On Fri, 2021-01-15 at 12:48 +0200, Mikko Rapeli wrote: > https://nvd.nist.gov/vuln/detail/CVE-2018-13410 is disputed and > also Debian considers it not a vulnerability: > > https://security-tracker.debian.org/tracker/CVE-2018-13410 > > http://seclists.org/fulldisclosure/2018/Jul/24 > "Negligible security impact, would involve that a untrusted party controls > the -TT value." > > https://nvd.nist.gov/vuln/detail/CVE-2018-13684 is not for zip, also Debian > concludes this: > > https://security-tracker.debian.org/tracker/CVE-2018-13684 > > "NOT-FOR-US: smart contract implementation for ZIP" > > Signed-off-by: Mikko Rapeli <[email protected]> > --- > meta/recipes-extended/zip/zip_3.0.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-extended/zip/zip_3.0.bb > b/meta/recipes-extended/zip/zip_3.0.bb > index c00a932763..47e6fc5278 100644 > --- a/meta/recipes-extended/zip/zip_3.0.bb > +++ b/meta/recipes-extended/zip/zip_3.0.bb > @@ -19,6 +19,9 @@ UPSTREAM_VERSION_UNKNOWN = "1" > SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37" > SRC_URI[sha256sum] = > "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369" > > > +CVE_CHECK_WHITELIST += "CVE-2018-13410" > +CVE_CHECK_WHITELIST += "CVE-2018-13684" > +
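Review bot: The two `CVE_CHECK_WHITELIST +=` lines added after `SRC_URI[sha256sum]` carry no comment stating why each CVE is excluded, so the justification exists only in the commit message. Put a one-line comment above each entry in zip_3.0.bb, using the reasons already given in the commit message (CVE-2018-13410 is disputed and Debian considers it not a vulnerability; CVE-2018-13684 is not for zip) together with the tracker URLs, so that anyone reading the recipe or re-checking the exclusion later does not have to go through git history.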
Where we're adding these can we put a small comment in as well just saying why we're whitelisting it? I appreciate the info is in the commit but I think it's important enough to list in the recipe as a comment too.

Cheers,

Richard
