From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654
Date: Sat, 29 Feb 2020 18:11:56 +0100 [thread overview]
Message-ID: <20200229171156.GR8743@scaer> (raw)
In-Reply-To: <87k145gw45.fsf@dell.be.48ers.dk>
Peter, Fabrice, All,
On 2020-02-29 18:07 +0100, Peter Korsgaard spake thusly:
> >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
>
> > Fabrice, All,
> > On 2020-02-29 10:46 +0100, Fabrice Fontaine spake thusly:
> >> Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal,
> >> allows remote attackers to create new webroot directories via unknown
> >> attack vectors.
>
> > Yes, good to know, but the interesting bit is why we are not affected,
> > which your commit log fails to specify.
>
> > Also, the comment should say so as well. Maybe just something like:
>
> > # Module for Drupal, not installed in Buildroot
> > BOOST_IGNORE_CVES +=...
>
> It is not because we don't install some optional part of boost, it is
> simply that our CVE logic thinks that this CVE applies to our boost
> package, whereas it is really for some kind of drupal module:
>
> https://nvd.nist.gov/vuln/detail/CVE-2009-3654
Ah, it is the other way around, then...
I'll apply to master with a bit of rephrasing to make that obvious,
then.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
prev parent reply other threads:[~2020-02-29 17:11 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-29 9:46 [Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654 Fabrice Fontaine
2020-02-29 16:36 ` Yann E. MORIN
2020-02-29 17:07 ` Peter Korsgaard
2020-02-29 17:11 ` Yann E. MORIN [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200229171156.GR8743@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox