linux-yocto: update CVE exclusions

Update the CVE exclusions to match the kernel version, and add an exclusion file for 5.10. (From OE-Core rev: 33ae699eaa91900ae64e6ab46f6c2bca75eb3184) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-04-18 21:32:12 +02:00 · 2023-09-23 10:43:32 +01:00
parent 7435f15930
commit a1b812eefa
3 changed files with 7372 additions and 35 deletions
--- a/meta/recipes-kernel/linux/cve-exclusion_5.10.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_5.10.inc
--- a/meta/recipes-kernel/linux/cve-exclusion_5.15.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_5.15.inc
@@ -1,9 +1,9 @@

 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2023-08-25 17:27:32.846303 for version 5.15.120
+# Generated at 2023-09-23 10:40:51.641475 for version 5.15.124

 python check_kernel_cve_status_version() {
-    this_version = "5.15.120"
+    this_version = "5.15.124"
    kernel_version = d.getVar("LINUX_VERSION")
    if kernel_version != this_version:
        bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
@@ -4839,6 +4839,8 @@ CVE_CHECK_IGNORE += "CVE-2020-27194"
 # fixed-version: Fixed after version 5.6rc4
 CVE_CHECK_IGNORE += "CVE-2020-2732"

+# CVE-2020-27418 has no known resolution
+
 # fixed-version: Fixed after version 5.10rc1
 CVE_CHECK_IGNORE += "CVE-2020-27673"

@@ -6448,7 +6450,7 @@ CVE_CHECK_IGNORE += "CVE-2022-40768"
 # cpe-stable-backport: Backported in 5.15.66
 CVE_CHECK_IGNORE += "CVE-2022-4095"

-# CVE-2022-40982 has no known resolution
+# CVE-2022-40982 needs backporting (fixed from 5.15.125)

 # cpe-stable-backport: Backported in 5.15.87
 CVE_CHECK_IGNORE += "CVE-2022-41218"
@@ -6530,9 +6532,9 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
 # cpe-stable-backport: Backported in 5.15.75
 CVE_CHECK_IGNORE += "CVE-2022-43945"

-# CVE-2022-44032 has no known resolution
+# CVE-2022-44032 needs backporting (fixed from 6.4rc1)

-# CVE-2022-44033 has no known resolution
+# CVE-2022-44033 needs backporting (fixed from 6.4rc1)

 # CVE-2022-44034 has no known resolution

@@ -6545,13 +6547,16 @@ CVE_CHECK_IGNORE += "CVE-2022-45869"

 # CVE-2022-45885 has no known resolution

-# CVE-2022-45886 has no known resolution
+# cpe-stable-backport: Backported in 5.15.116
+CVE_CHECK_IGNORE += "CVE-2022-45886"

-# CVE-2022-45887 has no known resolution
+# cpe-stable-backport: Backported in 5.15.116
+CVE_CHECK_IGNORE += "CVE-2022-45887"

 # CVE-2022-45888 needs backporting (fixed from 6.2rc1)

-# CVE-2022-45919 has no known resolution
+# cpe-stable-backport: Backported in 5.15.116
+CVE_CHECK_IGNORE += "CVE-2022-45919"

 # cpe-stable-backport: Backported in 5.15.85
 CVE_CHECK_IGNORE += "CVE-2022-45934"
@@ -6612,7 +6617,8 @@ CVE_CHECK_IGNORE += "CVE-2022-48424"
 # cpe-stable-backport: Backported in 5.15.113
 CVE_CHECK_IGNORE += "CVE-2022-48425"

-# CVE-2022-48502 needs backporting (fixed from 5.15.121)
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2022-48502"

 # fixed-version: Fixed after version 5.0rc1
 CVE_CHECK_IGNORE += "CVE-2023-0030"
@@ -6626,7 +6632,8 @@ CVE_CHECK_IGNORE += "CVE-2023-0047"
 # fixed-version: only affects 6.0rc1 onwards
 CVE_CHECK_IGNORE += "CVE-2023-0122"

-# CVE-2023-0160 has no known resolution
+# cpe-stable-backport: Backported in 5.15.111
+CVE_CHECK_IGNORE += "CVE-2023-0160"

 # cpe-stable-backport: Backported in 5.15.89
 CVE_CHECK_IGNORE += "CVE-2023-0179"
@@ -6708,7 +6715,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1192"
 # fixed-version: only affects 5.16rc1 onwards
 CVE_CHECK_IGNORE += "CVE-2023-1195"

