[nanbield,12/23] linux-yocto/6.1: update CVE exclusions

Message ID	dfd3c5c6fbe2cd3b0723879bd2b6574eb59a5860.1706322780.git.steve@sakoman.com
State	Accepted
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.173, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][nanbield 12/23] linux-yocto/6.1: update CVE exclusions Date: Fri, 26 Jan 2024 16:37:20 -1000 Message-Id: <dfd3c5c6fbe2cd3b0723879bd2b6574eb59a5860.1706322780.git.steve@sakoman.com> In-Reply-To: <cover.1706322780.git.steve@sakoman.com> References: <cover.1706322780.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[nanbield,01/23] libatomic-ops: upgrade 7.8.0 -> 7.8.2 \| expand [nanbield,01/23] libatomic-ops: upgrade 7.8.0 -> 7.8.2 [nanbield,02/23] libva-utils: upgrade 2.20.0 -> 2.20.1 [nanbield,03/23] libadwaita: update 1.4.0 -> 1.4.2 [nanbield,04/23] kea: upgrade 2.4.0 -> 2.4.1 [nanbield,05/23] linux-yocto/6.1: update to v6.1.69 [nanbield,06/23] linux-yocto/6.1: update to v6.1.70 [nanbield,07/23] linux-yocto/6.1: update CVE exclusions [nanbield,08/23] linux-yocto/6.1: update to v6.1.72 [nanbield,09/23] linux-yocto/6.1: update CVE exclusions [nanbield,10/23] linux-yocto/6.1: security/cfg: add configs to harden protection [nanbield,11/23] linux-yocto/6.1: update to v6.1.73 [nanbield,12/23] linux-yocto/6.1: update CVE exclusions [nanbield,13/23] nfs-utils: Update Upstream-Status [nanbield,14/23] python3-license-expression: Fix the ptest failure [nanbield,15/23] dtc: preserve version also from shallow git clones [nanbield,16/23] curl: Disable two intermittently failing tests [nanbield,17/23] devtool: deploy: provide max_process to strip_execs [nanbield,18/23] ncurses: Fix - tty is hung after reset [nanbield,19/23] uninative-tarball.xz - reproducibility fix [nanbield,20/23] classes-global/sstate: Fix variable typo [nanbield,21/23] lib/prservice: Improve lock handling robustness [nanbield,22/23] oeqa/selftest/prservice: Improve test robustness [nanbield,23/23] package.py: OEHasPackage: Add MLPREFIX to packagename

Message ID

dfd3c5c6fbe2cd3b0723879bd2b6574eb59a5860.1706322780.git.steve@sakoman.com

State

Accepted

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][nanbield 12/23] linux-yocto/6.1: update CVE exclusions
Date: Fri, 26 Jan 2024 16:37:20 -1000
Message-Id: 
 <dfd3c5c6fbe2cd3b0723879bd2b6574eb59a5860.1706322780.git.steve@sakoman.com>
In-Reply-To: <cover.1706322780.git.steve@sakoman.com>
References: <cover.1706322780.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[nanbield,01/23] libatomic-ops: upgrade 7.8.0 -> 7.8.2 | expand

Commit Message

Steve Sakoman Jan. 27, 2024, 2:37 a.m. UTC

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Data pulled from: https://github.com/nluedtke/linux_kernel_cves

    1/1 [
        Author: Nicholas Luedtke
        Email: nicholas.luedtke@uwalumni.com
        Subject: Update 15Jan24
        Date: Mon, 15 Jan 2024 12:48:45 -0500

    ]

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 74bf102eb4ae7377527a146e3db1d9ee1da1f2da)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/cve-exclusion_6.1.inc               | 34 +++++++++++++++----
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 4183ceab04..45fcc7b260 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,9 +1,9 @@ 
 
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2024-01-11 18:31:26.124059+00:00 for version 6.1.72
+# Generated at 2024-01-18 21:10:06.148505+00:00 for version 6.1.73
 
 python check_kernel_cve_status_version() {
-    this_version = "6.1.72"
+    this_version = "6.1.73"
     kernel_version = d.getVar("LINUX_VERSION")
     if kernel_version != this_version:
         bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
@@ -4584,6 +4584,8 @@  CVE_STATUS[CVE-2022-48425] = "cpe-stable-backport: Backported in 6.1.33"
 
 CVE_STATUS[CVE-2022-48502] = "cpe-stable-backport: Backported in 6.1.40"
 
+CVE_STATUS[CVE-2022-48619] = "fixed-version: Fixed from version 5.18rc1"
+
 CVE_STATUS[CVE-2023-0030] = "fixed-version: Fixed from version 5.0rc1"
 
 CVE_STATUS[CVE-2023-0045] = "cpe-stable-backport: Backported in 6.1.5"
@@ -4644,7 +4646,7 @@  CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in 6.1.16"
 
