Message ID | 20210421204235.5956-1-matthew.weber@rockwellcollins.com |
---|---|
Headers | show |
Series | Misc CVE ignores | expand |
Matt, All, On 2021-04-21 15:42 -0500, Matt Weber spake thusly: > * I'm working on upstream NVD fixes for some of these. > > * There are roughly half of the ignore cases that are a bit of a > challenge to identify where the fix was clearly tracked into > a specific version. I tried to document in each commit as much > as a could by linking to conversations clarifying the details. > > Matt Weber (10): > package/bind: ignore CVE-2017-3139 > package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223 > package/bind: ignore CVE-2019-6470 > package/cmake: ignore CVE-2016-10642 > package/flex: ignore CVE-2019-6293 For this one, I've switched to using the actual upstream URL, rather that of a downstream consumer: https://github.com/westes/flex/issues/414 > package/hostapd: ignore CVE-2021-30004 when using openssl > package/wpa_supplicant: ignore CVE-2021-30004 when using openssl > package/ncurses: ignore CVE-2018-10754, CVE-2018-19211, > CVE-2018-19217, CVE-2019-17594, CVE-2019-17595 > package/rsyslog: ignore CVE-2015-3243 > package/tar: ignore CVE-2007-4476 Series applied to master, thanks. Regards, Yann E. MORIN. > package/bind/bind.mk | 4 ++++ > package/cmake/cmake.mk | 2 ++ > package/coreutils/coreutils.mk | 4 ++++ > package/flex/flex.mk | 3 +++ > package/hostapd/hostapd.mk | 2 ++ > package/ncurses/ncurses.mk | 6 ++++++ > package/rsyslog/rsyslog.mk | 4 ++++ > package/tar/tar.mk | 2 ++ > package/wpa_supplicant/wpa_supplicant.mk | 2 ++ > 9 files changed, 29 insertions(+) > > -- > 2.17.1 > > _______________________________________________ > buildroot mailing list > buildroot@busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes: > Matt, All, > On 2021-04-21 15:42 -0500, Matt Weber spake thusly: >> * I'm working on upstream NVD fixes for some of these. >> >> * There are roughly half of the ignore cases that are a bit of a >> challenge to identify where the fix was clearly tracked into >> a specific version. I tried to document in each commit as much >> as a could by linking to conversations clarifying the details. >> >> Matt Weber (10): >> package/bind: ignore CVE-2017-3139 >> package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223 >> package/bind: ignore CVE-2019-6470 >> package/cmake: ignore CVE-2016-10642 >> package/flex: ignore CVE-2019-6293 > For this one, I've switched to using the actual upstream URL, rather > that of a downstream consumer: > https://github.com/westes/flex/issues/414 >> package/hostapd: ignore CVE-2021-30004 when using openssl >> package/wpa_supplicant: ignore CVE-2021-30004 when using openssl >> package/ncurses: ignore CVE-2018-10754, CVE-2018-19211, >> CVE-2018-19217, CVE-2019-17594, CVE-2019-17595 >> package/rsyslog: ignore CVE-2015-3243 >> package/tar: ignore CVE-2007-4476 > Series applied to master, thanks. I am not so happy with the hostapd/wpa_supplicant/rsyslog ignores, but I have applied the series to 2021.02.x anyway and will send followup patches to master (and 2021.02.x) to improve those packages later.