On Wed, 2023-04-05 at 11:51 +0200, Yoann Congal wrote:
> Hi Richard,
>
> On 4/5/23 00:26, Richard Purdie wrote:
> > .../...
> > Thanks, I tweaked those bits. I did a bit more research and the other
> > easier looking linux-yocto ones to mark up are listed below along with
> > the versions known to contain fixes. I'd still need to map out the
> > revisions and so on for these but several look like they can be
> > resolved for our versions if this data is correct.
> >
> > That left 13 linux-yocto CVEs that would need more work to track down
> > and 5 non linux-yocto ones.
>
> Some of these will be part of a patch from Geoffrey (in cc) that he will send
> in an hour or 2.
>
> >
> > CVE-2022-2196: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2196 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5
> > 5.10.170
> > 5.15.96
> > 6.1.14
> >
> > CVE-2022-3424: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3424 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
> > 5.10.163
> > 5.15.86
> > 6.1.2
> >
> > CVE-2022-3523: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3523 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=16ce101db85db694a91380aa4c89b25530871d33
> >
> > CVE-2022-3566: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3566 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
> >
> > CVE-2022-3567: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3567 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=364f997b5cfe1db0d63a390fe7c801fa2b3115f6
>
> All of the above will be included.
>
> >
> > CVE-2022-38457: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38457 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
> > 6.1.7
> >
> > CVE-2022-40133: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40133 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
> >
> > CVE-2023-0179: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0179 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=696e1a48b1a1b01edad542a1ef293665864a4dd0
> > 5.10.164
> > 5.15.89
> > 6.1.7
> >
> > CVE-2023-1079: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1079 *
> > Fixed in
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4ab3a086d10eeec1424f2e8a968827a6336203df
> > 5.10.173
> > 5.15.99
> > 6.1.16
>
> Not these 4 above.
>
> >
> > CVE-2023-1118: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1118 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=29b0589a865b6f66d141d79b2dd1373e4e50fe17
> > 5.10.173
> > 5.15.99
> > 6.1.16
> >
> > CVE-2023-1281: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1281 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=ee059170b1f7e94e55fa6cadee544e176a6e59c2
> > 5.10.169
> > 5.15.95
> > 6.1.13
>
> These 2 above will be included.
>
> > CVE-2023-1513: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1513 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=2c10b61421a28e95a46ab489fd56c0f442ff6952
> > 5.10.169
> > 5.15.95
> > 6.1.13
> >
> > CVE-2023-23005: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23005 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4a625ceee8a0ab0273534cb6b432ce6b331db5ee
> > Disputed?
>
> These 2 above will not be included.
>
> >
> > CVE-2023-28466: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28466 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
> > 5.15.105
> > 6.1.20
> Included
> >
> > CVE-2023-28866: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28866 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=bce56405201111807cc8e4f47c6de3e10b17c1ac
> > 6.1.22
>
> Not included.
>
> Should I write a patch including the missing CVEs from Geoffrey's patch or
> that will clash with your work-in-progress?

I haven't done anything yet with these so I'd happily take a patch!

Cheers,

Richard

View/Reply Online (#179731): https://lists.openembedded.org/g/openembedded-core/message/179731
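
The check the thread is working towards, whether a given kernel version already contains the listed fix, as an added example that is not part of the thread or of OpenEmbedded's own tooling. The fixed versions are copied from the list quoted above; the function names, the status labels and the kernel versions in the demo are assumptions made for illustration.

```python
import re

# Stable releases known to contain each fix, copied from the quoted list.
# CVEs listed there without any version number are left out.
FIXED_IN = {
    "CVE-2022-2196": ["5.10.170", "5.15.96", "6.1.14"],
    "CVE-2022-3424": ["5.10.163", "5.15.86", "6.1.2"],
    "CVE-2022-38457": ["6.1.7"],
    "CVE-2023-0179": ["5.10.164", "5.15.89", "6.1.7"],
    "CVE-2023-1079": ["5.10.173", "5.15.99", "6.1.16"],
    "CVE-2023-1118": ["5.10.173", "5.15.99", "6.1.16"],
    "CVE-2023-1281": ["5.10.169", "5.15.95", "6.1.13"],
    "CVE-2023-1513": ["5.10.169", "5.15.95", "6.1.13"],
    "CVE-2023-28466": ["5.15.105", "6.1.20"],
    "CVE-2023-28866": ["6.1.22"],
}

def parse(version):
    """Return (major, minor, patch) from 'X.Y[.Z]'; any trailing suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"not a kernel version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def status(kernel, fixed_versions):
    """Classify one kernel version against one CVE's list of fixed releases."""
    major, minor, patch = parse(kernel)
    for fixed in fixed_versions:
        f_major, f_minor, f_patch = parse(fixed)
        if (f_major, f_minor) == (major, minor):  # compare within one stable series only
            return "fixed" if patch >= f_patch else "unfixed"
    # No release listed for this series: the list alone cannot say whether the
    # series was never affected or simply has no backport, so do not guess.
    return "unknown"

def triage(kernel):
    """Map every CVE in FIXED_IN to its status for the given kernel version."""
    return {cve: status(kernel, versions) for cve, versions in FIXED_IN.items()}

if __name__ == "__main__":
    for kernel in ("5.15.96", "6.1.20"):  # constructed sample versions
        print(kernel)
        for cve, result in triage(kernel).items():
            print(f"  {cve}: {result}")
```

Entries that come back as "unknown" or "unfixed" are the ones that still need the revision mapping mentioned in the quoted message.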