Message ID | 20240218165256.2804353-1-simone.p.weiss@posteo.com |
---|---|
State | Accepted, archived |
Commit | a975960baffd341cd07cb093bef107c031c9b956 |
Series | qemu: Set CVE_STATUS for wrong CVEs |
On Sun, 2024-02-18 at 16:52 +0000, Simone Weiß wrote: > From: Simone Weiß <simone.p.weiss@posteo.com> > > All are already fixed in 8.2.1, NVD was informed that cpes are wrong. > > Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> > --- > meta/recipes-devtools/qemu/qemu.inc | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc > index 5d953e5ef5..233652fc49 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc > +++ b/meta/recipes-devtools/qemu/qemu.inc > @@ -68,6 +68,12 @@ CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Wind > # As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387 > CVE_STATUS[CVE-2023-2680] = "not-applicable-platform: RHEL specific issue." > > +CVE_STATUS[CVE-2023-3019] = "cpe-incorrect: Applies against versions > 8.2.0 only" > + > +CVE_STATUS[CVE-2023-5088] = "cpe-incorrect: Applies against versions >= 8.2.0 only" > + > +CVE_STATUS[CVE-2023-6693] = "cpe-incorrect: Applies against versions >= 8.2.0 only" > + > COMPATIBLE_HOST:mipsarchn32 = "null" > COMPATIBLE_HOST:mipsarchn64 = "null" > COMPATIBLE_HOST:riscv32 = "null" > Thanks for trying to resolve these. I'm struggling a little to read the above since to me that says the CVE applies to versions greater than 8.2.0 so 8.2.1 would be affected? Should the operators be the other way around, or should we spell it out ("applies to versions 8.2.0 and earlier")? Cheers, Richard
On Sun, 2024-02-18 at 17:42 +0000, Richard Purdie wrote: > On Sun, 2024-02-18 at 16:52 +0000, Simone Weiß wrote: > > From: Simone Weiß <simone.p.weiss@posteo.com> > > > > All are already fixed in 8.2.1, NVD was informed that cpes are wrong. > > > > Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> > > --- > > meta/recipes-devtools/qemu/qemu.inc | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes- > > devtools/qemu/qemu.inc > > index 5d953e5ef5..233652fc49 100644 > > --- a/meta/recipes-devtools/qemu/qemu.inc > > +++ b/meta/recipes-devtools/qemu/qemu.inc 
> > @@ -68,6 +68,12 @@ CVE_STATUS[CVE-2023-0664] = "not-applicable- > > platform: Issue only applies on Wind > > # As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387 > > CVE_STATUS[CVE-2023-2680] = "not-applicable-platform: RHEL specific > > issue." > > > > +CVE_STATUS[CVE-2023-3019] = "cpe-incorrect: Applies against versions > > > 8.2.0 only" > > + > > +CVE_STATUS[CVE-2023-5088] = "cpe-incorrect: Applies against versions > > >= 8.2.0 only" > > + > > +CVE_STATUS[CVE-2023-6693] = "cpe-incorrect: Applies against versions > > >= 8.2.0 only" > > + > > COMPATIBLE_HOST:mipsarchn32 = "null" > > COMPATIBLE_HOST:mipsarchn64 = "null" > > COMPATIBLE_HOST:riscv32 = "null" > > > > Thanks for trying to resolve these. > > I'm struggling a little to read the above since to me that says the CVE > applies to versions greater than 8.2.0 so 8.2.1 would be affected? > Should the operators be the other way around, or should we spell it out > ("applies to versions 8.2.0 and earlier")? > > Cheers, > > Richard I'll spell it out
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 5d953e5ef5..233652fc49 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -68,6 +68,12 @@ CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Wind # As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387 CVE_STATUS[CVE-2023-2680] = "not-applicable-platform: RHEL specific issue." +CVE_STATUS[CVE-2023-3019] = "cpe-incorrect: Applies against versions > 8.2.0 only" + +CVE_STATUS[CVE-2023-5088] = "cpe-incorrect: Applies against versions >= 8.2.0 only" + +CVE_STATUS[CVE-2023-6693] = "cpe-incorrect: Applies against versions >= 8.2.0 only" + COMPATIBLE_HOST:mipsarchn32 = "null" COMPATIBLE_HOST:mipsarchn64 = "null" COMPATIBLE_HOST:riscv32 = "null"
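Review bot: The status text on the three added CVE_STATUS lines reads as if versions newer than 8.2.0 are the affected ones, which contradicts the commit message ("All are already fixed in 8.2.1"). The operators are also inconsistent: CVE-2023-3019 uses "> 8.2.0" while CVE-2023-5088 and CVE-2023-6693 use ">= 8.2.0", with nothing in the patch explaining the difference. Since this string is what a reader of the CVE report sees as the justification for ignoring the CVE, spell it out in words rather than with a comparison operator, for example "cpe-incorrect: Fixed in 8.2.1", and use the same wording for all three unless the affected ranges really differ. The neighbouring entry carries a "# As per https://bugzilla.redhat.com/..." comment; a similar comment pointing at the fix or at the report sent to NVD would let the next maintainer verify the claim and drop the entries once the CPE data is corrected.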