diff options
| author |   Ross Burton <ross.burton@arm.com> | 2023-09-05 11:54:20 +0100 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-09-07 14:42:28 +0100 |
| commit | fe1c0b9725f88d15ba48b02b5fef01f2cf2e9d78 (patch) | |
| tree | 55d4301ae966f9715f19ec6991fd3990eaa38e58 /meta/conf/distro/include/cve-extra-exclusions.inc | |
| parent | 5ec557467dda29309e25102b507bb919275bedbb (diff) | |
| download | openembedded-core-contrib-fe1c0b9725f88d15ba48b02b5fef01f2cf2e9d78.tar.gz | |
cve-exclusion: review the last of the historical kernel CVEs
Review the last of the historical kernel CVEs. Issues which are
specific to other platforms or distributions are ignored in the kernel
recipe itself, whereas general security concerns like "ICMP leaks
information" and "USB has flaws" are ignored with more details in the
extra-exclusions file as before.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/conf/distro/include/cve-extra-exclusions.inc')
| -rw-r--r-- | meta/conf/distro/include/cve-extra-exclusions.inc | 21 |
1 files changed, 7 insertions, 14 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index cfee028e5b..fcef6a14fb 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -53,24 +53,17 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \ replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed." -# -# Kernel CVEs, e.g. linux-yocto* +# Kernel CVEs that are generic but can't be added to the kernel's hand-maintained cve-exclusion.inc +# or machine-maintained cve-exclusion_VERSION.inc files, such as issues that describe TCP/IP design +# flaws or processor-specific exploits that can't be mitigated. # # For OE-Core our policy is to stay as close to the kernel stable releases as we can. This should # ensure the bulk of the major kernel CVEs are fixed and we don't dive into each individual issue # as the stable maintainers are much more able to do that. -# -# We have a script (generate-cve-exclusions.py) to have correct CVE status for backported issues, -# but the data on linuxkernelcves.com isn't 100% complete for the older CVEs. These historical -# CVEs need review and typically linuxkernelcves.com updated and then removed from here. -# - -CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_HISTORIC" - -CVE_STATUS_KERNEL_HISTORIC = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 \ - CVE-2008-2544 CVE-2008-4609 CVE-2010-0298 CVE-2010-4563 CVE-2011-0640" -CVE_STATUS_KERNEL_HISTORIC[status] = "ignored" - +CVE_STATUS[CVE-1999-0524] = "ignored: issue is that ICMP exists, can be filewalled if required" +CVE_STATUS[CVE-2008-4609] = "ignored: describes design flaws in TCP" +CVE_STATUS[CVE-2010-4563] = "ignored: low impact, only enables detection of hosts which are sniffing network traffic" +CVE_STATUS[CVE-2011-0640] = "ignored: requires physical access and any mitigation would mean USB is impractical to use" # qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255 CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \ |