I don't know how that CVE tool is doing the checks, but it's doing
something wrong.
Both the CVEs that are mentioned in the list have nothing to do with
the current library that is built with the recipe. I am actually
curious as to who is using this library anyway, because it seems to be
some random implementation with a very similar name.
The widely used library is the one at:
https://github.com/arvidn/libtorrent (this is the one used in stuff
like Deluge, and other torrent software).

CVE-2016-5301 was fixed in: https://github.com/arvidn/libtorrent/pull/782.
CVE-2009-1760 was fixed in:
https://github.com/arvidn/libtorrent/commit/eb2203abf51e63b1d5ba0c3e5d972936df96c31a

Maybe we should replace the current recipe or add a separate one to
build the other library.

On Wed, 10 Apr 2024 at 18:12, Khem Raj <[email protected]> wrote:
>
> Beniamin, what is the resolution based on? Before we revert we should find
>
> On Wed, Apr 10, 2024 at 10:02 AM Marko, Peter <[email protected]> wrote:
> >
> > This CVE reappeared in 
> > https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt
> > So it should not have been applied.
> >
> > Peter
> >
> > -----Original Message-----
> > From: [email protected] 
> > <[email protected]> On Behalf Of Khem Raj via 
> > lists.openembedded.org
> > Sent: Sunday, April 7, 2024 17:43
> > To: [email protected]; Beniamin Sandu 
> > <[email protected]>
> > Cc: Khem Raj <[email protected]>
> > Subject: Re: [oe] [meta-oe][PATCH] libtorrent: remove CVE mention
> >
> >
> > On Fri, 05 Apr 2024 16:13:35 +0100, Beniamin Sandu wrote:
> > > The CVE mentioned in the recipe applies to a different libtorrent
> > > library, from:
> > > https://github.com/arvidn/libtorrent
> > >
> > >
> >
> > Applied, thanks!
> >
> > [1/1] libtorrent: remove CVE mention
> >       commit: 0597c931ffbadf2a2242d8ed9cccb8567953d489
> >
> > Best regards,
> > --
> > Khem Raj <[email protected]>