* [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
@ 2021-09-14 18:03 Steve Sakoman
  2021-09-15  1:15 ` [OE-core] " Anuj Mittal
  0 siblings, 1 reply; 9+ messages in thread
From: Steve Sakoman @ 2021-09-14 18:03 UTC (permalink / raw)
  To: openembedded-core

The CVE database correctly reports CVEs for oracle_berkley_db and
berkley_db.  We use the oracle_berkley_db source tree and therefore
should only check for oracle_berkely_db CVEs. Otherwise the scanner
falsely reports CVEs that are fixed in oracle_berkley_db

This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/db/db_5.3.28.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
index d5b788a3d7..5e9305ab06 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
 LICENSE = "Sleepycat"
 RCONFLICTS:${PN} = "db3"
 
-CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
+CVE_PRODUCT = "oracle_berkeley_db"
 CVE_VERSION = "11.2.${PV}"
 
 PR = "r1"
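Review bot: dropping `berkeley_db` from CVE_PRODUCT silences the matches rather than removing false positives, so this revert should not be taken. As Anuj's reply and the NVD entry he links (CVE-2015-2583) show, the CPE data names `oracle` as vendor and `berkeley_db` as product, so the CVEs this recipe cares about are reported under exactly the name this hunk removes; with `CVE_PRODUCT = "oracle_berkeley_db"` alone the scanner would no longer match them at all. If particular CVEs are judged not fixable in db 5.3.28, record them in meta/conf/distro/include/cve-extra-exclusions.inc, as the author later proposes in this thread, instead of narrowing CVE_PRODUCT. Separately, the commit message spells the names `oracle_berkley_db`, `berkley_db` and `oracle_berkely_db`, none of which is the recipe's `oracle_berkeley_db` / `berkeley_db`; the message should quote the exact values so the justification can be checked against the recipe and against NVD.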
-- 
2.25.1



* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
  2021-09-14 18:03 [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT" Steve Sakoman
@ 2021-09-15  1:15 ` Anuj Mittal
  2021-09-15  1:32   ` Steve Sakoman
  0 siblings, 1 reply; 9+ messages in thread
From: Anuj Mittal @ 2021-09-15  1:15 UTC (permalink / raw)
  To: openembedded-core, steve

On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote:
> The CVE database correctly reports CVEs for oracle_berkley_db and
> berkley_db.  We use the oracle_berkley_db source tree and therefore
> should only check for oracle_berkely_db CVEs. Otherwise the scanner
> falsely reports CVEs that are fixed in oracle_berkley_db

Aren't both the same thing? I think this revert is incorrect and the
CVEs being flagged are correct.

https://nvd.nist.gov/vuln/detail/CVE-2015-2583

The CPE data shows oracle as the vendor and berkeley_db as product.

Thanks,

Anuj

> 
> This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> 
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/recipes-support/db/db_5.3.28.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-
> support/db/db_5.3.28.bb
> index d5b788a3d7..5e9305ab06 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE =
> "https://www.oracle.com/database/technologies/related/berkeleydb.html
>  LICENSE = "Sleepycat"
>  RCONFLICTS:${PN} = "db3"
>  
> -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> +CVE_PRODUCT = "oracle_berkeley_db"
>  CVE_VERSION = "11.2.${PV}"
>  
>  PR = "r1"
> 
> 
> 
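The vendor/product distinction Anuj points to, and the exclusion-list route Steve later takes in this thread, as an added example that is not part of the thread and not OE-core's cve-check code. It is a simplified model: a CPE 2.3 string carries vendor and product as separate fields, a recipe is only checked against CVEs whose CPE product matches an entry of CVE_PRODUCT, and an exclusion list keeps a CVE matched but recorded as reviewed. The `vendor:product` entry form, the matching rules, the `CVE-0000-0001` id and every CPE string below are constructed for this example; CVE-2015-2583 is the id Anuj links to, but its CPE string here is illustrative.

```python
"""Simplified model of CVE_PRODUCT matching for a BitBake recipe.

Added example for this thread, not OE-core's cve-check implementation.
The "vendor:product" entry form and the matching rules are assumptions of
this model, not a statement about what the page's tooling supports.
"""

from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str


def parse_cpe23(cpe: str) -> Cpe:
    """Extract vendor, product and version from a CPE 2.3 formatted string.

    Layout: cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:...
    """
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return Cpe(vendor=fields[3], product=fields[4], version=fields[5])


def entry_matches(entry: str, cpe: Cpe) -> bool:
    """Decide whether one CVE_PRODUCT entry selects a CPE.

    A plain entry ("berkeley_db") matches on product name only, whatever
    the vendor. A "vendor:product" entry (assumed form) must match both.
    """
    if ":" in entry:
        vendor, product = entry.split(":", 1)
        return cpe.vendor == vendor and cpe.product == product
    return cpe.product == entry


def flagged_cves(cve_product: str, records: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the ids of CVEs whose affected CPE matches any CVE_PRODUCT entry."""
    entries = cve_product.split()
    hits = set()
    for cve_id, cpe_string in records:
        cpe = parse_cpe23(cpe_string)
        if any(entry_matches(e, cpe) for e in entries):
            hits.add(cve_id)
    return sorted(hits)


def report(cve_product: str, records: Iterable[Tuple[str, str]],
           ignored: Sequence[str]) -> Tuple[List[str], List[str]]:
    """Split matches into (open, ignored).

    Models an exclusion list such as cve-extra-exclusions.inc: the CVE is
    still matched, so it stays visible as a reviewed decision, rather than
    being hidden by narrowing CVE_PRODUCT.
    """
    matched = flagged_cves(cve_product, records)
    ignored_set = set(ignored)
    open_cves = [c for c in matched if c not in ignored_set]
    ignored_cves = [c for c in matched if c in ignored_set]
    return open_cves, ignored_cves


# Constructed sample NVD-style records. CVE-2015-2583 is the id cited in the
# thread; its CPE string here is illustrative. The second record uses a
# placeholder id and an unrelated product.
SAMPLE_RECORDS = [
    ("CVE-2015-2583", "cpe:2.3:a:oracle:berkeley_db:*:*:*:*:*:*:*:*"),
    ("CVE-0000-0001", "cpe:2.3:a:example_vendor:other_db:1.0:*:*:*:*:*:*:*"),
]

# The two CVE_PRODUCT values from the hunk in this thread.
CVE_PRODUCT_ORIGINAL = "oracle_berkeley_db berkeley_db"
CVE_PRODUCT_REVERTED = "oracle_berkeley_db"

if __name__ == "__main__":
    print("original CVE_PRODUCT :", flagged_cves(CVE_PRODUCT_ORIGINAL, SAMPLE_RECORDS))
    print("reverted CVE_PRODUCT :", flagged_cves(CVE_PRODUCT_REVERTED, SAMPLE_RECORDS))
    print("with exclusion list  :", report(CVE_PRODUCT_ORIGINAL, SAMPLE_RECORDS, ["CVE-2015-2583"]))
```

Run as a script, the model shows the effect the thread converges on: with `berkeley_db` present the sample CVE is matched, with `oracle_berkeley_db` alone nothing is matched because no CPE product carries that name, and an exclusion list leaves the match in place while recording it as reviewed.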



* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
  2021-09-15  1:15 ` [OE-core] " Anuj Mittal
@ 2021-09-15  1:32   ` Steve Sakoman
  2021-09-15  1:43     ` Anuj Mittal
  0 siblings, 1 reply; 9+ messages in thread
From: Steve Sakoman @ 2021-09-15  1:32 UTC (permalink / raw)
  To: Mittal, Anuj; +Cc: Patches and discussions about the oe-core layer


On Tue, Sep 14, 2021, 3:15 PM Mittal, Anuj <anuj.mittal@intel.com> wrote:

> On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote:
> > The CVE database correctly reports CVEs for oracle_berkley_db and
> > berkley_db.  We use the oracle_berkley_db source tree and therefore
> > should only check for oracle_berkely_db CVEs. Otherwise the scanner
> > falsely reports CVEs that are fixed in oracle_berkley_db
>
> Aren't both the same thing? I think this revert is incorrect and the
> CVEs being flagged are correct.
>
> https://nvd.nist.gov/vuln/detail/CVE-2015-2583
>
> The CPE data shows oracle as the vendor and berkeley_db as product.
>

Yes, I agree.  See my reply from earlier today where I withdrew this patch!

Steve





>
>
>
> Thanks,
>
> Anuj
>
> >
> > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> >
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  meta/recipes-support/db/db_5.3.28.bb | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-
> > support/db/db_5.3.28.bb
> > index d5b788a3d7..5e9305ab06 100644
> > --- a/meta/recipes-support/db/db_5.3.28.bb
> > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > @@ -15,7 +15,7 @@ HOMEPAGE =
> > "https://www.oracle.com/database/technologies/related/berkeleydb.html
> >  LICENSE = "Sleepycat"
> >  RCONFLICTS:${PN} = "db3"
> >
> > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> > +CVE_PRODUCT = "oracle_berkeley_db"
> >  CVE_VERSION = "11.2.${PV}"
> >
> >  PR = "r1"
> >
> > 
> >
>
>



* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
  2021-09-15  1:32   ` Steve Sakoman
@ 2021-09-15  1:43     ` Anuj Mittal
  0 siblings, 0 replies; 9+ messages in thread
From: Anuj Mittal @ 2021-09-15  1:43 UTC (permalink / raw)
  To: steve; +Cc: openembedded-core

On Tue, 2021-09-14 at 15:32 -1000, Steve Sakoman wrote:
> 
> 
> On Tue, Sep 14, 2021, 3:15 PM Mittal, Anuj <anuj.mittal@intel.com>
> wrote:
> > On Tue, 2021-09-14 at 08:03 -1000, Steve Sakoman wrote:
> > > The CVE database correctly reports CVEs for oracle_berkley_db and
> > > berkley_db.  We use the oracle_berkley_db source tree and
> > > therefore
> > > should only check for oracle_berkely_db CVEs. Otherwise the
> > > scanner
> > > falsely reports CVEs that are fixed in oracle_berkley_db
> > 
> > Aren't both the same thing? I think this revert is incorrect and
> > the
> > CVEs being flagged are correct.
> > 
> > https://nvd.nist.gov/vuln/detail/CVE-2015-2583
> > 
> > The CPE data shows oracle as the vendor and berkeley_db as product.
> 
> Yes, I agree.  See my reply from earlier today where I withdrew this
> patch!

Oh, this isn't showing up as threaded so I missed the reply. Thanks.

Thanks,

Anuj


* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
  2021-12-03 22:28       ` Steve Sakoman
@ 2021-12-04 12:29         ` Ranjitsinh Rathod
  0 siblings, 0 replies; 9+ messages in thread
From: Ranjitsinh Rathod @ 2021-12-04 12:29 UTC (permalink / raw)
  To: Steve Sakoman
  Cc: Ranjitsinh Rathod, Patches and discussions about the oe-core layer



Yes I have checked that. Thanks Steve.

On Sat, 4 Dec, 2021, 3:59 am Steve Sakoman, <steve@sakoman.com> wrote:

>
>
> On Wed, Dec 1, 2021 at 12:17 AM Ranjitsinh Rathod <
> Ranjitsinh.Rathod@kpit.com> wrote:
>
>> Hi Steve,
>>
>> When do you plan to add these db CVEs in the '
>> meta/conf/distro/include/cve-extra-exclusions.inc' file?
>>
>
> Thanks for the reminder, it is in the set of patches I just sent out for
> review.
>
> Steve
>
>
>>
>> Thanks,
>>
>> Best Regards,
>>
>> *Ranjitsinh Rathod*
>> Technical Leader |  | KPIT Technologies Ltd.
>> Cellphone: +91-84606 92403
>>
>> *__________________________________________ *KPIT <http://www.kpit.com/>
>> | Follow us on LinkedIn <http://www.kpit.com/linkedin>
>>
>> <https://www.kpit.com/TheNewBrand>
>> ------------------------------
>> *From:* openembedded-core@lists.openembedded.org <
>> openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via
>> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
>> *Sent:* Wednesday, September 15, 2021 12:38 AM
>> *To:* Steve Sakoman <steve@sakoman.com>
>> *Cc:* Patches and discussions about the oe-core layer <
>> openembedded-core@lists.openembedded.org>
>> *Subject:* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert
>> "db: update CVE_PRODUCT"
>>
>> On Tue, Sep 14, 2021 at 8:41 AM Steve Sakoman via
>> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
>> wrote:
>> >
>> > On Tue, Sep 14, 2021 at 8:04 AM Steve Sakoman via
>> > lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
>> > wrote:
>> > >
>> > > The CVE database correctly reports CVEs for oracle_berkley_db and
>> > > berkley_db.  We use the oracle_berkley_db source tree and therefore
>> > > should only check for oracle_berkely_db CVEs. Otherwise the scanner
>> > > falsely reports CVEs that are fixed in oracle_berkley_db
>> >
>> > Please hold off on taking this patch -- I need to do some more
>> > research.  I may have confused myself :-(
>>
>> I did indeed confuse myself, so ignore this patch.
>>
>> The CVE database is reporting CVEs for the Oracle db code base under
>> the name berkley_db, so the original patch in question is indeed
>> correct and the CVEs are valid.
>>
>> Our CVE reporting has been whitelisting db CVEs.  I'm going to remove
>> that from the tool and submit a patch to add the db CVEs to the
>> exclusion list in meta/conf/distro/include/cve-extra-exclusions.inc
>> since it seems unlikely that we will be moving to a version of db with
>> these issues fixed.
>>
>> Steve
>>
>> > > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
>> > >
>> > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
>> > > ---
>> > >  meta/recipes-support/db/db_5.3.28.bb | 2 +-
>> > >  1 file changed, 1 insertion(+), 1 deletion(-)
>> > >
>> > > diff --git a/meta/recipes-support/db/db_5.3.28.bb
>> b/meta/recipes-support/db/db_5.3.28.bb
>> > > index d5b788a3d7..5e9305ab06 100644
>> > > --- a/meta/recipes-support/db/db_5.3.28.bb
>> > > +++ b/meta/recipes-support/db/db_5.3.28.bb
>> > > @@ -15,7 +15,7 @@ HOMEPAGE = "
>> https://www.oracle.com/database/technologies/related/berkeleydb.html
>> > >  LICENSE = "Sleepycat"
>> > >  RCONFLICTS:${PN} = "db3"
>> > >
>> > > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
>> > > +CVE_PRODUCT = "oracle_berkeley_db"
>> > >  CVE_VERSION = "11.2.${PV}"
>> > >
>> > >  PR = "r1"
>> > > --
>> > > 2.25.1
>> > >
>> > >
>> > >
>> > >
>> >
>> >
>> >
>>
>
>
>



* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
  2021-12-01 10:17     ` Ranjitsinh Rathod
@ 2021-12-03 22:28       ` Steve Sakoman
  2021-12-04 12:29         ` Ranjitsinh Rathod
  0 siblings, 1 reply; 9+ messages in thread
From: Steve Sakoman @ 2021-12-03 22:28 UTC (permalink / raw)
  To: Ranjitsinh Rathod; +Cc: Patches and discussions about the oe-core layer



On Wed, Dec 1, 2021 at 12:17 AM Ranjitsinh Rathod <
Ranjitsinh.Rathod@kpit.com> wrote:

> Hi Steve,
>
> When do you plan to add these db CVEs in the '
> meta/conf/distro/include/cve-extra-exclusions.inc' file?
>

Thanks for the reminder, it is in the set of patches I just sent out for
review.

Steve


>
> Thanks,
>
> Best Regards,
>
> *Ranjitsinh Rathod*
> Technical Leader |  | KPIT Technologies Ltd.
> Cellphone: +91-84606 92403
>
> *__________________________________________ *KPIT <http://www.kpit.com/> |
>  Follow us on LinkedIn <http://www.kpit.com/linkedin>
>
> <https://www.kpit.com/TheNewBrand>
> ------------------------------
> *From:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> *Sent:* Wednesday, September 15, 2021 12:38 AM
> *To:* Steve Sakoman <steve@sakoman.com>
> *Cc:* Patches and discussions about the oe-core layer <
> openembedded-core@lists.openembedded.org>
> *Subject:* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert
> "db: update CVE_PRODUCT"
>
> On Tue, Sep 14, 2021 at 8:41 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > On Tue, Sep 14, 2021 at 8:04 AM Steve Sakoman via
> > lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> > wrote:
> > >
> > > The CVE database correctly reports CVEs for oracle_berkley_db and
> > > berkley_db.  We use the oracle_berkley_db source tree and therefore
> > > should only check for oracle_berkely_db CVEs. Otherwise the scanner
> > > falsely reports CVEs that are fixed in oracle_berkley_db
> >
> > Please hold off on taking this patch -- I need to do some more
> > research.  I may have confused myself :-(
>
> I did indeed confuse myself, so ignore this patch.
>
> The CVE database is reporting CVEs for the Oracle db code base under
> the name berkley_db, so the original patch in question is indeed
> correct and the CVEs are valid.
>
> Our CVE reporting has been whitelisting db CVEs.  I'm going to remove
> that from the tool and submit a patch to add the db CVEs to the
> exclusion list in meta/conf/distro/include/cve-extra-exclusions.inc
> since it seems unlikely that we will be moving to a version of db with
> these issues fixed.
>
> Steve
>
> > > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> > >
> > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > ---
> > >  meta/recipes-support/db/db_5.3.28.bb | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/meta/recipes-support/db/db_5.3.28.bb
> b/meta/recipes-support/db/db_5.3.28.bb
> > > index d5b788a3d7..5e9305ab06 100644
> > > --- a/meta/recipes-support/db/db_5.3.28.bb
> > > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > > @@ -15,7 +15,7 @@ HOMEPAGE = "
> https://www.oracle.com/database/technologies/related/berkeleydb.html
> > >  LICENSE = "Sleepycat"
> > >  RCONFLICTS:${PN} = "db3"
> > >
> > > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> > > +CVE_PRODUCT = "oracle_berkeley_db"
> > >  CVE_VERSION = "11.2.${PV}"
> > >
> > >  PR = "r1"
> > > --
> > > 2.25.1
> > >
> > >
> > >
> > >
> >
> >
> >
>



* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
  2021-09-14 19:08   ` Steve Sakoman
@ 2021-12-01 10:17     ` Ranjitsinh Rathod
  2021-12-03 22:28       ` Steve Sakoman
  0 siblings, 1 reply; 9+ messages in thread
From: Ranjitsinh Rathod @ 2021-12-01 10:17 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: Patches and discussions about the oe-core layer



Hi Steve,

When do you plan to add these db CVEs in the 'meta/conf/distro/include/cve-extra-exclusions.inc' file?


Thanks,

Best Regards,

Ranjitsinh Rathod
Technical Leader |  | KPIT Technologies Ltd.
Cellphone: +91-84606 92403
__________________________________________
KPIT<http://www.kpit.com/> | Follow us on LinkedIn<http://www.kpit.com/linkedin>


________________________________
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
Sent: Wednesday, September 15, 2021 12:38 AM
To: Steve Sakoman <steve@sakoman.com>
Cc: Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"

On Tue, Sep 14, 2021 at 8:41 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Tue, Sep 14, 2021 at 8:04 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > The CVE database correctly reports CVEs for oracle_berkley_db and
> > berkley_db.  We use the oracle_berkley_db source tree and therefore
> > should only check for oracle_berkely_db CVEs. Otherwise the scanner
> > falsely reports CVEs that are fixed in oracle_berkley_db
>
> Please hold off on taking this patch -- I need to do some more
> research.  I may have confused myself :-(

I did indeed confuse myself, so ignore this patch.

The CVE database is reporting CVEs for the Oracle db code base under
the name berkley_db, so the original patch in question is indeed
correct and the CVEs are valid.

Our CVE reporting has been whitelisting db CVEs.  I'm going to remove
that from the tool and submit a patch to add the db CVEs to the
exclusion list in meta/conf/distro/include/cve-extra-exclusions.inc
since it seems unlikely that we will be moving to a version of db with
these issues fixed.

Steve

> > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> >
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  meta/recipes-support/db/db_5.3.28.bb | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
> > index d5b788a3d7..5e9305ab06 100644
> > --- a/meta/recipes-support/db/db_5.3.28.bb
> > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > @@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
> >  LICENSE = "Sleepycat"
> >  RCONFLICTS:${PN} = "db3"
> >
> > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> > +CVE_PRODUCT = "oracle_berkeley_db"
> >  CVE_VERSION = "11.2.${PV}"
> >
> >  PR = "r1"
> > --
> > 2.25.1
> >
> >
> >
> >
>
>
>



* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
       [not found] ` <16A4C45E7F105E33.1120@lists.openembedded.org>
@ 2021-09-14 19:08   ` Steve Sakoman
  2021-12-01 10:17     ` Ranjitsinh Rathod
  0 siblings, 1 reply; 9+ messages in thread
From: Steve Sakoman @ 2021-09-14 19:08 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: Patches and discussions about the oe-core layer

On Tue, Sep 14, 2021 at 8:41 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Tue, Sep 14, 2021 at 8:04 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > The CVE database correctly reports CVEs for oracle_berkley_db and
> > berkley_db.  We use the oracle_berkley_db source tree and therefore
> > should only check for oracle_berkely_db CVEs. Otherwise the scanner
> > falsely reports CVEs that are fixed in oracle_berkley_db
>
> Please hold off on taking this patch -- I need to do some more
> research.  I may have confused myself :-(

I did indeed confuse myself, so ignore this patch.

The CVE database is reporting CVEs for the Oracle db code base under
the name berkley_db, so the original patch in question is indeed
correct and the CVEs are valid.

Our CVE reporting has been whitelisting db CVEs.  I'm going to remove
that from the tool and submit a patch to add the db CVEs to the
exclusion list in meta/conf/distro/include/cve-extra-exclusions.inc
since it seems unlikely that we will be moving to a version of db with
these issues fixed.

Steve

> > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> >
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  meta/recipes-support/db/db_5.3.28.bb | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
> > index d5b788a3d7..5e9305ab06 100644
> > --- a/meta/recipes-support/db/db_5.3.28.bb
> > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > @@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
> >  LICENSE = "Sleepycat"
> >  RCONFLICTS:${PN} = "db3"
> >
> > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> > +CVE_PRODUCT = "oracle_berkeley_db"
> >  CVE_VERSION = "11.2.${PV}"
> >
> >  PR = "r1"
> > --
> > 2.25.1
> >
> >
> >
> >
>
> 
>


* Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: update CVE_PRODUCT"
       [not found] <16A4C2594C8DE450.1120@lists.openembedded.org>
@ 2021-09-14 18:41 ` Steve Sakoman
       [not found] ` <16A4C45E7F105E33.1120@lists.openembedded.org>
  1 sibling, 0 replies; 9+ messages in thread
From: Steve Sakoman @ 2021-09-14 18:41 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: Patches and discussions about the oe-core layer

On Tue, Sep 14, 2021 at 8:04 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> The CVE database correctly reports CVEs for oracle_berkley_db and
> berkley_db.  We use the oracle_berkley_db source tree and therefore
> should only check for oracle_berkely_db CVEs. Otherwise the scanner
> falsely reports CVEs that are fixed in oracle_berkley_db

Please hold off on taking this patch -- I need to do some more
research.  I may have confused myself :-(

Steve

> This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/recipes-support/db/db_5.3.28.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
> index d5b788a3d7..5e9305ab06 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
>  LICENSE = "Sleepycat"
>  RCONFLICTS:${PN} = "db3"
>
> -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> +CVE_PRODUCT = "oracle_berkeley_db"
>  CVE_VERSION = "11.2.${PV}"
>
>  PR = "r1"
> --
> 2.25.1
>
>
> 
>