 CVE_STATUS[CVE-2023-1192] = "cpe-stable-backport: Backported in 6.1.33"
 
-# CVE-2023-1193 needs backporting (fixed from 6.3rc6)
+CVE_STATUS[CVE-2023-1193] = "cpe-stable-backport: Backported in 6.1.71"
 
 CVE_STATUS[CVE-2023-1194] = "cpe-stable-backport: Backported in 6.1.34"
 
@@ -4666,6 +4668,8 @@  CVE_STATUS[CVE-2023-1382] = "fixed-version: Fixed from version 6.1rc7"
 
 CVE_STATUS[CVE-2023-1390] = "fixed-version: Fixed from version 5.11rc4"
 
+# CVE-2023-1476 has no known resolution
+
 CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in 6.1.13"
 
 CVE_STATUS[CVE-2023-1582] = "fixed-version: Fixed from version 5.17rc4"
@@ -5088,7 +5092,7 @@  CVE_STATUS[CVE-2023-45871] = "cpe-stable-backport: Backported in 6.1.53"
 
 CVE_STATUS[CVE-2023-45898] = "fixed-version: only affects 6.5rc1 onwards"
 
-# CVE-2023-4610 needs backporting (fixed from 6.4)
+CVE_STATUS[CVE-2023-4610] = "fixed-version: only affects 6.4rc1 onwards"
 
 CVE_STATUS[CVE-2023-4611] = "fixed-version: only affects 6.4rc1 onwards"
 
@@ -5112,7 +5116,7 @@  CVE_STATUS[CVE-2023-5090] = "cpe-stable-backport: Backported in 6.1.62"
 
 CVE_STATUS[CVE-2023-5158] = "cpe-stable-backport: Backported in 6.1.57"
 
-# CVE-2023-51779 needs backporting (fixed from 6.7rc7)
+CVE_STATUS[CVE-2023-51779] = "cpe-stable-backport: Backported in 6.1.70"
 
 CVE_STATUS[CVE-2023-5178] = "cpe-stable-backport: Backported in 6.1.60"
 
@@ -5134,6 +5138,8 @@  CVE_STATUS[CVE-2023-5972] = "fixed-version: only affects 6.2rc1 onwards"
 
 # CVE-2023-6039 needs backporting (fixed from 6.5rc5)
 
+CVE_STATUS[CVE-2023-6040] = "fixed-version: Fixed from version 5.18rc1"
+
 CVE_STATUS[CVE-2023-6111] = "fixed-version: only affects 6.6rc3 onwards"
 
 CVE_STATUS[CVE-2023-6121] = "cpe-stable-backport: Backported in 6.1.65"
@@ -5142,8 +5148,12 @@  CVE_STATUS[CVE-2023-6176] = "cpe-stable-backport: Backported in 6.1.54"
 
 # CVE-2023-6238 has no known resolution
 
+# CVE-2023-6270 has no known resolution
+
 # CVE-2023-6356 has no known resolution
 
+CVE_STATUS[CVE-2023-6531] = "cpe-stable-backport: Backported in 6.1.68"
+
 # CVE-2023-6535 has no known resolution
 
 # CVE-2023-6536 has no known resolution
@@ -5152,13 +5162,13 @@  CVE_STATUS[CVE-2023-6546] = "cpe-stable-backport: Backported in 6.1.47"
 
 # CVE-2023-6560 needs backporting (fixed from 6.7rc4)
 
-# CVE-2023-6606 needs backporting (fixed from 6.7rc7)
+CVE_STATUS[CVE-2023-6606] = "cpe-stable-backport: Backported in 6.1.70"
 
 # CVE-2023-6610 needs backporting (fixed from 6.7rc7)
 
 CVE_STATUS[CVE-2023-6622] = "cpe-stable-backport: Backported in 6.1.68"
 
-# CVE-2023-6679 needs backporting (fixed from 6.7rc6)
+CVE_STATUS[CVE-2023-6679] = "fixed-version: only affects 6.7rc1 onwards"
 
 CVE_STATUS[CVE-2023-6817] = "cpe-stable-backport: Backported in 6.1.68"
 
@@ -5168,3 +5178,13 @@  CVE_STATUS[CVE-2023-6932] = "cpe-stable-backport: Backported in 6.1.66"
 
 # CVE-2023-7042 has no known resolution
 
+CVE_STATUS[CVE-2023-7192] = "cpe-stable-backport: Backported in 6.1.18"
+
+CVE_STATUS[CVE-2024-0193] = "fixed-version: only affects 6.5rc6 onwards"
+
+# CVE-2024-0340 needs backporting (fixed from 6.4rc6)
+
+CVE_STATUS[CVE-2024-0443] = "fixed-version: only affects 6.2rc1 onwards"
+
+# Skipping dd=CVE-2023-1476, no affected_versions
+

[nanbield,12/23] linux-yocto/6.1: update CVE exclusions

Commit Message

Patch