From 1914cd0ccc784fb86eb411a2d3f0ff6365b37eb6 Mon Sep 17 00:00:00 2001
From: Ninette Adhikari
Date: Wed, 26 Jun 2024 07:18:28 -0700
Subject: [PATCH 1/2] mercurial: Update CVE status for CVE-2022-43410

The recipe used in the `meta-openembedded` is a different mercurial package compared to the one which has the CVE issue.
Package used in `meta-embedded`: https://www.mercurial-scm.org/
Package with CVE issue is a Jenkins plugin: https://plugins.jenkins.io/mercurial/
(This is reflected in the CPE)

Signed-off-by: Ninette Adhikari
---
 meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb b/meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb
index 89e6744dca7..395a3307906 100644
--- a/meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb
+++ b/meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb
@@ -34,3 +34,4 @@ PACKAGES =+ "${PN}-python"
 FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR} ${datadir}"
 FILES:${PN}-python = "${nonarch_libdir}/${PYTHON_DIR}"
 
+CVE_STATUS[CVE-2022-43410] = "cpe-incorrect: The recipe used in the `meta-openembedded` is a different mercurial package compared to the one which has the CVE issue."

From 72096048754abbfb590bf7d299f9252549b28ce7 Mon Sep 17 00:00:00 2001
From: Ninette Adhikari
Date: Wed, 26 Jun 2024 07:21:32 -0700
Subject: [PATCH 2/2] add patch files

---
 0000-cover-letter.patch | 19 +++++++++++++
 ...Update-CVE-status-for-CVE-2022-43410.patch | 27 +++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 0000-cover-letter.patch
 create mode 100644 0001-mercurial-Update-CVE-status-for-CVE-2022-43410.patch

diff --git a/0000-cover-letter.patch b/0000-cover-letter.patch
new file mode 100644
index 00000000000..be4744a903e
--- /dev/null
+++ b/0000-cover-letter.patch
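Review bot: The reason text in `CVE_STATUS[CVE-2022-43410]` in `mercurial_6.6.3.bb` says only that this is "a different mercurial package" and never names the product the CVE applies to, so someone auditing cve-check output cannot verify the exclusion from the recipe alone. The commit message already has the fact; I would carry it into the recipe, e.g. `CVE_STATUS[CVE-2022-43410] = "cpe-incorrect: applies to the Jenkins Mercurial plugin, not to Mercurial SCM"`. The entry also silences a single CVE id, so other CVEs filed against the Jenkins plugin would presumably match this recipe again. A vendor-qualified `CVE_PRODUCT` (the `vendor:product` form) would resolve the name collision once, with the vendor string confirmed against the NVD CPE for Mercurial SCM.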
@@ -0,0 +1,19 @@
+From 1914cd0ccc784fb86eb411a2d3f0ff6365b37eb6 Mon Sep 17 00:00:00 2001
+From: Ninette Adhikari
+Date: Wed, 26 Jun 2024 07:20:05 -0700
+Subject: [PATCH 0/1] mercurial: Update CVE status for CVE-2022-43410
+
+The recipe used in the `meta-openembedded` is a different mercurial package compared to the one which has the CVE issue.
+Package used in `meta-embedded`: https://www.mercurial-scm.org/
+Package with CVE issue is a Jenkins plugin: https://plugins.jenkins.io/mercurial/
+(This is reflected in the CPE)
+
+Ninette Adhikari (1):
+ mercurial: Update CVE status for CVE-2022-43410
+
+ meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb | 1 +
+ 1 file changed, 1 insertion(+)
+
+--
+2.44.0
+
diff --git a/0001-mercurial-Update-CVE-status-for-CVE-2022-43410.patch b/0001-mercurial-Update-CVE-status-for-CVE-2022-43410.patch
new file mode 100644
index 00000000000..6d2030ba452
--- /dev/null
+++ b/0001-mercurial-Update-CVE-status-for-CVE-2022-43410.patch
@@ -0,0 +1,27 @@
+From 1914cd0ccc784fb86eb411a2d3f0ff6365b37eb6 Mon Sep 17 00:00:00 2001
+From: Ninette Adhikari
+Date: Wed, 26 Jun 2024 07:18:28 -0700
+Subject: [PATCH 1/1] mercurial: Update CVE status for CVE-2022-43410
+
+The recipe used in the `meta-openembedded` is a different mercurial package compared to the one which has the CVE issue.
+Package used in `meta-embedded`: https://www.mercurial-scm.org/
+Package with CVE issue is a Jenkins plugin: https://plugins.jenkins.io/mercurial/
+(This is reflected in the CPE)
+
+Signed-off-by: Ninette Adhikari
+---
+ meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb b/meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb
+index 89e6744dc..395a33079 100644
+--- a/meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb
++++ b/meta-oe/recipes-devtools/mercurial/mercurial_6.6.3.bb
+@@ -34,3 +34,4 @@ PACKAGES =+ "${PN}-python"
+ FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR} ${datadir}"
+ FILES:${PN}-python = "${nonarch_libdir}/${PYTHON_DIR}"
+
++CVE_STATUS[CVE-2022-43410] = "cpe-incorrect: The recipe used in the `meta-openembedded` is a different mercurial package compared to the one which has the CVE issue."
+--
+2.44.0
+
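Review bot: `0001-mercurial-Update-CVE-status-for-CVE-2022-43410.patch` and `0000-cover-letter.patch` look like `git format-patch` output committed at the repository root. The first repeats the recipe change from patch 1/2 verbatim, and nothing visible here references either file from a recipe. Commit 2/2 should be dropped from the series so that only the one-line recipe change is merged. Unreferenced patch files in the tree also make it harder to audit which patches a recipe actually applies.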