-# CVE-2023-1206 needs backporting (fixed from 5.15.124)
+# cpe-stable-backport: Backported in 5.15.124
+CVE_CHECK_IGNORE += "CVE-2023-1206"

 # cpe-stable-backport: Backported in 5.15.33
 CVE_CHECK_IGNORE += "CVE-2023-1249"
@@ -6789,11 +6797,12 @@ CVE_CHECK_IGNORE += "CVE-2023-2008"
 # cpe-stable-backport: Backported in 5.15.61
 CVE_CHECK_IGNORE += "CVE-2023-2019"

-# CVE-2023-20569 has no known resolution
+# CVE-2023-20569 needs backporting (fixed from 5.15.125)

-# CVE-2023-20588 has no known resolution
+# CVE-2023-20588 needs backporting (fixed from 5.15.126)

-# CVE-2023-20593 needs backporting (fixed from 5.15.122)
+# cpe-stable-backport: Backported in 5.15.122
+CVE_CHECK_IGNORE += "CVE-2023-20593"

 # cpe-stable-backport: Backported in 5.15.61
 CVE_CHECK_IGNORE += "CVE-2023-20928"
@@ -6817,7 +6826,8 @@ CVE_CHECK_IGNORE += "CVE-2023-2124"
 # fixed-version: only affects 5.16rc1 onwards
 CVE_CHECK_IGNORE += "CVE-2023-21255"

-# CVE-2023-21264 needs backporting (fixed from 6.4rc5)
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-21264"

 # CVE-2023-21400 has no known resolution

@@ -6912,6 +6922,8 @@ CVE_CHECK_IGNORE += "CVE-2023-25012"
 # cpe-stable-backport: Backported in 5.15.61
 CVE_CHECK_IGNORE += "CVE-2023-2513"

+# CVE-2023-25775 needs backporting (fixed from 6.6rc1)
+
 # fixed-version: only affects 6.3rc1 onwards
 CVE_CHECK_IGNORE += "CVE-2023-2598"

@@ -6958,7 +6970,8 @@ CVE_CHECK_IGNORE += "CVE-2023-28772"
 # fixed-version: only affects 5.17rc1 onwards
 CVE_CHECK_IGNORE += "CVE-2023-28866"

-# CVE-2023-2898 needs backporting (fixed from 5.15.121)
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2023-2898"

 # cpe-stable-backport: Backported in 5.15.99
 CVE_CHECK_IGNORE += "CVE-2023-2985"
@@ -6986,7 +6999,7 @@ CVE_CHECK_IGNORE += "CVE-2023-3106"

 # CVE-2023-31082 has no known resolution

-# CVE-2023-31083 has no known resolution
+# CVE-2023-31083 needs backporting (fixed from 6.6rc1)

 # CVE-2023-31084 needs backporting (fixed from 6.4rc3)

@@ -6998,7 +7011,8 @@ CVE_CHECK_IGNORE += "CVE-2023-3111"
 # cpe-stable-backport: Backported in 5.15.118
 CVE_CHECK_IGNORE += "CVE-2023-3117"

-# CVE-2023-31248 needs backporting (fixed from 5.15.121)
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2023-31248"

 # cpe-stable-backport: Backported in 5.15.113
 CVE_CHECK_IGNORE += "CVE-2023-3141"
@@ -7056,7 +7070,8 @@ CVE_CHECK_IGNORE += "CVE-2023-3317"
 # cpe-stable-backport: Backported in 5.15.105
 CVE_CHECK_IGNORE += "CVE-2023-33203"

-# CVE-2023-33250 has no known resolution
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-33250"

 # cpe-stable-backport: Backported in 5.15.105
 CVE_CHECK_IGNORE += "CVE-2023-33288"
@@ -7095,11 +7110,13 @@ CVE_CHECK_IGNORE += "CVE-2023-34255"
 # cpe-stable-backport: Backported in 5.15.112
 CVE_CHECK_IGNORE += "CVE-2023-34256"

-# CVE-2023-34319 has no known resolution
+# fixed-version: only affects 6.1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-34319"

 # CVE-2023-3439 needs backporting (fixed from 5.18rc5)

-# CVE-2023-35001 needs backporting (fixed from 5.15.121)
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2023-35001"

 # cpe-stable-backport: Backported in 5.15.93
 CVE_CHECK_IGNORE += "CVE-2023-3567"
@@ -7132,19 +7149,26 @@ CVE_CHECK_IGNORE += "CVE-2023-3609"
 # cpe-stable-backport: Backported in 5.15.119
 CVE_CHECK_IGNORE += "CVE-2023-3610"

