[Buildroot] [PATCH 00/10] Misc CVE ignores

Peter Korsgaard peter at korsgaard.com
Mon Apr 26 20:29:59 UTC 2021

>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:

 > Matt, All,
 > On 2021-04-21 15:42 -0500, Matt Weber spake thusly:
 >> * I'm working on upstream NVD fixes for some of these.
 >> * There are roughly half of the ignore cases that are a bit of a
 >> challenge to identify where the fix was clearly tracked into
 >> a specific version. I tried to document in each commit as much
 >> as I could by linking to conversations clarifying the details.
 >> Matt Weber (10):
 >> package/bind: ignore CVE-2017-3139
 >> package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
 >> package/bind: ignore CVE-2019-6470
 >> package/cmake: ignore CVE-2016-10642
 >> package/flex: ignore CVE-2019-6293

 > For this one, I've switched to using the actual upstream URL, rather
 > than that of a downstream consumer:
 >     https://github.com/westes/flex/issues/414

 >> package/hostapd: ignore CVE-2021-30004 when using openssl
 >> package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
 >> package/ncurses: ignore CVE-2018-10754, CVE-2018-19211,
 >> CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
 >> package/rsyslog: ignore CVE-2015-3243
 >> package/tar: ignore CVE-2007-4476

 > Series applied to master, thanks.

I am not so happy with the hostapd/wpa_supplicant/rsyslog ignores, but I
have applied the series to 2021.02.x anyway and will send followup
patches to master (and 2021.02.x) to improve those packages later.

Bye, Peter Korsgaard
