Diffstat (limited to 'poky/meta/recipes-core')
-rw-r--r-- | poky/meta/recipes-core/glibc/glibc-version.inc | 1 | ||||
-rw-r--r-- | poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb | 2 | ||||
-rw-r--r-- | poky/meta/recipes-core/images/core-image-ptest.bb | 2 | ||||
-rw-r--r-- | poky/meta/recipes-core/libxml/libxml2_2.11.7.bb (renamed from poky/meta/recipes-core/libxml/libxml2_2.11.5.bb) | 2 | ||||
-rw-r--r-- | poky/meta/recipes-core/meta/cve-update-nvd2-native.bb | 35 |
5 files changed, 30 insertions, 12 deletions
diff --git a/poky/meta/recipes-core/glibc/glibc-version.inc b/poky/meta/recipes-core/glibc/glibc-version.inc
index 212f960cb5..ee89762ae6 100644
--- a/poky/meta/recipes-core/glibc/glibc-version.inc
+++ b/poky/meta/recipes-core/glibc/glibc-version.inc
@@ -11,7 +11,6 @@ CVE_STATUS[CVE-2023-4527] = "fixed-version: Fixed in stable branch updates"
 CVE_STATUS[CVE-2023-4911] = "fixed-version: Fixed in stable branch updates"
 CVE_STATUS[CVE-2023-4806] = "fixed-version: Fixed in stable branch updates"
 CVE_STATUS[CVE-2023-5156] = "fixed-version: Fixed in stable branch updates"
-CVE_STATUS[CVE-2023-4527] = "fixed-version: Fixed in stable branch updates"
 CVE_STATUS[CVE-2023-0687] = "fixed-version: Fixed in stable branch updates"
 CVE_STATUS[CVE-2023-6246] = "fixed-version: Fixed in stable branch updates"
 CVE_STATUS[CVE-2023-6779] = "fixed-version: Fixed in stable branch updates"
diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index d63079bb34..07764a1826 100644
--- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check
 REQUIRED_DISTRO_FEATURES += "xattr"
-SRCREV ?= "17635c5e4d2460a762152f550ac98d66b9090904"
+SRCREV ?= "8730750b335c2eb9c3af673262dd83f4a861e075"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=nanbield \
 file://Yocto_Build_Appliance.vmx \
 file://Yocto_Build_Appliance.vmxf \
diff --git a/poky/meta/recipes-core/images/core-image-ptest.bb b/poky/meta/recipes-core/images/core-image-ptest.bb
index b6f5c2fd60..f2d0ae94b8 100644
--- a/poky/meta/recipes-core/images/core-image-ptest.bb
+++ b/poky/meta/recipes-core/images/core-image-ptest.bb
@@ -21,7 +21,7 @@ BBCLASSEXTEND = "${@' '.join(['mcextend:'+x for x in d.getVar('PTESTS').split()]
 IMAGE_OVERHEAD_FACTOR = "1.0"
 IMAGE_ROOTFS_EXTRA_SPACE = "324288"
 IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-mdadm = "1524288"
-IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-strace = "1024288"
+IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-strace = "1524288"
 IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-lttng-tools = "1524288"
 # tar-ptest in particular needs more space
diff --git a/poky/meta/recipes-core/libxml/libxml2_2.11.5.bb b/poky/meta/recipes-core/libxml/libxml2_2.11.7.bb
index fc82912df2..482ce9042d 100644
--- a/poky/meta/recipes-core/libxml/libxml2_2.11.5.bb
+++ b/poky/meta/recipes-core/libxml/libxml2_2.11.7.bb
@@ -18,7 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
 file://install-tests.patch \
 "
-SRC_URI[archive.sha256sum] = "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
+SRC_URI[archive.sha256sum] = "fb27720e25eaf457f94fd3d7189bcf2626c6dccf4201553bc8874d50e3560162"
 SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
 # Disputed as a security issue, but fixed in d39f780
diff --git a/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb b/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb
index bfe48b27e7..1901641965 100644
--- a/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -26,13 +26,17 @@ NVDCVE_API_KEY ?= ""
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
-# Number of attmepts for each http query to nvd server before giving up
+# CVE database incremental update age threshold, in seconds. If the database is
+# older than this threshold, do a full re-download, else, do an incremental
+# update. By default: the maximum allowed value from NVD: 120 days (120*24*60*60)
+# Use 0 to force a full download.
+CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000"
+
+# Number of attempts for each http query to nvd server before giving up
 CVE_DB_UPDATE_ATTEMPTS ?= "5"
 CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
-
 python () {
 if not bb.data.inherits_class("cve-check", d):
 raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
@@ -119,7 +123,8 @@ def nvd_request_wait(attempt, min_wait):
 def nvd_request_next(url, attempts, api_key, args, min_wait):
 """
- Request next part of the NVD dabase
+ Request next part of the NVD database
+ NVD API documentation: https://nvd.nist.gov/developers/vulnerabilities
 """
 import urllib.request
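Review bot: The new comment block above `CVE_DB_INCR_UPDATE_AGE_THRES` documents 0 as the "force a full download" value but does not say what happens when the threshold is raised above the 120-day default, which the same comment identifies as the NVD maximum; the later update_db_file hunk only reports such a configuration with bb.error at run time. I would add one line to the comment, `# Values above 120 days are not supported by the NVD incremental API and are reported as an error by update_db_file.`, so a user tuning this variable does not have to read the task code to learn the bound. The removal of the `CVE_CHECK_DB_FILE` default is not explained in this hunk; the anonymous python function below requires the cve-check class, so presumably that class now provides the definition — worth confirming, since the temp-file path two lines above still depends on the same `CVE_CHECK_DB_DIR`.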
@@ -172,18 +177,24 @@ def update_db_file(db_tmp_file, d, database_time):
 req_args = {'startIndex' : 0}
- # The maximum range for time is 120 days
- # Force a complete update if our range is longer
- if (database_time != 0):
+ incr_update_threshold = int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES"))
+ if database_time != 0:
 database_date = datetime.datetime.fromtimestamp(database_time, tz=datetime.timezone.utc)
 today_date = datetime.datetime.now(tz=datetime.timezone.utc)
 delta = today_date - database_date
- if delta.days < 120:
+ if incr_update_threshold == 0:
+ bb.note("CVE database: forced full update")
+ elif delta < datetime.timedelta(seconds=incr_update_threshold):
 bb.note("CVE database: performing partial update")
+ # The maximum range for time is 120 days
+ if delta > datetime.timedelta(days=120):
+ bb.error("CVE database: Trying to do an incremental update on a larger than supported range")
 req_args['lastModStartDate'] = database_date.isoformat()
 req_args['lastModEndDate'] = today_date.isoformat()
 else:
 bb.note("CVE database: file too old, forcing a full update")
+ else:
+ bb.note("CVE database: no preexisting database, do a full download")
 with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
@@ -313,6 +324,10 @@ def update_db(conn, elt):
 vectorString = None
 cveId = elt['cve']['id']
 if elt['cve']['vulnStatus'] == "Rejected":
+ c = conn.cursor()
+ c.execute("delete from PRODUCTS where ID = ?;", [cveId])
+ c.execute("delete from NVD where ID = ?;", [cveId])
+ c.close()
 return
 cveDesc = ""
 for desc in elt['cve']['descriptions']:
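Review bot: In the update_db_file hunk the over-120-day check only logs with bb.error and then still sets `lastModStartDate`/`lastModEndDate`, so an incremental request with a window the new comment itself calls larger than supported is sent anyway; bb.error does not stop execution at that point, and whether it fails the task later is not visible here. Since a threshold above the NVD maximum can only come from local configuration, the safer behaviour is to take the full-download path instead of issuing the request, which is what the removed comment "Force a complete update if our range is longer" used to describe. The rewrite below keeps the threshold check and turns the range check into the fallback; the note message for the threshold branch is constructed. Note also that `int(d.getVar(...))` raises on an empty or non-numeric override, which is acceptable for a build-time setting but could be reported with a clearer message. The rest of update_db_file continues outside the hunk.
```python
        elif delta < datetime.timedelta(seconds=incr_update_threshold):
            # The NVD API serves lastModStartDate/lastModEndDate windows of at most
            # 120 days; a wider threshold cannot be served incrementally, so fall
            # back to a full download rather than sending a request NVD will refuse.
            if delta > datetime.timedelta(days=120):
                bb.warn("CVE database: CVE_DB_INCR_UPDATE_AGE_THRES exceeds the 120 day NVD limit, forcing a full update")
            else:
                bb.note("CVE database: performing partial update")
                req_args['lastModStartDate'] = database_date.isoformat()
                req_args['lastModEndDate'] = today_date.isoformat()
        # … unchanged: "file too old" and "no preexisting database" branches …
```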
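Review bot: In the update_db hunk the new Rejected branch opens an explicit cursor, runs two statements whose SQL ends in `;`, and closes the cursor by hand, while the rest of update_db — including the PRODUCTS delete added in the following hunk — uses the `conn.execute(...).close()` form without a trailing semicolon. Keeping one form makes the function easier to scan: `conn.execute("delete from PRODUCTS where ID = ?", [cveId]).close()` and `conn.execute("delete from NVD where ID = ?", [cveId]).close()`. Both statements are parameterised, which is the right way to pass the CVE id from the downloaded feed into SQL; whether the deletion is committed depends on the caller, which is outside this hunk, so a one-line comment such as `# Drop any earlier record of this CVE so a rejection is not reported by cve-check` would also document why a Rejected entry is removed rather than skipped.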
@@ -346,6 +361,10 @@ def update_db(conn, elt):
 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector, vectorString]).close()
 try:
+ # Remove any pre-existing CVE configuration. Even for partial database
+ # update, those will be repopulated. This ensures that old
+ # configuration is not kept for an updated CVE.
+ conn.execute("delete from PRODUCTS where ID = ?", [cveId]).close()
 for config in elt['cve']['configurations']:
 # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
 for node in config["nodes"]: