Hi Steve, Thank you for the update. I understand that the patch must be submitted and accepted into the master branch before it can be taken for the stable branches. I will ensure that the patch is submitted to the master branch promptly and will follow up on its review and acceptance process.
Thanks Mohamed Meera sahib -----Original Message----- From: Steve Sakoman <st...@sakoman.com> Sent: Tuesday, January 7, 2025 7:25 PM To: Mohamed Meera Sahib -X (mmeerasa - E INFOCHIPS PRIVATE LIMITED at Cisco) <mmeer...@cisco.com> Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>; Poojitha Adireddy -X (pooadire - E INFOCHIPS PRIVATE LIMITED at Cisco) <pooad...@cisco.com> Subject: Re: [OE-core] [scarthgap] [PATCH] db 5.3.28: Ignore multiple CVEs Hi Mohamed, This patch will need to be submitted and accepted into the master branch before I can take it for the stable branches. Thanks, Steve On Tue, Jan 7, 2025 at 3:35 AM Mohamed Meera Sahib via lists.openembedded.org <mmeerasa=cisco....@lists.openembedded.org> wrote: > > Analysis: > - Unspecified vulnerability in the various components of Oracle > Berkeley Db was identified as potentially exploitable without > authentication. Later these were closed by the Critical Patch > Update (CPU). > > Reference: > [1] https://www.oracle.com/security-alerts/cpujul2015.html > [2] https://www.oracle.com/security-alerts/cpuapr2016v3.html > [3] https://www.oracle.com/security-alerts/cpujul2020.html > > Signed-off-by: Mohamed Meera Sahib <mmeer...@cisco.com> > --- > meta/recipes-support/db/db_5.3.28.bb | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/meta/recipes-support/db/db_5.3.28.bb > b/meta/recipes-support/db/db_5.3.28.bb > index a7d061e0da..d93e77a1ee 100644 > --- a/meta/recipes-support/db/db_5.3.28.bb > +++ b/meta/recipes-support/db/db_5.3.28.bb > @@ -120,3 +120,20 @@ BBCLASSEXTEND = "native nativesdk" > # many configure tests are failing with gcc-14 CFLAGS += > "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" > BUILD_CFLAGS += "-Wno-error=implicit-int > -Wno-error=implicit-function-declaration" > + > +# The risk matrix of Oracle Berkeley Db was published in July 2015 by > +which many vulnerabilities # in different Oracle products were identified. > +# https://www.oracle.com/security-alerts/cpujul2015verbose.html#DB > +# The Oracle Berkeley Db issued the Critical Patch Update Advisory in > +July 2015 # which determined the status of the vulnerability whether > applicable or not. > +# https://www.oracle.com/security-alerts/cpujul2015.html#AppendixDB > +# Apart from this, different CPUs change status of the vulnerabilities e.g. > +# CVE-2020-2981: > +https://www.oracle.com/security-alerts/cpujul2020.html > +# CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, > +CVE-2016-3418: > +https://www.oracle.com/security-alerts/cpuapr2016v3.html > + > +CVE_STATUS_GROUPS = "CVE_STATUS_INGR" > +CVE_STATUS_INGR = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 > +CVE-2015-2640 CVE-2015-2654 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 > +\ > +CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 CVE-2015-4778 > +CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 \ > +CVE-2015-4783 CVE-2015-4784 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 > +CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2020-2981 \ > +CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418" > +CVE_STATUS_INGR[status] = "fixed-version: The Critical Patch Update of > Oracle Berkeley DB discovers these vulnerabilities may not be remotely > exploitable without authentication." > -- > 2.35.6 > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#209544): https://lists.openembedded.org/g/openembedded-core/message/209544 Mute This Topic: https://lists.openembedded.org/mt/110475404/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
