From: "Monsees, Steven C (US)" <steven.monsees@baesystems.com>
To: "yocto@lists.yoctoproject.org" <yocto@lists.yoctoproject.org>
Subject: RE: [yocto] CVE patch updates
Date: Thu, 24 Mar 2022 18:56:30 +0000 [thread overview]
Message-ID: <20220324185702.83CDDC433FE@smtp.lore.kernel.org> (raw)
In-Reply-To: <MADEUP.16DF6308F3F50D79.7324@lists.yoctoproject.org>
[-- Attachment #1: Type: text/plain, Size: 13491 bytes --]
So, my only change to my build is the INHERIT =+ “cve-check”…
No issue seen until this line added…
Can someone tell me why when I build from scratch, clean, I see the following error ?
Who’s certificate failure is being flagged ?
Initialising tasks: 100% |#######################################################################################| Time: 0:00:04
Checking sstate mirror object availability: 100% |###############################################################| Time: 0:00:00
Sstate summary: Wanted 2258 Found 2229 Missed 29 Current 0 (98% match, 0% complete)
NOTE: Executing Tasks
NOTE: Setscene tasks completed
ERROR: cve-update-db-native-1.0-r0 do_populate_cve_db: Error executing a python function in exec_python_func() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_python_func() autogenerated', lineno: 2, function: <module>
0001:
*** 0002:do_populate_cve_db(d)
0003:
File: '/disk0/scratch/smonsees/yocto/workspace_1/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 69, function: do_populate_cve_db
0065: meta_url = year_url + ".meta"
0066: json_url = year_url + ".json.gz"
0067:
0068: # Retrieve meta last modified date
*** 0069: response = urllib.request.urlopen(meta_url)
0070: if response:
0071: for l in response.read().decode("utf-8").splitlines():
0072: key, value = l.split(":", 1)
0073: if key == "lastModifiedDate":
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 223, function: urlopen
0219: elif _opener is None:
0220: _opener = opener = build_opener()
0221: else:
0222: opener = _opener
*** 0223: return opener.open(url, data, timeout)
0224:
0225:def install_opener(opener):
0226: global _opener
0227: _opener = opener
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 526, function: open
0522: for processor in self.process_request.get(protocol, []):
0523: meth = getattr(processor, meth_name)
0524: req = meth(req)
0525:
*** 0526: response = self._open(req, data)
0527:
0528: # post-process response
0529: meth_name = protocol+"_response"
0530: for processor in self.process_response.get(protocol, []):
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 544, function: _open
0540: return result
0541:
0542: protocol = req.type
0543: result = self._call_chain(self.handle_open, protocol, protocol +
*** 0544: '_open', req)
0545: if result:
0546: return result
0547:
0548: return self._call_chain(self.handle_open, 'unknown',
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 504, function: _call_chain
0500: # could. Otherwise, they return the response.
0501: handlers = chain.get(kind, ())
0502: for handler in handlers:
0503: func = getattr(handler, meth_name)
*** 0504: result = func(*args)
0505: if result is not None:
0506: return result
0507:
0508: def open(self, fullurl, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT):
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 1392, function: https_open
1388: self._check_hostname = check_hostname
1389:
1390: def https_open(self, req):
1391: return self.do_open(http.client.HTTPSConnection, req,
*** 1392: context=self._context, check_hostname=self._check_hostname)
1393:
1394: https_request = AbstractHTTPHandler.do_request_
1395:
1396: __all__.append('HTTPSHandler')
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 1351, function: do_open
1347: try:
1348: h.request(req.get_method(), req.selector, req.data, headers,
1349: encode_chunked=req.has_header('Transfer-encoding'))
1350: except OSError as err: # timeout error
*** 1351: raise URLError(err)
1352: r = h.getresponse()
1353: except:
1354: h.close()
1355: raise
Exception: urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)>
ERROR: Logfile of failure stored in: /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/work/x86_64-linux/cve-update-db-native/1.0-r0/temp/log.do_populate_cve_db.4499
ERROR: Task (/disk0/scratch/smonsees/yocto/workspace_1/poky/meta/recipes-core/meta/cve-update-db-native.bb:do_populate_cve_db) failed with exit code '1'
NOTE: Tasks Summary: Attempted 5772 tasks of which 5228 didn't need to be rerun and 1 failed.
Summary: 1 task failed:
/disk0/scratch/smonsees/yocto/workspace_1/poky/meta/recipes-core/meta/cve-update-db-native.bb:do_populate_cve_db
Summary: There was 1 ERROR message shown, returning a non-zero exit code.
14:41 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>find . -name '_ssl.c' -print
14:47 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>
From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On Behalf Of Monsees, Steven C (US) via lists.yoctoproject.org
Sent: Thursday, March 24, 2022 2:00 PM
To: yocto@lists.yoctoproject.org
Subject: Re: [yocto] CVE patch updates
External Email Alert
This email has been sent from an account outside of the BAE Systems network.
Please treat the email with caution, especially if you are requested to click on a link, decrypt/open an attachment, or enable macros. For further information on how to spot phishing, access “Cybersecurity OneSpace Page” and report phishing by clicking the button “Report Phishing” on the Outlook toolbar.
