On Fri, Jan 15, 2021 at 04:48:13PM +0000, Richard Purdie wrote:
> On Fri, 2021-01-15 at 12:48 +0200, Mikko Rapeli wrote:
> > https://nvd.nist.gov/vuln/detail/CVE-2018-13410 is disputed and
> > also Debian considers it not a vulnerability:
> > 
> > https://security-tracker.debian.org/tracker/CVE-2018-13410
> > 
> > http://seclists.org/fulldisclosure/2018/Jul/24
> > "Negligible security impact, would involve that a untrusted party controls
> > the -TT value."
> > 
> > https://nvd.nist.gov/vuln/detail/CVE-2018-13684 is not for zip, also Debian
> > concludes this:
> > 
> > https://security-tracker.debian.org/tracker/CVE-2018-13684
> > 
> > "NOT-FOR-US: smart contract implementation for ZIP"
> > 
> > Signed-off-by: Mikko Rapeli <[email protected]>
> > ---
> >  meta/recipes-extended/zip/zip_3.0.bb | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/meta/recipes-extended/zip/zip_3.0.bb
> > b/meta/recipes-extended/zip/zip_3.0.bb
> > index c00a932763..47e6fc5278 100644
> > --- a/meta/recipes-extended/zip/zip_3.0.bb
> > +++ b/meta/recipes-extended/zip/zip_3.0.bb
> > @@ -19,6 +19,9 @@ UPSTREAM_VERSION_UNKNOWN = "1"
> >  SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
> >  SRC_URI[sha256sum] =
> > "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
> > 
> > +CVE_CHECK_WHITELIST += "CVE-2018-13410"
> > +CVE_CHECK_WHITELIST += "CVE-2018-13684"
> > +
> Where we're adding these can we put a small comment in as well just
> saying why we're whitelisting it?
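Review bot: The two `+CVE_CHECK_WHITELIST` lines carry no rationale in the recipe itself; the reasons (the CVE-2018-13410 entry is disputed and rated negligible by Debian, CVE-2018-13684 is a ZIP smart contract rather than Info-ZIP, both per the Debian tracker links in the commit message) live only in git history, so whoever next bumps `zip_3.0.bb` cannot tell whether the whitelist still applies. Suggest a comment directly above each entry, e.g. `# CVE-2018-13410: disputed, Debian rates impact negligible (-TT value must be attacker controlled)` and `# CVE-2018-13684: not Info-ZIP, Debian NOT-FOR-US`, with the tracker URLs. As a minor style point, the two entries could be one space-separated assignment, `CVE_CHECK_WHITELIST += "CVE-2018-13410 CVE-2018-13684"`, though separate lines read better once each has its own comment.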
Sure, but let's try to be consistent then.

> I appreciate the info is in the commit but I think it's important enough
> to list in the recipe as a comment too.

I agree. Though it's not clear if these should be removed when updating
recipe versions. Sometimes NVD data is good, sometimes bad, sometimes it's
not clear how to fix... Doing local builds with INHERIT += "cve-check" is
the only way to find out, I guess.

Cheers,

-Mikko

> Cheers,
> 
> Richard
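The shape the thread converges on, written out as an added illustration rather than the patch as posted: the `INHERIT += "cve-check"` line that enables the scan in a local build, the bare whitelist as it appears in the hunk, and the same two entries with the rationale and references from the commit message placed beside them so a later recipe upgrade can re-evaluate rather than carry them forward blindly. The CVE numbers and URLs are the ones cited in the thread; the wording of the comments is mine.

```bitbake
# --- conf/local.conf (added example) ---
# Enable the cve-check class build-wide so every recipe is matched against
# the NVD data during bitbake; this is how whitelisted entries are found.
INHERIT += "cve-check"

# --- meta/recipes-extended/zip/zip_3.0.bb, undocumented form (as in the hunk) ---
# A future version bump cannot tell from the recipe why these were ignored,
# since the justification lives only in the commit message.
CVE_CHECK_WHITELIST += "CVE-2018-13410"
CVE_CHECK_WHITELIST += "CVE-2018-13684"

# --- meta/recipes-extended/zip/zip_3.0.bb, documented form (suggested) ---
# CVE-2018-13410: the NVD entry is disputed; Debian rates the impact as
# negligible because an untrusted party would have to control the -TT value.
# https://security-tracker.debian.org/tracker/CVE-2018-13410
# http://seclists.org/fulldisclosure/2018/Jul/24
CVE_CHECK_WHITELIST += "CVE-2018-13410"
# CVE-2018-13684: not Info-ZIP at all but a smart contract implementation
# named ZIP; Debian marks it NOT-FOR-US.
# https://security-tracker.debian.org/tracker/CVE-2018-13684
CVE_CHECK_WHITELIST += "CVE-2018-13684"
```

Keeping the reference URLs in the comment matters more than the prose: on the next upgrade the maintainer re-opens the tracker entry, checks whether the disputed status still holds, and drops the whitelist line if it no longer does.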
View/Reply Online (#146839): https://lists.openembedded.org/g/openembedded-core/message/146839
