| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2023-1652 & CVE-2023-1829 are fixed by all version used by
linux-yocto.
Fixing commits are not referenced by NVD but are referenced by:
* https://www.linuxkernelcves.com
* Debian kernel-sec team
... this should be trust worthy enough.
(From OE-Core rev: 8f9d6c5b0238641313387c139442566752a1d25d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
Add some information about some further kernel CVEs which don't apply for
either linux-yocto or don't apply for linux-yocto 6.1.
(From OE-Core rev: 85c1713bf0c01c68558bfba38edcc005c1ebb1c9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 39274240b7756f498507b229d5f3461c207f1823)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Reviewed-by: Frank WOLFF <frank.wolff@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
| |
CVEs CVE-2023-0179, CVE-2023-1079 and CVE-2023-1513 are patched in our
kernels but appear as active because the NVD database is not up to date.
(From OE-Core rev: ae1e7999a06c56c6f752413296b8f6b505475f8b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Reviewed-by: Frank WOLFF <frank.wolff@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Multiple CVEs are patched in kernel but appear as active because the NVD
database is not up to date.
In common file cve-extra-exclusion.inc, CVEs are ignored if and only if
all versions of kernel used are patched.
In cve-exclusion_6.1.inc, only ignore CVEs that are patched in v6.1,
and not patched in v5.15.
Recipes of version 6.1 should include this file.
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
(From OE-Core rev: 5feb065f1b1aaf218f71cc9d31a9251b139b9442)
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Exclude some CVEs where the patches were backported to the stable series
kernels we have.
https://www.linuxkernelcves.com/cves/CVE-XXXX-XXXX is useful to help
with this.
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
(From OE-Core rev: 33448393493d507c4d81c40e43537065a7b61d4c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Multiple CVE are patched in kernel but appears as active because the NVD
database is not up to date.
CVE are ignored if and only if all versions of kernel used by master are patched.
Also ignore CVEs with wrong CPE (applied to kernel but actually are for
another package)
(From OE-Core rev: 92770a08c04a6c1eb351231d937b16e76558f013)
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Remove obsolete comments/data from the file. Add in three CVEs to ignore.
Two are qemu CVEs which upstream aren't particularly intersted in and aren't
serious issues. Also ignore the nasm CVE found from fuzzing as this isn't
a issue we'd expose from OE.
(From OE-Core rev: 68291026aab2fa6ee1260ca95198dd1d568521e5)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For OE-Core our policy is to stay as close to the kernel stable releases
as we can. This should ensure the bulk of the major kernel CVEs are fixed
and we don't dive into each individual issue as the stable maintainers are
much more able to do that.
Rather than just ignore all kernel CVEs which is what we have been doing,
list the ones we ignore on this basis here, allowing new issues to be
visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
welcome than and then entries can likely be removed from here.
(From OE-Core rev: 319d465d44328b5f062d2da0526c0e8b189b4239)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
Update internal variable names to improve the terms used.
(From OE-Core rev: f408068e5d7998ae165f3002e51bc54b380b8099)
Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
| |
(From OE-Core rev: aa52af4518604b5bf13f3c5e885113bf868d6c81)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
(From OE-Core rev: 679fc70f907fb221f4541ebf30c1610e937209b7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE is effectively disputed - yes there is stack exhaustion but no bug and it
is building the parser, not running it, effectively similar to a compiler ICE.
Upstream no plans to address and there is no security issue.
https://github.com/westes/flex/issues/414
(From OE-Core rev: 0cae5d7a24bedf6784781b62cbb3795a44bab4d1)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
| |
(From OE-Core rev: d2ba6d58e77430cceeca9db61fdb06882a92e1e7)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
| |
(From OE-Core rev: d4d4644e7c127e8b88b180635124e8afc905c69e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The preferred methods for CVE resolution are:
1. Version upgrades where possible
2. Patches where not possible
3. Database updates where version info is incorrect
4. Exclusion from checking where it is determined that the CVE
does not apply to our environment
In some cases none of these methods are possible. For example the
CVE may be decades old with no apparent resolution, and with broken
links that make further research impractical. Some CVEs are vauge
with no specific action the project can take too.
This patch creates a mechanism for users to remove this type of
CVE from the cve-check results via an optional include file.
Based on an initial patch from Steve Sakoman <steve@sakoman.com>
but extended heavily by RP.
(From OE-Core rev: cf282ae03db3f09df42dcd110d7086c2d854642c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|