On Thu, 2023-04-06 at 10:23 +0200, Yoann Congal wrote:
> > > Should I write a patch including the missing CVEs from Geoffrey's patch
> > > or that will clash with your work-in-progress?
> >
> > I haven't done anything yet with these so I'd happily take a patch!
>
> I'll send a patch later today for CVE-2023-0179, CVE-2023-1079 and
> CVE-2023-1513 (currently in internal review).
>
> For CVE-2022-38457 and CVE-2022-40133

This one appears to be fixed for 6.1 only with this change:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50

coming into 6.1 stable here:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.1.y&id=7ac9578e45b20e3f3c0c8eb71f5417a499a7226a

The fix seems to cover both CVEs.

> I can't track the commit properly.
> Yes, linuxkernelcves.com gives commits for these CVEs but is this safe enough
> to ignore?
> Until now, we have only ignored CVEs from commits present in the NVD database.

I think if we have good reason to believe these commits address the CVE,
we can document that. There does seem to be a strong connection here but
I've not gone into the details.

> CVE-2023-23005 is disputed (as you noted), I'll look into it but at a
> quick glance, the dispute has good arguments and we might ignore this
> one safely.

Agreed. If there are strong arguments from the maintainers, this does
give us a good case for ignoring it as long as we document it as such.

> We are vulnerable to CVE-2023-28866: it was introduced in 5.17
> (bce56405201111807cc8e4f47c6de3e10b17c1ac from Fixes: tag).
> On the 6.1 branch, this is fixed in 6.1.22 and we are at 6.1.20.

Hopefully we'll update soon then! :)

Thanks for the help with these. It does make a difference and is much
appreciated. You can see the downtick in master here:

https://autobuilder.yocto.io/pub/non-release/patchmetrics/

:)

This should then mean we'll soon get a list of "real" issues instead of
noise.

Cheers,

Richard
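The triage rule applied above (a CVE counts as open when the running kernel is at or past the version that introduced the bug but before the stable release that carries the backported fix, and a disputed or patched CVE may only be ignored once a reason is written down) can be expressed as a small checker. The following is an added example, not code from OE-core's cve-check class or the linux-yocto recipes; it assumes the `CVE_CHECK_IGNORE` variable that OE-core's cve-check reads, and the only real data in it are the versions the thread gives for CVE-2023-28866. The `introduced` value for the disputed entry and its note are constructed placeholders.

```python
"""Version-range triage for kernel CVEs, mirroring the reasoning in the thread:
a bug introduced at version X and fixed in stable release Y affects a kernel at
version V when X <= V < Y on the same stable branch. Added example; not code
from OE-core's cve-check class or the linux-yocto recipes."""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_version(v: str) -> tuple[int, int, int]:
    """'6.1.20' -> (6, 1, 20); '5.17' -> (5, 17, 0), so a mainline release
    orders correctly against its own stable point releases."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def branch_of(v: str) -> str:
    """Stable branch name for a version: '6.1.20' -> '6.1'."""
    major, minor, _ = parse_version(v)
    return f"{major}.{minor}"


@dataclass
class CveEntry:
    cve: str
    introduced: str                              # first version with the bug (from the Fixes: tag)
    fixed: dict = field(default_factory=dict)    # stable branch -> first release carrying the fix
    disputed: bool = False
    note: str = ""                               # justification, mandatory before anything is ignored


def status(entry: CveEntry, running: str) -> str:
    """'Unaffected', 'Patched' or 'Unpatched' for the kernel at `running`.
    A fix is only credited when it landed on the branch actually in use:
    a backport to 6.1.y says nothing about a 6.2.y kernel, so that case
    stays 'Unpatched' until the 6.2 data is recorded."""
    cur = parse_version(running)
    if cur < parse_version(entry.introduced):
        return "Unaffected"
    fix = entry.fixed.get(branch_of(running))
    if fix is not None and cur >= parse_version(fix):
        return "Patched"
    return "Unpatched"


def ignore_lines(entries: list[CveEntry], running: str) -> list[str]:
    """Render CVE_CHECK_IGNORE lines (the variable OE-core's cve-check reads;
    assumed here) for CVEs that may be ignored: those patched on our branch,
    or disputed ones. Each needs a recorded reason, so an undocumented entry
    raises instead of being silently dropped from the report."""
    out: list[str] = []
    for e in entries:
        if status(e, running) == "Patched" or e.disputed:
            if not e.note:
                raise ValueError(f"{e.cve}: refusing to ignore without a documented reason")
            out.append(f"# {e.cve}: {e.note}")
            out.append(f'CVE_CHECK_IGNORE += "{e.cve}"')
    return out


# Constructed sample table. CVE-2023-28866 uses the versions stated in the
# thread (introduced in 5.17, fixed in 6.1.22); the disputed entry's
# 'introduced' version and note are placeholders, not facts about that CVE.
SAMPLE = [
    CveEntry("CVE-2023-28866", introduced="5.17", fixed={"6.1": "6.1.22"},
             note="fixed by the 6.1.22 stable backport"),
    CveEntry("CVE-2023-23005", introduced="6.1", disputed=True,
             note="disputed upstream; maintainer discussion (placeholder reference)"),
]

if __name__ == "__main__":
    for v in ("6.1.20", "6.1.22"):
        print(v, {e.cve: status(e, v) for e in SAMPLE})
        print("\n".join(ignore_lines(SAMPLE, v)))
```

Running it at 6.1.20 reports CVE-2023-28866 as unpatched and emits an ignore entry only for the disputed CVE; at 6.1.22 both become ignorable, each line preceded by the recorded reason so the ignore list stays auditable.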
View/Reply Online (#179759): https://lists.openembedded.org/g/openembedded-core/message/179759