path: root/meta/conf/distro/include/cve-extra-exclusions.inc
Commit message | Author | Age | Files | Lines
* cve-extra-exclusions: linux-yocto: ignore fixed CVE-2023-1652 & CVE-2023-1829
  Author: Yoann Congal | Date: 2023-04-27 | 1 file changed, -0/+19

  CVE-2023-1652 & CVE-2023-1829 are fixed by all versions used by linux-yocto.
  Fixing commits are not referenced by NVD but are referenced by:
  * https://www.linuxkernelcves.com
  * Debian kernel-sec team
  ... this should be trustworthy enough.

  (From OE-Core rev: 8f9d6c5b0238641313387c139442566752a1d25d)

  Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-exclusions: Document some further linux-yocto CVE statuses
  Author: Richard Purdie | Date: 2023-04-11 | 1 file changed, -0/+9

  Add some information about some further kernel CVEs which either don't apply to linux-yocto or don't apply to linux-yocto 6.1.

  (From OE-Core rev: 85c1713bf0c01c68558bfba38edcc005c1ebb1c9)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusion: ignore disputed CVE-2023-23005
  Author: Yoann Congal | Date: 2023-04-07 | 1 file changed, -0/+10

  (From OE-Core rev: 39274240b7756f498507b229d5f3461c207f1823)

  Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
  Reviewed-by: Frank WOLFF <frank.wolff@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  Author: Yoann Congal | Date: 2023-04-06 | 1 file changed, -0/+25

  CVEs CVE-2023-0179, CVE-2023-1079 and CVE-2023-1513 are patched in our kernels but appear as active because the NVD database is not up to date.

  (From OE-Core rev: ae1e7999a06c56c6f752413296b8f6b505475f8b)

  Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
  Reviewed-by: Frank WOLFF <frank.wolff@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  Author: Geoffrey GIRY | Date: 2023-04-05 | 1 file changed, -3/+50

  Multiple CVEs are patched in the kernel but appear as active because the NVD database is not up to date.

  In the common file cve-extra-exclusions.inc, CVEs are ignored if and only if all versions of the kernel used are patched.

  In cve-exclusion_6.1.inc, only ignore CVEs that are patched in v6.1 and not patched in v5.15. Recipes of version 6.1 should include this file.

  Reviewed-by: Yoann Congal <yoann.congal@smile.fr>

  (From OE-Core rev: 5feb065f1b1aaf218f71cc9d31a9251b139b9442)

  Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusions.inc: Exclude some issues not present in linux-yocto
  Author: Richard Purdie | Date: 2023-04-04 | 1 file changed, -0/+40

  Exclude some CVEs where the patches were backported to the stable series kernels we have.

  https://www.linuxkernelcves.com/cves/CVE-XXXX-XXXX is useful to help with this.

  Reviewed-by: Yoann Congal <yoann.congal@smile.fr>

  (From OE-Core rev: 33448393493d507c4d81c40e43537065a7b61d4c)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  Author: Geoffrey GIRY | Date: 2023-02-28 | 1 file changed, -0/+296

  Multiple CVEs are patched in the kernel but appear as active because the NVD database is not up to date.

  CVEs are ignored if and only if all versions of the kernel used by master are patched.

  Also ignore CVEs with a wrong CPE (applied to the kernel but actually for another package).

  (From OE-Core rev: 92770a08c04a6c1eb351231d937b16e76558f013)

  Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
  Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusions: Clean up and ignore three CVEs (2x qemu and nasm)
  Author: Richard Purdie | Date: 2022-06-30 | 1 file changed, -15/+15

  Remove obsolete comments/data from the file.

  Add in three CVEs to ignore. Two are qemu CVEs which upstream aren't particularly interested in and aren't serious issues. Also ignore the nasm CVE found from fuzzing as this isn't an issue we'd expose from OE.

  (From OE-Core rev: 68291026aab2fa6ee1260ca95198dd1d568521e5)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusions: Add kernel CVEs
  Author: Richard Purdie | Date: 2022-05-27 | 1 file changed, -0/+37

  For OE-Core our policy is to stay as close to the kernel stable releases as we can. This should ensure the bulk of the major kernel CVEs are fixed and we don't dive into each individual issue as the stable maintainers are much more able to do that.

  Rather than just ignore all kernel CVEs, which is what we have been doing, list the ones we ignore on this basis here, allowing new issues to be visible.

  If anyone wishes to clean up CPE entries with NIST for these, we'd welcome that and then entries can likely be removed from here.

  (From OE-Core rev: 319d465d44328b5f062d2da0526c0e8b189b4239)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/scripts: Improve internal variable naming
  Author: Saul Wold | Date: 2022-03-10 | 1 file changed, -1/+1

  Update internal variable names to improve the terms used.

  (From OE-Core rev: f408068e5d7998ae165f3002e51bc54b380b8099)

  Signed-off-by: Saul Wold <saul.wold@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/scripts: Automated conversion of OE renamed variables
  Author: Richard Purdie | Date: 2022-02-21 | 1 file changed, -6/+6

  (From OE-Core rev: aa52af4518604b5bf13f3c5e885113bf868d6c81)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusions: add db CVEs to exclusion list
  Author: Steve Sakoman | Date: 2021-12-08 | 1 file changed, -1/+8

  Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.

  (From OE-Core rev: 679fc70f907fb221f4541ebf30c1610e937209b7)

  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* flex: Add CVE-2019-6293 to exclusions for checks
  Author: Richard Purdie | Date: 2021-09-07 | 1 file changed, -4/+0

  CVE is effectively disputed - yes there is stack exhaustion but no bug, and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream has no plans to address it and there is no security issue.

  https://github.com/westes/flex/issues/414

  (From OE-Core rev: 0cae5d7a24bedf6784781b62cbb3795a44bab4d1)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusions.inc: Clean up merged CPE updates
  Author: Richard Purdie | Date: 2021-05-21 | 1 file changed, -15/+0

  (From OE-Core rev: d2ba6d58e77430cceeca9db61fdb06882a92e1e7)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusions: Fix typos
  Author: Richard Purdie | Date: 2021-05-20 | 1 file changed, -4/+4

  (From OE-Core rev: d4d4644e7c127e8b88b180635124e8afc905c69e)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-extra-exclusions.inc: add exclusion list for intractable CVEs
  Author: Richard Purdie | Date: 2021-05-20 | 1 file changed, -0/+88

  The preferred methods for CVE resolution are:

  1. Version upgrades where possible
  2. Patches where not possible
  3. Database updates where version info is incorrect
  4. Exclusion from checking where it is determined that the CVE does not apply to our environment

  In some cases none of these methods are possible. For example the CVE may be decades old with no apparent resolution, and with broken links that make further research impractical. Some CVEs are vague, with no specific action the project can take, too.

  This patch creates a mechanism for users to remove this type of CVE from the cve-check results via an optional include file.

  Based on an initial patch from Steve Sakoman <steve@sakoman.com> but extended heavily by RP.

  (From OE-Core rev: cf282ae03db3f09df42dcd110d7086c2d854642c)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
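What the "optional include file" mechanism described in the commit above looks like in practice, as an added illustration that is not the project's own file contents. It assumes the cve-check variable is CVE_CHECK_IGNORE (the name it carries after the 2022 variable rename listed higher in this log; the original 2021 file used CVE_CHECK_WHITELIST), that the distro configuration pulls the list in with a BitBake include directive, and that the justification comments and the grouping of entries are illustrative. The CVE identifiers and the flex issue link are taken from the commit messages on this page; the NVD URL form is an assumption.

```bitbake
# Added example, not the project's file. Assumed variable name: CVE_CHECK_IGNORE
# (CVE_CHECK_WHITELIST before the 2022 rename). Entries and comments are
# illustrative; each exclusion should carry a reason a reviewer can re-check.

# 1) Opt in from the distro config (e.g. conf/distro/mydistro.conf), so that
#    cve-check users who do not want the policy simply omit this line:
include conf/distro/include/cve-extra-exclusions.inc

# 2) Contents of the exclusions include file.

# flex https://nvd.nist.gov/vuln/detail/CVE-2019-6293
# Effectively disputed: stack exhaustion while *building* a parser, not while
# running one; upstream has no plans to address it.
# https://github.com/westes/flex/issues/414
CVE_CHECK_IGNORE += "CVE-2019-6293"

# linux-yocto: fixed in every stable series the recipes ship, but NVD does not
# reference the fixing commits, so cve-check still reports them. Only CVEs
# fixed in *all* shipped kernel versions belong in this common file; a CVE
# fixed in 6.1 but not in 5.15 belongs in the 6.1 recipe's own
# cve-exclusion_6.1.inc instead.
CVE_CHECK_IGNORE += "\
    CVE-2023-1652 \
    CVE-2023-1829 \
"
```

To confirm an exclusion actually reached a recipe's datastore, run `bitbake -e flex | grep '^CVE_CHECK_IGNORE='` and check that the identifier appears in the expanded value; an entry that only lives in the include file but is never pulled into the distro config changes nothing.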
The preferred methods for CVE resolution are: 1. Version upgrades where possible 2. Patches where not possible 3. Database updates where version info is incorrect 4. Exclusion from checking where it is determined that the CVE does not apply to our environment In some cases none of these methods are possible. For example the CVE may be decades old with no apparent resolution, and with broken links that make further research impractical. Some CVEs are vauge with no specific action the project can take too. This patch creates a mechanism for users to remove this type of CVE from the cve-check results via an optional include file. Based on an initial patch from Steve Sakoman <steve@sakoman.com> but extended heavily by RP. (From OE-Core rev: cf282ae03db3f09df42dcd110d7086c2d854642c) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>