From: Marta Rybczynska
Date: Tue, 28 Feb 2023 21:41:08 +0100
Subject: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
To: Geoffrey GIRY
Cc: Richard Purdie, OE-core, Yoann Congal
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/177857

Thank you for the explanation and the work done. Could you contact me off
list so that we confirm what and where was sent? 14 days is longer than I've
ever had as a response time from NVD.

Kind regards
Marta

On Tue, 28 Feb 2023, 10:05 Geoffrey GIRY, <geoffrey.giry@smile.fr> wrote:

> Hello Marta, Richard,
>
> We sent to NVD an update for one CVE (CVE-2020-27784) 14 days ago, we
> are still waiting for an answer.
> This is the first time we ever do this, so we did send only the first as a
> test.
> When the change is accepted, we will send update requests for each
> already patched CVE.
>
> Richard, thank you for the details provided.
>
> Regards,
> Geoffrey GIRY
> Research and Development Engineer
> SMILE
>
>
>
> On Mon, 27 Feb 2023 at 23:02, Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> >
> > On Mon, 2023-02-27 at 18:49 +0100, Marta Rybczynska wrote:
> > > Thank you for the work. Have you contacted NVD to update the database
> > > instead? What did they say?
> >
> > Ideally a large portion of these should be sent to NVD but we did talk
> > a little about the on the call last week. We agreed that it will take
> > time and it was better to document this and fix our reporting in the
> > meantime as well as share these useful details more widely. I'd suggest
> > that as things are submitted we could document that, hopefully we'll
> > also be able to remove many of these entries.
> >
> > I'm sure Geoffrey can provide more status but I wanted to update on why
> > this was sent and why I think we should take it.
> >
> > I will drop the kernel filtering so new kernel CVEs then show up in all
> > our metrics going forward.
> >
> > Cheers,
> >
> > Richard
> >