From: Peter Marko <[email protected]> Investigation based on https://bugzilla.mozilla.org/show_bug.cgi?id=1774654 leads to following: * fixed in 3.87 (https://hg.mozilla.org/projects/nss/rev/a7f363511333b8062945557607691002fd6e40b9) * changed code was introduced in 3.77 (https://hg.mozilla.org/projects/nss/rev/be6a97823bfe10fa08e17c9584938a2d525a38da) * NVD claims fix in 3.81, but there is no evidence for it in commit history (https://hg.mozilla.org/projects/nss/graph/a7f363511333b8062945557607691002fd6e40b9) * Debian also says for old versions "nss <not-affected> (Vulnerable code not present/was introduced later)" (https://security-tracker.debian.org/tracker/CVE-2022-3479)
Signed-off-by: Peter Marko <[email protected]> --- meta-oe/recipes-support/nss/nss_3.74.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-oe/recipes-support/nss/nss_3.74.bb b/meta-oe/recipes-support/nss/nss_3.74.bb index a7048f0fe..38407a7c4 100644 --- a/meta-oe/recipes-support/nss/nss_3.74.bb +++ b/meta-oe/recipes-support/nss/nss_3.74.bb @@ -289,3 +289,6 @@ CVE_CHECK_IGNORE += "CVE-2006-5201" # CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect # the legacy db (libnssdbm), only compiled with --enable-legacy-db. CVE_CHECK_IGNORE += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" + +# vulnerability was introduced in 3.77 and fixed in 3.87 +CVE_CHECK_IGNORE += "CVE-2022-3479" -- 2.30.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#103097): https://lists.openembedded.org/g/openembedded-devel/message/103097 Mute This Topic: https://lists.openembedded.org/mt/99282841/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
