[Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654
Peter Korsgaard
peter at korsgaard.com
Sat Feb 29 17:07:54 UTC 2020
>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
> Fabrice, All,
> On 2020-02-29 10:46 +0100, Fabrice Fontaine spake thusly:
>> Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal,
>> allows remote attackers to create new webroot directories via unknown
>> attack vectors.
> Yes, good to know, but the interesting bit is why we are not affected,
> which your commit log fails to specify.
> Also, the comment should say so as well. Maybe just something like:
> # Module for Drupal, not installed in Buildroot
> BOOST_IGNORE_CVES +=...
It is not because we don't install some optional part of boost, it is
simply that our CVE logic thinks that this CVE applies to our boost
package, whereas it is really for some kind of drupal module:
https://nvd.nist.gov/vuln/detail/CVE-2009-3654
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list