On Tue, Feb 2, 2021 at 8:09 AM saloni <saloni.j...@kpit.com> wrote:
>
> Whitelisted below CVEs as their status is disputed
> and ignored and not affecting the Ubuntu and Debian
> environments. Hence, marked them whitelisted.

I'm not sure why you are referencing Ubuntu and Debian environments.
We care about whether it is affecting the Yocto implementation.

Could you explain your reasoning a bit more?  Are you saying that
Ubuntu and Debian maintainers don't consider these CVEs to be a
serious enough issue to mitigate and thus it is safe for us to do the
same?

Thanks!

Steve

> 1. CVE-2018-12433
> Link: https://security-tracker.debian.org/tracker/CVE-2018-12433
>
> 2. CVE-2018-12438
> Link: https://security-tracker.debian.org/tracker/CVE-2018-12438
>
> Signed-off-by: Saloni Jain <saloni.j...@kpit.com>
> ---
>  meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb 
> b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> index 4e0eb0a..ba3666f 100644
> --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> @@ -29,6 +29,9 @@ SRC_URI = 
> "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
>  SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
>  SRC_URI[sha256sum] = 
> "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
>
> +# Below whitelisted CVEs are disputed and not affecting Ubuntu and Debian 
> environments.
> +CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
> +
>  BINCONFIG = "${bindir}/libgcrypt-config"
>
>  inherit autotools texinfo binconfig-disabled pkgconfig
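Review bot: the justification on the added `CVE_CHECK_WHITELIST` line rests on other distributions' decisions rather than on the package being built here, so the recipe comment should state why CVE-2018-12433 and CVE-2018-12438 do not apply to libgcrypt 1.8.5 as built by this recipe (the commit message cites the Debian tracker entries for both CVEs; linking those, or the upstream dispute itself, in the comment gives future readers something to re-check when the disputed status changes). Also, the comment line ends in a trailing space before the wrapped "environments." and should be kept to a single clean line, and since a whitelist in the recipe silences cve-check for every consumer of this recipe, a per-CVE reason is preferable to one shared sentence for both.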
> --
> 2.7.4
>
View/Reply Online (#147628): https://lists.openembedded.org/g/openembedded-core/message/147628