[Buildroot] [PATCH 1/1] package/smack: annotate CVE-2016-10027
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Sun Mar 1 20:01:27 UTC 2020
On Sun, 1 Mar 2020 20:35:27 +0100
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
> CVE-2016-10027 is misclassified (by our CVE tracker) as affecting smack, while
> in fact it affects https://github.com/igniterealtime/Smack.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
> package/smack/smack.mk | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/package/smack/smack.mk b/package/smack/smack.mk
> index d2ac005ab9..1237c8356c 100644
> --- a/package/smack/smack.mk
> +++ b/package/smack/smack.mk
> @@ -11,6 +11,10 @@ SMACK_LICENSE_FILES = COPYING
> SMACK_INSTALL_STAGING = YES
> SMACK_DEPENDENCIES = host-pkgconf
>
> +# CVE-2016-10027 is misclassified (by our CVE tracker) as affecting smack, while
> +# in fact it affects https://github.com/igniterealtime/Smack.
> +SMACK_IGNORE_CVES += CVE-2016-10027
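Review bot: the `SMACK_IGNORE_CVES += CVE-2016-10027` line silences this one CVE ID only, and the comment above it does not say what the CVE tracker matched on to attribute an igniterealtime/Smack issue to this package. Any further CVE filed against that other project would need its own entry here. Consider stating the cause of the mismatch in the comment, so the entry can be dropped once the matching itself is corrected.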
I think this should be resolved by adding CPE mappings, not by adding
an IGNORE_CVES value.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com