* [OE-core][PATCH] db: update CVE_PRODUCT
@ 2021-04-20 2:32 Chen Qi
2021-04-20 6:21 ` Mikko Rapeli
2021-05-06 5:59 ` leimaohui
0 siblings, 2 replies; 3+ messages in thread
From: Chen Qi @ 2021-04-20 2:32 UTC (permalink / raw)
To: openembedded-core
Update CVE_PRODUCT to also include 'berkeley_db'. For example,
CVE-2020-2981 uses 'berkeley_db'.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
meta/recipes-support/db/db_5.3.28.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
index 9cb57e6a53..b2ae98f05c 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
LICENSE = "Sleepycat"
RCONFLICTS_${PN} = "db3"
-CVE_PRODUCT = "oracle_berkeley_db"
+CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
CVE_VERSION = "11.2.${PV}"
PR = "r1"
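Review bot: With a second name on the `+CVE_PRODUCT` line, the `CVE_VERSION = "11.2.${PV}"` value in the trailing context is now compared against records filed under 'berkeley_db' as well as 'oracle_berkeley_db'. Please confirm that the 'berkeley_db' records use the same 11.2.x numbering, since a different version scheme would give wrong matches in either direction, and add a one-line comment above CVE_PRODUCT saying why two names are listed.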
--
2.30.2
* Re: [OE-core][PATCH] db: update CVE_PRODUCT
From: Mikko Rapeli @ 2021-04-20 6:21 UTC (permalink / raw)
To: Qi.Chen; +Cc: openembedded-core
Hi,
On Mon, Apr 19, 2021 at 07:32:52PM -0700, Chen Qi wrote:
> Update CVE_PRODUCT to also include 'berkeley_db'. For example,
> CVE-2020-2981 uses 'berkeley_db'.
Yep, this is correct. The situation is rather complex as CVE-2020-2981
is an example of a bug which only affects the newer version with a lot
of additional (buggy?) features from Oracle. The db5.3 (Debian source package name)
and yocto db recipes are not affected by this.
https://security-tracker.debian.org/tracker/CVE-2020-2981
Hence, the CVE checker data needs to know the version and the vendors and even
then there may be false positives for it. It's a good idea to check what Debian
and Ubuntu do with the same source package and CVEs...
Acked-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Cheers,
-Mikko
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> meta/recipes-support/db/db_5.3.28.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
> index 9cb57e6a53..b2ae98f05c 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
> LICENSE = "Sleepycat"
> RCONFLICTS_${PN} = "db3"
>
> -CVE_PRODUCT = "oracle_berkeley_db"
> +CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> CVE_VERSION = "11.2.${PV}"
>
> PR = "r1"
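Review bot: The name added on the `+CVE_PRODUCT` line, `berkeley_db`, carries no vendor, so it matches a record with that product name from any vendor. cve-check accepts entries in `vendor:product` form; if the records this change is meant to pick up all come from one vendor, qualifying the new entry that way would narrow the false positives raised in this reply.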
> --
> 2.30.2
>
>
>
>
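The vendor and version matching described in the reply above, as an added example that is not part of the thread and not OE-core's cve-check code: a simplified matcher run over constructed records. The record ids, the vendor name `examplevendor`, the version ranges and the helper names are assumptions made for illustration.

```python
# Simplified model of product/vendor/version matching. Not cve-check.bbclass.
# RECORDS is constructed sample data, not real NVD entries.
RECORDS = [
    {"id": "SAMPLE-A", "vendor": "oracle", "product": "oracle_berkeley_db",
     "start": None, "end": "11.2.5.3.28"},
    # Newer-series-only issue: the version range excludes the recipe.
    {"id": "SAMPLE-B", "vendor": "oracle", "product": "berkeley_db",
     "start": "18.1", "end": "18.1.40"},
    # Same product name from another vendor, no version bounds recorded.
    {"id": "SAMPLE-C", "vendor": "examplevendor", "product": "berkeley_db",
     "start": None, "end": None},
]

def vtuple(version):
    """'11.2.5.3.28' -> (11, 2, 5, 3, 28) so comparison is numeric."""
    return tuple(int(part) for part in version.split("."))

def parse_products(cve_product):
    """Split CVE_PRODUCT into (vendor, product); vendor None means any."""
    pairs = []
    for entry in cve_product.split():
        vendor, sep, product = entry.partition(":")
        pairs.append((vendor, product) if sep else (None, entry))
    return pairs

def in_range(version, start, end):
    """Inclusive bounds; None leaves that side open."""
    v = vtuple(version)
    return (start is None or v >= vtuple(start)) and (end is None or v <= vtuple(end))

def matching_ids(cve_product, cve_version, records=RECORDS):
    """Return ids of records that would be reported for this recipe."""
    hits = []
    for vendor, product in parse_products(cve_product):
        for rec in records:
            if rec["product"] != product or vendor not in (None, rec["vendor"]):
                continue
            if in_range(cve_version, rec["start"], rec["end"]) and rec["id"] not in hits:
                hits.append(rec["id"])
    return hits

VERSION = "11.2." + "5.3.28"  # CVE_VERSION = "11.2.${PV}" with PV = 5.3.28

if __name__ == "__main__":
    for value in ("oracle_berkeley_db", "oracle_berkeley_db berkeley_db",
                  "oracle_berkeley_db oracle:berkeley_db"):
        print(f"{value!r}: {matching_ids(value, VERSION)}")
```

Under these sample records the bare `berkeley_db` entry adds SAMPLE-C, the `vendor:product` form does not, and SAMPLE-B is excluded by its version range alone.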
* Re: [OE-core][PATCH] db: update CVE_PRODUCT
From: leimaohui @ 2021-05-06 5:59 UTC (permalink / raw)
To: openembedded-core; +Cc: Chen Qi
Hi,
Why hasn't this patch been merged yet?
Best regards
Lei
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org> On Behalf Of Chen Qi
> Sent: Tuesday, April 20, 2021 10:33 AM
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core][PATCH] db: update CVE_PRODUCT
>
> Update CVE_PRODUCT to also include 'berkeley_db'. For example,
> CVE-2020-2981 uses 'berkeley_db'.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> meta/recipes-support/db/db_5.3.28.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb
> b/meta/recipes-support/db/db_5.3.28.bb
> index 9cb57e6a53..b2ae98f05c 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE =
> "https://www.oracle.com/database/technologies/related/berkeleydb.html
> LICENSE = "Sleepycat"
> RCONFLICTS_${PN} = "db3"
>
> -CVE_PRODUCT = "oracle_berkeley_db"
> +CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> CVE_VERSION = "11.2.${PV}"
>
> PR = "r1"
> --
> 2.30.2