From patchwork Fri May 19 08:18:50 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Andrej Valek X-Patchwork-Id: 24183 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 510CDC7EE26 for ; Fri, 19 May 2023 08:19:27 +0000 (UTC) Received: from EUR05-DB8-obe.outbound.protection.outlook.com (EUR05-DB8-obe.outbound.protection.outlook.com [40.107.20.53]) by mx.groups.io with SMTP id smtpd.web10.20898.1684484361479151809 for ; Fri, 19 May 2023 01:19:22 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@siemens.com header.s=selector2 header.b=PlPhAKLS; spf=pass (domain: siemens.com, ip: 40.107.20.53, mailfrom: andrej.valek@siemens.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XT2a5btHSqhpJ9oSSs67u6RKKWA8dl7c78kgeDEm68S/qUOfsAyM7TFBdA4rlzdpjEPgLLG2wg9ykca8vYmaNJq2vqdOg5N532FVmxnRqF4bPa/mK8wSLZntNAPxN7jknBq9PGVR1kINzRwVpzPLiCSLq5RxfqOSwsAXVqgU9pzRuGN8Xh1CXZDyBNR1DLqe81+Am71Z+7t9PY1L1ZtRp4aeK0V1fiJwFM3kpNqMD26q/KK1nMMo3/Cct4AJMv1JvkX907MYB7iuFqi704Vs0iO3FHTOfrdLHiisWubWYwphwcBw7D8vBW3oeQ7MqUvtHeoD/bLl8Sj7gCF4EVNY4w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=tpkcnNWjKdZeQA12UhC8lmI6pxyzYnn7Pqq1NzVL7Yo=; b=QMQGJEMTqxPd3YaqL4xHi+x4oGMY935w9LnM8NocrICSZ0UEkSfQht7XDfB4mGMbpvqqvrDAB0GF9CmiFwqOg1DTs3Y+N4C/DMcka8gQbneIRdIZX8vtb0SfOpzHwVCb/nV+AUggE0YlnB7sM0j6hoJDBoacxi/7gCmimqeycVfkSKEqtxyclqAI35S0wDpbW3Tw5m9DAeX/a0mAkV6cCfUzr2cCYQ+LDPhYVIOKP9dp1kHUNezG3gMOVab8sYrTc6ZM8w3o2rk5s2WTtqTXDws/KKXzG+jlk6zcmYD6Dlm9zgaANwKKLlI2/L0A993I4y4zJB8K+TU0GjHWPqiGUA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 194.138.21.74) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=siemens.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=siemens.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tpkcnNWjKdZeQA12UhC8lmI6pxyzYnn7Pqq1NzVL7Yo=; b=PlPhAKLS9b4AY0G6XubwhE8E/E21cHGKPd+sSwxWyGKlYgg8piZ7fkA5aukeKtziu1seYTjkXbXS7EJEnX39boWBVKrsP3gnlKoq8e5X7hVUBikLJ0oaxDfxPPTYVJ4OKljxM81+5jFNIfB3/FXD5sXnu7S0dlKzujw7bFSpazjAzHz5ikW7mAguSzbpkv2mVxWERHjmr6qq5S3OQiSHB1R4vsSZKoZgK8p1cCc4TNnjsEHmTCqmwaLp1bGleXs76zrzAKXxXzDDm1V9iLLeVcQXveF/iMUgPGvuy9ilcYr+oWUB6vk/qlYotqxxYyvx8IQDoCBgXPLxG4V0L63D5A== Received: from GVYP280CA0032.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:f9::12) by VI1PR10MB7781.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:800:1bc::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.17; Fri, 19 May 2023 08:19:16 +0000 Received: from HE1EUR01FT052.eop-EUR01.prod.protection.outlook.com (2603:10a6:150:f9:cafe::f7) by GVYP280CA0032.outlook.office365.com (2603:10a6:150:f9::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.21 via Frontend Transport; Fri, 19 May 2023 08:19:15 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 194.138.21.74) smtp.mailfrom=siemens.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=siemens.com; Received-SPF: Pass (protection.outlook.com: domain of siemens.com designates 194.138.21.74 as permitted sender) receiver=protection.outlook.com; client-ip=194.138.21.74; helo=hybrid.siemens.com; pr=C Received: from hybrid.siemens.com (194.138.21.74) by HE1EUR01FT052.mail.protection.outlook.com (10.152.1.94) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.21 via Frontend Transport; Fri, 19 May 2023 08:19:15 +0000 Received: from DEMCHDC8WBA.ad011.siemens.net (139.25.226.105) by DEMCHDC8VQA.ad011.siemens.net (194.138.21.74) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.25; Fri, 19 May 2023 10:19:13 +0200 Received: from md3hr6tc.ad001.siemens.net (139.22.107.140) by DEMCHDC8WBA.ad011.siemens.net (139.25.226.105) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.25; Fri, 19 May 2023 10:19:13 +0200 From: Andrej Valek To: CC: Andrej Valek , Peter Marko Subject: [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Date: Fri, 19 May 2023 10:18:50 +0200 Message-ID: <20230519081850.82586-3-andrej.valek@siemens.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230505111814.491483-1-andrej.valek@siemens.com> References: <20230505111814.491483-1-andrej.valek@siemens.com> MIME-Version: 1.0 X-Originating-IP: [139.22.107.140] X-ClientProxiedBy: DEMCHDC8WAA.ad011.siemens.net (139.25.226.104) To DEMCHDC8WBA.ad011.siemens.net (139.25.226.105) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: HE1EUR01FT052:EE_|VI1PR10MB7781:EE_ X-MS-Office365-Filtering-Correlation-Id: 76425dbb-7de4-49dc-dd9f-08db5841bbef X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: bEj79/rYoSAwK5p+PXNzEaojSCTI/0q/O3gWjbc5vtu5VxJK+2jwJ6AXq6jo+Qgn767T7QYY8tYdEEQ/JoQus7gtGCrTz2lhDO8b+4vq3SDqbkX9I+q//bPk9ATenOTfysebWEB8kuoLYuiE/Qd1JS5e+wIcKo1+Vck+Ks9O2juxsaxiyXaug1LxlcnU1Nr/OtNIZVdQwu1LTjGmn5fyOx+5zAVJqPaJoB9BhinXTP/4Pm3j4fxfceghAt+/hQMRhM0kaAWHSZ/WTsGP+lCY3CPr5QSOgPgm8bwVRqmTwKLeyRRPKiZruMLlg72oT5N0NR5Y/eahQ2M1FQSeOtd3X+1cSCZcL73L1cXgJyV/VTqFj0UOsEM0jS/mI3G6g0p2DqDnGpDS+Oo9nuIj0tFwjATPt7XgEpZXBmdxJ9AkPiLIxQEDWds+OEZFaktTdIKToxVoTjEeF9XZI31jYnTMWfK3J3Hkwe8QU8/8L5xwdILpsYR+dvYDAlhhV5ScsPTc2Y0yeeT+y23BMZdmQI3BuDT8n8n/Lf0Yqo7C2fmMMuwdA9NomibFTA8gekLr70RRe55PY2hrndXxIpZJB2oH2yse9Yv+NKJ1MZn+A65cXJs47E7QYUMsY4n0+9E/i1nq2YjACmTKxJUo/t70AYrbFgi/gkuDZQ28wPyRRi9HIh7RIDCIOZ/W+E27uZPA1I90xXHnEbNwAZ/ZrqQDokQjJKMkvQsV+s8pcQOrPOcC5Q4= X-Forefront-Antispam-Report: CIP:194.138.21.74;CTRY:DE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:hybrid.siemens.com;PTR:hybrid.siemens.com;CAT:NONE;SFS:(13230028)(4636009)(136003)(396003)(39860400002)(346002)(376002)(451199021)(46966006)(40470700004)(36840700001)(40460700003)(66899021)(6666004)(316002)(70206006)(6916009)(4326008)(478600001)(45080400002)(70586007)(966005)(54906003)(36756003)(86362001)(83380400001)(1076003)(47076005)(36860700001)(956004)(16526019)(186003)(26005)(2616005)(107886003)(44832011)(8936002)(5660300002)(336012)(30864003)(40480700001)(2906002)(8676002)(356005)(82310400005)(7636003)(41300700001)(82960400001)(82740400003)(7596003)(579004)(559001);DIR:OUT;SFP:1101; X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 May 2023 08:19:15.1141 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 76425dbb-7de4-49dc-dd9f-08db5841bbef X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;Ip=[194.138.21.74];Helo=[hybrid.siemens.com] X-MS-Exchange-CrossTenant-AuthSource: HE1EUR01FT052.eop-EUR01.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR10MB7781 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 19 May 2023 08:19:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/181539 - Try to add convert and apply statuses for old CVEs - Drop some obsolete ignores, while they are not relevant for current version Signed-off-by: Andrej Valek Reviewed-by: Peter Marko --- .../distro/include/cve-extra-exclusions.inc | 281 +++++++++++------- meta/recipes-bsp/grub/grub2.inc | 9 +- meta/recipes-connectivity/avahi/avahi_0.8.bb | 4 +- .../recipes-connectivity/bind/bind_9.18.13.bb | 3 +- .../bluez5/bluez5_5.66.bb | 6 +- .../openssh/openssh_9.3p1.bb | 12 +- .../openssl/openssl_3.1.0.bb | 3 +- meta/recipes-core/coreutils/coreutils_9.1.bb | 3 +- meta/recipes-core/glibc/glibc_2.37.bb | 12 +- meta/recipes-core/libxml/libxml2_2.10.4.bb | 3 +- meta/recipes-core/systemd/systemd_253.3.bb | 4 +- meta/recipes-devtools/cmake/cmake.inc | 5 +- meta/recipes-devtools/flex/flex_2.6.4.bb | 3 +- meta/recipes-devtools/gcc/gcc-12.2.inc | 3 - meta/recipes-devtools/git/git_2.39.2.bb | 12 +- meta/recipes-devtools/jquery/jquery_3.6.3.bb | 6 +- .../recipes-devtools/python/python3_3.11.2.bb | 18 +- meta/recipes-devtools/qemu/qemu.inc | 13 +- meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 - meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 4 +- meta/recipes-extended/cpio/cpio_2.13.bb | 4 +- meta/recipes-extended/cups/cups.inc | 24 +- .../ghostscript/ghostscript_10.0.0.bb | 3 +- .../iputils/iputils_20221126.bb | 7 +- .../libtirpc/libtirpc_1.3.3.bb | 4 +- meta/recipes-extended/procps/procps_4.0.3.bb | 4 +- meta/recipes-extended/shadow/shadow_4.13.bb | 8 +- meta/recipes-extended/unzip/unzip_6.0.bb | 3 +- .../xinetd/xinetd_2.3.15.4.bb | 3 +- meta/recipes-extended/zip/zip_3.0.bb | 8 +- .../libnotify/libnotify_0.8.2.bb | 4 +- meta/recipes-gnome/librsvg/librsvg_2.54.5.bb | 4 +- meta/recipes-graphics/builder/builder_0.1.bb | 3 +- .../xorg-xserver/xserver-xorg.inc | 13 +- .../linux/cve-exclusion_6.1.inc | 14 +- .../libpng/libpng_1.6.39.bb | 4 +- meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 10 +- .../libgcrypt/libgcrypt_1.10.1.bb | 6 +- .../recipes-support/libxslt/libxslt_1.1.37.bb | 5 +- meta/recipes-support/lz4/lz4_1.9.4.bb | 4 +- meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 13 +- 41 files changed, 325 insertions(+), 230 deletions(-) diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 0ca75bae3ef..1cb32db814d 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -19,7 +19,8 @@ # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 # CVE is more than 20 years old with no resolution evident # broken links in CVE database references make resolution impractical -CVE_CHECK_IGNORE += "CVE-2000-0006" +CVE_STATUS[CVE-2000-0006] = "Ignored" +CVE_STATUS_REASONING[CVE-2000-0006] = "CVE is more than 20 years old with no resolution evident." # epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238 # The issue here is spoofing of domain names using characters from other character sets. @@ -28,31 +29,39 @@ CVE_CHECK_IGNORE += "CVE-2000-0006" # there is unlikely ever to be a single fix to webkit or epiphany which addresses this # problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further # we can seem to take. -CVE_CHECK_IGNORE += "CVE-2005-0238" +CVE_STATUS[CVE-2005-0238] = "Ignored" +CVE_STATUS_REASONING[CVE-2005-0238] = "There isn't any mitigation or fix or way to progress this further." # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756 # Issue is memory exhaustion via glob() calls, e.g. from within an ftp server # Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 # Upstream don't see it as a security issue, ftp servers shouldn't be passing # this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar -CVE_CHECK_IGNORE += "CVE-2010-4756" +CVE_STATUS[CVE-2010-4756] = "Ignored" +CVE_STATUS_REASONING[CVE-2010-4756] = "Upstream have no plans to add BSD's GLOB_LIMIT or similar." # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511 # The encoding/xml package in go can potentially be used for security exploits if not used correctly # CVE applies to a netapp product as well as flagging a general issue. We don't ship anything # exposing this interface in an exploitable way -CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511" +CVE_STATUS[CVE-2020-29509] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-29509] = "We don't ship anything exposing this interface in an exploitable way." +CVE_STATUS[CVE-2020-29511] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-29511] = "We don't ship anything exposing this interface in an exploitable way." # db # Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with # supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed. -CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \ +CVE_STATUS_GROUPS += "CVE_STATUS_DB" +CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \ CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \ CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \ CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" - +CVE_STATUS_DB[status] = "Ignored" +CVE_STATUS_DB[reason] = "Since Oracle relicensed bdb, the open source community is slowly but surely \ +replacing bdb with supported and open source friendly alternatives" # # Kernel CVEs, e.g. linux-yocto* @@ -65,60 +74,77 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" # issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd # welcome than and then entries can likely be removed from here. # + +CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2019 CVE_STATUS_KERNEL_2020" # 1999-2010 -CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \ - CVE-2008-4609 CVE-2010-0298 CVE-2010-4563" +CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \ + CVE-2008-4609 CVE-2010-0298 CVE-2010-4563" +CVE_STATUS_KERNEL_2010[status] = "Ignored" + # 2011-2017 -CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \ - CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264" +CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \ + CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264" +CVE_STATUS_KERNEL_2017[status] = "Ignored" + # 2018 -CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \ - CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873 CVE-2018-6559" +CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \ + CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873 CVE-2018-6559" +CVE_STATUS_KERNEL_2018[status] = "Ignored" + # 2019 -CVE_CHECK_IGNORE += "CVE-2019-10126 CVE-2019-14899 CVE-2019-18910 CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887" +CVE_STATUS_KERNEL_2019 = "CVE-2019-10126 CVE-2019-14899 CVE-2019-18910 CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887" +CVE_STATUS_KERNEL_2019[status] = "Ignored" + # 2020 -CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834" +CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834" +CVE_STATUS_KERNEL_2020[status] = "Ignored" # https://nvd.nist.gov/vuln/detail/CVE-2020-27784 # Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9 -# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1 -# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3 -CVE_CHECK_IGNORE += "CVE-2020-27784" +# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1 +# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3 +CVE_STATUS[CVE-2020-27784] = "Patched" +CVE_STATUS_REASONING[CVE-2020-27784] = "Backported in version v5.4.73" # 2021 -CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \ - CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402" +CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2021" +CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \ + CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402" +CVE_STATUS_KERNEL_2021[status] = "Ignored" # https://nvd.nist.gov/vuln/detail/CVE-2021-3669 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9 -CVE_CHECK_IGNORE += "CVE-2021-3669" +CVE_STATUS[CVE-2021-3669] = "Patched" # https://nvd.nist.gov/vuln/detail/CVE-2021-3759 # Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996 # Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f # Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92 # Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196 -CVE_CHECK_IGNORE += "CVE-2021-3759" +CVE_STATUS[CVE-2021-3759] = "Patched" +CVE_STATUS_REASONING[CVE-2021-3759] = "Backported in versions v5.4.224 and v5.10.154" # https://nvd.nist.gov/vuln/detail/CVE-2021-4218 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469 -CVE_CHECK_IGNORE += "CVE-2021-4218" +CVE_STATUS[CVE-2021-4218] = "Patched" # 2022 -CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \ - CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \ - CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \ - CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \ - CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \ - CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \ - CVE-2022-29582 CVE-2022-29968" +CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2022" +CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \ + CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \ + CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \ + CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \ + CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \ + CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \ + CVE-2022-29582 CVE-2022-29968" +CVE_STATUS_KERNEL_2022[status] = "Ignored" # https://nvd.nist.gov/vuln/detail/CVE-2022-0480 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042 -CVE_CHECK_IGNORE += "CVE-2022-0480" +CVE_STATUS[CVE-2022-0480] = "Patched" # https://nvd.nist.gov/vuln/detail/CVE-2022-1184 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -126,7 +152,8 @@ CVE_CHECK_IGNORE += "CVE-2022-0480" # Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064 # Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb # Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d -CVE_CHECK_IGNORE += "CVE-2022-1184" +CVE_STATUS[CVE-2022-1184] = "Patched" +CVE_STATUS_REASONING[CVE-2022-1184] = "Backported in versions v5.4.198, v5.10.121 and v5.15.46" # https://nvd.nist.gov/vuln/detail/CVE-2022-1462 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -134,7 +161,8 @@ CVE_CHECK_IGNORE += "CVE-2022-1184" # Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132 # Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29 -CVE_CHECK_IGNORE += "CVE-2022-1462" +CVE_STATUS[CVE-2022-1462] = "Patched" +CVE_STATUS_REASONING[CVE-2022-1462] = "Backported in versions v5.4.208, v5.10.134 and v5.15.58" # https://nvd.nist.gov/vuln/detail/CVE-2022-2196 # Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54 @@ -144,19 +172,21 @@ CVE_CHECK_IGNORE += "CVE-2022-1462" # Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349 # Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35 # Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15 -CVE_CHECK_IGNORE += "CVE-2022-2196" +CVE_STATUS[CVE-2022-2196] = "Patched" +CVE_STATUS_REASONING[CVE-2022-2196] = "Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14" # https://nvd.nist.gov/vuln/detail/CVE-2022-2308 # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b # Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a # Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac -CVE_CHECK_IGNORE += "CVE-2022-2308" +CVE_STATUS[CVE-2022-2308] = "Patched" +CVE_STATUS_REASONING[CVE-2022-2308] = "Backported in versions v5.15.72 and v5.19.14" # https://nvd.nist.gov/vuln/detail/CVE-2022-2327 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859 -CVE_CHECK_IGNORE += "CVE-2022-2327" +CVE_STATUS[CVE-2022-2327] = "Patched" # https://nvd.nist.gov/vuln/detail/CVE-2022-2663 # Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008 @@ -165,19 +195,22 @@ CVE_CHECK_IGNORE += "CVE-2022-2327" # Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca # Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4 # Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d -CVE_CHECK_IGNORE += "CVE-2022-2663" +CVE_STATUS[CVE-2022-2663] = "Patched" +CVE_STATUS_REASONING[CVE-2022-2663] = "Backported in versions v5.4.213, v5.10.143, v5.15.68 and v5.19.9" # https://nvd.nist.gov/vuln/detail/CVE-2022-2785 # Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74 # Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46 # Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd -CVE_CHECK_IGNORE += "CVE-2022-2785" +CVE_STATUS[CVE-2022-2785] = "Patched" +CVE_STATUS_REASONING[CVE-2022-2785] = "Backported in version v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3176 # Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58 # Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396 # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5 -CVE_CHECK_IGNORE += "CVE-2022-3176" +CVE_STATUS[CVE-2022-3176] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3176] = "Backported in version v5.15.65" # https://nvd.nist.gov/vuln/detail/CVE-2022-3424 # Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf @@ -186,7 +219,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3176" # Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c # Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106 # Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e -CVE_CHECK_IGNORE += "CVE-2022-3424" +CVE_STATUS[CVE-2022-3424] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3424] = "Backported in versions v5.4.229, v5.10.163, v5.15.86 and v6.1.2" # https://nvd.nist.gov/vuln/detail/CVE-2022-3435 # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82 @@ -197,13 +231,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3424" # Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32 # Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e # Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133 -CVE_CHECK_IGNORE += "CVE-2022-3435" +CVE_STATUS[CVE-2022-3435] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3435] = "Backported in versions v5.4.226, v5.10.158 and v5.15.82" # https://nvd.nist.gov/vuln/detail/CVE-2022-3526 # Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d # Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442 # Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b -CVE_CHECK_IGNORE += "CVE-2022-3526" +CVE_STATUS[CVE-2022-3526] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3526] = "Backported in version v5.15.35" # https://nvd.nist.gov/vuln/detail/CVE-2022-3534 # Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59 @@ -211,20 +247,23 @@ CVE_CHECK_IGNORE += "CVE-2022-3526" # Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8 # Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b # Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d -CVE_CHECK_IGNORE += "CVE-2022-3534" +CVE_STATUS[CVE-2022-3534] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3534] = "Backported in versions v5.10.163, v5.15.86 and v6.1.2" # https://nvd.nist.gov/vuln/detail/CVE-2022-3564 # Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060 # Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966 # Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569 # Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde -CVE_CHECK_IGNORE += "CVE-2022-3564" +CVE_STATUS[CVE-2022-3564] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3564] = "Backported in versions v5.10.154 and v5.15.78" # https://nvd.nist.gov/vuln/detail/CVE-2022-3619 # Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528 # Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42 # Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c -CVE_CHECK_IGNORE += "CVE-2022-3619" +CVE_STATUS[CVE-2022-3619] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3619] = "Backported in version v5.15.78" # https://nvd.nist.gov/vuln/detail/CVE-2022-3621 # Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184 @@ -233,7 +272,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3619" # Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2 # Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55 # Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd -CVE_CHECK_IGNORE += "CVE-2022-3621" +CVE_STATUS[CVE-2022-3621] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3621] = "Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16" # https://nvd.nist.gov/vuln/detail/CVE-2022-3623 # Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8 @@ -242,12 +282,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3621" # Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850 # Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff # Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54 -CVE_CHECK_IGNORE += "CVE-2022-3623" +CVE_STATUS[CVE-2022-3623] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3623] = "Backported in versions v5.4.228, v5.10.159, v5.15.78 and v5.19.17" # https://nvd.nist.gov/vuln/detail/CVE-2022-3624 # Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e # Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971 -CVE_CHECK_IGNORE += "CVE-2022-3624" +CVE_STATUS[CVE-2022-3624] = "Patched" # https://nvd.nist.gov/vuln/detail/CVE-2022-3625 # Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0 @@ -256,7 +297,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3624" # Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33 # Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301 # Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9 -CVE_CHECK_IGNORE += "CVE-2022-3625" +CVE_STATUS[CVE-2022-3625] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3625] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3629 # Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238 @@ -265,13 +307,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3625" # Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50 # Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795 # Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72 -CVE_CHECK_IGNORE += "CVE-2022-3629" +CVE_STATUS[CVE-2022-3629] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3629] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3630 # Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da # Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1 # Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b -CVE_CHECK_IGNORE += "CVE-2022-3630" +CVE_STATUS[CVE-2022-3630] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3630] = "Backported in version v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3633 # Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c @@ -280,7 +324,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3630" # Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027 # Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2 # Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de -CVE_CHECK_IGNORE += "CVE-2022-3633" +CVE_STATUS[CVE-2022-3633] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3633] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3635 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -289,12 +334,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3633" # Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e # Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4 # Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835 -CVE_CHECK_IGNORE += "CVE-2022-3635" +CVE_STATUS[CVE-2022-3635] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3635] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4" # https://nvd.nist.gov/vuln/detail/CVE-2022-3636 # Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7 # Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6 -CVE_CHECK_IGNORE += "CVE-2022-3636" +CVE_STATUS[CVE-2022-3636] = "Patched" # https://nvd.nist.gov/vuln/detail/CVE-2022-3640 # Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0 @@ -305,7 +351,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3636" # Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab # Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd # Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a -CVE_CHECK_IGNORE += "CVE-2022-3640" +CVE_STATUS[CVE-2022-3640] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3640] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78" # https://nvd.nist.gov/vuln/detail/CVE-2022-3646 # Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453 @@ -314,7 +361,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3640" # Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee # Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc # Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570 -CVE_CHECK_IGNORE += "CVE-2022-3646" +CVE_STATUS[CVE-2022-3646] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3646] = "Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16" # https://nvd.nist.gov/vuln/detail/CVE-2022-3649 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -323,7 +371,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3646" # Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652 # Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006 # Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4 -CVE_CHECK_IGNORE += "CVE-2022-3649" +CVE_STATUS[CVE-2022-3649] = "Patched" +CVE_STATUS_REASONING[CVE-2022-3649] = "Backported in versions v5.4.220, v5.10.148, v5.15.74 and v5.19.16" # https://nvd.nist.gov/vuln/detail/CVE-2022-4382 # Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191 @@ -332,7 +381,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3649" # Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4 # Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9 # Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3 -CVE_CHECK_IGNORE += "CVE-2022-4382" +CVE_STATUS[CVE-2022-4382] = "Patched" +CVE_STATUS_REASONING[CVE-2022-4382] = "Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8" # https://nvd.nist.gov/vuln/detail/CVE-2022-26365 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -340,7 +390,8 @@ CVE_CHECK_IGNORE += "CVE-2022-4382" # Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506 # Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1 # Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9 -CVE_CHECK_IGNORE += "CVE-2022-26365" +CVE_STATUS[CVE-2022-26365] = "Patched" +CVE_STATUS_REASONING[CVE-2022-26365] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53" # https://nvd.nist.gov/vuln/detail/CVE-2022-33740 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -348,7 +399,8 @@ CVE_CHECK_IGNORE += "CVE-2022-26365" # Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14 # Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404 # Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961 -CVE_CHECK_IGNORE += "CVE-2022-33740" +CVE_STATUS[CVE-2022-33740] = "Patched" +CVE_STATUS_REASONING[CVE-2022-33740] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53" # https://nvd.nist.gov/vuln/detail/CVE-2022-33741 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -356,7 +408,8 @@ CVE_CHECK_IGNORE += "CVE-2022-33740" # Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd # Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca # Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49 -CVE_CHECK_IGNORE += "CVE-2022-33741" +CVE_STATUS[CVE-2022-33741] = "Patched" +CVE_STATUS_REASONING[CVE-2022-33741] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53" # https://nvd.nist.gov/vuln/detail/CVE-2022-33742 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -364,15 +417,17 @@ CVE_CHECK_IGNORE += "CVE-2022-33741" # Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997 # Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6 # Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3 -CVE_CHECK_IGNORE += "CVE-2022-33742" +CVE_STATUS[CVE-2022-33742] = "Patched" +CVE_STATUS_REASONING[CVE-2022-33742] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53" # https://nvd.nist.gov/vuln/detail/CVE-2022-42895 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e -# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422 -# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7 # Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89 -CVE_CHECK_IGNORE += "CVE-2022-42895" +# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7 +# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422 +CVE_STATUS[CVE-2022-42895] = "Patched" +CVE_STATUS_REASONING[CVE-2022-42895] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78" # https://nvd.nist.gov/vuln/detail/CVE-2022-42896 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 @@ -380,7 +435,8 @@ CVE_CHECK_IGNORE += "CVE-2022-42895" # Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b # Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476 # Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a -CVE_CHECK_IGNORE += "CVE-2022-42896" +CVE_STATUS[CVE-2022-42896] = "Patched" +CVE_STATUS_REASONING[CVE-2022-42896] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78" # 2023 @@ -390,14 +446,16 @@ CVE_CHECK_IGNORE += "CVE-2022-42896" # Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa # Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3 # Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3 -CVE_CHECK_IGNORE += "CVE-2023-0179" +CVE_STATUS[CVE-2023-0179] = "Patched" +CVE_STATUS_REASONING[CVE-2023-0179] = "Backported in versions v5.10.164, v5.15.89 and v6.1.7" # https://nvd.nist.gov/vuln/detail/CVE-2023-0266 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e # Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c # Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1 -CVE_CHECK_IGNORE += "CVE-2023-0266" +CVE_STATUS[CVE-2023-0266] = "Patched" +CVE_STATUS_REASONING[CVE-2023-0266] = "Backported in versions v5.15.88 and v6.1.6" # https://nvd.nist.gov/vuln/detail/CVE-2023-0394 # Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251 @@ -406,7 +464,8 @@ CVE_CHECK_IGNORE += "CVE-2023-0266" # Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5 # Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4 -CVE_CHECK_IGNORE += "CVE-2023-0394" +CVE_STATUS[CVE-2023-0394] = "Patched" +CVE_STATUS_REASONING[CVE-2023-0394] = "Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7" # https://nvd.nist.gov/vuln/detail/CVE-2023-0461 # Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578 @@ -415,28 +474,32 @@ CVE_CHECK_IGNORE += "CVE-2023-0394" # Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0 # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6 # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c -CVE_CHECK_IGNORE += "CVE-2023-0461" +CVE_STATUS[CVE-2023-0461] = "Patched" +CVE_STATUS_REASONING[CVE-2023-0461] = "Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.7" # https://nvd.nist.gov/vuln/detail/CVE-2023-0386 # Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203 # Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3 -# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81 -# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e -CVE_CHECK_IGNORE += "CVE-2023-0386" +# Backported in version v5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e +# Backported in version v6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81 +CVE_STATUS[CVE-2023-0386] = "Patched" +CVE_STATUS_REASONING[CVE-2023-0386] = "Backported in versions v5.15.91 and v6.1.9" # https://nvd.nist.gov/vuln/detail/CVE-2023-1073 # Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5 # Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456 -# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58 -# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64 -# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d -CVE_CHECK_IGNORE += "CVE-2023-1073" +# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58 +# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64 +# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d +CVE_STATUS[CVE-2023-1073] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1073] = "Backported in versions v5.10.166, v5.15.91 and v6.1.9" # https://nvd.nist.gov/vuln/detail/CVE-2023-1074 # Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f -# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32 -# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3 -CVE_CHECK_IGNORE += "CVE-2023-1074" +# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32 +# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3 +CVE_STATUS[CVE-2023-1074] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1074] = "Backported in versions v5.15.91 and v6.1.9" # https://nvd.nist.gov/vuln/detail/CVE-2023-1076 # Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a @@ -445,19 +508,22 @@ CVE_CHECK_IGNORE += "CVE-2023-1074" # Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427 # Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44 # Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6 -CVE_CHECK_IGNORE += "CVE-2023-1076" +CVE_STATUS[CVE-2023-1076] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1076] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3" # https://nvd.nist.gov/vuln/detail/CVE-2023-1077 # Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97 -# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7 -# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3 -CVE_CHECK_IGNORE += "CVE-2023-1077" +# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7 +# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3 +CVE_STATUS[CVE-2023-1077] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1077] = "Backported in versions v5.15.99 and v6.1.16" # https://nvd.nist.gov/vuln/detail/CVE-2023-1078 # Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d -# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba -# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3 -CVE_CHECK_IGNORE += "CVE-2023-1078" +# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba +# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3 +CVE_STATUS[CVE-2023-1078] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1078] = "Backported in versions v5.15.94 and v6.1.12" # https://nvd.nist.gov/vuln/detail/CVE-2023-1079 # Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df @@ -466,7 +532,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1078" # Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138 # Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e # Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540 -CVE_CHECK_IGNORE += "CVE-2023-1079" +CVE_STATUS[CVE-2023-1079] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1079] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3" # https://nvd.nist.gov/vuln/detail/CVE-2023-1118 # Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6 @@ -476,7 +543,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1079" # Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28 # Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a # Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555 -CVE_CHECK_IGNORE += "CVE-2023-1118" +CVE_STATUS[CVE-2023-1118] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1118] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3" # https://nvd.nist.gov/vuln/detail/CVE-2023-1281 # Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6 @@ -484,7 +552,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1118" # Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4 # Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da # Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f -CVE_CHECK_IGNORE += "CVE-2023-1281" +CVE_STATUS[CVE-2023-1281] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1281] = "Backported in versions v5.10.169, v5.15.95 and v6.1.13" # https://nvd.nist.gov/vuln/detail/CVE-2023-1513 # Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952 @@ -492,7 +561,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1281" # Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107 # Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8 # Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb -CVE_CHECK_IGNORE += "CVE-2023-1513" +CVE_STATUS[CVE-2023-1513] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1513] = "Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13" # https://nvd.nist.gov/vuln/detail/CVE-2023-1652 # Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd @@ -500,7 +570,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1513" # Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652 # Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652 -CVE_CHECK_IGNORE += "CVE-2023-1652" +CVE_STATUS[CVE-2023-1652] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1652] = "Backported in versions v5.15.91 and v6.1.9" # https://nvd.nist.gov/vuln/detail/CVE-2023-1829 # Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28 @@ -511,7 +582,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1652" # Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829 # Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829 -CVE_CHECK_IGNORE += "CVE-2023-1829" +CVE_STATUS[CVE-2023-1829] = "Patched" +CVE_STATUS_REASONING[CVE-2023-1829] = "Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5" # https://nvd.nist.gov/vuln/detail/CVE-2023-23005 # Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b @@ -521,7 +593,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1829" # > in which a user can cause the alloc_memory_type error case to be reached. # See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2 # We can safely ignore it. -CVE_CHECK_IGNORE += "CVE-2023-23005" +CVE_STATUS[CVE-2023-23005] = "Patched" +CVE_STATUS_REASONING[CVE-2023-23005] = "Disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached." # https://nvd.nist.gov/vuln/detail/CVE-2023-28466 # Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 @@ -529,31 +602,33 @@ CVE_CHECK_IGNORE += "CVE-2023-23005" # Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa # Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123 # Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce -CVE_CHECK_IGNORE += "CVE-2023-28466" +CVE_STATUS[CVE-2023-28466] = "Patched" +CVE_STATUS_REASONING[CVE-2023-28466] = "Backported in versions v5.15.105, v6.1.20 and v6.2.7" # Wrong CPE in NVD database # https://nvd.nist.gov/vuln/detail/CVE-2022-3563 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637 # Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git -CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637" +CVE_STATUS[CVE-2022-3563] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-3563] = "Wrong CPE in NVD database" +CVE_STATUS[CVE-2022-3637] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-3637] = "Wrong CPE in NVD database" # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html # qemu maintainers say the patch is incorrect and should not be applied -# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable -CVE_CHECK_IGNORE += "CVE-2021-20255" +CVE_STATUS[CVE-2021-20255] = "Ignored" +CVE_STATUS_REASONING[CVE-2021-20255] = "Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable." # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 # There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can # still be reproduced or where exactly any bug is. -# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one. -CVE_CHECK_IGNORE += "CVE-2019-12067" +CVE_STATUS[CVE-2019-12067] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-12067] = "Ignore from OE's perspective as we'll pick up any fix when upstream accepts one." # nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 # It is a fuzzing related buffer overflow. It is of low impact since most devices # wouldn't expose an assembler. The upstream is inactive and there is little to be # done about the bug, ignore from an OE perspective. -CVE_CHECK_IGNORE += "CVE-2020-18974" - - - +CVE_STATUS[CVE-2020-18974] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-18974] = "Ignore from OE's perspective as the upstream is inactive and there is little to be done about the bug" diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 58b215d79c3..7a457f37b23 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -46,10 +46,11 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" -# Applies only to RHEL -CVE_CHECK_IGNORE += "CVE-2019-14865" -# Applies only to SUSE -CVE_CHECK_IGNORE += "CVE-2021-46705" +CVE_STATUS[CVE-2019-14865] = "Not applicable" +CVE_STATUS_REASONING[CVE-2019-14865] = "Applies only to RHEL" + +CVE_STATUS[CVE-2021-46705] = "Not applicable" +CVE_STATUS_REASONING[CVE-2021-46705] = "Applies only to SUSE" DEPENDS = "flex-native bison-native gettext-native" diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index bf6835e0d6f..a5b6174e37e 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -32,8 +32,8 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7" SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda" -# Issue only affects Debian/SUSE, not us -CVE_CHECK_IGNORE += "CVE-2021-26720" +CVE_STATUS[CVE-2021-26720] = "Not applicable" +CVE_STATUS_REASONING[CVE-2021-26720] = "Issue only affects Debian/SUSE" DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native gobject-introspection" diff --git a/meta/recipes-connectivity/bind/bind_9.18.13.bb b/meta/recipes-connectivity/bind/bind_9.18.13.bb index 8617137e870..c5a51695ef2 100644 --- a/meta/recipes-connectivity/bind/bind_9.18.13.bb +++ b/meta/recipes-connectivity/bind/bind_9.18.13.bb @@ -28,7 +28,8 @@ UPSTREAM_CHECK_REGEX = "(?P9.(\d*[02468])+(\.\d+)+(-P\d+)*)/" # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore # so the issue doesn't affect us. -CVE_CHECK_IGNORE += "CVE-2019-6470" +CVE_STATUS[CVE-2019-6470] = "Not applicable" +CVE_STATUS_REASONING[CVE-2019-6470] = "Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore." inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb index 2208b730b0e..3159584e9b5 100644 --- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb +++ b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb @@ -2,8 +2,10 @@ require bluez5.inc SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574" -# These issues have kernel fixes rather than bluez fixes so exclude here -CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490" +CVE_STATUS[CVE-2020-12352] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-12352] = "These issues have kernel fixes rather than bluez fixes." +CVE_STATUS[CVE-2020-24490] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-24490] = "These issues have kernel fixes rather than bluez fixes" # noinst programs in Makefile.tools that are conditional on READLINE # support diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb index d3dedd1a5a7..d6ba7ef830e 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb @@ -27,15 +27,17 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar " SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8" -# This CVE is specific to OpenSSH with the pam opie which we don't build/use here -CVE_CHECK_IGNORE += "CVE-2007-2768" +CVE_STATUS[CVE-2007-2768] = "Not applicable" +CVE_STATUS_REASONING[CVE-2007-2768] = "This CVE is specific to OpenSSH with the pam opie which we don't build/use here." # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded -CVE_CHECK_IGNORE += "CVE-2014-9278" +CVE_STATUS[CVE-2014-9278] = "Not applicable" +CVE_STATUS_REASONING[CVE-2014-9278] = "This CVE is specific to OpenSSH server, as used in Fedora and \ +Red Hat Enterprise Linux 7 and when running in a Kerberos environment" -# CVE only applies to some distributed RHEL binaries -CVE_CHECK_IGNORE += "CVE-2008-3844" +CVE_STATUS[CVE-2008-3844] = "Not applicable" +CVE_STATUS_REASONING[CVE-2008-3844] = "Only applies to some distributed RHEL binaries." PAM_SRC_URI = "file://sshd" diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.0.bb b/meta/recipes-connectivity/openssl/openssl_3.1.0.bb index b319c660440..00ee1cda61e 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.1.0.