[Buildroot] [PATCH 00/10] Misc CVE ignores
peter at korsgaard.com
Mon Apr 26 20:29:59 UTC 2021
>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
> Matt, All,
> On 2021-04-21 15:42 -0500, Matt Weber spake thusly:
>> * I'm working on upstream NVD fixes for some of these.
>> * There are roughly half of the ignore cases that are a bit of a
>> challenge to identify where the fix was clearly tracked into
>> a specific version. I tried to document in each commit as much
>> as a could by linking to conversations clarifying the details.
>> Matt Weber (10):
>> package/bind: ignore CVE-2017-3139
>> package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
>> package/bind: ignore CVE-2019-6470
>> package/cmake: ignore CVE-2016-10642
>> package/flex: ignore CVE-2019-6293
> For this one, I've switched to using the actual upstream URL, rather
> that of a downstream consumer:
>> package/hostapd: ignore CVE-2021-30004 when using openssl
>> package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
>> package/ncurses: ignore CVE-2018-10754, CVE-2018-19211,
>> CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
>> package/rsyslog: ignore CVE-2015-3243
>> package/tar: ignore CVE-2007-4476
> Series applied to master, thanks.
I am not so happy with the hostapd/wpa_supplicant/rsyslog ignores, but I
have applied the series to 2021.02.x anyway and will send followup
patches to master (and 2021.02.x) to improve those packages later.
Bye, Peter Korsgaard
More information about the buildroot