* [OE-core][PATCH] db: update CVE_PRODUCT
@ 2021-04-20  2:32 Chen Qi
  2021-04-20  6:21 ` Mikko Rapeli
  2021-05-06  5:59 ` leimaohui
  0 siblings, 2 replies; 3+ messages in thread
From: Chen Qi @ 2021-04-20  2:32 UTC (permalink / raw)
  To: openembedded-core

Update CVE_PRODUCT to also include 'berkeley_db'. For example,
CVE-2020-2981 uses 'berkeley_db'.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/recipes-support/db/db_5.3.28.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
index 9cb57e6a53..b2ae98f05c 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
 LICENSE = "Sleepycat"
 RCONFLICTS_${PN} = "db3"
 
-CVE_PRODUCT = "oracle_berkeley_db"
+CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
 CVE_VERSION = "11.2.${PV}"
 
 PR = "r1"
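Review bot: On the `+CVE_PRODUCT` line, the added `berkeley_db` name will be compared using the same `CVE_VERSION = "11.2.${PV}"` shown in the context line right below it. Please confirm that entries filed under `berkeley_db` use the 11.2.x numbering this recipe reports, and add a short comment above the assignment saying why two product names are listed, since the reason (CVE-2020-2981) is only in the commit message.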
-- 
2.30.2



* Re: [OE-core][PATCH] db: update CVE_PRODUCT
  2021-04-20  2:32 [OE-core][PATCH] db: update CVE_PRODUCT Chen Qi
@ 2021-04-20  6:21 ` Mikko Rapeli
  2021-05-06  5:59 ` leimaohui
  1 sibling, 0 replies; 3+ messages in thread
From: Mikko Rapeli @ 2021-04-20  6:21 UTC (permalink / raw)
  To: Qi.Chen; +Cc: openembedded-core

Hi,

On Mon, Apr 19, 2021 at 07:32:52PM -0700, Chen Qi wrote:
> Update CVE_PRODUCT to also include 'berkeley_db'. For example,
> CVE-2020-2981 uses 'berkeley_db'.

Yep, this is correct. The situation is rather complex as CVE-2020-2981
is an example of a bug which only affects the newer version with a lot
of additional (buggy?) features from Oracle. The db5.3 (Debian source package name)
and yocto db recipes are not affected by this.

https://security-tracker.debian.org/tracker/CVE-2020-2981

Hence, the CVE checker data needs to know the version and the vendors and even
then there may be false positives for it. It's a good idea to check what Debian
and Ubuntu do with the same source package and CVEs...

Acked-by: Mikko Rapeli <mikko.rapeli@bmw.de>

Cheers,

-Mikko

> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>  meta/recipes-support/db/db_5.3.28.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
> index 9cb57e6a53..b2ae98f05c 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
>  LICENSE = "Sleepycat"
>  RCONFLICTS_${PN} = "db3"
>
> -CVE_PRODUCT = "oracle_berkeley_db"
> +CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
>  CVE_VERSION = "11.2.${PV}"
>
>  PR = "r1"
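Review bot: The new `berkeley_db` entry on the `+CVE_PRODUCT` line carries no vendor, so it matches that product name under any vendor. If only Oracle's entries are meant, consider writing it as `oracle:berkeley_db`. The reply above also states that CVE-2020-2981 does not affect this recipe, so it would help to record that in the recipe alongside this change, otherwise the new match is likely to show up as an open finding.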
> -- 
> 2.30.2
> 
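The point made in the reply above, that product name, vendor and version all feed the match and false positives can remain, shown as an added example that is not part of the thread or of OE-core's cve-check code. It is a simplified model: the records, CVE IDs, `othervendor` and version bounds are constructed placeholders, and the helper names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

def vkey(version):
    """'11.2.5.3.28' -> (11, 2, 5, 3, 28) for numeric comparison."""
    return tuple(int(part) for part in version.split("."))

@dataclass
class Record:
    """Constructed stand-in for one row of a CVE database."""
    cve: str
    vendor: str
    product: str
    end_excl: Optional[str]  # affected if version < end_excl; None = every version

def parse_products(cve_product):
    """Split a CVE_PRODUCT value into (vendor or None, product) pairs."""
    pairs = []
    for entry in cve_product.split():
        vendor, sep, product = entry.rpartition(":")
        pairs.append((vendor if sep else None, product))
    return pairs

def flagged(cve_product, cve_version, records):
    """Return the IDs whose product (and vendor, if given) and version range match."""
    wanted = parse_products(cve_product)
    hits = []
    for r in records:
        name_ok = any(p == r.product and v in (None, r.vendor) for v, p in wanted)
        ver_ok = r.end_excl is None or vkey(cve_version) < vkey(r.end_excl)
        if name_ok and ver_ok:
            hits.append(r.cve)
    return hits

# Constructed records: IDs, vendors and bounds are placeholders, not NVD data.
RECORDS = [
    Record("CVE-0000-0001", "oracle", "oracle_berkeley_db", "11.2.5.3.29"),
    # Models a bug in a feature that exists only in a newer branch: the range
    # still covers 11.2.5.3.28 numerically, so it is reported regardless.
    Record("CVE-0000-0002", "oracle", "berkeley_db", "18.1"),
    Record("CVE-0000-0003", "othervendor", "berkeley_db", None),
]
VERSION = "11.2.5.3.28"  # CVE_VERSION = "11.2.${PV}" with PV = 5.3.28

if __name__ == "__main__":
    for value in ("oracle_berkeley_db", "oracle_berkeley_db berkeley_db",
                  "oracle_berkeley_db oracle:berkeley_db"):
        print(f"{value!r}: {flagged(value, VERSION, RECORDS)}")
```

Qualifying the vendor drops the unrelated-vendor hit, but the newer-branch record is still reported, which is the kind of result that has to be triaged by hand against what Debian and Ubuntu record for the same source package.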


* Re: [OE-core][PATCH] db: update CVE_PRODUCT
  2021-04-20  2:32 [OE-core][PATCH] db: update CVE_PRODUCT Chen Qi
  2021-04-20  6:21 ` Mikko Rapeli
@ 2021-05-06  5:59 ` leimaohui
  1 sibling, 0 replies; 3+ messages in thread
From: leimaohui @ 2021-05-06  5:59 UTC (permalink / raw)
  To: openembedded-core; +Cc: Chen Qi

Hi,

Why hasn't this patch been merged yet? 


Best regards
Lei

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org> On Behalf Of Chen Qi
> Sent: Tuesday, April 20, 2021 10:33 AM
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core][PATCH] db: update CVE_PRODUCT
> 
> Update CVE_PRODUCT to also include 'berkeley_db'. For example,
> CVE-2020-2981 uses 'berkeley_db'.
> 
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>  meta/recipes-support/db/db_5.3.28.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-support/db/db_5.3.28.bb
> b/meta/recipes-support/db/db_5.3.28.bb
> index 9cb57e6a53..b2ae98f05c 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE =
> "https://www.oracle.com/database/technologies/related/berkeleydb.html
>  LICENSE = "Sleepycat"
>  RCONFLICTS_${PN} = "db3"
> 
> -CVE_PRODUCT = "oracle_berkeley_db"
> +CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
>  CVE_VERSION = "11.2.${PV}"
> 
>  PR = "r1"
> --
> 2.30.2

