layer
On Tue, Sep 14, 2021, 3:15 PM Mittal, Anuj <anuj.mittal@intel.com> wrote:
> On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote:
> > The CVE database correctly reports CVEs for oracle_berkeley_db and
> > berkeley_db. We use the oracle_berkeley_db source tree and therefore
> > should only check for oracle_berkeley_db CVEs. Otherwise the scanner
> > falsely reports CVEs that are fixed in oracle_berkeley_db.
>
> Aren't both the same thing? I think this revert is incorrect and the
> CVEs being flagged are correct.
>
> https://nvd.nist.gov/vuln/detail/CVE-2015-2583
>
> The CPE data shows oracle as the vendor and berkeley_db as product.
>
Yes, I agree. See my reply from earlier today where I withdrew this patch!
Steve
>
>
>
> Thanks,
>
> Anuj
>
> >
> > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> >
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> > meta/recipes-support/db/db_5.3.28.bb | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-
> > support/db/db_5.3.28.bb
> > index d5b788a3d7..5e9305ab06 100644
> > --- a/meta/recipes-support/db/db_5.3.28.bb
> > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > @@ -15,7 +15,7 @@ HOMEPAGE =
> > "https://www.oracle.com/database/technologies/related/berkeleydb.html
> > LICENSE = "Sleepycat"
> > RCONFLICTS:${PN} = "db3"
> >
> > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> > +CVE_PRODUCT = "oracle_berkeley_db"
> > CVE_VERSION = "11.2.${PV}"
> >
> > PR = "r1"
> >
> >
> >
>
>
* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
From: Anuj Mittal @ 2021-09-15 1:43 UTC (permalink / raw)
To: steve; +Cc: openembedded-core
On Tue, 2021-09-14 at 15:32 -1000, Steve Sakoman wrote:
>
>
> On Tue, Sep 14, 2021, 3:15 PM Mittal, Anuj <anuj.mittal@intel.com>
> wrote:
> > On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote:
> > > The CVE database correctly reports CVEs for oracle_berkeley_db and
> > > berkeley_db. We use the oracle_berkeley_db source tree and therefore
> > > should only check for oracle_berkeley_db CVEs. Otherwise the scanner
> > > falsely reports CVEs that are fixed in oracle_berkeley_db.
> >
> > Aren't both the same thing? I think this revert is incorrect and the
> > CVEs being flagged are correct.
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2015-2583
> >
> > The CPE data shows oracle as the vendor and berkeley_db as product.
>
> Yes, I agree. See my reply from earlier today where I withdrew this
> patch!
Oh, this isn't showing up as threaded so I missed the reply. Thanks.
Thanks,
Anuj