Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30583
https://nvd.nist.gov/vuln/detail/CVE-2023-30584
https://nvd.nist.gov/vuln/detail/CVE-2023-30587

None of these vulnerabilities are present in the recipe version.

CVE-2023-30583: While the main feature (blob) was introduced in v16, the
vulnerable code (load blobs from file) was introduced in v20[1], and as
such, the vulnerability is not present in the recipe version.

CVE-2023-30584, CVE-2023-30587: The whole vulnerable feature (permission
model) was introduced[2] in v20.

Ignore these CVE IDs.

[1]: https://github.com/nodejs/node/commit/950cec4c2642c15e2913f35babadda56c1d8a723
[2]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb 
b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
index 05a6706c10..b2872bfd98 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@@ -46,6 +46,9 @@ S = "${WORKDIR}/node-v${PV}"
 
 CVE_PRODUCT = "nodejs node.js"
 
+# the vulnerabilities were introduced in v20
+CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587"
+
 # v8 errors out if you have set CCACHE
 CCACHE = ""
 
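Review bot: the added `CVE_CHECK_IGNORE = "..."` line uses plain assignment, which replaces any value already set for this variable by a distro or include file when the recipe is parsed; `CVE_CHECK_IGNORE += "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587"` would append to the existing list instead. The comment above it is also much terser than the commit message: it would help to say in the recipe that CVE-2023-30583 concerns loading blobs from file and CVE-2023-30584/CVE-2023-30587 the permission model, both added in v20, so that whoever upgrades this recipe past 16.x knows the ignore entries must be dropped at that point.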