Details: https://nvd.nist.gov/vuln/detail/CVE-2023-3748 https://nvd.nist.gov/vuln/detail/CVE-2023-41359 https://nvd.nist.gov/vuln/detail/CVE-2023-41360 https://nvd.nist.gov/vuln/detail/CVE-2023-41361
Regarding CVE-2023-3748: Based on Debian's investigation, the vulnerability was solved by [1]. However that vulnerable code that was fixed was introduced after the recipe version, only in version 8.4.0[2]. Since the recipe version isn't affected by this CVE, ignore it. Regarding CVE-2023-41359: The pull request[3] referenced by the NVD report references another pull request[4] which was opened to backport the fix. The conversion on this PR confirms that the vulnerable feature was introduced in 8.5. Due to this, ignore this CVE. Regarding CVE-2023-41360: The vulnerable code was introduced[5] in version 8.4.0, and the recipe version is not vulnerable. Due to this ignore this CVE. Regarding CVE-2023-41361: The vulnerable code was introduced[6] in version 9.0 and the recipe version is not vulnerable. Due to this ignore this CVE. [1]: https://github.com/FRRouting/frr/commit/0a95d121ca8e1f43d41d952d6c82d111ca850085 [2]: https://github.com/FRRouting/frr/commit/54a3e60b3ebd3621c4dd90b0b49e8e36e4e100d8 [3]: https://github.com/FRRouting/frr/pull/14232 [4]: https://github.com/FRRouting/frr/pull/15927 [5]: https://github.com/FRRouting/frr/commit/f1aa49293a4a8302b70989aaa9ceb715385c3a7e [6]: https://github.com/FRRouting/frr/commit/234f6fd4f4804bb17bd8cbb1dd91994a914f38d2 Signed-off-by: Gyorgy Sarvari <[email protected]> --- meta-networking/recipes-protocols/frr/frr_8.2.2.bb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index f8a3404e9b..a30c05b563 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb @@ -42,6 +42,15 @@ SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05" CVE_PRODUCT = "frrouting" +# the vulnerability was introduced in v8.4.0 +CVE_CHECK_IGNORE += "CVE-2023-3748 CVE-2023-41360" + +# the vulnerability did not exist until 8.5 +CVE_CHECK_IGNORE += "CVE-2023-41359" + +# the vulnerability was introduced in 9.0 +CVE_CHECK_IGNORE += "CVE-2023-41361" + S = "${WORKDIR}/git" # Due to libyang not supported on these arches:
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123981): https://lists.openembedded.org/g/openembedded-devel/message/123981 Mute This Topic: https://lists.openembedded.org/mt/117522700/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
