From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654
Date: Sat, 29 Feb 2020 17:36:08 +0100 [thread overview]
Message-ID: <20200229163608.GO8743@scaer> (raw)
In-Reply-To: <20200229094609.2451566-1-fontaine.fabrice@gmail.com>
Fabrice, All,
On 2020-02-29 10:46 +0100, Fabrice Fontaine spake thusly:
> Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal,
> allows remote attackers to create new webroot directories via unknown
> attack vectors.
Yes, good to know, but the interesting bit is why we are not affected,
which your commit log fails to specify.
Also, the comment should say so as well. Maybe just something like:
# Module for Drupal, not installed in Buildroot
BOOST_IGNORE_CVES +=...
Care to respin with explanations, please?
Regards,
Yann E. MORIN.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/boost/boost.mk | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/package/boost/boost.mk b/package/boost/boost.mk
> index 322429a10c..c9e80266e0 100644
> --- a/package/boost/boost.mk
> +++ b/package/boost/boost.mk
> @@ -11,6 +11,9 @@ BOOST_INSTALL_STAGING = YES
> BOOST_LICENSE = BSL-1.0
> BOOST_LICENSE_FILES = LICENSE_1_0.txt
>
> +# module for Drupal
> +BOOST_IGNORE_CVES += CVE-2009-3654
> +
> # keep host variant as minimal as possible
> HOST_BOOST_FLAGS = --without-icu --with-toolset=gcc \
> --without-libraries=$(subst $(space),$(comma),atomic chrono context \
> --
> 2.25.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
next prev parent reply other threads:[~2020-02-29 16:36 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-29 9:46 [Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654 Fabrice Fontaine
2020-02-29 16:36 ` Yann E. MORIN [this message]
2020-02-29 17:07 ` Peter Korsgaard
2020-02-29 17:11 ` Yann E. MORIN
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200229163608.GO8743@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox