On Thu, May 11, 2023 at 11:17 PM Armin Kuster <akuster...@gmail.com> wrote:
> On 5/9/23 6:32 PM, Steve Sakoman wrote:
> > From: Yoann Congal <yoann.con...@smile.fr>
> >
> > Exclude CVEs that are fixed in both current linux-yocto version
> > v5.10.175 and v5.15.108.
> >
> > To get the commit fixing a CVE, I used the Debian kernel-sec repo [1].
> >
> > [1]: https://salsa.debian.org/kernel-team/kernel-sec/-/commit/86d5040aee9275f9555458fcaf9cb43710dff398
>
> Just a cautionary note: If anyone is including linux-yocto.inc in their
> custom kernel recipes based on the same kernel version but have not
> updated past the dot release Yocto has, you won't know you are missing
> fixes.
>
> I don't know how we advise the proper use of linux-yocto.inc?
> Most of those should be in the NVD database and not included this way.

While working on the new fetcher, I was also considering a multiple
fetcher configuration. Originally to allow OSV and such. But also, an
additional "fetcher" could contain entries where we want to override the
NVD database.

IMO that would be a cleaner solution and would allow safer include of
the complete fix file, because it will always be checked against the
actual package version.

What do you think about it? Worth a POC?

Kind regards,
Marta
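
Added example, not part of the original thread and not code from cve-check or linux-yocto: a sketch contrasting a flat exclude list with override entries that are checked against the kernel version a recipe actually builds, which is the concern and the idea discussed above. The table layout, function names, CVE ids and per-CVE fix versions are constructed for illustration; only v5.10.175 and v5.15.108 come from the patch description.

```python
import re

# Constructed sample data: placeholder CVE ids mapped to the first dot release
# carrying the fix on each stable branch (hypothetical override-source layout).
OVERRIDES = {
    "CVE-EXAMPLE-0001": {(5, 10): "5.10.120", (5, 15): "5.15.50"},
    "CVE-EXAMPLE-0002": {(5, 10): "5.10.170", (5, 15): "5.15.100"},
    "CVE-EXAMPLE-0003": {(5, 10): "5.10.175", (5, 15): "5.15.108"},
}

def parse_version(text):
    """Turn 'v5.10.175' or '5.10.175+git...' into (5, 10, 175)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    return tuple(int(g) for g in m.groups())

def flat_excludes(overrides):
    """A plain exclude list: every listed CVE is dropped from the report,
    whatever kernel version the including recipe builds."""
    return set(overrides)

def version_checked_excludes(overrides, kernel_version):
    """Drop a CVE only if this kernel is at or past the fixing dot release
    on its own stable branch; unknown branches exclude nothing."""
    kv = parse_version(kernel_version)
    excluded = set()
    for cve, fixed_in in overrides.items():
        fixed = fixed_in.get(kv[:2])
        if fixed is not None and kv >= parse_version(fixed):
            excluded.add(cve)
    return excluded

def silently_missed(overrides, kernel_version):
    """CVEs a flat list would hide although this kernel lacks the fix."""
    return flat_excludes(overrides) - version_checked_excludes(
        overrides, kernel_version)

if __name__ == "__main__":
    # 5.10.150 stands for a custom recipe that lags the linux-yocto dot release.
    for version in ("v5.10.175", "5.15.108", "5.10.150", "6.1.20"):
        print(version, sorted(silently_missed(OVERRIDES, version)))
```
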