Message ID | 20230902221425.3577627-1-thomas.petazzoni@bootlin.com |
---|---|
State | Accepted |
Series | package/python-pip: ignore CVE-2018-20225 |
>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes: > See https://security-tracker.debian.org/tracker/CVE-2018-20225 for the > rationale of ignoring this CVE. Things basically work as intended. > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> > --- > package/python-pip/python-pip.mk | 3 +++ > 1 file changed, 3 insertions(+) > diff --git a/package/python-pip/python-pip.mk b/package/python-pip/python-pip.mk > index 35ad7bede2..040767930e 100644 > --- a/package/python-pip/python-pip.mk > +++ b/package/python-pip/python-pip.mk > @@ -12,6 +12,9 @@ PYTHON_PIP_LICENSE = MIT > PYTHON_PIP_LICENSE_FILES = LICENSE.txt > PYTHON_PIP_CPE_ID_VENDOR = pypa > PYTHON_PIP_CPE_ID_PRODUCT = pip > +# Disputed CVE: things work as designed, and only affects the > +# --extra-index-url option. This CVE will never be fixed. > +PYTHON_PIP_IGNORE_CVES += CVE-2018-20225 Committed, thanks.
>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:
> See https://security-tracker.debian.org/tracker/CVE-2018-20225 for the
> rationale of ignoring this CVE. Things basically work as intended.
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed to 2023.02.x and 2023.05.x, thanks.
diff --git a/package/python-pip/python-pip.mk b/package/python-pip/python-pip.mk index 35ad7bede2..040767930e 100644 --- a/package/python-pip/python-pip.mk +++ b/package/python-pip/python-pip.mk @@ -12,6 +12,9 @@ PYTHON_PIP_LICENSE = MIT PYTHON_PIP_LICENSE_FILES = LICENSE.txt PYTHON_PIP_CPE_ID_VENDOR = pypa PYTHON_PIP_CPE_ID_PRODUCT = pip +# Disputed CVE: things work as designed, and only affects the +# --extra-index-url option. This CVE will never be fixed. +PYTHON_PIP_IGNORE_CVES += CVE-2018-20225 $(eval $(python-package)) $(eval $(host-python-package))
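Review bot: the new comment above `PYTHON_PIP_IGNORE_CVES += CVE-2018-20225` should carry the source of its rationale, since the commit message cites https://security-tracker.debian.org/tracker/CVE-2018-20225 but the .mk comment only says "things work as designed" and "will never be fixed", leaving anyone later auditing the ignore list without a reference to verify against. Suggest adding a line such as `# See https://security-tracker.debian.org/tracker/CVE-2018-20225` to the comment block so the justification for suppressing the CVE stays traceable in the file itself.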
See https://security-tracker.debian.org/tracker/CVE-2018-20225 for the
rationale of ignoring this CVE. Things basically work as intended.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/python-pip/python-pip.mk | 3 +++
1 file changed, 3 insertions(+)