Message ID | 20220602122005.17173-1-anolgajbhiye99@gmail.com |
---|---|
State | New, archived |
Headers | show |
Series | [dunfell] systemd: Whitelist CVE-2018-21029 | expand |
Hi Steve, Is there any reason to not take this? Thanks, Ranjitsinh Rathod
On Tue, Jun 7, 2022 at 6:10 AM Ranjitsinh Rathod
<ranjitsinhrathod1991@gmail.com> wrote:
> Is there any reason to not take this?
I'm puzzled by this question! A patch with this subject line hasn't
been submitted to the list for dunfell. Also, the referenced CVE
doesn't show up on the CVE report for dunfell.
Steve
On 2022-06-07 12:18, Steve Sakoman wrote: > On Tue, Jun 7, 2022 at 6:10 AM Ranjitsinh Rathod > <ranjitsinhrathod1991@gmail.com> wrote: > >> Is there any reason to not take this? > I'm puzzled by this question! A patch with this subject line hasn't > been submitted to the list for dunfell. I see the original patch, with a timestamp of 2022-06-02, 08:20 ET. Do you need it to be resent? > Also, the referenced CVE > doesn't show up on the CVE report for dunfell. That's odd. Are you looking into that or is the CVE report ignoring it since only version: systemd 239 <= v < 243 are vulnerable and dunfell has 245.5: http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-core/systemd/systemd_244.5.bb?h=dunfell I'm woefully ignorant of the YP CVE report. Yet another thing to make time for... > > Steve > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#166678): https://lists.openembedded.org/g/openembedded-core/message/166678 > Mute This Topic: https://lists.openembedded.org/mt/91497880/3616765 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [randy.macleod@windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Tue, Jun 7, 2022 at 1:24 PM Randy MacLeod <randy.macleod@windriver.com> wrote: > > On 2022-06-07 12:18, Steve Sakoman wrote: > > On Tue, Jun 7, 2022 at 6:10 AM Ranjitsinh Rathod > > <ranjitsinhrathod1991@gmail.com> wrote: > > > >> Is there any reason to not take this? > > I'm puzzled by this question! A patch with this subject line hasn't > > been submitted to the list for dunfell. > I see the original patch, with a timestamp of 2022-06-02, 08:20 ET. > Do you need it to be resent? Sorry for the delay in responding, I've been having some email strangeness the past couple of weeks. Gmail decided the original patch was spam and moved it to the spam folder (along with this followup) Seems to have gotten more aggressive in spam detection lately, since I see other patches there too :-( > > Also, the referenced CVE > > doesn't show up on the CVE report for dunfell. > That's odd. Are you looking into that or is > the CVE report ignoring it since only version: > systemd 239 <= v < 243 are vulnerable and dunfell has 245.5 This is indeed the reason it doesn't show up in the report: our version is not affected. Hence no need for this patch. > I'm woefully ignorant of the YP CVE report. Yet another thing to make > time for... Never enough hours in the day . . . Steve
diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb index a648272bc0..711d23a26e 100644 --- a/meta/recipes-core/systemd/systemd_244.5.bb +++ b/meta/recipes-core/systemd/systemd_244.5.bb @@ -65,6 +65,9 @@ SRC_URI_MUSL = "\ # already applied in 244.5 CVE_CHECK_WHITELIST += "CVE-2020-13776" +# Whitelist the CVE because cve patch is already present +CVE_CHECK_WHITELIST += "CVE-2018-21029" + PAM_PLUGINS = " \ pam-plugin-unix \ pam-plugin-loginuid \