Message ID | 20221023091009.18544-1-fontaine.fabrice@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | [1/2] package/lz4: fix LZ4_CPE_ID_VENDOR | expand |
On Sun, 23 Oct 2022 11:10:08 +0200 Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote: > cpe:2.3:a:yann_collet:lz4, which was added by commit > 63332c33aa0771532807fd2684d4eee4eb952435, was never a valid CPE > identifier for this package: > > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ayann_collet%3Alz4 > > cpe:2.3:a:lz4_project:lz4 is a valid CPE identifier for this package: > > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alz4_project%3Alz4 > > While at it, also drop the note added by commit > 45db4bb08e3e550db483d8745fe8aaede2fa7e98 > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > --- > package/lz4/lz4.mk | 8 +------- > 1 file changed, 1 insertion(+), 7 deletions(-) Both applied, thanks! Thomas
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > cpe:2.3:a:yann_collet:lz4, which was added by commit > 63332c33aa0771532807fd2684d4eee4eb952435, was never a valid CPE > identifier for this package: > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ayann_collet%3Alz4 > cpe:2.3:a:lz4_project:lz4 is a valid CPE identifier for this package: > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alz4_project%3Alz4 > While at it, also drop the note added by commit > 45db4bb08e3e550db483d8745fe8aaede2fa7e98 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed to 2022.08.x and 2022.02.x, thanks.
diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk index 9b9b6198c3..541a03473a 100644 --- a/package/lz4/lz4.mk +++ b/package/lz4/lz4.mk @@ -9,13 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION)) LZ4_INSTALL_STAGING = YES LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs) LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING -LZ4_CPE_ID_VENDOR = yann_collet - -# CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version -# 1.9.2, while in fact this issue has been fixed since lz4-r130: -# https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08 -# See https://github.com/lz4/lz4/issues/818 -LZ4_IGNORE_CVES += CVE-2014-4715 +LZ4_CPE_ID_VENDOR = lz4_project # 0001-Fix-potential-memory-corruption-with-negative-memmov.patch LZ4_IGNORE_CVES += CVE-2021-3520
cpe:2.3:a:yann_collet:lz4, which was added by commit 63332c33aa0771532807fd2684d4eee4eb952435, was never a valid CPE identifier for this package: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ayann_collet%3Alz4 cpe:2.3:a:lz4_project:lz4 is a valid CPE identifier for this package: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alz4_project%3Alz4 While at it, also drop the note added by commit 45db4bb08e3e550db483d8745fe8aaede2fa7e98 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/lz4/lz4.mk | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-)