[Buildroot] [autobuild.buildroot.net] Your daily results for 2023-04-02

Thomas Petazzoni thomas.petazzoni at bootlin.com
Mon Apr 3 08:53:52 UTC 2023


Hello Bagas,

On Mon, 3 Apr 2023 15:03:20 +0700
Bagas Sanjaya <bagasdotme at gmail.com> wrote:

> >              name              |       CVE        |                             link                            
> > -------------------------------+------------------+--------------------------------------------------------------
> >                            git | CVE-2022-24765   | https://security-tracker.debian.org/tracker/CVE-2022-24765    
> Should have been already fixed by upstream release v2.31.7 (which is
> already in Buildroot).

The NVD information says versions up to 2.35.2 are affected:
https://nvd.nist.gov/vuln/detail/CVE-2022-24765.

Is 2.31.x a maintenance branch into which the fix has been backported?

> >                            git | CVE-2022-24975   | https://security-tracker.debian.org/tracker/CVE-2022-24975    
> It is known outstanding issue (maybe docfix upstream is enough)?

This is a pretty silly CVE :-/ Complaining about the doc not making
things clear enough? Sounds odd. I think in the context of Buildroot,
we could ignore it.

> >                            git | CVE-2022-41953   | https://security-tracker.debian.org/tracker/CVE-2022-41953    
> Windows-specific.
> >                            git | CVE-2023-22743   | https://security-tracker.debian.org/tracker/CVE-2023-22743    
> Again, Windows-specific.

For both of these, and probably CVE-2022-24975, you can send a patch
adding those CVEs to GIT_IGNORE_CVES, a bit like this:

# CVE only affects the documentation
GIT_IGNORE_CVES += CVE-2022-24975

# CVEs only affect Windows systems
GIT_IGNORE_CVES += CVE-2022-41953 CVE-2023-22743

Thanks a lot for following up on this, it's nice to see that some
Buildroot contributors are looking into the CVE details!

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
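The question in the thread (does an NVD range of "up to 2.35.2" flag a backported 2.31.x release, and how does an ignore list change the verdict?) comes down to how a version-range matcher reads the CPE entries of a CVE record. The script below is an added illustration and is not Buildroot's cve.py nor any NVD client; the cpe_match dictionaries follow the shape of NVD JSON 1.1 feed entries but their values are constructed for the example, and the dotted-integer version comparison is a simplification of what real tooling does.

```python
import re

# Constructed cpe_match entries in the shape of NVD JSON 1.1 feed items.
# Values are illustrative, not copied from the real CVE-2022-24765 record.
GIT_CPE = "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*"

# One open-ended range: every release before 2.35.2 is "vulnerable".
SINGLE_RANGE = [
    {"vulnerable": True, "cpe23Uri": GIT_CPE, "versionEndExcluding": "2.35.2"},
]

# What per-branch entries look like when a fix was backported to
# several maintenance branches (hypothetical cut-off versions).
BRANCH_RANGES = [
    {"vulnerable": True, "cpe23Uri": GIT_CPE, "versionEndExcluding": "2.30.3"},
    {"vulnerable": True, "cpe23Uri": GIT_CPE,
     "versionStartIncluding": "2.31.0", "versionEndExcluding": "2.31.2"},
    {"vulnerable": True, "cpe23Uri": GIT_CPE,
     "versionStartIncluding": "2.32.0", "versionEndExcluding": "2.32.1"},
    {"vulnerable": True, "cpe23Uri": GIT_CPE,
     "versionStartIncluding": "2.35.0", "versionEndExcluding": "2.35.2"},
]

# The ignore-list fragment from the mail, as a package .mk would carry it.
MK_FRAGMENT = """\
# CVE only affects the documentation
GIT_IGNORE_CVES += CVE-2022-24975

# CVEs only affect Windows systems
GIT_IGNORE_CVES += CVE-2022-41953 CVE-2023-22743
"""


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple (simplified; no rc/suffixes)."""
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, match: dict) -> bool:
    """True when `version` falls inside the bounds given on one cpe_match."""
    v = parse_version(version)
    bounds = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    return all(ok(parse_version(match[key])) for key, ok in bounds if key in match)


def is_affected(version: str, cpe_matches: list) -> bool:
    """A release is affected if any vulnerable cpe_match range contains it."""
    return any(m.get("vulnerable", True) and in_range(version, m)
               for m in cpe_matches)


def parse_ignore_list(mk_text: str, var: str = "GIT_IGNORE_CVES") -> set:
    """Collect CVE ids from `VAR += ...` / `VAR = ...` lines, ignoring comments."""
    pat = re.compile(r"^\s*" + re.escape(var) + r"\s*\+?=\s*(.*)$")
    ignored = set()
    for line in mk_text.splitlines():
        line = line.split("#", 1)[0]
        m = pat.match(line)
        if m:
            ignored.update(m.group(1).split())
    return ignored


def classify(version: str, cve_id: str, cpe_matches: list, ignored: set) -> str:
    """Verdict a CVE checker would print for one (package version, CVE) pair."""
    if cve_id in ignored:
        return "ignored"
    return "affected" if is_affected(version, cpe_matches) else "not affected"


if __name__ == "__main__":
    ignored = parse_ignore_list(MK_FRAGMENT)
    for ranges, label in ((SINGLE_RANGE, "single range"), (BRANCH_RANGES, "per-branch")):
        print(label, "2.31.7:", classify("2.31.7", "CVE-2022-24765", ranges, ignored))
    print("CVE-2022-41953:", classify("2.31.7", "CVE-2022-41953", SINGLE_RANGE, ignored))
```

With the single open-ended range, 2.31.7 is reported as affected even if the fix was backported to 2.31.x, which is exactly why the NVD data needs per-branch entries (or the package needs an entry in GIT_IGNORE_CVES with a comment explaining why) before the report goes quiet.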