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.1.0.bb @@ -256,4 +256,5 @@ CVE_VERSION_SUFFIX = "alphabetical" # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 # Apache in meta-webserver is already recent enough -CVE_CHECK_IGNORE += "CVE-2019-0190" +CVE_STATUS[CVE-2019-0190] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-0190] = "Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37" diff --git a/meta/recipes-core/coreutils/coreutils_9.1.bb b/meta/recipes-core/coreutils/coreutils_9.1.bb index e12a6d67971..7b201b0d797 100644 --- a/meta/recipes-core/coreutils/coreutils_9.1.bb +++ b/meta/recipes-core/coreutils/coreutils_9.1.bb @@ -23,7 +23,8 @@ SRC_URI[sha256sum] = "61a1f410d78ba7e7f37a5a4f50e6d1320aca33375484a3255eddf17a38 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842 # runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue. -CVE_CHECK_IGNORE += "CVE-2016-2781" +CVE_STATUS[CVE-2016-2781] = "Ignored" +CVE_STATUS_REASONING[CVE-2016-2781] = "runcon is not really a sandbox command" EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}" EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname" diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb index b27f98fb199..98493442f91 100644 --- a/meta/recipes-core/glibc/glibc_2.37.bb +++ b/meta/recipes-core/glibc/glibc_2.37.bb @@ -6,16 +6,20 @@ require glibc-version.inc # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 # Upstream glibc maintainers dispute there is any issue and have no plans to address it further. # "this is being treated as a non-security bug and no real threat." -CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" +CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE" +CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" +CVE_STATUS_RECIPE[status] = "Ignored" +CVE_STATUS_RECIPE[reason] = "Upstream glibc maintainers dispute there is any issue and have no plans to address it further." # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 # Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow # easier access for another. "ASLR bypass itself is not a vulnerability." # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853 -CVE_CHECK_IGNORE += "CVE-2019-1010025" +CVE_STATUS[CVE-2019-1010025] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-1010025] = "ASLR bypass itself is not a vulnerability." -# This is integrated into the 2.37 branch as of 07b9521fc6 -CVE_CHECK_IGNORE += "CVE-2023-25139" +CVE_STATUS[CVE-2023-25139] = "Patched" +CVE_STATUS_REASONING[CVE-2023-25139] = "This is integrated into the 2.37 branch as of 07b9521fc6" DEPENDS += "gperf-native bison-native" diff --git a/meta/recipes-core/libxml/libxml2_2.10.4.bb b/meta/recipes-core/libxml/libxml2_2.10.4.bb index 288631504ce..d97a310aac0 100644 --- a/meta/recipes-core/libxml/libxml2_2.10.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.10.4.bb @@ -28,7 +28,8 @@ BINCONFIG = "${bindir}/xml2-config" # Fixed since 2.9.11 via # https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f -CVE_CHECK_IGNORE += "CVE-2016-3709" +CVE_STATUS[CVE-2016-3709] = "Patched" +CVE_STATUS_REASONING[CVE-2016-3709] = "Fixed since 2.9.11" PACKAGECONFIG ??= "python \ ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb index a79d6cb3ca0..a0ff4ac7da2 100644 --- a/meta/recipes-core/systemd/systemd_253.3.bb +++ b/meta/recipes-core/systemd/systemd_253.3.bb @@ -831,5 +831,5 @@ pkg_prerm:udev-hwdb () { rm -f $D${sysconfdir}/udev/hwdb.bin } -# This was also fixed in 252.4 with 9b75a3d0 -CVE_CHECK_IGNORE += "CVE-2022-4415" +CVE_STATUS[CVE-2022-4415] = "Patched" +CVE_STATUS_REASONING[CVE-2022-4415] = "This was also fixed in 252.4 with 9b75a3d0" diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc index 2b6554690b6..60bd018d4a5 100644 --- a/meta/recipes-devtools/cmake/cmake.inc +++ b/meta/recipes-devtools/cmake/cmake.inc @@ -23,6 +23,5 @@ SRC_URI[sha256sum] = "bbd8d39217509d163cb544a40d6428ac666ddc83e22905d3e52c925781 UPSTREAM_CHECK_REGEX = "cmake-(?P\d+(\.\d+)+)\.tar" -# This is specific to the npm package that installs cmake, so isn't -# relevant to OpenEmbedded -CVE_CHECK_IGNORE += "CVE-2016-10642" +CVE_STATUS[CVE-2016-10642] = "Ignored" +CVE_STATUS_REASONING[CVE-2016-10642] = "This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded" diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb index 15cf6f5ccad..1cb9c5d07b4 100644 --- a/meta/recipes-devtools/flex/flex_2.6.4.bb +++ b/meta/recipes-devtools/flex/flex_2.6.4.bb @@ -29,7 +29,8 @@ GITHUB_BASE_URI = "https://github.com/westes/flex/releases" # Disputed - yes there is stack exhaustion but no bug and it is building the # parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address # https://github.com/westes/flex/issues/414 -CVE_CHECK_IGNORE += "CVE-2019-6293" +CVE_STATUS[CVE-2019-6293] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-6293] = "There is stack exhaustion but no bug and it is building the parser, not running it" inherit autotools gettext texinfo ptest github-releases diff --git a/meta/recipes-devtools/gcc/gcc-12.2.inc b/meta/recipes-devtools/gcc/gcc-12.2.inc index 0dbbecad4ad..432c9094fe0 100644 --- a/meta/recipes-devtools/gcc/gcc-12.2.inc +++ b/meta/recipes-devtools/gcc/gcc-12.2.inc @@ -109,6 +109,3 @@ EXTRA_OECONF_PATHS = "\ --with-sysroot=/not/exist \ --with-build-sysroot=${STAGING_DIR_TARGET} \ " - -# Is a binutils 2.26 issue, not gcc -CVE_CHECK_IGNORE += "CVE-2021-37322" diff --git a/meta/recipes-devtools/git/git_2.39.2.bb b/meta/recipes-devtools/git/git_2.39.2.bb index 222e545f609..460cee42f1a 100644 --- a/meta/recipes-devtools/git/git_2.39.2.bb +++ b/meta/recipes-devtools/git/git_2.39.2.bb @@ -28,11 +28,13 @@ LIC_FILES_CHKSUM = "\ CVE_PRODUCT = "git-scm:git" # This is about a manpage not mentioning --mirror may "leak" information -# in mirrored git repos. Most OE users wouldn't build the docs and -# we don't see this as a major issue for our general users/usecases. -CVE_CHECK_IGNORE += "CVE-2022-24975" -# This is specific to Git-for-Windows -CVE_CHECK_IGNORE += "CVE-2022-41953" +# in mirrored git repos. +CVE_STATUS[CVE-2022-24975] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-24975] = "Most OE users wouldn't build the docs and \ +we don't see this as a major issue for our general users/usecases." + +CVE_STATUS[CVE-2022-41953] = "Not applicable" +CVE_STATUS_REASONING[CVE-2022-41953] = "Issue only applies on Windows" PACKAGECONFIG ??= "expat curl" PACKAGECONFIG[cvsserver] = "" diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb index 93f87f730d4..c3b67a3b7b2 100644 --- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb +++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb @@ -20,9 +20,9 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab UPSTREAM_CHECK_REGEX = "jquery-(?P\d+(\.\d+)+)\.js" # https://github.com/jquery/jquery/issues/3927 -# There are ways jquery can expose security issues but any issues are in the apps exposing them -# and there is little we can directly do -CVE_CHECK_IGNORE += "CVE-2007-2379" +CVE_STATUS[CVE-2007-2379] = "Ignored" +CVE_STATUS_REASONING[CVE-2007-2379] = "There are ways jquery can expose security issues \ +but any issues are in the apps exposing them and there is little we can directly do." inherit allarch diff --git a/meta/recipes-devtools/python/python3_3.11.2.bb b/meta/recipes-devtools/python/python3_3.11.2.bb index 421a305e22f..32d83aff6c6 100644 --- a/meta/recipes-devtools/python/python3_3.11.2.bb +++ b/meta/recipes-devtools/python/python3_3.11.2.bb @@ -47,15 +47,17 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/" CVE_PRODUCT = "python" -# Upstream consider this expected behaviour -CVE_CHECK_IGNORE += "CVE-2007-4559" -# This is not exploitable when glibc has CVE-2016-10739 fixed. -CVE_CHECK_IGNORE += "CVE-2019-18348" -# These are specific to Microsoft Windows -CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488" -# The mailcap module is insecure by design, so this can't be fixed in a meaningful way. +CVE_STATUS[CVE-2007-4559] = "Ignored" +CVE_STATUS_REASONING[CVE-2007-4559] = "Upstream consider this expected behaviour" +CVE_STATUS[CVE-2019-18348] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-18348] = "This is not exploitable when glibc has CVE-2016-10739 fixed" +CVE_STATUS[CVE-2020-15523] = "Not applicable" +CVE_STATUS_REASONING[CVE-2020-15523] = "Issue only applies on Windows" +CVE_STATUS[CVE-2022-26488] = "Not applicable" +CVE_STATUS_REASONING[CVE-2022-26488] = "Issue only applies on Windows" # The module will be removed in the future and flaws documented. -CVE_CHECK_IGNORE += "CVE-2015-20107" +CVE_STATUS[CVE-2015-20107] = "Ignored" +CVE_STATUS_REASONING[CVE-2015-20107] = "The mailcap module is insecure by design, so this can't be fixed in a meaningful way" PYTHON_MAJMIN = "3.11" diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 394fa2acabf..b3ff0d81763 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -39,16 +39,15 @@ SRC_URI[sha256sum] = "bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb9113 SRC_URI:append:class-target = " file://cross.patch" SRC_URI:append:class-nativesdk = " file://cross.patch" -# Applies against virglrender < 0.6.0 and not qemu itself -CVE_CHECK_IGNORE += "CVE-2017-5957" +CVE_STATUS[CVE-2017-5957] = "Not applicable" +CVE_STATUS_REASONING[CVE-2017-5957] = "Applies against virglrender < 0.6.0 and not qemu itself" -# The VNC server can expose host files uder some circumstances. We don't -# enable it by default. -CVE_CHECK_IGNORE += "CVE-2007-0998" +CVE_STATUS[CVE-2007-0998] = "Ignored" +CVE_STATUS_REASONING[CVE-2007-0998] = "The VNC server can expose host files uder some circumstances. We don't enable it by default." -# 'The issues identified by this CVE were determined to not constitute a vulnerability.' # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 -CVE_CHECK_IGNORE += "CVE-2018-18438" +CVE_STATUS[CVE-2018-18438] = "Ignored" +CVE_STATUS_REASONING[CVE-2018-18438] = "The issues identified by this CVE were determined to not constitute a vulnerability." # As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664 # https://bugzilla.redhat.com/show_bug.cgi?id=2167423 diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 19574bcb1cd..130581a7853 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb @@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb" -# -16548 required for v3.1.3pre1. Already in v3.1.3. -CVE_CHECK_IGNORE += " CVE-2017-16548 " - inherit autotools-brokensep PACKAGECONFIG ??