* Re: [Buildroot] [autobuild.buildroot.net] Your daily results for 2023-04-02
From: Thomas Petazzoni via buildroot @ 2023-04-03 8:53 UTC (permalink / raw)
To: Bagas Sanjaya; +Cc: buildroot@buildroot.org
Hello Bagas,
On Mon, 3 Apr 2023 15:03:20 +0700
Bagas Sanjaya <bagasdotme@gmail.com> wrote:
> > name | CVE | link
> > -------------------------------+------------------+--------------------------------------------------------------
> > git | CVE-2022-24765 | https://security-tracker.debian.org/tracker/CVE-2022-24765
> Should have been already fixed by upstream release v2.31.7 (which is
> already in Buildroot).
The NVD information says versions up to 2.35.2 are affected:
https://nvd.nist.gov/vuln/detail/CVE-2022-24765.
Is 2.31.x a maintenance branch into which the fix has been backported?
> > git | CVE-2022-24975 | https://security-tracker.debian.org/tracker/CVE-2022-24975
> It is a known outstanding issue (maybe docfix upstream is enough)?
This is a pretty silly CVE :-/ Complaining about the doc not making
things clear enough? Sounds odd. I think in the context of Buildroot,
we could ignore it.
> > git | CVE-2022-41953 | https://security-tracker.debian.org/tracker/CVE-2022-41953
> Windows-specific.
> > git | CVE-2023-22743 | https://security-tracker.debian.org/tracker/CVE-2023-22743
> Again, Windows-specific.
For both of these, and probably CVE-2022-24975, you can send a patch
adding those CVEs to GIT_IGNORE_CVES, a bit like this:
# CVE only affects the documentation
GIT_IGNORE_CVES += CVE-2022-24975
# CVEs only affect Windows systems
GIT_IGNORE_CVES += CVE-2022-41953 CVE-2023-22743
Thanks a lot for following-up on this, it's nice to see that some
Buildroot contributors are looking into the CVE details!
Best regards,
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
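
The triage discussed in this message, as an added example that is not part of the original e-mail and is not Buildroot's own tooling: it reads `<PKG>_IGNORE_CVES` assignments together with the justification comment above each one, then splits the quoted report rows into ignored and still-open entries. The function names, the lower-casing of the variable prefix to get the package name, and the `name | CVE | link` row parsing are assumptions made for this sketch.

```python
import re

# Inputs copied from the thread above: the proposed .mk lines and the report rows.
MK_FRAGMENT = """\
# CVE only affects the documentation
GIT_IGNORE_CVES += CVE-2022-24975
# CVEs only affect Windows systems
GIT_IGNORE_CVES += CVE-2022-41953 CVE-2023-22743
"""
REPORT = """\
git | CVE-2022-24765 | https://security-tracker.debian.org/tracker/CVE-2022-24765
git | CVE-2022-24975 | https://security-tracker.debian.org/tracker/CVE-2022-24975
git | CVE-2022-41953 | https://security-tracker.debian.org/tracker/CVE-2022-41953
git | CVE-2023-22743 | https://security-tracker.debian.org/tracker/CVE-2023-22743
"""

ASSIGN = re.compile(r"^([A-Z0-9_]+)_IGNORE_CVES\s*\+?=\s*(.*)$")
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

def parse_ignores(mk_text):
    """Map (package, CVE) to the comment directly above the assignment, or None."""
    ignores, comment = {}, []
    for line in mk_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            comment.append(line.lstrip("# ").strip())
            continue
        m = ASSIGN.match(line)
        if m:
            pkg = m.group(1).lower()  # assumption: GIT -> git
            for token in m.group(2).split():
                if not CVE_ID.match(token):
                    raise ValueError(f"malformed CVE id: {token!r}")
                ignores[(pkg, token)] = " ".join(comment) or None
        comment = []  # a comment only justifies the line right after it
    return ignores

def triage(report_text, ignores):
    """Split report rows into (still open, ignored) lists of (package, CVE)."""
    open_rows, ignored_rows = [], []
    for row in report_text.splitlines():
        fields = [f.strip() for f in row.split("|")]
        if len(fields) != 3:
            continue  # skip header, separator and blank lines
        key = (fields[0], fields[1])
        (ignored_rows if key in ignores else open_rows).append(key)
    return open_rows, ignored_rows
```

An entry whose justification comes back as `None` was added without a comment explaining why the CVE does not apply, which is worth rejecting in review.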