* [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
@ 2021-09-14 18:03 Steve Sakoman
  2021-09-15  1:15 ` [OE-core] " Anuj Mittal
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Sakoman @ 2021-09-14 18:03 UTC (permalink / raw)
  To: openembedded-core

The CVE database correctly reports CVEs for oracle_berkeley_db and
berkeley_db.  We use the oracle_berkeley_db source tree and therefore
should only check for oracle_berkeley_db CVEs. Otherwise the scanner
falsely reports CVEs that are fixed in oracle_berkeley_db.

This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/db/db_5.3.28.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
index d5b788a3d7..5e9305ab06 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
 LICENSE = "Sleepycat"
 RCONFLICTS:${PN} = "db3"
 
-CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
+CVE_PRODUCT = "oracle_berkeley_db"
 CVE_VERSION = "11.2.${PV}"
 
 PR = "r1"
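Review bot: the `-CVE_PRODUCT = "oracle_berkeley_db berkeley_db"` / `+CVE_PRODUCT = "oracle_berkeley_db"` change drops the `berkeley_db` entry, but the NVD CPE data cited in the reply for CVE-2015-2583 records vendor `oracle` and product `berkeley_db`, so after this change the scanner stops matching those records entirely, which silences real findings rather than false ones. The commit message asserts that `oracle_berkeley_db` and `berkeley_db` are different products without naming a CVE that applies to one but not the other; unless such a CVE can be shown, the original line with both entries should stay, which is also where the thread lands when the patch is withdrawn.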
-- 
2.25.1



* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
  2021-09-14 18:03 [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT" Steve Sakoman
@ 2021-09-15  1:15 ` Anuj Mittal
  2021-09-15  1:32   ` Steve Sakoman
  0 siblings, 1 reply; 4+ messages in thread
From: Anuj Mittal @ 2021-09-15  1:15 UTC (permalink / raw)
  To: openembedded-core, steve

On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote:
> The CVE database correctly reports CVEs for oracle_berkeley_db and
> berkeley_db.  We use the oracle_berkeley_db source tree and therefore
> should only check for oracle_berkeley_db CVEs. Otherwise the scanner
> falsely reports CVEs that are fixed in oracle_berkeley_db.

Aren't both the same thing? I think this revert is incorrect and the
CVEs being flagged are correct.

https://nvd.nist.gov/vuln/detail/CVE-2015-2583

The CPE data shows oracle as the vendor and berkeley_db as product.

Thanks,

Anuj

> 
> This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> 
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/recipes-support/db/db_5.3.28.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-
> support/db/db_5.3.28.bb
> index d5b788a3d7..5e9305ab06 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE =
> "https://www.oracle.com/database/technologies/related/berkeleydb.html
>  LICENSE = "Sleepycat"
>  RCONFLICTS:${PN} = "db3"
>  
> -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> +CVE_PRODUCT = "oracle_berkeley_db"
>  CVE_VERSION = "11.2.${PV}"
>  
>  PR = "r1"
> 
> 
> 
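
The point made in the reply, that a CVE_PRODUCT entry is matched against the vendor and product fields of an NVD CPE name, can be checked with a small model. This is an added example, not code from the thread or from OE-core's cve-check class; the matching rules (a bare entry matches any vendor, `vendor:product` matches one vendor) and the sample CPE string are assumptions constructed in the shape of the NVD record cited above.

```python
# Added example, not code from the thread or from OE-core's cve-check class.
# It models, in simplified form, how a CVE_PRODUCT entry is compared against
# the vendor/product fields of an NVD CPE 2.3 name, to show which entries the
# reverted recipe line would stop matching.  The CPE string below is a
# constructed sample in the shape NVD publishes for CVE-2015-2583; the
# matching rules are an assumption made for illustration.

def parse_cpe23(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 name: %r" % cpe)
    return parts[3], parts[4]

def parse_cve_product(cve_product):
    """Split a CVE_PRODUCT value into (vendor, product) pairs.

    Entries are whitespace separated; an entry may carry an explicit
    vendor as 'vendor:product', otherwise any vendor ('%') is accepted.
    """
    pairs = []
    for entry in cve_product.split():
        vendor, sep, product = entry.partition(":")
        if not sep:
            vendor, product = "%", entry
        pairs.append((vendor, product))
    return pairs

def matches(cve_product, cpe):
    """True if any CVE_PRODUCT entry matches the CPE's vendor and product."""
    cpe_vendor, cpe_product = parse_cpe23(cpe)
    for vendor, product in parse_cve_product(cve_product):
        if product == cpe_product and vendor in ("%", cpe_vendor):
            return True
    return False

# Constructed sample CPE in the form NVD uses for Berkeley DB (assumption).
SAMPLE_CPE = "cpe:2.3:a:oracle:berkeley_db:11.2.5.3.28:*:*:*:*:*:*:*"

BEFORE_REVERT = "oracle_berkeley_db berkeley_db"  # recipe line being removed
AFTER_REVERT = "oracle_berkeley_db"               # recipe line being added

if __name__ == "__main__":
    for label, value in (("before", BEFORE_REVERT), ("after", AFTER_REVERT)):
        print("%s revert: CVE_PRODUCT=%r matches %s -> %s"
              % (label, value, SAMPLE_CPE, matches(value, SAMPLE_CPE)))
```

Run stand-alone it reports a match before the revert and none after, which is the behaviour the reply warns about.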



* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
  2021-09-15  1:15 ` [OE-core] " Anuj Mittal
@ 2021-09-15  1:32   ` Steve Sakoman
  2021-09-15  1:43     ` Anuj Mittal
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Sakoman @ 2021-09-15  1:32 UTC (permalink / raw)
  To: Mittal, Anuj; +Cc: Patches and discussions about the oe-core layer


On Tue, Sep 14, 2021, 3:15 PM Mittal, Anuj <anuj.mittal@intel.com> wrote:

> On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote:
> > The CVE database correctly reports CVEs for oracle_berkeley_db and
> > berkeley_db.  We use the oracle_berkeley_db source tree and therefore
> > should only check for oracle_berkeley_db CVEs. Otherwise the scanner
> > falsely reports CVEs that are fixed in oracle_berkeley_db.
>
> Aren't both the same thing? I think this revert is incorrect and the
> CVEs being flagged are correct.
>
> https://nvd.nist.gov/vuln/detail/CVE-2015-2583
>
> The CPE data shows oracle as the vendor and berkeley_db as product.
>

Yes, I agree.  See my reply from earlier today where I withdrew this patch!

Steve





>
>
>
> Thanks,
>
> Anuj
>
> >
> > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> >
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  meta/recipes-support/db/db_5.3.28.bb | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-
> > support/db/db_5.3.28.bb
> > index d5b788a3d7..5e9305ab06 100644
> > --- a/meta/recipes-support/db/db_5.3.28.bb
> > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > @@ -15,7 +15,7 @@ HOMEPAGE =
> > "https://www.oracle.com/database/technologies/related/berkeleydb.html
> >  LICENSE = "Sleepycat"
> >  RCONFLICTS:${PN} = "db3"
> >
> > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> > +CVE_PRODUCT = "oracle_berkeley_db"
> >  CVE_VERSION = "11.2.${PV}"
> >
> >  PR = "r1"
> >
> > 
> >
>
>



* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
  2021-09-15  1:32   ` Steve Sakoman
@ 2021-09-15  1:43     ` Anuj Mittal
  0 siblings, 0 replies; 4+ messages in thread
From: Anuj Mittal @ 2021-09-15  1:43 UTC (permalink / raw)
  To: steve; +Cc: openembedded-core

On Tue, 2021-09-14 at 15:32 -1000, Steve Sakoman wrote:
> 
> 
> On Tue, Sep 14, 2021, 3:15 PM Mittal, Anuj <anuj.mittal@intel.com>
> wrote:
> > On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote:
> > > The CVE database correctly reports CVEs for oracle_berkeley_db and
> > > berkeley_db.  We use the oracle_berkeley_db source tree and
> > > therefore
> > > should only check for oracle_berkeley_db CVEs. Otherwise the
> > > scanner
> > > falsely reports CVEs that are fixed in oracle_berkeley_db.
> > 
> > Aren't both the same thing? I think this revert is incorrect and
> > the
> > CVEs being flagged are correct.
> > 
> > https://nvd.nist.gov/vuln/detail/CVE-2015-2583
> > 
> > The CPE data shows oracle as the vendor and berkeley_db as product.
> 
> Yes, I agree.  See my reply from earlier today where I withdrew this
> patch!

Oh, this isn't showing up as threaded so I missed the reply. Thanks.

Thanks,

Anuj

