[poky][master][PATCH] glibc: Added and whitelisted CVE patches

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: "saloni" <saloni.jain@kpit.com>
To: openembedded-core@lists.openembedded.org, raj.khem@gmail.com
Cc: nisha.parrakat@kpit.com, anuj.chougule@kpit.com,
	Saloni Jain <Saloni.Jain@kpit.com>
Subject: [poky][master][PATCH] glibc: Added and whitelisted CVE patches
Date: Wed, 28 Oct 2020 20:54:20 +0530	[thread overview]
Message-ID: <1603898660-15302-1-git-send-email-Saloni.Jain@kpit.com> (raw)

From: Saloni Jain <Saloni.Jain@kpit.com>

Below CVE patches are whitelisted as not considered
as security threats by Upstream Community:
1. CVE-2019-1010022
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010022
2. CVE-2019-1010023
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010023
3. CVE-2019-1010024
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010024
4. CVE-2019-1010025
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010025

Below CVE patches are whitelisted as the changes are
already present in the source-code:
1. CVE-2020-1751
Link: https://security-tracker.debian.org/tracker/CVE-2020-1751
2. CVE-2020-1752
Link: https://security-tracker.debian.org/tracker/CVE-2020-1752
3. CVE-2020-6096
Link: https://security-tracker.debian.org/tracker/CVE-2020-6096
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1820331
4. CVE-2015-8985
Link: https://security-tracker.debian.org/tracker/CVE-2015-8985
Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=eb04c21373e2a2885f3d52ff192b0499afe3c672
5. CVE-2016-10739
Link: https://security-tracker.debian.org/tracker/CVE-2016-10739
Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd
6. CVE-2020-10029
Link: https://security-tracker.debian.org/tracker/CVE-2020-10029
Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=9333498794cde1d5cca518badf79533a24114b6f
7. CVE-2009-5155
Link: https://security-tracker.debian.org/tracker/CVE-2009-5155
Link: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672

Upstream-Status: Pending
Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
---
 meta/recipes-core/glibc/glibc_2.32.bb | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
index 2a0e464..7c56f6b 100644
--- a/meta/recipes-core/glibc/glibc_2.32.bb
+++ b/meta/recipes-core/glibc/glibc_2.32.bb
@@ -1,7 +1,24 @@
 require glibc.inc
 require glibc-version.inc

-CVE_CHECK_WHITELIST += "CVE-2020-10029"
+#As confirmed by Upstream Community below patches are not considered security threats, hence whitelisted.
+CVE_CHECK_WHITELIST += "\
+    CVE-2019-1010022 \
+    CVE-2019-1010023 \
+    CVE-2019-1010024 \
+    CVE-2019-1010025 \
+"
+#Changes are already present in source-code, hence whitelisted.
+CVE_CHECK_WHITELIST += "\
+    CVE-2009-5155 \
+    CVE-2016-10739 \
+    CVE-2020-10029 \
+    CVE-2015-8985 \
+    CVE-2020-6096 \
+    CVE-2016-10228 \
+    CVE-2020-1751 \
+    CVE-2020-1752 \
+"

 DEPENDS += "gperf-native bison-native make-native"

--
2.7.4

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

next             reply	other threads:[~2020-10-28 15:24 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-28 15:24 saloni [this message]
2020-10-28 15:53 ` [poky][master][PATCH] glibc: Added and whitelisted CVE patches Khem Raj
2020-10-28 16:11   ` saloni
2020-10-28 18:15 ` [OE-core] " Steve Sakoman
  -- strict thread matches above, loose matches on Subject: below --
2020-10-28 16:09 saloni

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:2a0e464 dfblob:7c56f6b )
 OR (
bs:"[poky][master][PATCH] glibc: Added and whitelisted CVE patches" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1603898660-15302-1-git-send-email-Saloni.Jain@kpit.com \
    --to=saloni.jain@kpit.com \
    --cc=anuj.chougule@kpit.com \
    --cc=nisha.parrakat@kpit.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=raj.khem@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox