On Mon, Sep 13, 2021 at 4:56 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman....@lists.openembedded.org>
wrote:
>
> On Mon, Sep 13, 2021 at 2:45 AM Saloni Jain <jainsaloni0...@gmail.com> wrote:
> >
> > From: Saloni Jain <salo...@kpit.com>
> >
> > The CVEs below affect only Oracle Berkeley DB as per upstream.
> > Hence, whitelisted them.
>
> I suspect that a cleaner solution might be to revert:
>
> db: update CVE_PRODUCT
> (https://git.openembedded.org/openembedded-core/commit/?id=ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)
>
> which adds berkeley_db to CVE_PRODUCT
>
> I did a quick test and this eliminates all of the CVEs below. And of
> course it makes sense to only check for oracle_berkeley_db since that
> is the source code we are using.
>
> Also, this same issue is present in master, so any fix would need to
> go there first and I will cherry-pick.
>
> Could you confirm that this approach works for you too?

And for those who are wondering why the db CVEs don't show up in the
weekly reports, it is because the script that Ross provided me many
moons ago whitelisted db and db-native.

I figured he had a good reason for that, so I left it in for
consistency with the reports he had run :-)

db and db-native are the only whitelisted packages for those who might
be wondering.

Steve

> > 1. CVE-2015-2583
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
> > 2. CVE-2015-2624
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
> > 3. CVE-2015-2626
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
> > 4. CVE-2015-2640
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
> > 5. CVE-2015-2654
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
> > 6. CVE-2015-2656
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
> > 7. CVE-2015-4754
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
> > 8. CVE-2015-4764
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
> > 9. CVE-2015-4774
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
> > 10. CVE-2015-4775
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
> > 11. CVE-2015-4776
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
> > 12. CVE-2015-4777
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
> > 13. CVE-2015-4778
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
> > 14. CVE-2015-4779
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
> > 15. CVE-2015-4780
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
> > 16. CVE-2015-4781
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
> > 17. CVE-2015-4782
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
> > 18. CVE-2015-4783
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
> > 19. CVE-2015-4784
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
> > 20. CVE-2015-4785
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
> > 21. CVE-2015-4786
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
> > 22. CVE-2015-4787
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
> > 23. CVE-2015-4788
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
> > 24. CVE-2015-4789
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
> > 25. CVE-2015-4790
> > Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
> > 26. CVE-2016-0682
> > Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
> > 27. CVE-2016-0689
> > Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
> > 28. CVE-2016-0692
> > Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
> > 29. CVE-2016-0694
> > Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
> > 30. CVE-2016-3418
> > Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
> > 31. CVE-2017-3604
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
> > 32. CVE-2017-3605
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
> > 33. CVE-2017-3606
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
> > 34. CVE-2017-3607
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
> > 35. CVE-2017-3608
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
> > 36. CVE-2017-3609
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
> > 37. CVE-2017-3610
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
> > 38. CVE-2017-3611
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
> > 39. CVE-2017-3612
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
> > 40. CVE-2017-3613
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
> > 41. CVE-2017-3614
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
> > 42. CVE-2017-3615
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
> > 43. CVE-2017-3616
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3616
> > 44. CVE-2017-3617
> > Link: https://security-tracker.debian.org/tracker/CVE-2017-3617
> > 45. CVE-2020-2981
> > Link: https://security-tracker.debian.org/tracker/CVE-2020-2981
> >
> > Signed-off-by: Saloni <jainsaloni0...@gmail.com>
> > ---
> >  meta/recipes-support/db/db_5.3.28.bb | 92 ++++++++++++++++++++++++++++
> >  1 file changed, 92 insertions(+)
> >
> > diff --git a/meta/recipes-support/db/db_5.3.28.bb 
> > b/meta/recipes-support/db/db_5.3.28.bb
> > index b2ae98f05c..000e9ef468 100644
> > --- a/meta/recipes-support/db/db_5.3.28.bb
> > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > @@ -39,6 +39,98 @@ SRC_URI[sha256sum] = 
> > "e0a992d740709892e81f9d93f06daf305cf73fb81b545afe7247804317
> >
> >  LIC_FILES_CHKSUM = "file://LICENSE;md5=ed1158e31437f4f87cdd4ab2b8613955"
> >
> > +# Below CVEs affects only Oracle Berkeley DB as per upstream.
> > +# https://security-tracker.debian.org/tracker/CVE-2015-2583
> > +CVE_CHECK_WHITELIST += "CVE-2015-2583"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-2624
> > +CVE_CHECK_WHITELIST += "CVE-2015-2624"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-2626
> > +CVE_CHECK_WHITELIST += "CVE-2015-2626"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-2640
> > +CVE_CHECK_WHITELIST += "CVE-2015-2640"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-2654
> > +CVE_CHECK_WHITELIST += "CVE-2015-2654"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-2656
> > +CVE_CHECK_WHITELIST += "CVE-2015-2656"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4754
> > +CVE_CHECK_WHITELIST += "CVE-2015-4754"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4764
> > +CVE_CHECK_WHITELIST += "CVE-2015-4764"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4774
> > +CVE_CHECK_WHITELIST += "CVE-2015-4774"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4775
> > +CVE_CHECK_WHITELIST += "CVE-2015-4775"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4776
> > +CVE_CHECK_WHITELIST += "CVE-2015-4776"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4777
> > +CVE_CHECK_WHITELIST += "CVE-2015-4777"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4778
> > +CVE_CHECK_WHITELIST += "CVE-2015-4778"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4779
> > +CVE_CHECK_WHITELIST += "CVE-2015-4779"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4780
> > +CVE_CHECK_WHITELIST += "CVE-2015-4780"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4781
> > +CVE_CHECK_WHITELIST += "CVE-2015-4781"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4782
> > +CVE_CHECK_WHITELIST += "CVE-2015-4782"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4783
> > +CVE_CHECK_WHITELIST += "CVE-2015-4783"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4784
> > +CVE_CHECK_WHITELIST += "CVE-2015-4784"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4785
> > +CVE_CHECK_WHITELIST += "CVE-2015-4785"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4786
> > +CVE_CHECK_WHITELIST += "CVE-2015-4786"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4787
> > +CVE_CHECK_WHITELIST += "CVE-2015-4787"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4788
> > +CVE_CHECK_WHITELIST += "CVE-2015-4788"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4789
> > +CVE_CHECK_WHITELIST += "CVE-2015-4789"
> > +# https://security-tracker.debian.org/tracker/CVE-2015-4790
> > +CVE_CHECK_WHITELIST += "CVE-2015-4790"
> > +# https://security-tracker.debian.org/tracker/CVE-2016-0682
> > +CVE_CHECK_WHITELIST += "CVE-2016-0682"
> > +# https://security-tracker.debian.org/tracker/CVE-2016-0689
> > +CVE_CHECK_WHITELIST += "CVE-2016-0689"
> > +# https://security-tracker.debian.org/tracker/CVE-2016-0692
> > +CVE_CHECK_WHITELIST += "CVE-2016-0692"
> > +# https://security-tracker.debian.org/tracker/CVE-2016-0694
> > +CVE_CHECK_WHITELIST += "CVE-2016-0694"
> > +# https://security-tracker.debian.org/tracker/CVE-2016-3418
> > +CVE_CHECK_WHITELIST += "CVE-2016-3418"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3604
> > +CVE_CHECK_WHITELIST += "CVE-2017-3604"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3605
> > +CVE_CHECK_WHITELIST += "CVE-2017-3605"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3606
> > +CVE_CHECK_WHITELIST += "CVE-2017-3606"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3607
> > +CVE_CHECK_WHITELIST += "CVE-2017-3607"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3608
> > +CVE_CHECK_WHITELIST += "CVE-2017-3608"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3609
> > +CVE_CHECK_WHITELIST += "CVE-2017-3609"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3610
> > +CVE_CHECK_WHITELIST += "CVE-2017-3610"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3611
> > +CVE_CHECK_WHITELIST += "CVE-2017-3611"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3612
> > +CVE_CHECK_WHITELIST += "CVE-2017-3612"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3613
> > +CVE_CHECK_WHITELIST += "CVE-2017-3613"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3614
> > +CVE_CHECK_WHITELIST += "CVE-2017-3614"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3615
> > +CVE_CHECK_WHITELIST += "CVE-2017-3615"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3616
> > +CVE_CHECK_WHITELIST += "CVE-2017-3616"
> > +# https://security-tracker.debian.org/tracker/CVE-2017-3617
> > +CVE_CHECK_WHITELIST += "CVE-2017-3617"
> > +# https://security-tracker.debian.org/tracker/CVE-2020-2981
> > +CVE_CHECK_WHITELIST += "CVE-2020-2981"
> > +
> >  inherit autotools
> >
> >  # The executables go in a separate package - typically there
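Review bot: the 45 `CVE_CHECK_WHITELIST += "CVE-..."` lines silence the symptom rather than the cause. The comment block itself states that every one of these CVEs applies only to Oracle Berkeley DB, so the false positives come from the recipe's CVE_PRODUCT matching berkeley_db (the commit Steve points to above); narrowing CVE_PRODUCT so that cve-check only matches oracle_berkeley_db removes all of them with one line and, unlike a per-CVE whitelist, does not need a new entry every time Oracle publishes a CVE against its own product. If a whitelist is kept anyway, collect the IDs in a single multi-line assignment under the one justifying comment instead of 45 separate `+=` lines, and send the change against master first as requested, so the backport to the stable branch is a cherry-pick.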
> > --
> > 2.17.1