summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@arm.com>2023-09-04 22:33:22 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2023-09-06 17:52:37 +0100
commita8db0735e228465715cf885d3b889fddfd68efc6 (patch)
treebb634fbb200096c7d72223b6c20d15e1da4c003b
parent2020aee444868742590f44d149d11565fc9f58c4 (diff)
downloadopenembedded-core-a8db0735e228465715cf885d3b889fddfd68efc6.tar.gz
linux: review some historic CVE_STATUS
Do manual review and disposition these CVEs as appropriate. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
-rw-r--r--meta/conf/distro/include/cve-extra-exclusions.inc4
-rw-r--r--meta/recipes-kernel/linux/cve-exclusion.inc12
2 files changed, 13 insertions, 3 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 51926f342a..cfee028e5b 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -68,9 +68,7 @@ replacing bdb with supported and open source friendly alternatives. As a result
CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_HISTORIC"
CVE_STATUS_KERNEL_HISTORIC = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 \
- CVE-2008-2544 CVE-2008-4609 CVE-2010-0298 CVE-2010-4563 CVE-2011-0640 \
- CVE-2014-2648 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 CVE-2017-1000377 \
- CVE-2017-6264"
+ CVE-2008-2544 CVE-2008-4609 CVE-2010-0298 CVE-2010-4563 CVE-2011-0640"
CVE_STATUS_KERNEL_HISTORIC[status] = "ignored"
diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc
index 42f1c195c9..28f9c8ff2b 100644
--- a/meta/recipes-kernel/linux/cve-exclusion.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion.inc
@@ -1,3 +1,15 @@
+CVE_STATUS[CVE-2014-2648] = "cpe-incorrect: not Linux"
+
+CVE_STATUS[CVE-2016-0774] = "ignored: result of incomplete backport"
+
+CVE_STATUS[CVE-2016-3695] = "not-applicable-platform: specific to RHEL with securelevel patches"
+
+CVE_STATUS[CVE-2016-3699] = "not-applicable-platform: specific to RHEL with securelevel patches"
+
+CVE_STATUS[CVE-2017-6264] = "not-applicable-platform: Android specific"
+
+CVE_STATUS[CVE-2017-1000377] = "not-applicable-platform: GRSecurity specific"
+
CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: Issue only affects Ubuntu"
CVE_STATUS[CVE-2020-11935] = "not-applicable-config: Issue only affects aufs, which is not in linux-yocto"