* [meta-virtualization][PATCH] podman: ignore CVE-2022-2989 and CVE-2023-0778 @ 2023-07-29 21:24 Peter Marko 2023-08-01 18:43 ` Bruce Ashfield 0 siblings, 1 reply; 2+ messages in thread From: Peter Marko @ 2023-07-29 21:24 UTC To: meta-virtualization; +Cc: Peter Marko From: Peter Marko <peter.marko@siemens.com> NVD shows only redhat links and does not mention fixed-in release so these CVEs will show up in reports indefinitely. They are already fixed in current version, so ignore them. CVE-2022-2989 * https://github.com/advisories/GHSA-4wjj-jwc9-2x96 * https://github.com/containers/podman/pull/15618 * commit d82a41687e614d9ac8b2d169dee47fe226835e4c Add container GID to additional groups CVE-2023-0778 * https://github.com/advisories/GHSA-qwqv-rqgf-8qh8 * https://github.com/containers/podman/pull/17528 * commit 6ca857feb07a5fdc96fd947afef03916291673d8 volume,container: chroot to source before exporting content Signed-off-by: Peter Marko <peter.marko@siemens.com> --- recipes-containers/podman/podman_git.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb index 145b46f..9060e85 100644 --- a/recipes-containers/podman/podman_git.bb +++ b/recipes-containers/podman/podman_git.bb @@ -34,6 +34,9 @@ S = "${WORKDIR}/git" PV = "4.6.0-rc1+git${SRCPV}" +CVE_STATUS[CVE-2022-2989] = "fixed-version: fixed since v4.3.0" +CVE_STATUS[CVE-2023-0778] = "fixed-version: fixed since v4.5.0" + PACKAGES =+ "${PN}-contrib" PODMAN_PKG = "github.com/containers/libpod" -- 2.30.2
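Review bot: the version strings in the two added CVE_STATUS lines ("fixed since v4.3.0" and "fixed since v4.5.0") are not backed by anything in the commit message, which names the fix commits and pull requests but not the release tags that contain them. Please state how the tags were determined, for example with git tag --contains on the two commits listed in the message, so the claim can be re-checked against PV = "4.6.0-rc1+git${SRCPV}". It would also help to carry the advisory and pull-request links as comment lines directly above the CVE_STATUS entries, since the recipe itself gives a reader no pointer to why these CVEs are marked fixed.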
* Re: [meta-virtualization][PATCH] podman: ignore CVE-2022-2989 and CVE-2023-0778 2023-07-29 21:24 [meta-virtualization][PATCH] podman: ignore CVE-2022-2989 and CVE-2023-0778 Peter Marko @ 2023-08-01 18:43 ` Bruce Ashfield 0 siblings, 0 replies; 2+ messages in thread From: Bruce Ashfield @ 2023-08-01 18:43 UTC To: peter.marko; +Cc: meta-virtualization merged. Bruce In message: [meta-virtualization][PATCH] podman: ignore CVE-2022-2989 and CVE-2023-0778 on 29/07/2023 Peter Marko via lists.yoctoproject.org wrote: > From: Peter Marko <peter.marko@siemens.com> > > NVD shows only redhat links and does not mention fixed-in release > so these CVEs will show up in reports indefinitely. > They are already fixed in current version, so ignore them. > > CVE-2022-2989 > * https://github.com/advisories/GHSA-4wjj-jwc9-2x96 > * https://github.com/containers/podman/pull/15618 > * commit d82a41687e614d9ac8b2d169dee47fe226835e4c Add container GID to additional groups > > CVE-2023-0778 > * https://github.com/advisories/GHSA-qwqv-rqgf-8qh8 > * https://github.com/containers/podman/pull/17528 > * commit 6ca857feb07a5fdc96fd947afef03916291673d8 volume,container: chroot to source before exporting content > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > --- > recipes-containers/podman/podman_git.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb > index 145b46f..9060e85 100644 > --- a/recipes-containers/podman/podman_git.bb > +++ b/recipes-containers/podman/podman_git.bb 
> @@ -34,6 +34,9 @@ S = "${WORKDIR}/git" > > PV = "4.6.0-rc1+git${SRCPV}" > > +CVE_STATUS[CVE-2022-2989] = "fixed-version: fixed since v4.3.0" > +CVE_STATUS[CVE-2023-0778] = "fixed-version: fixed since v4.5.0" > + > PACKAGES =+ "${PN}-contrib" > > PODMAN_PKG = "github.com/containers/libpod" > -- > 2.30.2