diff --git a/0000-cover-letter.patch b/0000-cover-letter.patch
new file mode 100644
index 00000000000..4cf246d2fb0
--- /dev/null
+++ b/0000-cover-letter.patch
@@ -0,0 +1,17 @@
+From 2971f8b570529dbac05d8300cd4c0ca82d16fa6e Mon Sep 17 00:00:00 2001
+From: Ninette Adhikari
+Date: Wed, 3 Jul 2024 09:27:31 -0700
+Subject: [PATCH 0/1] apache2:apache2-native: CVE status update for
+ CVE-1999-0289
+
+CVE only applies for Windows
+
+Ninette Adhikari (1):
+ apache2:apache2-native: CVE status update for CVE-1999-0289
+
+ meta-webserver/recipes-httpd/apache2/apache2_2.4.59.bb | 1 +
+ 1 file changed, 1 insertion(+)
+
+--
+2.44.0
+
diff --git a/0001-apache2-apache2-native-CVE-status-update-for-CVE-199.patch b/0001-apache2-apache2-native-CVE-status-update-for-CVE-199.patch
new file mode 100644
index 00000000000..66ff75a0f4f
--- /dev/null
+++ b/0001-apache2-apache2-native-CVE-status-update-for-CVE-199.patch
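Review bot: The four new top-level files (0000-cover-letter.patch here, plus the 0001-, v2-0001- and v3-0001- patches in the later sections) look like leftover `git format-patch` output rather than something the repository should carry, and I would drop them from the commit. They repeat the recipe change as e-mail text, and the 0001 patch targets apache2_2.4.59.bb rather than the apache2_2.4.60.bb recipe this commit edits, so a later reader could apply or cite the wrong CVE_STATUS wording. If they are kept on purpose, the commit message should say why.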
@@ -0,0 +1,28 @@
+From 2971f8b570529dbac05d8300cd4c0ca82d16fa6e Mon Sep 17 00:00:00 2001
+From: Ninette Adhikari
+Date: Wed, 3 Jul 2024 09:25:47 -0700
+Subject: [PATCH 1/1] apache2:apache2-native: CVE status update for
+ CVE-1999-0289
+
+CVE only applies for Windows
+
+Signed-off-by: Ninette Adhikari
+---
+ meta-webserver/recipes-httpd/apache2/apache2_2.4.59.bb | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.59.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.59.bb
+index 6dfecef8d..7b0ed338b 100644
+--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.59.bb
++++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.59.bb
+@@ -41,6 +41,7 @@ CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version (2.4.59) is not
+ CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"
+ CVE_STATUS[CVE-2007-6423] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2.x to 2.2.7-dev"
+ CVE_STATUS[CVE-2008-2168] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions up to 2.2.6 (excl.)"
++CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: CVE only applies for Windows"
+
+ SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice"
+
+--
+2.44.0
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb
index 48bb773dd49..ab19ff1dc33 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb
@@ -37,10 +37,13 @@ DEPENDS = "openssl expat pcre apr apr-util apache2-native "
 CVE_PRODUCT = "apache:http_server"
+CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows"
+CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows."
 CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"
 CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"
 CVE_STATUS[CVE-2007-6423] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2.x to 2.2.7-dev"
 CVE_STATUS[CVE-2008-2168] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions up to 2.2.6 (excl.)"
+CVE_STATUS[CVE-2010-0425] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows."
 SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice"
diff --git a/v2-0001-apache2-apache2-native-Update-CVE-status.patch b/v2-0001-apache2-apache2-native-Update-CVE-status.patch
new file mode 100644
index 00000000000..db5e8a28c88
--- /dev/null
+++ b/v2-0001-apache2-apache2-native-Update-CVE-status.patch
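Review bot: The three added `not-applicable-platform` entries give the version as `(2.4.6)`, but this recipe is apache2_2.4.60.bb, and a platform exemption does not depend on the version at all, so the string would read better as `CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: Issue only applies on Windows"` (likewise for CVE-2007-0450 and CVE-2010-0425). Because a CVE_STATUS entry takes the CVE out of the open findings in cve-check reports, each exemption should be traceable, and the patch cites no source for the Windows-only claim. CVE-2007-0450 in particular is worth confirming against its advisory, since as far as I recall its description concerns proxy-module path handling rather than a Windows-only code path. The first entry also lacks the trailing period that the other two have.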
@@ -0,0 +1,31 @@
+From 5cfc3a15f22ed057253602e4dc9cf2982bc04090 Mon Sep 17 00:00:00 2001
+From: Ninette Adhikari
+Date: Wed, 3 Jul 2024 11:37:33 -0700
+Subject: [PATCH v2] apache2:apache2-native: Update CVE status
+
+Update CVE status for: CVE-1999-0289, CVE-2007-0450, CVE-2010-0425
+
+The current version (2.4.6) is not affected. It only applies for Windows.
+
+Signed-off-by: Ninette Adhikari
+---
+ meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb
+index 48bb773dd..265313b3f 100644
+--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb
++++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb
+@@ -41,6 +41,9 @@ CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version (2.4.59) is not
+ CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"
+ CVE_STATUS[CVE-2007-6423] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2.x to 2.2.7-dev"
+ CVE_STATUS[CVE-2008-2168] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions up to 2.2.6 (excl.)"
++CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows"
++CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows."
++CVE_STATUS[CVE-2010-0425] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows."
+
+ SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice"
+
+--
+2.44.0
+
diff --git a/v3-0001-apache2-apache2-native-sort-CVE-status.patch b/v3-0001-apache2-apache2-native-sort-CVE-status.patch
new file mode 100644
index 00000000000..144f722bc39
--- /dev/null
+++ b/v3-0001-apache2-apache2-native-sort-CVE-status.patch 
@@ -0,0 +1,35 @@
+From 334c70f1c8009785a6a769fc132bac05ea477f9e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alba=20Herrer=C3=ADas?=
+Date: Thu, 4 Jul 2024 10:53:04 +0100
+Subject: [PATCH v3] apache2:apache2-native: sort CVE status
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Alba HerrerĂ­as
+---
+ meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb
+index 265313b3f..ab19ff1dc 100644
+--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb
++++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.60.bb
+@@ -37,12 +37,12 @@ DEPENDS = "openssl expat pcre apr apr-util apache2-native "
+
+ CVE_PRODUCT = "apache:http_server"
+
++CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows"
++CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows."
+ CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"
+ CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"
+ CVE_STATUS[CVE-2007-6423] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions from 2.2.x to 2.2.7-dev"
+ CVE_STATUS[CVE-2008-2168] = "cpe-incorrect: The current version (2.4.59) is not affected by the CVE which affects versions up to 2.2.6 (excl.)"
+-CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows"
+-CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows."
+ CVE_STATUS[CVE-2010-0425] = "not-applicable-platform: The current version (2.4.6) is not affected. It only applies for Windows."
+
+ SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice"
+--
+2.40.1
+