From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Bagas Sanjaya <bagasdotme@gmail.com>
Cc: "buildroot@buildroot.org" <buildroot@buildroot.org>
Subject: Re: [Buildroot] [autobuild.buildroot.net] Your daily results for 2023-04-02
Date: Mon, 3 Apr 2023 10:53:52 +0200 [thread overview]
Message-ID: <20230403105352.03d8a9e8@windsurf> (raw)
In-Reply-To: <c4df1e01-285e-fcfe-cbfb-bc63ebd561e5@gmail.com>
Hello Bagas,
On Mon, 3 Apr 2023 15:03:20 +0700
Bagas Sanjaya <bagasdotme@gmail.com> wrote:
> > name | CVE | link
> > -------------------------------+------------------+--------------------------------------------------------------
> > git | CVE-2022-24765 | https://security-tracker.debian.org/tracker/CVE-2022-24765
> Should have been already fixed by upstream release v2.31.7 (which is
> already in Buildroot).
The NVD information says versions up to 2.35.2 are affected:
https://nvd.nist.gov/vuln/detail/CVE-2022-24765.
If 2.31.x a maintenance branch into which the fix has been backported?
> > git | CVE-2022-24975 | https://security-tracker.debian.org/tracker/CVE-2022-24975
> It is known outstanding issue (maybe docfix upstream is enough)?
This is a pretty silly CVE :-/ Complaining about the doc not making
things clear enough? Sounds odd. I think in the context of Buildroot,
we could ignore it.
> > git | CVE-2022-41953 | https://security-tracker.debian.org/tracker/CVE-2022-41953
> Windows-specific.
> > git | CVE-2023-22743 | https://security-tracker.debian.org/tracker/CVE-2023-22743
> Again, Windows-specific.
For both of these, and probably CVE-2022-24975, you can send a patch
adding those CVEs to GIT_IGNORE_CVES, and bit like this:
# CVE only affects the documentation
GIT_IGNORE_CVES += CVE-2022-24975
# CVEs only affect Windows systems
GIT_IGNORE_CVES += CVE-2022-41953 CVE-2023-22743
Thanks a lot for following-up on this, it's nice to see that some
Buildroot contributors are looking into the CVE details!
Best regards,
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
parent reply other threads:[~2023-04-03 8:54 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <c4df1e01-285e-fcfe-cbfb-bc63ebd561e5@gmail.com>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230403105352.03d8a9e8@windsurf \
--to=buildroot@buildroot.org \
--cc=bagasdotme@gmail.com \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox