Message ID | 20220731114235.93784-1-bernd.kuhls@t-online.de
---|---
State | Handled Elsewhere
Series | [1/1] package/php: ignore various CVEs
Hi Bernd,

On Sun, Jul 31 2022, Bernd Kuhls wrote:
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>  package/php/php.mk | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/package/php/php.mk b/package/php/php.mk
> index cb7a8d71d4..8e362ba144 100644
> --- a/package/php/php.mk
> +++ b/package/php/php.mk
> @@ -14,6 +14,12 @@ PHP_DEPENDENCIES = host-pkgconf pcre2
>  PHP_LICENSE = PHP-3.01
>  PHP_LICENSE_FILES = LICENSE
>  PHP_CPE_ID_VENDOR = php
> +# fixed with version 5.x: https://ubuntu.com/security/notices/USN-485-1
> +PHP_IGNORE_CVES += CVE-2007-2728

Why do we need to ignore these old CVEs? Isn't the package version check
sufficient?

Same question for a few other similar patches that you posted earlier.

baruch

> +# not a security vulnerability according to Red Hat
> +PHP_IGNORE_CVES += CVE-2007-3205
> +# not a security vulnerability according to Mandriva
> +PHP_IGNORE_CVES += CVE-2007-4596
>  PHP_CONF_OPTS = \
>  	--mandir=/usr/share/man \
>  	--infodir=/usr/share/info \
On Sun, 31 Jul 2022 14:45:27 +0300, Baruch Siach via buildroot wrote:
> Why do we need to ignore these old CVEs?

Hi,

to reduce the length of the weekly mail:
https://lists.buildroot.org/pipermail/buildroot/2022-July/646199.html

Regards, Bernd
Hi Bernd,

On Sun, Jul 31 2022, Bernd Kuhls wrote:
> On Sun, 31 Jul 2022 14:45:27 +0300, Baruch Siach via buildroot wrote:
>
>> Why do we need to ignore these old CVEs?
>
> to reduce the length of the weekly mail:
> https://lists.buildroot.org/pipermail/buildroot/2022-July/646199.html

I share your desire to make the weekly list more useful. My question is
why the current version check method does not filter out these CVEs
automatically?

I think that the value in moving the list from the weekly mail to a
permanent location in the Buildroot source tree is questionable. An
explanation of why this is necessary would be nice.

baruch
On Sun, 31 Jul 2022 15:02:57 +0300, Baruch Siach via buildroot wrote:
> I share your desire to make the weekly list more useful. My question is
> why the current version check method does not filter out these CVEs
> automatically?

Hi Baruch,

because many CVE entries I added to the ignore lists do not contain any
version number in the NVD database, for example:

https://nvd.nist.gov/vuln/detail/CVE-1999-0236
cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*

Regards, Bernd
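To make Bernd's point concrete, here is an added example (not Buildroot's own pkg-stats/cve.py logic, and not code from this thread): a simplified matcher that shows why a CPE entry with version `-` and no range bounds can never be cleared by comparing package versions, so only an ignore-list entry removes it from the report. It assumes the NVD "configurations" shape of one CPE 2.3 string plus optional versionStartIncluding/versionEndExcluding bounds and numeric dotted versions; the package versions, the placeholder id CVE-0000-0001 and its bound are constructed for illustration, while the apache CPE string is the one quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class CpeMatch:
    cpe23: str
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None

def parse_cpe23(cpe: str) -> dict:
    """Return vendor/product/version of a CPE 2.3 string (split on unescaped colons)."""
    parts = re.split(r"(?<!\\):", cpe)
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return {"vendor": parts[3], "product": parts[4], "version": parts[5]}

def version_tuple(v: str) -> tuple:
    """Numeric dotted versions only (an assumption that suffices here)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def check_cve(cve_id, matches, vendor, product, version, ignore_cves=()):
    """'unversioned' = a CPE names our vendor/product but has version '-' or '*'
    and no range bounds, so no version check can clear it; only an ignore-list
    entry ('ignored') takes it off the report."""
    if cve_id in ignore_cves:
        return "ignored"
    pkg, verdict = version_tuple(version), "not affected"
    for m in matches:
        c = parse_cpe23(m.cpe23)
        if c["vendor"] != vendor or c["product"] != product:
            continue
        if c["version"] not in ("-", "*"):      # exact version pinned
            if version_tuple(c["version"]) == pkg:
                return "affected"
            continue
        if m.version_start_including is None and m.version_end_excluding is None:
            verdict = "unversioned"             # nothing to compare against
            continue
        lo_ok = (m.version_start_including is None
                 or version_tuple(m.version_start_including) <= pkg)
        hi_ok = (m.version_end_excluding is None
                 or pkg < version_tuple(m.version_end_excluding))
        if lo_ok and hi_ok:
            return "affected"
    return verdict

# Constructed sample input: apache entry as quoted in the thread; php entry made up.
UNVERSIONED = [CpeMatch("cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*")]
RANGED = [CpeMatch("cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", version_end_excluding="5.0")]
```

Run against UNVERSIONED, apache/http_server at any version yields "unversioned"; against RANGED, php 4.x is "affected" and php 7.x "not affected", which is the filtering the version check can do when NVD supplies bounds.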
diff --git a/package/php/php.mk b/package/php/php.mk index cb7a8d71d4..8e362ba144 100644 --- a/package/php/php.mk +++ b/package/php/php.mk @@ -14,6 +14,12 @@ PHP_DEPENDENCIES = host-pkgconf pcre2 PHP_LICENSE = PHP-3.01 PHP_LICENSE_FILES = LICENSE PHP_CPE_ID_VENDOR = php +# fixed with version 5.x: https://ubuntu.com/security/notices/USN-485-1 +PHP_IGNORE_CVES += CVE-2007-2728 +# not a security vulnerability according to Red Hat +PHP_IGNORE_CVES += CVE-2007-3205 +# not a security vulnerability according to Mandriva +PHP_IGNORE_CVES += CVE-2007-4596 PHP_CONF_OPTS = \ --mandir=/usr/share/man \ --infodir=/usr/share/info \
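Review bot: the CVE-2007-3205 and CVE-2007-4596 entries in this hunk cite no source, while the CVE-2007-2728 line links the USN it relies on; add the vendor bug or advisory URL next to `# not a security vulnerability according to Red Hat` and the Mandriva line so that a later reader of php.mk can re-check the claim. For CVE-2007-2728, if the reason it cannot be filtered automatically is the one given in the thread (no version recorded in the NVD entry), the comment should say so, since "fixed with version 5.x" on its own describes exactly the case the version check is meant to handle.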
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 package/php/php.mk | 6 ++++++
 1 file changed, 6 insertions(+)