* [poky][master][PATCH] gnutls: Whitelisted CVE patches
@ 2020-10-28 17:17 saloni

From: saloni @ 2020-10-28 17:17 UTC (permalink / raw)
To: openembedded-core, raj.khem; +Cc: nisha.parrakat, anuj.chougule, Saloni Jain

From: Saloni Jain <Saloni.Jain@kpit.com>

Below CVE patches are whitelisted as changes
are already present in source code:
1. CVE-2018-10844
Link: https://security-tracker.debian.org/tracker/CVE-2018-10844
Link: https://gitlab.com/gnutls/gnutls/commit/c32a8690f9f9b05994078fe9d2e7a41b18da5b09
2. CVE-2018-10845
Link: https://security-tracker.debian.org/tracker/CVE-2018-10845
Link: https://gitlab.com/gnutls/gnutls/commit/cc14ec5ece856cb083d64e6a5a8657323da661cb
3. CVE-2018-10846
Link: https://security-tracker.debian.org/tracker/CVE-2018-10846
Link: https://gitlab.com/gnutls/gnutls/commit/ce671a6db9e47006cff152d485091141b1569f39
4. CVE-2018-16868
Link: https://gitlab.com/gnutls/gnutls/-/merge_requests/832
Link: https://gitlab.com/gnutls/gnutls/-/commit/4804febddc2ed958e5ae774de2a8f85edeeff538

Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
---
 meta/recipes-support/gnutls/gnutls_3.6.14.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index 51578b4..727a12f 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -17,6 +17,9 @@ DEPENDS_append_libc-musl = " argp-standalone" SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" +#Changes are already present in source-code, hence whitelisted. +CVE_CHECK_WHITELIST += "CVE-2018-16868 CVE-2018-10844 CVE-2018-10845 CVE-2018-10845" + SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \ file://arm_eabi.patch \ file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \ -- 2.7.4

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
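Review bot: The added `CVE_CHECK_WHITELIST` line lists CVE-2018-10845 twice and omits CVE-2018-10846, even though the commit message names all four of CVE-2018-10844, CVE-2018-10845, CVE-2018-10846 and CVE-2018-16868 as already fixed in the source; the last entry should read `CVE-2018-10846`, i.e. `CVE_CHECK_WHITELIST += "CVE-2018-16868 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846"`. The comment above it should also record the justification per CVE (the upstream gnutls commit ids quoted in the commit message), because a later reader of the recipe cannot verify "changes are already present" from the bare id list, and the whitelist silences cve-check for these ids permanently even if the recipe is later moved to a version that does not carry the fixes. Minor style point: `#Changes` wants a space after `#`.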
* Re: [OE-core] [poky][master][PATCH] gnutls: Whitelisted CVE patches
@ 2020-10-28 18:26 Steve Sakoman

From: Steve Sakoman @ 2020-10-28 18:26 UTC (permalink / raw)
To: saloni
Cc: Patches and discussions about the oe-core layer, Khem Raj, nisha.parrakat, anuj.chougule

Note that the first three CVEs no longer appear in a CVE scan for master or dunfell:

https://lists.yoctoproject.org/g/yocto-security/topic/oe_core_cve_metrics_for/77795960?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,77795960
https://lists.yoctoproject.org/g/yocto-security/topic/oe_core_cve_metrics_for/77796289?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,77796289

You'll see them in the "removed this week" since I sent in database updates last week.

I still need to deal with getting CVE-2018-16868 updated, but hopefully will get that done later this week.

So there should be no need for this patch in either master or dunfell.

In general I'd prefer to get the CVE database updated rather than add whitelist entries.

If you'd like to help me with this CVE reduction program let's coordinate off list!

Steve

On Wed, Oct 28, 2020 at 7:17 AM saloni <saloni.jain@kpit.com> wrote:
>
> From: Saloni Jain <Saloni.Jain@kpit.com>
>
> Below CVE patches are whitelisted as changes
> are already present in source code:
> 1. CVE-2018-10844
> Link: https://security-tracker.debian.org/tracker/CVE-2018-10844
> Link: https://gitlab.com/gnutls/gnutls/commit/c32a8690f9f9b05994078fe9d2e7a41b18da5b09
> 2. CVE-2018-10845
> Link: https://security-tracker.debian.org/tracker/CVE-2018-10845
> Link: https://gitlab.com/gnutls/gnutls/commit/cc14ec5ece856cb083d64e6a5a8657323da661cb
> 3. CVE-2018-10846
> Link: https://security-tracker.debian.org/tracker/CVE-2018-10846
> Link: https://gitlab.com/gnutls/gnutls/commit/ce671a6db9e47006cff152d485091141b1569f39
> 4. CVE-2018-16868
> Link: https://gitlab.com/gnutls/gnutls/-/merge_requests/832
> Link: https://gitlab.com/gnutls/gnutls/-/commit/4804febddc2ed958e5ae774de2a8f85edeeff538
>
> Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
> ---
>  meta/recipes-support/gnutls/gnutls_3.6.14.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
> index 51578b4..727a12f 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
> @@ -17,6 +17,9 @@ DEPENDS_append_libc-musl = " argp-standalone" > > SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" > > +#Changes are already present in source-code, hence whitelisted. > +CVE_CHECK_WHITELIST += "CVE-2018-16868 CVE-2018-10844 CVE-2018-10845 CVE-2018-10845" > + > SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \ > file://arm_eabi.patch \ > file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \ > -- > 2.7.4
* Re: [OE-core] [poky][master][PATCH] gnutls: Whitelisted CVE patches
@ 2020-10-29 14:01 Ross Burton

From: Ross Burton @ 2020-10-29 14:01 UTC (permalink / raw)
To: saloni; +Cc: OE-core, Khem Raj, nisha.parrakat, anuj.chougule

Echoing what Steve says: where this is due to incorrect information in the CVE database we should definitely fix the CVE database instead of working around this in the recipes.

The only reason to whitelist in the recipe is if the vulnerability is based on the build configuration or we've decided that it's not relevant.

Ross

On Wed, 28 Oct 2020 at 17:17, saloni <saloni.jain@kpit.com> wrote:
>
> From: Saloni Jain <Saloni.Jain@kpit.com>
>
> Below CVE patches are whitelisted as changes
> are already present in source code:
> 1. CVE-2018-10844
> Link: https://security-tracker.debian.org/tracker/CVE-2018-10844
> Link: https://gitlab.com/gnutls/gnutls/commit/c32a8690f9f9b05994078fe9d2e7a41b18da5b09
> 2. CVE-2018-10845
> Link: https://security-tracker.debian.org/tracker/CVE-2018-10845
> Link: https://gitlab.com/gnutls/gnutls/commit/cc14ec5ece856cb083d64e6a5a8657323da661cb
> 3. CVE-2018-10846
> Link: https://security-tracker.debian.org/tracker/CVE-2018-10846
> Link: https://gitlab.com/gnutls/gnutls/commit/ce671a6db9e47006cff152d485091141b1569f39
> 4. CVE-2018-16868
> Link: https://gitlab.com/gnutls/gnutls/-/merge_requests/832
> Link: https://gitlab.com/gnutls/gnutls/-/commit/4804febddc2ed958e5ae774de2a8f85edeeff538
>
> Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
> ---
>  meta/recipes-support/gnutls/gnutls_3.6.14.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
> index 51578b4..727a12f 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb > @@ -17,6 +17,9 @@ DEPENDS_append_libc-musl = " argp-standalone" > > SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" > > +#Changes are already present in source-code, hence whitelisted. > +CVE_CHECK_WHITELIST += "CVE-2018-16868 CVE-2018-10844 CVE-2018-10845 CVE-2018-10845" > + > SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \ > file://arm_eabi.patch \ > file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \ > -- > 2.7.4
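Ross's rule that a recipe-level whitelist entry needs a stated reason, and the mismatch between the ids in the commit message and the ids in the `CVE_CHECK_WHITELIST` line of the patch, are the kind of thing a small pre-review lint can catch. The following is an added example and is not code from the OE-core patch, the gnutls recipe or the cve-check class. It assumes the recipe and the commit message are available as strings; the samples below are constructed from the hunk and commit message in this thread, and only the simple single-line `CVE_CHECK_WHITELIST` assignment forms are parsed (continuation lines and override-suffixed variable names, which real recipes may use, are a simplification left out here).

```python
"""Lint CVE_CHECK_WHITELIST entries in a BitBake recipe against the commit message.

Added example, not code from the OE-core patch, the gnutls recipe or the
cve-check class. Simplification: only single-line assignments such as
    CVE_CHECK_WHITELIST += "..."   or   CVE_CHECK_WHITELIST = "..."
are parsed; continuation lines and override-suffixed variable names are not.
"""
import re

# Well-formed CVE identifier: CVE-YYYY-NNNN with four or more sequence digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# A whitelist assignment; "+=" is listed before "=" so the longer operator wins.
WHITELIST_ASSIGN = re.compile(
    r'^\s*CVE_CHECK_WHITELIST\s*(?:\+=|=\+|\.=|=\.|\?=|=)\s*"([^"]*)"', re.M
)

# Constructed sample: the recipe region touched by the hunk in this thread.
SAMPLE_RECIPE = '''
SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"

#Changes are already present in source-code, hence whitelisted.
CVE_CHECK_WHITELIST += "CVE-2018-16868 CVE-2018-10844 CVE-2018-10845 CVE-2018-10845"

SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz"
'''

# Constructed sample: the CVE list from the commit message in this thread.
SAMPLE_COMMIT_MESSAGE = """\
Below CVE patches are whitelisted as changes are already present in source code:
1. CVE-2018-10844
2. CVE-2018-10845
3. CVE-2018-10846
4. CVE-2018-16868
"""


def claimed_ids(commit_message):
    """Set of CVE ids named anywhere in the commit message."""
    return set(re.findall(r"\bCVE-\d{4}-\d{4,}\b", commit_message))


def whitelist_entries(recipe_text):
    """Every id assigned to CVE_CHECK_WHITELIST, in order, duplicates kept."""
    entries = []
    for match in WHITELIST_ASSIGN.finditer(recipe_text):
        entries.extend(match.group(1).split())
    return entries


def has_justification(recipe_text):
    """True if every whitelist assignment is directly preceded by a comment line."""
    lines = recipe_text.splitlines()
    for i, line in enumerate(lines):
        if WHITELIST_ASSIGN.match(line):
            if i == 0 or not lines[i - 1].lstrip().startswith("#"):
                return False
    return True


def lint_whitelist(recipe_text, commit_message):
    """Return a list of problems; an empty list means recipe and message agree."""
    problems = []
    seen = set()
    for entry in whitelist_entries(recipe_text):
        if not CVE_ID.match(entry):
            problems.append(f"malformed id: {entry}")
        elif entry in seen:
            problems.append(f"duplicate entry: {entry}")
        seen.add(entry)
    # A whitelist entry without a stated reason hides the decision from later reviewers.
    if not has_justification(recipe_text):
        problems.append("whitelist assignment has no preceding justification comment")
    # Cross-check the recipe against what the commit message claims is covered.
    claimed = claimed_ids(commit_message)
    for cve in sorted(claimed - seen):
        problems.append(f"claimed fixed but not whitelisted: {cve}")
    for cve in sorted(seen - claimed):
        problems.append(f"whitelisted but not justified in commit message: {cve}")
    return problems


if __name__ == "__main__":
    for problem in lint_whitelist(SAMPLE_RECIPE, SAMPLE_COMMIT_MESSAGE):
        print("problem:", problem)
```

Run against the constructed sample, the lint reports the duplicated CVE-2018-10845 entry and the CVE-2018-10846 id that the commit message claims but the recipe never whitelists; with the last id corrected it reports nothing. The justification check is deliberately weak (any comment line counts) because the real review question, whether the upstream fix is actually in the fetched source, can only be answered by a human or by cve-check with a corrected database.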
* Re: [OE-core] [poky][master][PATCH] gnutls: Whitelisted CVE patches
@ 2020-10-30 5:37 saloni

From: saloni @ 2020-10-30 5:37 UTC (permalink / raw)
To: Ross Burton; +Cc: OE-core, Khem Raj, Nisha Parrakat, Anuj Chougule

Hello Ross,

Understood. I also had a discussion with Steve and am doing a complete check for all the reported CVEs; after gathering all the relevant information, I will send a request for a database update.

Thanks & Regards,
Saloni

________________________________
From: Ross Burton <ross@burtonini.com>
Sent: Thursday, October 29, 2020 7:31 PM
To: Saloni Jain <Saloni.Jain@kpit.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>; Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>; Anuj Chougule <Anuj.Chougule@kpit.com>
Subject: Re: [OE-core] [poky][master][PATCH] gnutls: Whitelisted CVE patches

Echoing what Steve says: where this is due to incorrect information in the CVE database we should definitely fix the CVE database instead of working around this in the recipes.

The only reason to whitelist in the recipe is if the vulnerability is based on the build configuration or we've decided that it's not relevant.

Ross

On Wed, 28 Oct 2020 at 17:17, saloni <saloni.jain@kpit.com> wrote:
>
> From: Saloni Jain <Saloni.Jain@kpit.com>
>
> Below CVE patches are whitelisted as changes
> are already present in source code:
> 1. CVE-2018-10844
> Link: https://security-tracker.debian.org/tracker/CVE-2018-10844
> Link: https://gitlab.com/gnutls/gnutls/commit/c32a8690f9f9b05994078fe9d2e7a41b18da5b09
> 2. CVE-2018-10845
> Link: https://security-tracker.debian.org/tracker/CVE-2018-10845
> Link: https://gitlab.com/gnutls/gnutls/commit/cc14ec5ece856cb083d64e6a5a8657323da661cb
> 3. CVE-2018-10846
> Link: https://security-tracker.debian.org/tracker/CVE-2018-10846
> Link: https://gitlab.com/gnutls/gnutls/commit/ce671a6db9e47006cff152d485091141b1569f39
> 4. CVE-2018-16868
> Link: https://gitlab.com/gnutls/gnutls/-/merge_requests/832
> Link: https://gitlab.com/gnutls/gnutls/-/commit/4804febddc2ed958e5ae774de2a8f85edeeff538
>
> Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
> ---
>  meta/recipes-support/gnutls/gnutls_3.6.14.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
> index 51578b4..727a12f 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
> @@ -17,6 +17,9 @@ DEPENDS_append_libc-musl = " argp-standalone" > > SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" > > +#Changes are already present in source-code, hence whitelisted. > +CVE_CHECK_WHITELIST += "CVE-2018-16868 CVE-2018-10844 CVE-2018-10845 CVE-2018-10845" > + > SRC_URI = "https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.gnupg.org%2Fftp%2Fgcrypt%2Fgnutls%2Fv%24&data=04%7C01%7Csaloni.jain%40kpit.com%7C78f127dc11024eb064e708d87c132472%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637395768956838179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2BX0mUSC%2BOoWUD3TS4YNXDQrU6thiS642N1jHs3sOBQc%3D&reserved=0{SHRT_VER}/gnutls-${PV}.tar.xz \ > file://arm_eabi.patch \ > file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \ > -- > 2.7.4