Diffstat (limited to 'poky/meta/recipes-kernel/linux/generate-cve-exclusions.py')
-rwxr-xr-xpoky/meta/recipes-kernel/linux/generate-cve-exclusions.py31
1 files changed, 20 insertions, 11 deletions
diff --git a/poky/meta/recipes-kernel/linux/generate-cve-exclusions.py b/poky/meta/recipes-kernel/linux/generate-cve-exclusions.py
index 4d96f19fe7..aa9195aab4 100755
--- a/poky/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/poky/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -42,9 +42,18 @@ def main(argp=None):
with open(datadir / "data" / "stream_fixes.json", "r") as f:
stream_data = json.load(f)
- print("# Auto-generated CVE metadata, DO NOT EDIT BY HAND.")
- print(f"# Generated at {datetime.datetime.now()} for version {version}")
- print()
+ print(f"""
+# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
+# Generated at {datetime.datetime.now(datetime.timezone.utc)} for version {version}
+
+python check_kernel_cve_status_version() {{
+ this_version = "{version}"
+ kernel_version = d.getVar("LINUX_VERSION")
+ if kernel_version != this_version:
+ bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
+}}
+do_cve_check[prefuncs] += "check_kernel_cve_status_version"
+""")
for cve, data in cve_data.items():
if "affected_versions" not in data:
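Review bot: The generated `check_kernel_cve_status_version` treats every mismatch between `LINUX_VERSION` and `this_version` as the same warning, but the two directions carry different risk. If the kernel being built is older than the version the file was generated for, the `fixed-version` entries emitted further down can mark CVEs as fixed that the built kernel still contains, so cve-check would under-report; a newer kernel only leaves the list incomplete. Consider making the older-kernel case louder, for example `if bb.utils.vercmp_string(kernel_version, this_version) < 0: bb.error(...)`, and handle `kernel_version is None`, since `d.getVar` returns None when the variable is unset. The f-string also opens with a newline, so the generated file now starts with a blank line before the "DO NOT EDIT" header. main() begins and continues outside this hunk.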
@@ -53,24 +62,24 @@ def main(argp=None):
continue
affected = data["affected_versions"]
- first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
+ first_affected, fixed = re.search(r"(.+) to (.+)", affected).groups()
first_affected = parse_version(first_affected)
- last_affected = parse_version(last_affected)
+ fixed = parse_version(fixed)
- if not last_affected:
+ if not fixed:
print(f"# {cve} has no known resolution")
elif first_affected and version < first_affected:
print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
- elif last_affected < version:
+ elif fixed <= version:
print(
- f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version {last_affected}"'
+ f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"'
)
else:
if cve in stream_data:
backport_data = stream_data[cve]
if base_version in backport_data:
backport_ver = Version(backport_data[base_version]["fixed_version"])
- if backport_ver < version:
+ if backport_ver <= version:
print(
f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
)
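Review bot: The `re.search(r"(.+) to (.+)", affected).groups()` line still dereferences the match unconditionally, so one `affected_versions` string that lacks " to " aborts the whole run with an AttributeError. Binding the match first, `m = re.search(r"(.+) to (.+)", affected)`, and emitting `print(f"# {cve} has unparseable affected_versions: {affected}")` before `continue` when it is None, would keep the CVE visible in the output instead of crashing or silently dropping it. Separately, the new `fixed <= version` and `backport_ver <= version` comparisons are only correct if the second field in the upstream data is the first fixed release rather than the last affected one. A short comment stating that assumption next to the rename would help, because a wrong reading marks a still-vulnerable kernel as fixed. The loop body starts before this hunk and continues after it.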
@@ -78,9 +87,9 @@ def main(argp=None):
# TODO print a note that the kernel needs bumping
print(f"# {cve} needs backporting (fixed from {backport_ver})")
else:
- print(f"# {cve} needs backporting (fixed from {last_affected})")
+ print(f"# {cve} needs backporting (fixed from {fixed})")
else:
- print(f"# {cve} needs backporting (fixed from {last_affected})")
+ print(f"# {cve} needs backporting (fixed from {fixed})")
print()