From: Andrei Gherzan <[email protected]> This CVE was fixed[1] in the container image go library skopeo is using (vendoring). The current version of the image go module is v5.20.0 while the fix landed since v3.0.0[2].
See RedHat's resolution[3] for more details. [1] https://github.com/containers/image/issues/654 [2] https://github.com/containers/image/pull/669/commits/a3d69a4a89244803d2f5350aca6dd0fcbe444551 [3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214 Signed-off-by: Andrei Gherzan <[email protected]> --- recipes-containers/skopeo/skopeo_git.bb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/recipes-containers/skopeo/skopeo_git.bb b/recipes-containers/skopeo/skopeo_git.bb index 35377a8..d32c525 100644 --- a/recipes-containers/skopeo/skopeo_git.bb +++ b/recipes-containers/skopeo/skopeo_git.bb @@ -35,6 +35,12 @@ S = "${WORKDIR}/git" inherit goarch inherit pkgconfig +# This CVE was fixed in the container image go library skopeo is using. +# See: +# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214 +# https://github.com/containers/image/issues/654 +CVE_CHECK_IGNORE += "CVE-2019-10214" + # This disables seccomp and apparmor, which are on by default in the # go package. EXTRA_OEMAKE="BUILDTAGS=''" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#7567): https://lists.yoctoproject.org/g/meta-virtualization/message/7567 Mute This Topic: https://lists.yoctoproject.org/mt/93253352/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
