From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Bagas Sanjaya <bagasdotme@gmail.com>
Cc: "buildroot@buildroot.org" <buildroot@buildroot.org>
Subject: Re: [Buildroot] [autobuild.buildroot.net] Your daily results for 2023-04-02
Date: Mon, 3 Apr 2023 10:53:52 +0200
Message-ID: <20230403105352.03d8a9e8@windsurf>
In-Reply-To: <c4df1e01-285e-fcfe-cbfb-bc63ebd561e5@gmail.com>

Hello Bagas,

On Mon, 3 Apr 2023 15:03:20 +0700
Bagas Sanjaya <bagasdotme@gmail.com> wrote:

> >              name              |       CVE        |                             link                            
> > -------------------------------+------------------+--------------------------------------------------------------
> >                            git | CVE-2022-24765   | https://security-tracker.debian.org/tracker/CVE-2022-24765    
> Should have been already fixed by upstream release v2.31.7 (which is
> already in Buildroot).

The NVD information says versions up to 2.35.2 are affected:
https://nvd.nist.gov/vuln/detail/CVE-2022-24765.

Is 2.31.x a maintenance branch into which the fix has been backported?

> >                            git | CVE-2022-24975   | https://security-tracker.debian.org/tracker/CVE-2022-24975    
> It is known outstanding issue (maybe docfix upstream is enough)?

This is a pretty silly CVE :-/ Complaining about the doc not making
things clear enough? Sounds odd. I think in the context of Buildroot,
we could ignore it.

> >                            git | CVE-2022-41953   | https://security-tracker.debian.org/tracker/CVE-2022-41953    
> Windows-specific.
> >                            git | CVE-2023-22743   | https://security-tracker.debian.org/tracker/CVE-2023-22743    
> Again, Windows-specific.

For both of these, and probably CVE-2022-24975, you can send a patch
adding those CVEs to GIT_IGNORE_CVES, a bit like this:

# CVE only affects the documentation
GIT_IGNORE_CVES += CVE-2022-24975

# CVEs only affect Windows systems
GIT_IGNORE_CVES += CVE-2022-41953 CVE-2023-22743

Thanks a lot for following up on this, it's nice to see that some
Buildroot contributors are looking into the CVE details!

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
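As an added illustration, not part of this thread and not Buildroot's own tooling, the Python helper below reads `<PKG>_IGNORE_CVES` lines of the form suggested above, remembers the justification comment placed over each one, and compares the waived ids against the rows of an autobuild daily table; the `.mk` excerpt and the table rows are constructed for the example. It assumes Buildroot's variable prefix is the package name in upper case with dashes turned into underscores.

```python
import re

# Constructed excerpt of package/git/git.mk in the shape the mail suggests:
# every GIT_IGNORE_CVES line sits directly under a comment justifying the waiver.
GIT_MK = """\
# CVE only affects the documentation
GIT_IGNORE_CVES += CVE-2022-24975

# CVEs only affect Windows systems
GIT_IGNORE_CVES += CVE-2022-41953 CVE-2023-22743
"""

# Constructed rows in the layout of the autobuild.buildroot.net daily CVE table.
REPORT = """\
             name              |       CVE        |       link
-------------------------------+------------------+----------------------
                           git | CVE-2022-24765   | https://security-tracker.debian.org/tracker/CVE-2022-24765
                           git | CVE-2022-24975   | https://security-tracker.debian.org/tracker/CVE-2022-24975
                           git | CVE-2022-41953   | https://security-tracker.debian.org/tracker/CVE-2022-41953
                           git | CVE-2023-22743   | https://security-tracker.debian.org/tracker/CVE-2023-22743
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_ignore_cves(mk_text, pkg):
    """Map each CVE in <PKG>_IGNORE_CVES to the comment directly above its line
    ("" when there is none); assumed prefix: upper-cased name, dashes -> underscores."""
    var = pkg.upper().replace("-", "_") + "_IGNORE_CVES"
    ignored, comment = {}, ""
    for line in mk_text.splitlines():
        if line.startswith("#"):  # remember the justification for the next waiver
            comment = line.lstrip("# ").strip()
            continue
        m = re.match(rf"{re.escape(var)}\s*\+?=\s*(.*)", line)
        if m:
            for cve in CVE_RE.findall(m.group(1)):
                ignored[cve] = comment
        comment = ""  # any non-comment line ends the comment's scope
    return ignored

def parse_report(report, pkg):
    """Collect the CVE ids the daily table lists for package `pkg`, in table order."""
    rows = (tuple(c.strip() for c in line.split("|")) for line in report.splitlines())
    return [r[1] for r in rows if len(r) >= 2 and r[0] == pkg and CVE_RE.fullmatch(r[1])]

def triage(report, mk_text, pkg):
    """Return (CVEs still outstanding, CVEs waived without a justification comment)."""
    ignored, reported = parse_ignore_cves(mk_text, pkg), parse_report(report, pkg)
    return ([c for c in reported if c not in ignored],
            [c for c in reported if c in ignored and not ignored[c]])
```

With the constructed inputs, `triage(REPORT, GIT_MK, "git")` leaves only CVE-2022-24765 outstanding, matching the open question in the mail about whether 2.31.x carries the backported fix.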
