Details: https://nvd.nist.gov/vuln/detail/CVE-2024-22017

The vulnerability is related to the io_uring usage of libuv.

Libuv first introduced io_uring support in v1.45[1].
oe-core ships a non-vulnerable version (1.44.2), and nodejs
also vendors an older version (1.43).

Mark this CVE as ignored for this recipe version.

[1]: https://github.com/libuv/libuv/commit/d2c31f429b87b476a7f1344d145dad4752a406d4

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb 
b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
index 2feec12f21..9c279d1463 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@@ -50,6 +50,9 @@ CVE_PRODUCT = "nodejs node.js"
 # the vulnerabilities were introduced in v20
 CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587"
 
+# the vulnerability was introduced later (with libuv 1.45)
+CVE_CHECK_IGNORE += "CVE-2024-22017"
+
 # v8 errors out if you have set CCACHE
 CCACHE = ""
 
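Review bot: The comment on the added `CVE_CHECK_IGNORE` line records only the version that introduced the bug, not the libuv version this recipe actually vendors, so the ignore will silently go stale when the nodejs recipe is bumped to a release that carries libuv 1.45 or later. Put the vendored version in the comment alongside the reason, e.g. `# nodejs 16.20.2 vendors libuv 1.43; CVE-2024-22017 was introduced with libuv 1.45`, so whoever updates the recipe knows to re-check rather than carry the entry forward. Using `+=` to extend the existing `CVE_CHECK_IGNORE` assignment above matches the file's current convention, which is fine.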