From: Paul Barker <paul@pbarker.dev>
To: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
"yocto@lists.yoctoproject.org" <yocto@lists.yoctoproject.org>,
linux-yocto@lists.yoctoproject.org
Subject: linux-yocto CVEs in need of triage
Date: Mon, 29 Jun 2026 20:33:10 +0100 [thread overview]
Message-ID: <4ac849a706feb16688020d5bcc3e74aececd63cf.camel@pbarker.dev> (raw)
[-- Attachment #1: Type: text/plain, Size: 1601 bytes --]
Hi all,
We would appreciate help triaging the following CVEs filed against the
Linux Kernel, which therefore affect linux-yocto.
Each of these is missing an upstream fix version in the CVE data, so
they show as unresolved in our CVE metrics. However, they may well be
fixed already in the kernel versions that we ship. So we need some help
to determine the appropriate upstream fix versions.
For each CVE, at a minimum we need to know if they are resolved in the
mainline kernel, and if so then which release they were resolved in. A
pointer to the exact upstream commit resolving the issue would be
preferred. This may involve a bit of investigation, so please share the
information you find that proves that a CVE is resolved in a particular
kernel version.
Once you've investigated a particular CVE, if it is resolved upstream
then please send a patch to update the linux-yocto cve-exclusion.inc
file with the appropriate information. See recent commits to this file
for examples of what we need, e.g:
https://git.openembedded.org/openembedded-core/commit/?id=ded28ca69b326e51ac5cf363f06c6f0931a9c1bd
Once we've got patches merged into the master branch, we can look at
backporting to wrynose & scarthgap as appropriate.
The open linux-yocto CVEs lacking an upstream fix version and not
currently tracked in cve-exclusion.inc are:
- CVE-2019-14899
- CVE-2021-3714
- CVE-2021-3864
- CVE-2022-0400
- CVE-2022-1247
- CVE-2022-4543
- CVE-2023-3397
- CVE-2023-3640
- CVE-2023-4010
- CVE-2023-6238
- CVE-2023-6240
Best regards,
--
Paul Barker
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]
reply other threads:[~2026-06-29 19:33 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ac849a706feb16688020d5bcc3e74aececd63cf.camel@pbarker.dev \
--to=paul@pbarker.dev \
--cc=linux-yocto@lists.yoctoproject.org \
--cc=openembedded-core@lists.openembedded.org \
--cc=yocto@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox