I'm wondering if we could restrict CVE_PRODUCT to 'gnu:tar' as an
alternative solution.
Regards,
Qi
On 09/13/2021 12:27 AM, Armin Kuster wrote:
These three CVEs are specific to the Node package node-tar.
exclude: CVE-2021-37701 CVE-2021-37712 CVE-2021-37713
Signed-off-by: Armin Kuster <[email protected]>
---
meta/recipes-extended/tar/tar_1.34.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-extended/tar/tar_1.34.bb
b/meta/recipes-extended/tar/tar_1.34.bb
index a6a417a1a5..3488a6c955 100644
--- a/meta/recipes-extended/tar/tar_1.34.bb
+++ b/meta/recipes-extended/tar/tar_1.34.bb
@@ -65,3 +65,4 @@ BBCLASSEXTEND = "native nativesdk"
# These are both specific to the NPM package node-tar
CVE_CHECK_WHITELIST += "CVE-2021-32803 CVE-2021-32804"
+CVE_CHECK_WHITELIST += "CVE-2021-37701 CVE-2021-37712 CVE-2021-37713"
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#155963):
https://lists.openembedded.org/g/openembedded-core/message/155963
Mute This Topic: https://lists.openembedded.org/mt/85554957/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
