On 4/6/23 10:36, Richard Purdie wrote:
> On Thu, 2023-04-06 at 10:23 +0200, Yoann Congal wrote:
>>
>> For CVE-2022-38457 and CVE-2022-40133
>
> This one appears to be fixed for 6.1 only with this change:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
>
> coming into 6.1 stable here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.1.y&id=7ac9578e45b20e3f3c0c8eb71f5417a499a7226a
>
> The fix seems to cover both CVEs.
>
>> I can't track the commit properly.
>> Yes, linuxkernelcves.com gives commits for these CVEs but is this safe
>> enough to ignore?
>> Until now, we have only ignored CVEs from commits present in the NVD database.
>
> I think if we have good reason to believe these commits address the
> CVE, we can document that. There does seem to be a strong connection
> here but I've not gone into the details.

Ok, I'm now convinced the commit fixes these CVEs. I'll send a patch to ignore these.

>> CVE-2023-23005 is disputed (as you noted), I'll look into it but at a
>> quick glance, the dispute has good arguments and we might ignore this
>> one safely.
>
> Agreed. If there are strong arguments from the maintainers, this does
> give us a good case for ignoring it as long as we document it as such.

Same, I'll send a patch to ignore this one also.

>> We are vulnerable to CVE-2023-28866: it was introduced in 5.17
>> (bce56405201111807cc8e4f47c6de3e10b17c1ac from the Fixes: tag).
>> On the 6.1 branch, this is fixed in 6.1.22 and we are at 6.1.20.
>
> Hopefully we'll update soon then! :)
>
> Thanks for the help with these. It does make a difference and is much
> appreciated. You can see the downtick in master here:
>
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/
>
> :)

Happy to see this :)

> This should then mean we'll soon get a list of "real" issues instead of
> noise.

I really hope we'll get to that point!

Regards,
-- 
Yoann Congal
Smile ECS - Tech Expert
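As an added illustration, not part of this thread and not the patch Yoann says he will send, here is what a documented ignore entry of the kind discussed above could look like in an OE-core kernel recipe, using the `CVE_CHECK_IGNORE` variable that `cve-check.bbclass` reads. The recipe path is an assumption; the CVE ids, version numbers and commit ids are the ones cited in the thread, and the comments record the reasoning the thread asks to be documented.

```bitbake
# Assumed location: meta/recipes-kernel/linux/linux-yocto_6.1.bb (or a .bbappend).
# Every ignored CVE carries the reason and the upstream reference so the
# decision can be audited and revisited later.

# CVE-2022-38457 and CVE-2022-40133: fixed by upstream commit
# a309c7194e8a2f8bd4539b9449917913f6c2cd50, which reached linux-6.1.y as
# 7ac9578e45b20e3f3c0c8eb71f5417a499a7226a. The commit mapping comes from
# linuxkernelcves.com and the kernel tree rather than from an NVD reference.
CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"

# CVE-2023-23005: disputed by the maintainers; ignored on the strength of
# that dispute, recorded here so the decision can be reviewed if the
# dispute is resolved differently.
CVE_CHECK_IGNORE += "CVE-2023-23005"

# CVE-2023-28866 is deliberately NOT ignored: introduced in 5.17
# (Fixes: bce56405201111807cc8e4f47c6de3e10b17c1ac), fixed in 6.1.22, while
# this recipe is at 6.1.20. cve-check should keep reporting it until the
# kernel is updated past 6.1.22.
```

Before landing an entry like this, confirm the fix is actually in the kernel source being built, for example by running `git merge-base --is-ancestor 7ac9578e45b20e3f3c0c8eb71f5417a499a7226a <SRCREV>` in the kernel tree, where `<SRCREV>` is the commit the recipe pins (placeholder, not a value from the thread). An ignore entry that precedes the fix in the tree silences a real finding rather than documenting a resolved one.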
View/Reply Online (#179769): https://lists.openembedded.org/g/openembedded-core/message/179769