From: "Marko, Peter" <Peter.Marko@siemens.com>
To: "rybczynska@gmail.com" <rybczynska@gmail.com>,
Geoffrey GIRY <geoffrey.giry@smile.fr>,
Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: OE-core <openembedded-core@lists.openembedded.org>,
Yoann Congal <yoann.congal@smile.fr>
Subject: RE: Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs)
Date: Tue, 6 Jun 2023 12:35:43 +0000 [thread overview]
Message-ID: <AS1PR10MB5697D5773788B749770744D1FD52A@AS1PR10MB5697.EURPRD10.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <CAApg2=TLNBWVgS9_KdjhA1kDrio34i4st6mkthSErihXkkNvjg@mail.gmail.com>
Hi,
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Marta Rybczynska via lists.openembedded.org
> Sent: Tuesday, June 6, 2023 7:34
> To: Geoffrey GIRY mailto:geoffrey.giry@smile.fr; Richard Purdie mailto:richard.purdie@linuxfoundation.org
> Cc: OE-core mailto:openembedded-core@lists.openembedded.org; Yoann Congal <yoann.congal@smile.fr>
> Subject: Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs)
>
> Hello all,
> I'm in process of clarifying entries for NVD to have them fixed in the sources. The comments in the patch linked do not include all the needed information, however.
>
> Let's take this one:
>
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
> +# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
> +# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
> +# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
> +CVE_CHECK_IGNORE += "CVE-2022-1462"
>
> We need to write a set of rules on which versions are vulnerable, like this:
> [v2.6.12 - v5.4.208]
> [v5.5.0 ??? - v5.10.134]
> [v5.11.0 ??? - v5.15.58]
> [v5.16.0 ??? - v5.19.0]
New kernel branches start with tag vX.Y-rc1, so it should be v5.5-rc1, v5.11-rc1, v5.16.0-rc1.
In NVD DB 1.1 format: 5.5_rc1, 5.1_rc1, 5.16_rc1, ...
>
> The values with ??? are uncertain. Geoffrey, Yann, as it was scripted out according to one of the discussions, are you able to confirm those "starting" versions ?
>
> Kind regards,
> Marta
prev parent reply other threads:[~2023-06-06 12:35 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-27 11:00 [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs Geoffrey GIRY
2023-02-27 17:49 ` [OE-core] " Marta Rybczynska
2023-02-27 22:02 ` Richard Purdie
2023-02-28 9:05 ` Geoffrey GIRY
2023-02-28 20:41 ` Marta Rybczynska
2023-03-01 10:43 ` Richard Purdie
2023-03-01 14:11 ` Richard Purdie
2023-03-01 14:37 ` Mikko Rapeli
2023-03-02 15:46 ` Geoffrey GIRY
2023-06-06 5:33 ` Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs) Marta Rybczynska
2023-06-06 12:35 ` Marko, Peter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AS1PR10MB5697D5773788B749770744D1FD52A@AS1PR10MB5697.EURPRD10.PROD.OUTLOOK.COM \
--to=peter.marko@siemens.com \
--cc=geoffrey.giry@smile.fr \
--cc=openembedded-core@lists.openembedded.org \
--cc=richard.purdie@linuxfoundation.org \
--cc=rybczynska@gmail.com \
--cc=yoann.congal@smile.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).