Update a CVE status with the data sent upstream to the database, document another as unfixable by us and add the status of another sent upstream for a database entry change.
Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> --- .../distro/include/cve-extra-exclusions.inc | 23 ++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 956b3a9a3ca..714db0544eb 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc 
@@ -12,7 +12,24 @@ CVE_CHECK_WHITELIST += "CVE-2000-0006" # groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803 -# CVE is more than 20 years old with no resolution evident -# broken links in CVE database references make resolution impractical -CVE_CHECK_WHITELIST += "CVE-2000-0803" +# Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7 +# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9 +#CVE_CHECK_WHITELIST += "CVE-2000-0803" + +# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238 +# The issue here is spoofing of domain names using characters from other character sets. +# There has been much discussion amongst the epiphany and webkit developers and +# whilst there are improvements about how domains are handled and displayed to the user +# there is unlikely ever to be a single fix to webkit or epiphany which addresses this +# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further +# we can seem to take. +CVE_CHECK_WHITELIST += "CVE-2005-0238" + +# grub:grub-efi:grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14865 +# Looks like grub-set-bootflag is patched in by Fedora/RHEL: +# https://src.fedoraproject.org/rpms/grub2/blob/498ea7003b4dd8079fc075fad7e19e0b190d0f97/f/0133-Add-grub-set-bootflag-utility.patch +# Does not exist in upstream grub2: +# https://git.savannah.gnu.org/cgit/grub.git/tree/util +# Reported to the database for update by RP 2021/5/9 +#CVE_CHECK_WHITELIST += "CVE-2019-14865" -- 2.30.2
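Review bot: The entries for CVE-2000-0803 and CVE-2019-14865 are left as commented-out lines (`#CVE_CHECK_WHITELIST += "CVE-2000-0803"`, `#CVE_CHECK_WHITELIST += "CVE-2019-14865"`), so neither CVE is excluded any more and both may show up in reports until the requested database changes actually land. If that is intended, say so in the comment above each line (for example "left disabled so the report shows when the database is corrected"); if it is not, keep the entry active and note that it should be dropped once the database is updated. Two smaller points in the same hunk: the last sentence of the CVE-2005-0238 comment ("or way to progress this further we can seem to take") does not parse and would read better as "there is no mitigation, fix or further action we can take", and the date "2021/5/9" is ambiguous between 9 May and 5 September, so an unambiguous form such as 2021-05-09 would be safer.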