* [PATCH] cve-check.bbclass: CVE-2014-2524 / readline v5.2
@ 2016-11-04 11:06 André Draszik
0 siblings, 0 replies; only message in thread
From: André Draszik @ 2016-11-04 11:06 UTC (permalink / raw)
To: openembedded-core
From: André Draszik <adraszik@tycoint.com>
Contrary to the CVE report, the vulnerable trace functions
don't exist in readline v5.2 (which we keep for GPLv2+
purposes), they were added in readline v6.0 only - let's
whitelist that CVE in order to avoid false positives.
See also the discussion in
https://patchwork.openembedded.org/patch/81765/
Signed-off-by: André Draszik <adraszik@tycoint.com>
Reviewed-by: Lukasz Nowak <lnowak@tycoint.com>
---
meta/classes/cve-check.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1425a40..b0febfb 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -39,7 +39,7 @@ CVE_CHECK_PN_WHITELIST = "\
# Whitelist for CVE and version of package
CVE_CHECK_CVE_WHITELIST = "{\
- 'CVE-2014-2524': ('6.3',), \
+ 'CVE-2014-2524': ('6.3','5.2',), \
}"
python do_cve_check () {
--
2.10.2
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2016-11-04 11:06 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-04 11:06 [PATCH] cve-check.bbclass: CVE-2014-2524 / readline v5.2 André Draszik
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.