
List:       openembedded-core
Subject:    Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
From:       "Marta Rybczynska" <rybczynska () gmail ! com>
Date:       2023-02-28 20:41:08
Message-ID: CAApg2=R0F0nkR+iPY1gE_YJP9QGMBW0JzCkQXfcBY3Dew--rMg () mail ! gmail ! com

Thank you for the explanation and the work done. Could you contact me off
list so that we confirm what and where was sent? 14 days is longer than
I've ever had as a response time from NVD.

Kind regards
Marta

On Tue, 28 Feb 2023, 10:05 Geoffrey GIRY, <geoffrey.giry@smile.fr> wrote:

> Hello Marta, Richard,
>
> We sent to NVD an update for one CVE (CVE-2020-27784) 14 days ago, we
> are still waiting for an answer.
> This is the first time we ever do this, so we did send only the first as a
> test.
> When the change is accepted, we will send update requests for each
> already patched CVE.
>
> Richard, thank you for the details provided.
>
> Regards,
> Geoffrey GIRY
> Research and Development Engineer
> SMILE
>
>
>
> On Mon, 27 Feb 2023 at 23:02, Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> >
> > On Mon, 2023-02-27 at 18:49 +0100, Marta Rybczynska wrote:
> > > Thank you for the work. Have you contacted NVD to update the database
> > > instead? What did they say?
> >
> > Ideally a large portion of these should be sent to NVD but we did talk
> > a little about the on the call last week. We agreed that it will take
> > time and it was better to document this and fix our reporting in the
> > meantime as well as share these useful details more widely. I'd suggest
> > that as things are submitted we could document that, hopefully we'll
> > also be able to remove many of these entries.
> >
> > I'm sure Geoffrey can provide more status but I wanted to update on why
> > this was sent and why I think we should take it.
> >
> > I will drop the kernel filtering so new kernel CVEs then show up in all
> > our metrics going forward.
> >
> > Cheers,
> >
> > Richard
> >
> >
>



