Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* Re: [Buildroot] [autobuild.buildroot.net] Your daily results for 2023-04-02
       [not found] ` <c4df1e01-285e-fcfe-cbfb-bc63ebd561e5@gmail.com>
@ 2023-04-03  8:53   ` Thomas Petazzoni via buildroot
  0 siblings, 0 replies; only message in thread
From: Thomas Petazzoni via buildroot @ 2023-04-03  8:53 UTC (permalink / raw)
  To: Bagas Sanjaya; +Cc: buildroot@buildroot.org

Hello Bagas,

On Mon, 3 Apr 2023 15:03:20 +0700
Bagas Sanjaya <bagasdotme@gmail.com> wrote:

> >              name              |       CVE        |                             link                            
> > -------------------------------+------------------+--------------------------------------------------------------
> >                            git | CVE-2022-24765   | https://security-tracker.debian.org/tracker/CVE-2022-24765    
> Should have been already fixed by upstream release v2.31.7 (which is
> already in Buildroot).

The NVD information says versions up to 2.35.2 are affected:
https://nvd.nist.gov/vuln/detail/CVE-2022-24765.

If 2.31.x a maintenance branch into which the fix has been backported?

> >                            git | CVE-2022-24975   | https://security-tracker.debian.org/tracker/CVE-2022-24975    
> It is known outstanding issue (maybe docfix upstream is enough)?

This is a pretty silly CVE :-/ Complaining about the doc not making
things clear enough? Sounds odd. I think in the context of Buildroot,
we could ignore it.

> >                            git | CVE-2022-41953   | https://security-tracker.debian.org/tracker/CVE-2022-41953    
> Windows-specific.
> >                            git | CVE-2023-22743   | https://security-tracker.debian.org/tracker/CVE-2023-22743    
> Again, Windows-specific.

For both of these, and probably CVE-2022-24975, you can send a patch
adding those CVEs to GIT_IGNORE_CVES, and bit like this:

# CVE only affects the documentation
GIT_IGNORE_CVES += CVE-2022-24975

# CVEs only affect Windows systems
GIT_IGNORE_CVES += CVE-2022-41953 CVE-2023-22743

Thanks a lot for following-up on this, it's nice to see that some
Buildroot contributors are looking into the CVE details!

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2023-04-03  8:54 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <642a6e97.050a0220.1d642.3446SMTPIN_ADDED_MISSING@mx.google.com>
     [not found] ` <c4df1e01-285e-fcfe-cbfb-bc63ebd561e5@gmail.com>
2023-04-03  8:53   ` [Buildroot] [autobuild.buildroot.net] Your daily results for 2023-04-02 Thomas Petazzoni via buildroot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox