git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commitdiff
linux/cve-exclusion: correct fixed-version calculation
author Peter Marko <peter.marko@siemens.com>
Sun, 27 Apr 2025 09:43:00 +0000 (11:43 +0200)
committer Steve Sakoman <steve@sakoman.com>
Tue, 1 Jul 2025 13:53:30 +0000 (06:53 -0700)
Current code takes the first version found as "fixed-version".
That is not correct as it is almost always only the oldest backport.
Fix it by unconditionally shifting the assignment of variable "fixed" so
that we take last instead of first version.

Cc: daniel.turull@ericsson.com
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 68f8e58a249c8adef18e63f0841e8bfea16f354e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-kernel/linux/generate-cve-exclusions.py

index 82fb4264e35092e0dbfd1c968096abe28a4e1bec..5c85c0db8847bde21371da5966a16630a10d6e05 100755 (executable)
@@ -67,10 +67,9 @@ def get_fixed_versions(cve_info, base_version):
 
                 if not first_affected:
                     first_affected = v
-                    fixed = less_than
+                fixed = less_than
                 if base_version < v and v < next_version:
                     first_affected = v
-                    fixed = less_than
                     fixed_backport = less_than
 
     return first_affected, fixed, fixed_backport
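Review bot: the dedented `fixed = less_than` now runs on every pass, so the value returned as `fixed` is simply whichever entry is visited last, and nothing in the hunk checks or documents that the entries arrive ordered from oldest to newest. If the input order ever differs, `fixed` would silently become an older backport again, which for a CVE exclusion list means a kernel could be reported as fixed when it is not. Consider either a comment above the assignment stating the ordering assumption, or only overwriting `fixed` when `less_than` compares greater than the value already held. Note also that `first_affected` and `fixed_backport` are still assigned only inside their conditions, so the three return values now follow different selection rules; a short docstring on `get_fixed_versions` saying which is "first", "last" and "within the base series" would make that intentional difference clear.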