= "acl attr \ diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb index 982f370edb7..00db737b7d6 100644 --- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb +++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb @@ -29,9 +29,9 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f SRC_URI:class-native = "${BASE_SRC_URI}" -# Upstream don't believe this is an exploitable issue # https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7 -CVE_CHECK_IGNORE += "CVE-2021-35331" +CVE_STATUS[CVE-2021-35331] = "Ignored" +CVE_STATUS_REASONING[CVE-2021-35331] = "Upstream don't believe this is an exploitable issue" UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html" UPSTREAM_CHECK_REGEX = "tcl(?P\d+(\.\d+)+)-src" diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb index 55bcc606b37..93a3360135d 100644 --- a/meta/recipes-extended/cpio/cpio_2.13.bb +++ b/meta/recipes-extended/cpio/cpio_2.13.bb @@ -22,8 +22,8 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8 inherit autotools gettext texinfo ptest -# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us -CVE_CHECK_IGNORE += "CVE-2010-4226" +CVE_STATUS[CVE-2010-4226] = "Not applicable" +CVE_STATUS_REASONING[CVE-2010-4226] = "Issue applies to use of cpio in SUSE/OBS" EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}" diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index da320b10855..086c467b00c 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -19,14 +19,18 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" -# Issue only applies to MacOS -CVE_CHECK_IGNORE += "CVE-2008-1033" -# Issue affects pdfdistiller plugin used with but not part of cups -CVE_CHECK_IGNORE += "CVE-2009-0032" -# This is an Ubuntu only issue. -CVE_CHECK_IGNORE += "CVE-2018-6553" -# This is fixed in 2.4.2 but the cve-check class still reports it -CVE_CHECK_IGNORE += "CVE-2022-26691" +CVE_STATUS[CVE-2008-1033] = "Not applicable" +CVE_STATUS_REASONING[CVE-2008-1033] = "Issue only applies to MacOS" +CVE_STATUS[CVE-2009-0032] = "Ignored" +CVE_STATUS_REASONING[CVE-2009-0032] = "Issue affects pdfdistiller plugin used with but not part of cups" +CVE_STATUS[CVE-2018-6553] = "Not applicable" +CVE_STATUS_REASONING[CVE-2018-6553] = "This is an Ubuntu only issue" +CVE_STATUS[CVE-2022-26691] = "Patched" +CVE_STATUS_REASONING[CVE-2022-26691] = "This is fixed in 2.4.2 but the cve-check class still reports it" + +# -25317 concerns /var/log/cups having lp ownership. +CVE_STATUS[CVE-2021-25317] = "Ignored" +CVE_STATUS_REASONING[CVE-2009-0032] = "Our /var/log/cups is root:root, so this doesn't apply." LEAD_SONAME = "libcupsdriver.so" @@ -114,7 +118,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess" cups_sysroot_preprocess () { sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:' } - -# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is -# root:root, so this doesn't apply. -CVE_CHECK_IGNORE += "CVE-2021-25317" diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb index 86ecdbe24af..79a9d255749 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb @@ -21,7 +21,8 @@ UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)\.tar" # As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources # however we use an external jpeg which doesn't have the issue. -CVE_CHECK_IGNORE += "CVE-2013-6629" +CVE_STATUS[CVE-2013-6629] = "Ignored" +CVE_STATUS_REASONING[CVE-2013-6629] = "We use an external jpeg which doesn't have the issue" def gs_verdir(v): return "".join(v.split(".")) diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb index cd5fe9bd3ea..7891f0ffa35 100644 --- a/meta/recipes-extended/iputils/iputils_20221126.bb +++ b/meta/recipes-extended/iputils/iputils_20221126.bb @@ -17,9 +17,10 @@ S = "${WORKDIR}/git" UPSTREAM_CHECK_GITTAGREGEX = "(?P20\d+)" -# Fixed in 2000-10-10, but the versioning of iputils -# breaks the version order. -CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214" +CVE_STATUS[CVE-2000-1213] = "Patched" +CVE_STATUS_REASONING[CVE-2000-1213] = "Fixed in 2000-10-10, but the versioning of iputils breaks the version order." +CVE_STATUS[CVE-2000-1214] = "Patched" +CVE_STATUS_REASONING[CVE-2000-1214] = "Fixed in 2000-10-10, but the versioning of iputils breaks the version order." PACKAGECONFIG ??= "libcap" PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native" diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb index f55e0b0ed1d..fcccf68f070 100644 --- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb +++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb @@ -14,8 +14,8 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/" UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)/" SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3" -# Was fixed in 1.3.3rc1 so not present in 1.3.3 -CVE_CHECK_IGNORE += "CVE-2021-46828" +CVE_STATUS[CVE-2021-46828] = "Patched" +CVE_STATUS_REASONING[CVE-2021-46828] = "fixed in 1.3.3rc1 so not present in 1.3.3" inherit autotools pkgconfig diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb index cc3420df4e0..d9571445288 100644 --- a/meta/recipes-extended/procps/procps_4.0.3.bb +++ b/meta/recipes-extended/procps/procps_4.0.3.bb @@ -72,9 +72,9 @@ python __anonymous() { d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog)) } -# 'ps' isn't suitable for use as a security tool so whitelist this CVE. # https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3 -CVE_CHECK_IGNORE += "CVE-2018-1121" +CVE_STATUS[CVE-2018-1121] = "Ignored" +CVE_STATUS_REASONING[CVE-2018-1121] = "'ps' isn't suitable for use as a security tool so whitelist this CVE." PROCPS_PACKAGES = "${PN}-lib \ ${PN}-ps \ diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb index d1a3fd5593b..adef0461905 100644 --- a/meta/recipes-extended/shadow/shadow_4.13.bb +++ b/meta/recipes-extended/shadow/shadow_4.13.bb @@ -6,9 +6,9 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p BBCLASSEXTEND = "native nativesdk" -# Severity is low and marked as closed and won't fix. # https://bugzilla.redhat.com/show_bug.cgi?id=884658 -CVE_CHECK_IGNORE += "CVE-2013-4235" +CVE_STATUS[CVE-2013-4235] = "Ignored" +CVE_STATUS_REASONING[CVE-2013-4235] = "Severity is low and marked as closed and won't fix." -# This is an issue for a different shadow -CVE_CHECK_IGNORE += "CVE-2016-15024" +CVE_STATUS[CVE-2016-15024] = "Ignored" +CVE_STATUS_REASONING[CVE-2016-15024] = "This is an issue for a different shadow" diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index a4d10c30aa2..bd3e7f1fc88 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb @@ -39,7 +39,8 @@ SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37" # Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source -CVE_CHECK_IGNORE += "CVE-2008-0888" +CVE_STATUS[CVE-2008-0888] = "Patched" +CVE_STATUS_REASONING[CVE-2008-0888] = "Patch applied to 6.0 source" # exclude version 5.5.2 which triggers a false positive UPSTREAM_CHECK_REGEX = "unzip(?P(?!552).