On Sun, 2023-04-02 at 20:58 +0530, Sundeep KOKKONDA wrote: > This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security > vulnirability when using cargo ssh. > Kirkstone doesn't support rust on-target images and the bitbake using the > 'wget' (which uses 'https') for fetching the sources instead of ssh. > So, cargo-native also not vulnerable to this cve and so added to excluded > list. > > Signed-off-by: Sundeep KOKKONDA <[email protected]> > --- > meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc > b/meta/conf/distro/include/cve-extra-exclusions.inc > index 8b5f8d49b8..cb2d920441 100644 > --- a/meta/conf/distro/include/cve-extra-exclusions.inc > +++ b/meta/conf/distro/include/cve-extra-exclusions.inc > @@ -15,6 +15,11 @@ > # the aim of sharing that work and ensuring we don't duplicate it. > # > > +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176 > +#cargo security advisor > https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html > +#This CVE is a security issue when using cargo ssh. In kirkstone, rust > 1.59.0 is used and the rust on-target is not supported, so the target images > are not vulnerable to the cve. > +#The bitbake using the 'wget' (which uses 'https') for fetching the sources > instead of ssh. So, the cargo-native are also not vulnerable to this cve and > so added to excluded list. > +CVE_CHECK_IGNORE += "CVE-2022-46176" > > # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 > # CVE is more than 20 years old with no resolution evident
Since I've been following the discussion on this one: Acked-by: Richard Purdie <[email protected]> Cheers, Richard
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#179611): https://lists.openembedded.org/g/openembedded-core/message/179611 Mute This Topic: https://lists.openembedded.org/mt/98015597/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
