[Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654
Yann E. MORIN
yann.morin.1998 at free.fr
Sat Feb 29 17:11:56 UTC 2020
Peter, Fabrice, All,
On 2020-02-29 18:07 +0100, Peter Korsgaard spake thusly:
> >>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
>
> > Fabrice, All,
> > On 2020-02-29 10:46 +0100, Fabrice Fontaine spake thusly:
> >> Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal,
> >> allows remote attackers to create new webroot directories via unknown
> >> attack vectors.
>
> > Yes, good to know, but the interesting bit is why we are not affected,
> > which your commit log fails to specify.
>
> > Also, the comment should say so as well. Maybe just something like:
>
> > # Module for Drupal, not installed in Buildroot
> > BOOST_IGNORE_CVES +=...
>
> It is not because we don't install some optional part of boost, it is
> simply that our CVE logic thinks that this CVE applies to our boost
> package, whereas it is really for some kind of drupal module:
>
> https://nvd.nist.gov/vuln/detail/CVE-2009-3654
Ah, it is the other way around, then...

I'll apply to master with a bit of rephrasing to make that obvious,
then.

Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'