[meta-oe,kirkstone,1/1] openvpn: ignore CVE-2023-7235

Message ID 20240307092113.3674886-1-soumya.sambu@windriver.com
State New

Commit Message

Sambu, Soumya March 7, 2024, 9:21 a.m. UTC
From: Soumya Sambu <soumya.sambu@windriver.com>

This CVE is related to OpenVPN 2.x GUI on Windows.

References:
https://community.openvpn.net/openvpn/wiki/CVE-2023-7235
https://security-tracker.debian.org/tracker/CVE-2023-7235

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb | 3 +++
 1 file changed, 3 insertions(+)

Comments

Yoann Congal March 7, 2024, 1:49 p.m. UTC | #1
Hi,

On Thu, Mar 7, 2024 at 10:21, Soumya via lists.openembedded.org
<soumya.sambu=windriver.com@lists.openembedded.org> wrote:

> From: Soumya Sambu <soumya.sambu@windriver.com>
>
> This CVE is related to OpenVPN 2.x GUI on Windows.
>
> References:
> https://community.openvpn.net/openvpn/wiki/CVE-2023-7235
> https://security-tracker.debian.org/tracker/CVE-2023-7235
>
> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> ---
>  meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
> b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
> index 218e72b7a..828cd5033 100644
> --- a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
> +++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
> @@ -19,6 +19,9 @@ SRC_URI[sha256sum] =
> "333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c532
>  # CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not
> for openvpn.
>  CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"
>
> +# CVE-2023-7235 is specific to Windows platform
> +CVE_CHECK_IGNORE += "CVE-2023-7235"
>

That's weird, this CVE does not appear as applicable either locally for me
or on the AB:
https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-kirkstone.txt
Did you do something specific to see this CVE?


> +
>  SYSTEMD_SERVICE:${PN} += "openvpn@loopback-server.service
> openvpn@loopback-client.service"
>  SYSTEMD_AUTO_ENABLE = "disable"
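Review bot: the comment on the added line, "# CVE-2023-7235 is specific to Windows platform", is less precise than the commit message, which ties the CVE to the OpenVPN 2.x GUI on Windows. The existing comment two lines above names the affected product (Aviatrix OpenVPN client); suggest doing the same here, for example "# CVE-2023-7235 is for the OpenVPN 2.x GUI on Windows, not for this recipe", so the reason for the ignore stays with the recipe.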
>
> --
> 2.40.0
>
>
ChenQi March 20, 2024, 2:16 a.m. UTC | #2
Hi Yoann,

This is because OE's cve-checker uses the configuration field to check.
If a CVE lacks such a field, it's not on the list.
https://nvd.nist.gov/vuln/detail/CVE-2023-7235

Regards,
Qi

On 3/7/24 21:49, Yoann Congal wrote:
> Hi,
>
> On Thu, Mar 7, 2024 at 10:21, Soumya via lists.openembedded.org
> <soumya.sambu=windriver.com@lists.openembedded.org> wrote:
>
>     From: Soumya Sambu <soumya.sambu@windriver.com>
>
>     This CVE is related to OpenVPN 2.x GUI on Windows.
>
>     References:
>     https://community.openvpn.net/openvpn/wiki/CVE-2023-7235
>     https://security-tracker.debian.org/tracker/CVE-2023-7235
>
>     Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
>     ---
>      meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
>     | 3 +++
>      1 file changed, 3 insertions(+)
>
>     diff --git
>     a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
>     b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
>     index 218e72b7a..828cd5033 100644
>     --- a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
>     +++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
>     @@ -19,6 +19,9 @@ SRC_URI[sha256sum] =
>     "333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c532
>      # CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN
>     client, not for openvpn.
>      CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"
>
>     +# CVE-2023-7235 is specific to Windows platform
>     +CVE_CHECK_IGNORE += "CVE-2023-7235"
>
>
> That's weird, this CVE does not appear as applicable either locally
> for me or on the AB:
> https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-kirkstone.txt
> Did you do something specific to see this CVE?
>
>     +
>      SYSTEMD_SERVICE:${PN} += "openvpn@loopback-server.service
>     openvpn@loopback-client.service"
>      SYSTEMD_AUTO_ENABLE = "disable"
>
>     -- 
>     2.40.0
>
>
>
>
>
>
> -- 
> Yoann Congal
> Smile ECS - Tech expert
>
>
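
A simplified model of the behaviour described in comment #2, added here as an example; it is not OE's cve-check code and not part of the thread. It shows why an ignore entry has no visible effect while a CVE record has no configuration, and starts to matter once one is added. The record layout, field names and CVE ids are constructed placeholders.

```python
# Simplified model of configuration-based CVE matching (not cve-check.bbclass).
# All records below are constructed sample data, not real NVD entries.

def parse_version(text):
    """Turn '2.5.6' into (2, 5, 6) for ordered comparison."""
    return tuple(int(part) for part in text.split("."))

def matches(config, product, version):
    """True if one configuration entry covers product at version."""
    if config["product"] != product:
        return False
    end = config.get("version_end_excluding")
    return end is None or parse_version(version) < parse_version(end)

def cve_status(records, product, version, ignore):
    """Return {cve_id: 'Unpatched' | 'Ignored'} for the CVEs that match.

    A record whose 'configurations' list is empty can never match, so it is
    absent from the result whether or not it is on the ignore list.
    """
    report = {}
    for record in records:
        if any(matches(c, product, version) for c in record["configurations"]):
            report[record["id"]] = "Ignored" if record["id"] in ignore else "Unpatched"
    return report

# Constructed records: placeholder ids, hypothetical field names.
RECORDS = [
    {"id": "CVE-EXAMPLE-0001",
     "configurations": [{"product": "openvpn", "version_end_excluding": "2.6.0"}]},
    {"id": "CVE-EXAMPLE-0002", "configurations": []},  # no configuration yet
]

def demo():
    ignore = {"CVE-EXAMPLE-0002"}
    before = cve_status(RECORDS, "openvpn", "2.5.6", ignore)
    # Hypothetical later state: the second record gains a configuration.
    updated = [dict(r) for r in RECORDS]
    updated[1]["configurations"] = [{"product": "openvpn"}]
    after = cve_status(updated, "openvpn", "2.5.6", ignore)
    return before, after

if __name__ == "__main__":
    print(demo())
```
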
Patch

diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
index 218e72b7a..828cd5033 100644
--- a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
@@ -19,6 +19,9 @@  SRC_URI[sha256sum] = "333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c532
 # CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
 CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"
 
+# CVE-2023-7235 is specific to Windows platform
+CVE_CHECK_IGNORE += "CVE-2023-7235"
+
 SYSTEMD_SERVICE:${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service"
 SYSTEMD_AUTO_ENABLE = "disable"
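
Review bot: the commit message does not say why the ignore is needed, and the thread shows the CVE is not listed in the cve-status-kirkstone.txt report. Suggest the commit message record how the CVE was observed, or state that the CVE_CHECK_IGNORE entry is added ahead of the CVE being reported, so a later reader can tell whether the line still has any effect.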