
linux-yocto: update CVE exclusions

Message ID 20231205132311.2485515-1-ross.burton@arm.com
State Accepted, archived
Commit 34835847442c15ebe12970bc31b6a949e66da48e

Commit Message

Ross Burton Dec. 5, 2023, 1:23 p.m. UTC
From: Ross Burton <ross.burton@arm.com>

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 .../linux/cve-exclusion_6.1.inc               | 26 +++++++++++++++----
 .../linux/cve-exclusion_6.5.inc               | 22 +++++++++++++---
 2 files changed, 40 insertions(+), 8 deletions(-)

Comments

Ross Burton Dec. 5, 2023, 1:24 p.m. UTC | #1
Note that this depends on Bruce’s latest kernel patches.

Ross

> On 5 Dec 2023, at 13:23, Ross Burton via lists.openembedded.org <ross.burton=arm.com@lists.openembedded.org> wrote:
> 
> From: Ross Burton <ross.burton@arm.com>
> 
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
> .../linux/cve-exclusion_6.1.inc               | 26 +++++++++++++++----
> .../linux/cve-exclusion_6.5.inc               | 22 +++++++++++++---
> 2 files changed, 40 insertions(+), 8 deletions(-)
> 
> diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
> index 1216e0c2ddd..1e366481ff6 100644
> --- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
> +++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
> @@ -1,9 +1,9 @@
> 
> # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
> -# Generated at 2023-11-09 17:12:27.365962+00:00 for version 6.1.61
> +# Generated at 2023-12-05 13:22:34.961692+00:00 for version 6.1.65
> 
> python check_kernel_cve_status_version() {
> -    this_version = "6.1.61"
> +    this_version = "6.1.65"
>     kernel_version = d.getVar("LINUX_VERSION")
>     if kernel_version != this_version:
>         bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
> @@ -4524,7 +4524,7 @@ CVE_STATUS[CVE-2022-43945] = "fixed-version: Fixed from version 6.1rc1"
> 
> # CVE-2022-44033 needs backporting (fixed from 6.4rc1)
> 
> -# CVE-2022-44034 has no known resolution
> +# CVE-2022-44034 needs backporting (fixed from 6.4rc1)
> 
> # CVE-2022-4543 has no known resolution
> 
> @@ -5016,6 +5016,10 @@ CVE_STATUS[CVE-2023-39193] = "cpe-stable-backport: Backported in 6.1.53"
> 
> CVE_STATUS[CVE-2023-39194] = "cpe-stable-backport: Backported in 6.1.47"
> 
> +CVE_STATUS[CVE-2023-39197] = "cpe-stable-backport: Backported in 6.1.39"
> +
> +CVE_STATUS[CVE-2023-39198] = "cpe-stable-backport: Backported in 6.1.47"
> +
> CVE_STATUS[CVE-2023-4004] = "cpe-stable-backport: Backported in 6.1.42"
> 
> # CVE-2023-4010 has no known resolution
> @@ -5104,7 +5108,7 @@ CVE_STATUS[CVE-2023-4881] = "cpe-stable-backport: Backported in 6.1.54"
> 
> CVE_STATUS[CVE-2023-4921] = "cpe-stable-backport: Backported in 6.1.54"
> 
> -# CVE-2023-5090 needs backporting (fixed from 6.6rc7)
> +CVE_STATUS[CVE-2023-5090] = "cpe-stable-backport: Backported in 6.1.62"
> 
> CVE_STATUS[CVE-2023-5158] = "cpe-stable-backport: Backported in 6.1.57"
> 
> @@ -5114,7 +5118,19 @@ CVE_STATUS[CVE-2023-5197] = "cpe-stable-backport: Backported in 6.1.56"
> 
> CVE_STATUS[CVE-2023-5345] = "cpe-stable-backport: Backported in 6.1.56"
> 
> -# CVE-2023-5633 needs backporting (fixed from 6.6rc6)
> +CVE_STATUS[CVE-2023-5633] = "fixed-version: only affects 6.2 onwards"
> 
> CVE_STATUS[CVE-2023-5717] = "cpe-stable-backport: Backported in 6.1.60"
> 
> +# CVE-2023-5972 needs backporting (fixed from 6.6rc7)
> +
> +# CVE-2023-6039 needs backporting (fixed from 6.5rc5)
> +
> +CVE_STATUS[CVE-2023-6111] = "fixed-version: only affects 6.6rc3 onwards"
> +
> +# CVE-2023-6121 needs backporting (fixed from 6.7rc3)
> +
> +CVE_STATUS[CVE-2023-6176] = "cpe-stable-backport: Backported in 6.1.54"
> +
> +# CVE-2023-6238 has no known resolution
> +
> diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.5.inc b/meta/recipes-kernel/linux/cve-exclusion_6.5.inc
> index b4086d436c4..6304d80844c 100644
> --- a/meta/recipes-kernel/linux/cve-exclusion_6.5.inc
> +++ b/meta/recipes-kernel/linux/cve-exclusion_6.5.inc
> @@ -1,9 +1,9 @@
> 
> # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
> -# Generated at 2023-11-09 17:13:01.267965+00:00 for version 6.5.10
> +# Generated at 2023-12-05 13:22:43.339114+00:00 for version 6.5.13
> 
> python check_kernel_cve_status_version() {
> -    this_version = "6.5.10"
> +    this_version = "6.5.13"
>     kernel_version = d.getVar("LINUX_VERSION")
>     if kernel_version != this_version:
>         bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
> @@ -4524,7 +4524,7 @@ CVE_STATUS[CVE-2022-44032] = "fixed-version: Fixed from version 6.4rc1"
> 
> CVE_STATUS[CVE-2022-44033] = "fixed-version: Fixed from version 6.4rc1"
> 
> -# CVE-2022-44034 has no known resolution
> +CVE_STATUS[CVE-2022-44034] = "fixed-version: Fixed from version 6.4rc1"
> 
> # CVE-2022-4543 has no known resolution
> 
> @@ -5016,6 +5016,10 @@ CVE_STATUS[CVE-2023-39193] = "cpe-stable-backport: Backported in 6.5.3"
> 
> CVE_STATUS[CVE-2023-39194] = "fixed-version: Fixed from version 6.5rc7"
> 
> +CVE_STATUS[CVE-2023-39197] = "fixed-version: Fixed from version 6.5rc1"
> +
> +CVE_STATUS[CVE-2023-39198] = "fixed-version: Fixed from version 6.5rc7"
> +
> CVE_STATUS[CVE-2023-4004] = "fixed-version: Fixed from version 6.5rc3"
> 
> # CVE-2023-4010 has no known resolution
> @@ -5118,3 +5122,15 @@ CVE_STATUS[CVE-2023-5633] = "cpe-stable-backport: Backported in 6.5.8"
> 
> CVE_STATUS[CVE-2023-5717] = "cpe-stable-backport: Backported in 6.5.9"
> 
> +CVE_STATUS[CVE-2023-5972] = "cpe-stable-backport: Backported in 6.5.9"
> +
> +CVE_STATUS[CVE-2023-6039] = "fixed-version: Fixed from version 6.5rc5"
> +
> +CVE_STATUS[CVE-2023-6111] = "fixed-version: only affects 6.6rc3 onwards"
> +
> +# CVE-2023-6121 needs backporting (fixed from 6.7rc3)
> +
> +CVE_STATUS[CVE-2023-6176] = "cpe-stable-backport: Backported in 6.5.4"
> +
> +# CVE-2023-6238 has no known resolution
> +
> -- 
> 2.34.1
> 
> 
>

Patch

diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 1216e0c2ddd..1e366481ff6 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,9 +1,9 @@ 
 
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2023-11-09 17:12:27.365962+00:00 for version 6.1.61
+# Generated at 2023-12-05 13:22:34.961692+00:00 for version 6.1.65
 
 python check_kernel_cve_status_version() {
-    this_version = "6.1.61"
+    this_version = "6.1.65"
     kernel_version = d.getVar("LINUX_VERSION")
     if kernel_version != this_version:
         bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
@@ -4524,7 +4524,7 @@  CVE_STATUS[CVE-2022-43945] = "fixed-version: Fixed from version 6.1rc1"
 
 # CVE-2022-44033 needs backporting (fixed from 6.4rc1)
 
-# CVE-2022-44034 has no known resolution
+# CVE-2022-44034 needs backporting (fixed from 6.4rc1)
 
 # CVE-2022-4543 has no known resolution
 
@@ -5016,6 +5016,10 @@  CVE_STATUS[CVE-2023-39193] = "cpe-stable-backport: Backported in 6.1.53"
 
 CVE_STATUS[CVE-2023-39194] = "cpe-stable-backport: Backported in 6.1.47"
 
+CVE_STATUS[CVE-2023-39197] = "cpe-stable-backport: Backported in 6.1.39"
+
+CVE_STATUS[CVE-2023-39198] = "cpe-stable-backport: Backported in 6.1.47"
+
 CVE_STATUS[CVE-2023-4004] = "cpe-stable-backport: Backported in 6.1.42"
 