+)\.tgz" diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb index c390fcf33c4..7b1e8cd02a2 100644 --- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb +++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb @@ -18,7 +18,8 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4" S = "${WORKDIR}/git" # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision -CVE_CHECK_IGNORE += "CVE-2013-4342" +CVE_STATUS[CVE-2013-4342] = "Patched" +CVE_STATUS_REASONING[CVE-2013-4342] = "Fixed directly in git tree revision" inherit autotools update-rc.d systemd pkgconfig diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb index 1930a40140b..60cd565fe81 100644 --- a/meta/recipes-extended/zip/zip_3.0.bb +++ b/meta/recipes-extended/zip/zip_3.0.bb @@ -25,11 +25,11 @@ UPSTREAM_VERSION_UNKNOWN = "1" SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37" SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369" -# Disputed and also Debian doesn't consider a vulnerability -CVE_CHECK_IGNORE += "CVE-2018-13410" +CVE_STATUS[CVE-2018-13410] = "Ignored" +CVE_STATUS_REASONING[CVE-2018-13410] = "Disputed and also Debian doesn't consider a vulnerability" -# Not for zip but for smart contract implementation for it -CVE_CHECK_IGNORE += "CVE-2018-13684" +CVE_STATUS[CVE-2018-13684] = "Not applicable" +CVE_STATUS_REASONING[CVE-2018-13684] = "Not for zip but for smart contract implementation for it" # Enable largefile support CFLAGS += "-DLARGE_FILE_SUPPORT" diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb index 08e9899d00c..91dba7466da 100644 --- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb +++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb @@ -32,5 +32,5 @@ RPROVIDES:${PN} += "libnotify3" RCONFLICTS:${PN} += "libnotify3" RREPLACES:${PN} += "libnotify3" -# -7381 is specific to the NodeJS bindings -CVE_CHECK_IGNORE += "CVE-2013-7381" +CVE_STATUS[CVE-2013-7381] = "Ignored" +CVE_STATUS_REASONING[CVE-2013-7381] = "-7381 is specific to the NodeJS bindings" diff --git a/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb b/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb index 59278d1b169..5f4fd79bc0e 100644 --- a/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb +++ b/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb @@ -50,8 +50,8 @@ do_compile:prepend() { sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json } -# Issue only on windows -CVE_CHECK_IGNORE += "CVE-2018-1000041" +CVE_STATUS[CVE-2018-1000041] = "Not applicable" +CVE_STATUS_REASONING[CVE-2018-1000041] = "Issue only applies on Windows" CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders" diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb index 39be3bd63ff..e70b30a7639 100644 --- a/meta/recipes-graphics/builder/builder_0.1.bb +++ b/meta/recipes-graphics/builder/builder_0.1.bb @@ -30,4 +30,5 @@ do_install () { } # -4178 is an unrelated 'builder' -CVE_CHECK_IGNORE = "CVE-2008-4178" +CVE_STATUS[CVE-2008-4178] = "Ignored" +CVE_STATUS_REASONING[CVE-2008-4178] = "This CVE is for an unrelated builder" diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc index ecb164ddf76..189619d8715 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc @@ -20,16 +20,19 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz" UPSTREAM_CHECK_REGEX = "xorg-server-(?P\d+(\.(?!99)\d+)+)\.tar" CVE_PRODUCT = "xorg-server x_server" -# This is specific to Debian's xserver-wrapper.c -CVE_CHECK_IGNORE += "CVE-2011-4613" +CVE_STATUS[CVE-2011-4613] = "Not applicable" +CVE_STATUS_REASONING[CVE-2011-4613] = "This is specific to Debian's xserver-wrapper.c" + # As per upstream, exploiting this flaw is non-trivial and it requires exact # timing on the behalf of the attacker. Many graphical applications exit if their # connection to the X server is lost, so a typical desktop session is either # impossible or difficult to exploit. There is currently no upstream patch # available for this flaw. -CVE_CHECK_IGNORE += "CVE-2020-25697" -# This is specific to XQuartz, which is the macOS X server port -CVE_CHECK_IGNORE += "CVE-2022-3553" +CVE_STATUS[CVE-2020-25697] = "Ignored" +CVE_STATUS_REASONING[CVE-2020-25697] = "As per upstream, exploiting this flaw is non-trivial and it requires exact timing on the behalf of the attacker" + +CVE_STATUS[CVE-2022-3553] = "Not applicable" +CVE_STATUS_REASONING[CVE-2022-3553] = "This is specific to XQuartz, which is the macOS X server port" S = "${WORKDIR}/${XORG_PN}-${PV}" diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc index 4cc151901b8..a7b12e3b57e 100644 --- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc +++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc @@ -1,17 +1,17 @@ # https://nvd.nist.gov/vuln/detail/CVE-2022-3523 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33 -CVE_CHECK_IGNORE += "CVE-2022-3523" +CVE_STATUS[CVE-2022-3523] = "Ignored" # https://nvd.nist.gov/vuln/detail/CVE-2022-3566 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 -CVE_CHECK_IGNORE += "CVE-2022-3566" +CVE_STATUS[CVE-2022-3566] = "Ignored" # https://nvd.nist.gov/vuln/detail/CVE-2022-3567 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6 -CVE_CHECK_IGNORE += "CVE-2022-3567" +CVE_STATUS[CVE-2022-3567] = "Ignored" # 2023 @@ -26,11 +26,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3567" # * https://www.linuxkernelcves.com/cves/CVE-2022-38457 # * https://www.linuxkernelcves.com/cves/CVE-2022-40133 # * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/ -CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133" +CVE_STATUS[CVE-2022-38457] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-38457] = "Backported in version 6.1.7" +CVE_STATUS[CVE-2022-40133] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-40133] = "Backported in version 6.1.7" # https://nvd.nist.gov/vuln/detail/CVE-2023-1075 # Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221 # Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb # Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50 # 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch -CVE_CHECK_IGNORE += "CVE-2023-1075" +CVE_STATUS[CVE-2023-1075] = "Ignored" +CVE_STATUS_REASONING[CVE-2023-1075] = "Backported in version 6.1.11" diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index a6c229f5cf0..38e18542c21 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -32,5 +32,5 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" BBCLASSEXTEND = "native nativesdk" -# CVE-2019-17371 is actually a memory leak in gif2png 2.x -CVE_CHECK_IGNORE += "CVE-2019-17371" +CVE_STATUS[CVE-2019-17371] = "Not applicable" +CVE_STATUS_REASONING[CVE-2019-17371] = "A memory leak in gif2png 2.x" diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb index f8a2482a848..499687207d1 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb @@ -16,14 +16,8 @@ SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c # exclude betas UPSTREAM_CHECK_REGEX = "tiff-(?P\d+(\.\d+)+).tar" -# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 -# and 4.3.0 doesn't have the issue -CVE_CHECK_IGNORE += "CVE-2015-7313" -# These issues only affect libtiff post-4.3.0 but before 4.4.0, -# caused by 3079627e and fixed by b4e79bfa. -CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" -# Issue is in jbig which we don't enable -CVE_CHECK_IGNORE += "CVE-2022-1210" +CVE_STATUS[CVE-2022-1210] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-1210] = "Issue is in jbig which we don't enable" inherit autotools multilib_header diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb index bf9d7cbd102..bf59069cfa5 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb @@ -29,8 +29,10 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ " SRC_URI[sha256sum] = "ef14ae546b0084cd84259f61a55e07a38c3b53afc0f546bffcef2f01baffe9de" -# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro. -CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438" +CVE_STATUS[CVE-2018-12433] = "Ignored" +CVE_STATUS_REASONING[CVE-2018-12433] = "CVE is disputed and not affecting crypto libraries for any distro." +CVE_STATUS[CVE-2018-12438] = "Ignored" +CVE_STATUS_REASONING[CVE-2018-12438] = "CVE is disputed and not affecting crypto libraries for any distro." BINCONFIG = "${bindir}/libgcrypt-config" diff --git a/meta/recipes-support/libxslt/libxslt_1.1.37.bb b/meta/recipes-support/libxslt/libxslt_1.1.37.bb index 361bb0f8dc9..76f7a34d05a 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.37.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.37.bb @@ -19,9 +19,8 @@ SRC_URI[sha256sum] = "3a4b27dc8027ccd6146725950336f1ec520928f320f144eb5fa7990ae6 UPSTREAM_CHECK_REGEX = "libxslt-(?P\d+(\.\d+)+)\.tar" -# We have libxml2 2.9.14 and we don't link statically with it anyway -# so this isn't an issue. -CVE_CHECK_IGNORE += "CVE-2022-29824" +CVE_STATUS[CVE-2022-29824] = "Ignored" +CVE_STATUS_REASONING[CVE-2022-29824] = "Static linking to libxml2 is not enabled." S = "${WORKDIR}/libxslt-${PV}" diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb index d2a25fd5b09..97217781f42 100644 --- a/meta/recipes-support/lz4/lz4_1.9.4.bb +++ b/meta/recipes-support/lz4/lz4_1.9.4.bb @@ -21,8 +21,8 @@ S = "${WORKDIR}/git" inherit ptest -# Fixed in r118, which is larger than the current version. -CVE_CHECK_IGNORE += "CVE-2014-4715" +CVE_STATUS[CVE-2014-4715] = "Patched" +CVE_STATUS_REASONING[CVE-2014-4715] = "Fixed in r118, which is larger than the current version." EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb index b09e8e7f557..6af884b58fe 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb @@ -7,8 +7,11 @@ SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz" SRC_URI[sha256sum] = "e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499" # -19242 is only an issue in specific development branch commits -CVE_CHECK_IGNORE += "CVE-2019-19242" -# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA) -CVE_CHECK_IGNORE += "CVE-2015-3717" -# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f -CVE_CHECK_IGNORE += "CVE-2021-36690" +CVE_STATUS[CVE-2019-19242] = "Ignored" +CVE_STATUS_REASONING[CVE-2019-19242] = "This CVE is only an issue in specific development branch commits" +# https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA +CVE_STATUS[CVE-2015-3717] = "Not applicable" +CVE_STATUS_REASONING[CVE-2015-3717] = "This is believed to be iOS specific" +# Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f +CVE_STATUS[CVE-2021-36690] = "Patched" +CVE_STATUS_REASONING[CVE-2021-36690] = "Issue in an experimental extension we don't have/use."