From: "Saloni.Jain" <saloni.j...@kpit.com>

Whitelisted below CVEs:
1. CVE-2018-12433 is disputed and reported for
crypt libraries.
Link: https://security-tracker.debian.org/tracker/CVE-2018-12433
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12433

2. CVE-2018-12437 is reported for libtomcrypt and
is duplicate of CVE-2018-0495.
Link: https://security-tracker.debian.org/tracker/CVE-2018-12437
Link: https://github.com/libtom/libtomcrypt/pull/408
Link: https://access.redhat.com/security/cve/CVE-2018-12437

3. CVE-2018-12438 is also reported for crypt libraries and
no details are available for which versions are affected.
Link: https://security-tracker.debian.org/tracker/CVE-2018-12438
Link: https://ubuntu.com/security/CVE-2018-12438

Signed-off-by: Saloni Jain <saloni.j...@kpit.com>
---
 meta/recipes-connectivity/openssl/openssl_1.1.1j.bb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1j.bb 
b/meta/recipes-connectivity/openssl/openssl_1.1.1j.bb
index 181790e6ab..3d96533580 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1j.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1j.bb
@@ -241,3 +241,13 @@ CVE_VERSION_SUFFIX = "alphabetical"
 # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
 CVE_CHECK_WHITELIST += "CVE-2019-0190"
+
+# CVE-2018-12433 is disputed and reported for crypt libraries
+CVE_CHECK_WHITELIST += "CVE-2018-12433"
+
+# CVE-2018-12437 is reported for libtomcrypt and is duplicate of CVE-2018-0495
+CVE_CHECK_WHITELIST += "CVE-2018-12437"
+
+# CVE-2018-12438 is also reported for crypt libraries and no details are
+# available for which versions are affected.
+CVE_CHECK_WHITELIST += "CVE-2018-12438"
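Review bot: The comment for CVE-2018-12438 gives "no details are available for which versions are affected" as a reason, but missing version data is not evidence that this recipe is unaffected. It argues for leaving the entry visible in the CVE check report rather than suppressing it. If the actual reason is the first half of the comment, that the CVE is reported for crypt libraries and not for OpenSSL, state only that and drop the version clause. The CVE-2018-12437 comment has a related gap: being a duplicate of CVE-2018-0495 justifies the whitelist only if CVE-2018-0495 is itself fixed or not applicable in 1.1.1j, so the comment should record that status as well.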
--
2.17.1