 # CVE-2023-4010 has no known resolution
@@ -5104,7 +5108,7 @@  CVE_STATUS[CVE-2023-4881] = "cpe-stable-backport: Backported in 6.1.54"
 
 CVE_STATUS[CVE-2023-4921] = "cpe-stable-backport: Backported in 6.1.54"
 
-# CVE-2023-5090 needs backporting (fixed from 6.6rc7)
+CVE_STATUS[CVE-2023-5090] = "cpe-stable-backport: Backported in 6.1.62"
 
 CVE_STATUS[CVE-2023-5158] = "cpe-stable-backport: Backported in 6.1.57"
 
@@ -5114,7 +5118,19 @@  CVE_STATUS[CVE-2023-5197] = "cpe-stable-backport: Backported in 6.1.56"
 
 CVE_STATUS[CVE-2023-5345] = "cpe-stable-backport: Backported in 6.1.56"
 
-# CVE-2023-5633 needs backporting (fixed from 6.6rc6)
+CVE_STATUS[CVE-2023-5633] = "fixed-version: only affects 6.2 onwards"
 
 CVE_STATUS[CVE-2023-5717] = "cpe-stable-backport: Backported in 6.1.60"
 
+# CVE-2023-5972 needs backporting (fixed from 6.6rc7)
+
+# CVE-2023-6039 needs backporting (fixed from 6.5rc5)
+
+CVE_STATUS[CVE-2023-6111] = "fixed-version: only affects 6.6rc3 onwards"
+
+# CVE-2023-6121 needs backporting (fixed from 6.7rc3)
+
+CVE_STATUS[CVE-2023-6176] = "cpe-stable-backport: Backported in 6.1.54"
+
+# CVE-2023-6238 has no known resolution
+
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.5.inc b/meta/recipes-kernel/linux/cve-exclusion_6.5.inc
index b4086d436c4..6304d80844c 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.5.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.5.inc
@@ -1,9 +1,9 @@ 
 
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2023-11-09 17:13:01.267965+00:00 for version 6.5.10
+# Generated at 2023-12-05 13:22:43.339114+00:00 for version 6.5.13
 
 python check_kernel_cve_status_version() {
-    this_version = "6.5.10"
+    this_version = "6.5.13"
     kernel_version = d.getVar("LINUX_VERSION")
     if kernel_version != this_version:
         bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
@@ -4524,7 +4524,7 @@  CVE_STATUS[CVE-2022-44032] = "fixed-version: Fixed from version 6.4rc1"
 
 CVE_STATUS[CVE-2022-44033] = "fixed-version: Fixed from version 6.4rc1"
 
-# CVE-2022-44034 has no known resolution
+CVE_STATUS[CVE-2022-44034] = "fixed-version: Fixed from version 6.4rc1"
 
 # CVE-2022-4543 has no known resolution
 
@@ -5016,6 +5016,10 @@  CVE_STATUS[CVE-2023-39193] = "cpe-stable-backport: Backported in 6.5.3"
 
 CVE_STATUS[CVE-2023-39194] = "fixed-version: Fixed from version 6.5rc7"
 
+CVE_STATUS[CVE-2023-39197] = "fixed-version: Fixed from version 6.5rc1"
+
+CVE_STATUS[CVE-2023-39198] = "fixed-version: Fixed from version 6.5rc7"
+
 CVE_STATUS[CVE-2023-4004] = "fixed-version: Fixed from version 6.5rc3"
 
 # CVE-2023-4010 has no known resolution
@@ -5118,3 +5122,15 @@  CVE_STATUS[CVE-2023-5633] = "cpe-stable-backport: Backported in 6.5.8"
 
 CVE_STATUS[CVE-2023-5717] = "cpe-stable-backport: Backported in 6.5.9"
 
+CVE_STATUS[CVE-2023-5972] = "cpe-stable-backport: Backported in 6.5.9"
+
+CVE_STATUS[CVE-2023-6039] = "fixed-version: Fixed from version 6.5rc5"
+
+CVE_STATUS[CVE-2023-6111] = "fixed-version: only affects 6.6rc3 onwards"
+
+# CVE-2023-6121 needs backporting (fixed from 6.7rc3)
+
+CVE_STATUS[CVE-2023-6176] = "cpe-stable-backport: Backported in 6.5.4"
+
+# CVE-2023-6238 has no known resolution
+