When building in cve-check to see what is reported, it generated all blank/empty report files…
Can someone explain this ?, my local.conf does have the proper modification (INHERIT += “cve-check”).
10:55 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default> bitbake -k sbca-defaultfs-full
Parsing recipes: 100% |#############################################################################################| Time: 0:01:07
Parsing of 2555 .bb files complete (0 cached, 2555 parsed). 3769 targets, 96 skipped, 0 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies
Build Configuration:
BB_VERSION = "1.44.0"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "rhel-7.9"
TARGET_SYS = "x86_64-poky-linux"
MACHINE = "sbca-default"
DISTRO = "limws"
DISTRO_VERSION = "3.0.4"
TUNE_FEATURES = "m64 corei7"
TARGET_FPU = ""
meta
meta-poky = "my_yocto_3.0.4:2f9bca440204f9e73158705a4ec04698b1f6ad42"
meta-perl
meta-python
meta-filesystems
meta-networking
meta-initramfs
meta-oe = "zeus:2b5dd1eb81cd08bc065bc76125f2856e9383e98b"
meta-virtualization = "zeus:7e5219669ff6f8e9c8c33ffd230e95a6b2b025f4"
meta = "master:a32ddd2b2a51b26c011fa50e441df39304651503"
meta-clang = "zeus:f5355ca9b86fb5de5930132ffd95a9b352d694f9"
meta-intel = "zeus:d9942d4c3a710406b051852de7232db03c297f4e"
meta-intel = "LIMWSSWARE-682-oews-meta-bae-clean-up:99f116056452f1fefe83fe458f533b48f52fe4ba"
Initialising tasks: 100% |##########################################################################################| Time: 0:00:04
Checking sstate mirror object availability: 100% |##################################################################| Time: 0:00:02
Sstate summary: Wanted 2258 Found 15 Missed 2243 Current 0 (0% match, 0% complete)
NOTE: Executing Tasks
NOTE: Setscene tasks completed
Image CVE report stored in: /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/core-image-minimal-initramfs-sbca-default-20220324145629.rootfs.cve
Image CVE report stored in: /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/aiox_orange-sbca-default-20220324145629.rootfs.cve
NOTE: Tasks Summary: Attempted 6753 tasks of which 77 didn't need to be rerun and all succeeded.
13:33 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>ls -l /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/core-image-minimal-initramfs-sbca-default-20220324145629.rootfs.cve
-rw-r--r--. 1 smonsees none 0 Mar 24 13:16 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/core-image-minimal-initramfs-sbca-default-20220324145629.rootfs.cve
13:33 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>ls -l /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/aiox_orange-sbca-default-20220324145629.rootfs.cve
-rw-r--r--. 1 smonsees none 0 Mar 24 13:17 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/aiox_orange-sbca-default-20220324145629.rootfs.cve
13:33 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>
13:27 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/cve>ls -l
total 0
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 binutils
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 binutils-cross-x86_64
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 binutils-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 bluez5
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 boost
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 cairo
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 cairo-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:16 cpio-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 curl
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 curl-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 dbus
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 dbus-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 e2fsprogs
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 e2fsprogs-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 file-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 flex
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 flex-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 gcc-source-9.2.0
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 gettext-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 glib-2.0
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 glib-2.0-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 glibc
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 gnutls
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 go-cross-corei7-64
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 go-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 go-runtime
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 icu
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 icu-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 libarchive-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 libgcrypt
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 libjpeg-turbo
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 libjpeg-turbo-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libpcre
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 libpcre2
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libpcre-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libxml2
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libxml2-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libxslt-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 mailx
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 nasm-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 ncurses
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 ncurses-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:14 nfs-utils
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:14 openssh
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 patch-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 perl
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 perl-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 python3
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 python3-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 qemu-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:14 rsync
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 sqlite3
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 sqlite3-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 sudo
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 sysstat
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 unzip
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 unzip-native
13:27 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/cve>
From: Monsees, Steven C (US)
Sent: Thursday, March 24, 2022 12:56 PM
To: yocto@lists.yoctoproject.org<mailto:yocto@lists.yoctoproject.org>
Subject: CVE patch updates
I am currently building in cve-check to see what is reported, and I was curious if Yocto might provide any CVE based patch repositories ?
Is there a yocto page somewhere that goes over this side of things ?,
I did not see much in the mega-manual… I am running on zeus based platforms (for both armarch64 and x86_64).
Thanks,
Steve
[-- Attachment #2: Type: text/html, Size: 38194 bytes --]
next parent reply other threads:[~2022-03-24 18:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <MADEUP.16DF6308F3F50D79.7324@lists.yoctoproject.org>
2022-03-24 18:56 ` Monsees, Steven C (US) [this message]
[not found] <MADEUP.16DF5F8906D065B9.27042@lists.yoctoproject.org>
[not found] ` <a789cfc1a41ac9b17dc81efb7aab3b56716a64bb.camel@linuxfoundation.org>
2022-03-25 1:02 ` [yocto] CVE patch updates Tim Orling
2022-03-25 10:32 ` Monsees, Steven C (US)
2022-03-25 10:58 ` Monsees, Steven C (US)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220324185702.83CDDC433FE@smtp.lore.kernel.org \
--to=steven.monsees@baesystems.com \
--cc=yocto@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.