-# CVE-2023-3611 needs backporting (fixed from 5.15.121)
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2023-3611"

 # CVE-2023-3640 has no known resolution

-# CVE-2023-37453 has no known resolution
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-37453"

 # CVE-2023-37454 has no known resolution

-# CVE-2023-3772 has no known resolution
+# CVE-2023-3772 needs backporting (fixed from 5.15.128)

-# CVE-2023-3773 has no known resolution
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-3773"

-# CVE-2023-3776 needs backporting (fixed from 5.15.121)
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2023-3776"
+
+# cpe-stable-backport: Backported in 5.15.123
+CVE_CHECK_IGNORE += "CVE-2023-3777"

 # cpe-stable-backport: Backported in 5.15.78
 CVE_CHECK_IGNORE += "CVE-2023-3812"
@@ -7167,27 +7191,84 @@ CVE_CHECK_IGNORE += "CVE-2023-38429"

 # CVE-2023-38431 needs backporting (fixed from 6.4rc6)

-# CVE-2023-38432 needs backporting (fixed from 5.15.121)
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2023-38432"

-# CVE-2023-3863 needs backporting (fixed from 5.15.121)
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2023-3863"

-# CVE-2023-4004 needs backporting (fixed from 5.15.123)
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2023-3865"
+
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2023-3866"
+
+# CVE-2023-3867 needs backporting (fixed from 6.5rc1)
+
+# cpe-stable-backport: Backported in 5.15.123
+CVE_CHECK_IGNORE += "CVE-2023-4004"

 # CVE-2023-4010 has no known resolution

-# CVE-2023-4128 needs backporting (fixed from 6.5rc5)
+# cpe-stable-backport: Backported in 5.15.124
+CVE_CHECK_IGNORE += "CVE-2023-4015"

-# CVE-2023-4132 needs backporting (fixed from 5.15.121)
+# CVE-2023-40283 needs backporting (fixed from 5.15.126)
+
+# CVE-2023-4128 needs backporting (fixed from 5.15.126)
+
+# cpe-stable-backport: Backported in 5.15.121
+CVE_CHECK_IGNORE += "CVE-2023-4132"

 # CVE-2023-4133 needs backporting (fixed from 6.3)

 # CVE-2023-4134 needs backporting (fixed from 6.5rc1)

-# CVE-2023-4147 needs backporting (fixed from 5.15.124)
+# cpe-stable-backport: Backported in 5.15.124
+CVE_CHECK_IGNORE += "CVE-2023-4147"

-# CVE-2023-4155 has no known resolution
+# CVE-2023-4155 needs backporting (fixed from 6.5rc6)

-# CVE-2023-4194 needs backporting (fixed from 6.5rc5)
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-4194"

-# CVE-2023-4273 needs backporting (fixed from 6.5rc5)
+# CVE-2023-4206 needs backporting (fixed from 5.15.126)
+
+# CVE-2023-4207 needs backporting (fixed from 5.15.126)
+
+# CVE-2023-4208 needs backporting (fixed from 5.15.126)
+
+# CVE-2023-4244 needs backporting (fixed from 6.5rc7)
+
+# CVE-2023-4273 needs backporting (fixed from 5.15.128)
+
+# cpe-stable-backport: Backported in 5.15.46
+CVE_CHECK_IGNORE += "CVE-2023-4385"
+
+# cpe-stable-backport: Backported in 5.15.42
+CVE_CHECK_IGNORE += "CVE-2023-4387"
+
+# cpe-stable-backport: Backported in 5.15.35
+CVE_CHECK_IGNORE += "CVE-2023-4389"
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-4394"
+
+# cpe-stable-backport: Backported in 5.15.42
+CVE_CHECK_IGNORE += "CVE-2023-4459"
+
+# CVE-2023-4563 needs backporting (fixed from 6.5rc6)
+
+# CVE-2023-4569 needs backporting (fixed from 5.15.128)
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-4611"
+
+# CVE-2023-4622 needs backporting (fixed from 6.5rc1)
+
+# CVE-2023-4623 needs backporting (fixed from 6.6rc1)
+
+# CVE-2023-4881 needs backporting (fixed from 6.6rc1)
+
+# CVE-2023-4921 needs backporting (fixed from 6.6rc1)

--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -1,6 +1,7 @@
 KBRANCH ?= "v5.10/standard/base"

 require recipes-kernel/linux/linux-yocto.inc
+include cve-exclusion_5.10.inc

 # board specific branches
 KBRANCH:qemuarm  ?= "v5.10/standard/arm-versatile-926ejs"