From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Daniel Lang <dalang@gmx.at>
Cc: Joris Lijssens <joris.lijssens@gmail.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862
Date: Thu, 7 Sep 2023 15:25:35 +0200 [thread overview]
Message-ID: <20230907152535.5b47810c@windsurf> (raw)
In-Reply-To: <20230906194420.279926-4-dalang@gmx.at>
On Wed, 6 Sep 2023 21:44:19 +0200
Daniel Lang <dalang@gmx.at> wrote:
> According to a collaborator [0] the affected code isn't in 4.3.1
>
> [0]: https://github.com/obgm/libcoap/issues/1117
>
> Signed-off-by: Daniel Lang <dalang@gmx.at>
> ---
> package/libcoap/libcoap.mk | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/package/libcoap/libcoap.mk b/package/libcoap/libcoap.mk
> index 3773ad293c..94bfc59702 100644
> --- a/package/libcoap/libcoap.mk
> +++ b/package/libcoap/libcoap.mk
> @@ -16,6 +16,8 @@ LIBCOAP_CONF_OPTS = \
> LIBCOAP_AUTORECONF = YES
> # 0001-Backport-fix-for-CVE-2023-30362.patch
> LIBCOAP_IGNORE_CVES += CVE-2023-30362
> +# Doesn't affect 4.3.1, see https://github.com/obgm/libcoap/issues/1117
> +LIBCOAP_IGNORE_CVES += CVE-2023-35862
Then instead the NVD maintainers need to be reported this issue, so
that the NVD database gets fixed. At least for now that's how we've
tried to resolve such issues.
However, admittedly, the last bug reports I did to NVD people were
ignored, while in the past, they used to be taken into account quite
efficiently.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2023-09-07 13:25 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-06 19:44 [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Daniel Lang
2023-09-06 19:44 ` [Buildroot] [PATCH 2/2] package/libcoap: ignore CVE-2023-35862 Daniel Lang
2023-09-07 13:25 ` Thomas Petazzoni via buildroot [this message]
2023-09-22 19:12 ` Arnout Vandecappelle via buildroot
2023-09-26 6:10 ` Peter Korsgaard
2023-09-22 19:07 ` [Buildroot] [PATCH 1/2] package/libcoap: fix CVE-2023-30362 Arnout Vandecappelle via buildroot
2023-09-26 6:10 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230907152535.5b47810c@windsurf \
--to=buildroot@buildroot.org \
--cc=dalang@gmx.at \
--cc=joris.lijssens@gmail.com \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox