* [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES
@ 2025-12-30 8:19 Thomas Perale via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 01/15] package/xinetd: add CVE trailer in patch Thomas Perale via buildroot
` (15 more replies)
0 siblings, 16 replies; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
This should cover the remaining patches that didn't have a 'CVE'
trailer.
There remain 54 'IGNORE_CVES' entries that are not bound to a patch. From those entries
we have the following:
- `unzip`: 13 entries. All of them are actually fixed by a patch but come from
Debian tar.
- `sox`: 14 entries. All of them are resolved because we are using a more
recent commit hash.
- `python-pip`: 1 entry, CVE-2018-20225. This CVE is disputed, won't be fixed and is
thus ignored.
- `php`: 1 entry, CVE-2024-3566. Only affects Windows and matches every
existing version.
- `openvmtools`: CVE-2021-31693, wrong entry on the mirror we use but fixed on the
NVD website.
- `mupdf`: 2 entries that are solved in another package but the entry still
matches the mupdf version.
- `luajit`: 5 entries. Fixed upstream but not trackable because we use commit
hash.
- `linenoise`: 1 entry. Fixed upstream but not trackable because we use commit
hash.
- `libuci`: 1 entry. Fixed upstream but not trackable because we use commit
hash.
- `libmad`: 3 entries. Fixed by a patch but come from Debian tar.
- `heirloom-mailx`: 2 entries. Fixed by a patch but come from Debian tar.
- `glibc`: 2 entries. CVE-2025-8058: not enough information in the DB.
CVE-2010-4756: matches every possible version.
- `freeradius-server`: 2 entries. False positive, the DB is not up to date.
- `flex`: 1 entry, CVE-2019-6293, that won't be fixed.
- `emlog`: 2 entries. Emlog doesn't have a CPE id and matches another project, so
they might be removed.
- `clamav`: 1 entry, CVE-2016-1405, that only affects Cisco devices but the CPE
matches every possible version.
For better trackability, the packages that are patched with Debian tar could
actually be imported into the tree (unzip, libmad, heirloom-mailx).
From that point we will have three categories of vulnerabilities: the ones that
don't affect the package (sox, php, luajit, linenoise, libuci), the false
positives (openvmtools, mupdf, glibc, freeradius, flex, emlog, clamav), and the
others that we ignore, such as python-pip.
v1 -> v2: Remove .checkpackageignore entries + missing SoB
Thomas Perale (15):
package/xinetd: add CVE trailer in patch
package/shellinabox: add CVE trailer in patch
package/patch: add CVE trailer in patches
package/tiff: remove stale IGNORE_CVES
package/rsyslog: remove stale IGNORE_CVES
package/postgresql: remove stale IGNORE_CVES
package/pixman: remove stale IGNORE_CVES
package/libssh: remove stale IGNORE_CVES
package/libcurl: remove stale IGNORE_CVES
boot/grub2: remove stale IGNORE_CVES
package/glibc: remove stale IGNORE_CVES
package/glibc: remove stale IGNORE_CVES
package/freerdp: remove stale IGNORE_CVES
package/dovecot: remove stale IGNORE_CVES
package/cmake: remove stale IGNORE_CVES
boot/grub2/grub2.mk | 11 -----------
package/cmake/cmake.mk | 2 --
package/dovecot/dovecot.mk | 5 -----
package/freerdp/freerdp.mk | 4 ----
package/glibc/glibc.mk | 19 ++-----------------
package/libcurl/libcurl.mk | 4 ----
package/libssh/libssh.mk | 4 ----
...x-segfault-with-mangled-rename-patch.patch | 4 ++--
...mmand-execution-in-ed-style-patches-.patch | 4 ++--
...-directly-instead-of-using-the-shell.patch | 6 ++++--
...nks-unless--follow-symlinks-is-given.patch | 5 +++--
package/pixman/pixman.mk | 6 ------
package/postgresql/postgresql.mk | 4 ----
package/rsyslog/rsyslog.mk | 4 ----
...9-fix-for-broken-multipart-form-data.patch | 4 +++-
package/tiff/tiff.mk | 3 ---
...netd-ignores-user-and-group-directiv.patch | 2 ++
17 files changed, 18 insertions(+), 73 deletions(-)
--
2.52.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH v2 01/15] package/xinetd: add CVE trailer in patch
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 02/15] package/shellinabox: " Thomas Perale via buildroot
` (14 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1], patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
.checkpackageignore | 1 -
...5-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch | 2 ++
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.checkpackageignore b/.checkpackageignore
index 3e274f391f..4df0438291 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -1124,7 +1124,6 @@ package/xinetd/0001-ar.patch lib_patch.Upstream
package/xinetd/0002-destdir.patch lib_patch.Upstream
package/xinetd/0003-rpc-fix.patch lib_patch.Upstream
package/xinetd/0004-configure-rlim_t.patch lib_patch.Upstream
-package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch lib_patch.Upstream
package/xl2tp/xl2tpd lib_shellscript.TrailingSpace
package/xml-security-c/0001-fix-build-with-libressl-3.5.0.patch lib_patch.Upstream
package/yajl/0001-Let-the-shared-and-the-static-library-have-the-same-.patch lib_patch.Upstream
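Review bot: this hunk drops the lib_patch.Upstream exception for 0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch, which is only correct because the second hunk of this same commit adds the Upstream: trailer to that patch; worth confirming with utils/check-package on the patch file before applying, so the check does not regress if the two hunks are ever split.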
diff --git a/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch b/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch
index bb2ee1fc9a..c99879b478 100644
--- a/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch
+++ b/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch
@@ -6,6 +6,8 @@ Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
Originally reported to Debian in 2005 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered <https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root).
+CVE: CVE-2013-4342
+Upstream: https://github.com/xinetd-org/xinetd/commit/e7c1ba41f4f86b436fb82b0d55cd5d387bd4ecc4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
xinetd/builtins.c | 2 +-
--
2.52.0
* [Buildroot] [PATCH v2 02/15] package/shellinabox: add CVE trailer in patch
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 01/15] package/xinetd: add CVE trailer in patch Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 03/15] package/patch: add CVE trailer in patches Thomas Perale via buildroot
` (13 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1], patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
.checkpackageignore | 1 -
...02-CVE-2018-16789-fix-for-broken-multipart-form-data.patch | 4 +++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.checkpackageignore b/.checkpackageignore
index 4df0438291..94916ecc0f 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -948,7 +948,6 @@ package/shadowsocks-libev/0003-lib-Makefile.am-remove-static-from-LDFLAGS.patch
package/shairport-sync/S99shairport-sync Shellcheck lib_sysv.Indent lib_sysv.Variables
package/shared-mime-info/0001-Remove-incorrect-dependency-from-install-data-hook.patch lib_patch.Upstream
package/shellinabox/0001-Makefile-disable-always-building-statically.patch lib_patch.Upstream
-package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch lib_patch.Upstream
package/skeleton-init-systemd/fakeroot_tmpfiles.sh Shellcheck
package/slang/0001-slsh-libs.patch lib_patch.Upstream
package/smcroute/S41smcroute NotExecutable lib_sysv.Indent lib_sysv.Variables
diff --git a/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch b/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
index 4b15f419e3..5067833056 100644
--- a/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
+++ b/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
@@ -4,7 +4,9 @@ Date: Fri, 26 Oct 2018 11:51:15 +0200
Subject: [PATCH] fix for broken multipart/form-data
Malformed multipart/form-data payload results in infinite loop and thus denial of service
-[Upstream status: https://github.com/shellinabox/shellinabox/pull/446]
+
+CVE: CVE-2018-16789
+Upstream: https://github.com/shellinabox/shellinabox/pull/446
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
libhttp/url.c | 3 +++
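Review bot: the Upstream: trailer added in this hunk points at a pull request (shellinabox/shellinabox/pull/446), the same reference the removed "[Upstream status: ...]" line carried; if that PR has since been merged, the merged commit URL is the more durable reference, and if it has not, the trailer should make that status visible, since the old wording conveyed it as a status and the new trailer reads as a final upstream location.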
--
2.52.0
* [Buildroot] [PATCH v2 03/15] package/patch: add CVE trailer in patches
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 01/15] package/xinetd: add CVE trailer in patch Thomas Perale via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 02/15] package/shellinabox: " Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 04/15] package/tiff: remove stale IGNORE_CVES Thomas Perale via buildroot
` (12 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1], patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patches header as well
as the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
.checkpackageignore | 4 ----
.../patch/0001-Fix-segfault-with-mangled-rename-patch.patch | 4 ++--
...x-arbitrary-command-execution-in-ed-style-patches-.patch | 4 ++--
...0004-Invoke-ed-directly-instead-of-using-the-shell.patch | 6 ++++--
...t-follow-symlinks-unless--follow-symlinks-is-given.patch | 5 +++--
5 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/.checkpackageignore b/.checkpackageignore
index 94916ecc0f..1e255f80e1 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -798,11 +798,7 @@ package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch li
package/owfs/S55owserver Shellcheck lib_sysv.Variables
package/owfs/S60owfs Shellcheck lib_sysv.Variables
package/owl-linux/0001-fix-for-linux-3.3.x.patch lib_patch.Upstream
-package/patch/0001-Fix-segfault-with-mangled-rename-patch.patch lib_patch.Upstream
package/patch/0002-Allow-input-files-to-be-missing-for-ed-style-patches.patch lib_patch.Upstream
-package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch lib_patch.Upstream
-package/patch/0004-Invoke-ed-directly-instead-of-using-the-shell.patch lib_patch.Upstream
-package/patch/0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch lib_patch.Upstream
package/patchelf/0001-Add-option-to-make-the-rpath-relative-under-a-specif.patch lib_patch.Upstream
package/paxtest/0001-genpaxtest-move-log-location.patch lib_patch.Upstream
package/paxtest/0002-paxtest-page-alignment-ARM-and-NIOS2-arch.patch lib_patch.Upstream
diff --git a/package/patch/0001-Fix-segfault-with-mangled-rename-patch.patch b/package/patch/0001-Fix-segfault-with-mangled-rename-patch.patch
index 19a67573c4..1b8d954025 100644
--- a/package/patch/0001-Fix-segfault-with-mangled-rename-patch.patch
+++ b/package/patch/0001-Fix-segfault-with-mangled-rename-patch.patch
@@ -7,10 +7,10 @@ http://savannah.gnu.org/bugs/?53132
* src/pch.c (intuit_diff_type): Ensure that two filenames are specified
for renames and copies (fix the existing check).
+CVE: CVE-2018-6951
+Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=f290f48a621867084884bfff87f8093c15195e6a
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
-Patch status: upstream commit f290f48a6218
-
src/pch.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
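Review bot: the Upstream: trailer added in this hunk uses the host cgit.git.savannah.gnu.org (and the 0003 hunk below does the same), while the 0004 and 0005 hunks of this same patch use git.savannah.gnu.org for the same patch.git repository; suggest one canonical host for all four trailers so the references stay consistent and easy to verify.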
diff --git a/package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch b/package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
index b44bdd0fac..18497c153b 100644
--- a/package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
+++ b/package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
@@ -10,11 +10,11 @@ instead of rejecting them and carrying on.
* tests/ed-style: New test case.
* tests/Makefile.am (TESTS): Add test case.
+CVE: CVE-2018-1000156
+Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
[baruch: drop test hunks to avoid autoreconf]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
-Upstream status: commit 123eaff0d5d1
-
src/pch.c | 91 ++++++++++++++++++++++++++++++++++++++++---------------
tests/Makefile.am | 1 +
tests/ed-style | 41 +++++++++++++++++++++++++
diff --git a/package/patch/0004-Invoke-ed-directly-instead-of-using-the-shell.patch b/package/patch/0004-Invoke-ed-directly-instead-of-using-the-shell.patch
index ae64d58b93..7ede9300e4 100644
--- a/package/patch/0004-Invoke-ed-directly-instead-of-using-the-shell.patch
+++ b/package/patch/0004-Invoke-ed-directly-instead-of-using-the-shell.patch
@@ -5,8 +5,10 @@ Subject: Invoke ed directly instead of using the shell
* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
command to avoid quoting vulnerabilities.
-[Retrieved from:
-https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
+
+CVE: CVE-2018-20969
+CVE: CVE-2019-13638
+Upstream: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/pch.c | 6 ++----
diff --git a/package/patch/0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch b/package/patch/0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
index e07ae0c670..c0e63081e2 100644
--- a/package/patch/0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
+++ b/package/patch/0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
@@ -9,8 +9,9 @@ the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing
that consistently for input files.
* src/util.c (create_backup): When creating empty backup files, (re)create them
with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
-[Retrieved from:
-https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a]
+
+CVE: CVE-2019-13636
+Upstream: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/inp.c | 12 ++++++++++--
--
2.52.0
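The cover letter counts IGNORE_CVES entries that are not bound to a patch, and patches 01 to 03 above add the `CVE:` / `Upstream:` trailers that make such a binding visible. The following is an added example, not Buildroot's own tooling (it does not use support/scripts/cve.py or utils/check-package): it parses `<PKG>_IGNORE_CVES` lists from .mk text, including backslash-continued lists, collects the `CVE:` trailers from patch headers, and reports which ignored CVEs have no patch claiming to fix them and which are both ignored and patched. The package name FOO, the CVE ids of the form CVE-2000-000N and the patch header are all constructed sample input.

```python
"""Cross-check *_IGNORE_CVES entries against 'CVE:' trailers in patch files.

Added example, not Buildroot's own tooling. It reads Buildroot-style .mk
text and patch headers that carry trailers in the form:

    CVE: CVE-YYYY-NNNN
    Upstream: <url>

All sample inputs below are constructed.
"""
import re
from collections import defaultdict

# "TIFF_IGNORE_CVES += CVE-2025-8851" or "GLIBC_IGNORE_CVES += \" (continued)
IGNORE_ASSIGN_RE = re.compile(r"^(?P<pkg>[A-Z0-9_]+)_IGNORE_CVES\s*\+?=\s*(?P<rest>.*)$")
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Trailer line as used in Buildroot patch headers: "CVE: CVE-2013-4342"
CVE_TRAILER_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})\s*$", re.MULTILINE)


def parse_ignore_cves(mk_text):
    """Map each <PKG>_IGNORE_CVES variable to the set of CVE ids it lists.

    Backslash continuations are joined so multi-line lists are read whole.
    """
    result = defaultdict(set)
    lines = mk_text.splitlines()
    i = 0
    while i < len(lines):
        m = IGNORE_ASSIGN_RE.match(lines[i].strip())
        if m:
            value = m.group("rest")
            while value.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                value = value.rstrip()[:-1] + " " + lines[i].strip()
            result[m.group("pkg")].update(CVE_ID_RE.findall(value))
        i += 1
    return dict(result)


def parse_patch_cves(patch_text):
    """Return the CVE ids a patch declares with 'CVE:' trailers (may be several)."""
    return set(CVE_TRAILER_RE.findall(patch_text))


def unbound_ignores(mk_text, patch_texts):
    """Ignored CVE ids that no patch of the package claims to fix.

    These are the 'IGNORE_CVES not bound to a patch' from the cover letter:
    each needs a written justification (false positive, not applicable, ...)
    rather than a trailer.
    """
    ignored = set().union(*parse_ignore_cves(mk_text).values())
    patched = set().union(*(parse_patch_cves(p) for p in patch_texts))
    return sorted(ignored - patched)


def redundant_ignores(mk_text, patch_texts):
    """Ignored CVE ids that a patch also declares fixed: candidates for cleanup."""
    ignored = set().union(*parse_ignore_cves(mk_text).values())
    patched = set().union(*(parse_patch_cves(p) for p in patch_texts))
    return sorted(ignored & patched)


# Constructed sample .mk (package "FOO") and one constructed patch header.
SAMPLE_MK = """\
FOO_VERSION = 1.0
FOO_IGNORE_CVES += CVE-2000-0001
# The next two have no patch; they would need a justification comment.
FOO_IGNORE_CVES += \\
\tCVE-2000-0002 \\
\tCVE-2000-0003
"""

SAMPLE_PATCH = """\
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Example Author <author@example.invalid>
Subject: [PATCH] fix a constructed issue

Description of the fix.

CVE: CVE-2000-0001
Upstream: https://example.invalid/commit/0000000
Signed-off-by: Example Author <author@example.invalid>
---
 src/foo.c | 2 +-
"""

if __name__ == "__main__":
    print("ignored:", parse_ignore_cves(SAMPLE_MK))
    print("fixed by patches:", sorted(parse_patch_cves(SAMPLE_PATCH)))
    print("unbound:", unbound_ignores(SAMPLE_MK, [SAMPLE_PATCH]))
    print("redundant:", redundant_ignores(SAMPLE_MK, [SAMPLE_PATCH]))
```

Run against a real package directory by reading its .mk file and every *.patch in it; the unbound list is what still has to be justified in a comment, and the redundant list is where an ignore entry and a trailer now say the same thing twice.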
* [Buildroot] [PATCH v2 04/15] package/tiff: remove stale IGNORE_CVES
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
` (2 preceding siblings ...)
2025-12-30 8:19 ` [Buildroot] [PATCH v2 03/15] package/patch: add CVE trailer in patches Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 05/15] package/rsyslog: " Thomas Perale via buildroot
` (11 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Buildroot commit [1] introduced this IGNORE_CVES entry, which was due
to a bad NVD entry.
The NVD database has now fixed the annotation [2], so it can be removed.
[1] 740412aefc package/tiff: ignore CVE-2025-8851
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-8851
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/tiff/tiff.mk | 3 ---
1 file changed, 3 deletions(-)
diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk
index 32bebcf95f..e64a6baf83 100644
--- a/package/tiff/tiff.mk
+++ b/package/tiff/tiff.mk
@@ -13,9 +13,6 @@ TIFF_CPE_ID_VENDOR = libtiff
TIFF_CPE_ID_PRODUCT = libtiff
TIFF_INSTALL_STAGING = YES
-# Fixed in 4.7.0
-TIFF_IGNORE_CVES += CVE-2025-8851
-
# webp has a (optional) dependency on tiff, so we can't have webp
# support in tiff, or that would create a circular dependency.
TIFF_CONF_OPTS = \
--
2.52.0
* [Buildroot] [PATCH v2 05/15] package/rsyslog: remove stale IGNORE_CVES
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
` (3 preceding siblings ...)
2025-12-30 8:19 ` [Buildroot] [PATCH v2 04/15] package/tiff: remove stale IGNORE_CVES Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 06/15] package/postgresql: " Thomas Perale via buildroot
` (10 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1], CVEs are no longer matched to CPEs with
versions using '-'.
CVE-2015-3243 is therefore no longer matched to the rsyslog package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/rsyslog/rsyslog.mk | 4 ----
1 file changed, 4 deletions(-)
diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index 69128afbac..dedecdc572 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -9,10 +9,6 @@ RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
RSYSLOG_CPE_ID_VENDOR = rsyslog
-# rsyslog uses weak permissions for generating log files.
-# Ignoring this CVE as Buildroot normally doesn't have local users and a build
-# could customize the rsyslog.conf to be more restrictive ($FileCreateMode 0640)
-RSYSLOG_IGNORE_CVES += CVE-2015-3243
RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
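Review bot: the comment block removed in this hunk documented a risk acceptance rather than a false positive (weak default log-file permissions, with $FileCreateMode 0640 given as the mitigation), whereas the commit message only says the CVE no longer matches after the CPE matching fix; if CVE-2015-3243 still describes rsyslog's default behaviour, the commit message should state whether the entry goes away because the CVE is now unmatched or because the issue is considered fixed in the packaged version, otherwise the permission hint disappears from the tree without a record of why.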
--
2.52.0
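The rsyslog, postgresql, pixman, libcurl, grub2 and glibc commit messages all rest on the same matcher change: a CPE whose version field is '-' no longer matches a versioned package. The following is an added example and is not Buildroot's support/scripts/cve.py; it models a CPE 2.3 name plus NVD-style version bounds (versionStartIncluding and friends) and compares a package version against them, with '*' read as the CPE logical value ANY and '-' as NA (no version). The `na_matches_all` flag is an assumption of this example used to show the legacy behaviour side by side; the vendor/product example:logd and its configuration nodes are constructed, not NVD data.

```python
"""Why a CPE whose version field is '-' should not match a concrete version.

Added example, not Buildroot's support/scripts/cve.py. Nodes are dicts of
the form {"cpe": <CPE 2.3 string>, optional NVD range fields}. Escaped
colons inside CPE fields are not handled, to keep the parser short.
"""
import re

ANY = "*"   # CPE 2.3 logical value ANY
NA = "-"    # CPE 2.3 logical value NA: "no version"


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 13 colon-separated fields."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return fields


def version_key(version):
    """Comparable key: numeric components as ints, anything else as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def within_bounds(version, start_incl=None, end_incl=None,
                  start_excl=None, end_excl=None):
    """Apply NVD-style range fields to a concrete version."""
    key = version_key(version)
    if start_incl is not None and key < version_key(start_incl):
        return False
    if start_excl is not None and key <= version_key(start_excl):
        return False
    if end_incl is not None and key > version_key(end_incl):
        return False
    if end_excl is not None and key >= version_key(end_excl):
        return False
    return True


def cpe_affects(node, vendor, product, version, na_matches_all=False):
    """True if the node's CPE (plus bounds) covers vendor/product/version.

    na_matches_all=True reproduces a matcher that treats '-' like '*'; the
    default treats '-' as "no version", so a versioned build never matches.
    """
    fields = parse_cpe23(node["cpe"])
    cpe_vendor, cpe_product, cpe_version = fields[3], fields[4], fields[5]
    if cpe_vendor != vendor or cpe_product != product:
        return False
    if cpe_version == NA:
        return na_matches_all
    if cpe_version == ANY:
        return within_bounds(version,
                             node.get("versionStartIncluding"),
                             node.get("versionEndIncluding"),
                             node.get("versionStartExcluding"),
                             node.get("versionEndExcluding"))
    return version_key(cpe_version) == version_key(version)


def affected_indices(nodes, vendor, product, version, na_matches_all=False):
    """Indices of the nodes that match, for a side-by-side comparison."""
    return [i for i, n in enumerate(nodes)
            if cpe_affects(n, vendor, product, version, na_matches_all)]


# Constructed nodes for a fictional product example:logd (not NVD data).
SAMPLE_NODES = [
    {"cpe": "cpe:2.3:a:example:logd:-:*:*:*:*:*:*:*"},           # version NA
    {"cpe": "cpe:2.3:a:example:logd:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "8.2"},                                # any < 8.2
    {"cpe": "cpe:2.3:a:example:logd:8.1:*:*:*:*:*:*:*"},          # exactly 8.1
]

if __name__ == "__main__":
    for v in ("8.1", "8.2", "9.0"):
        print(v, "strict:", affected_indices(SAMPLE_NODES, "example", "logd", v),
              "legacy:", affected_indices(SAMPLE_NODES, "example", "logd", v, True))
```

With the legacy flag the NA node matches every version of the product, including 9.0, which is exactly the shape of the entries these patches remove from the IGNORE_CVES lists; under the strict reading only the range and exact-version nodes contribute.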
* [Buildroot] [PATCH v2 06/15] package/postgresql: remove stale IGNORE_CVES
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
` (4 preceding siblings ...)
2025-12-30 8:19 ` [Buildroot] [PATCH v2 05/15] package/rsyslog: " Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 07/15] package/pixman: " Thomas Perale via buildroot
` (9 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1], CVEs are no longer matched to CPEs with
versions using '-'.
CVE-2017-8806 is therefore no longer matched to the postgresql package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
---
package/postgresql/postgresql.mk | 4 ----
1 file changed, 4 deletions(-)
diff --git a/package/postgresql/postgresql.mk b/package/postgresql/postgresql.mk
index 78d7cef4f6..38403b0f45 100644
--- a/package/postgresql/postgresql.mk
+++ b/package/postgresql/postgresql.mk
@@ -28,10 +28,6 @@ POSTGRESQL_DEPENDENCIES = \
host-bison \
host-flex
-# CVE-2017-8806 is related to postgresql-common package
-# It is false positive for postgresql
-POSTGRESQL_IGNORE_CVES += CVE-2017-8806
-
ifeq ($(BR2_PACKAGE_POSTGRESQL_FULL),y)
POSTGRESQL_NINJA_OPTS += world
POSTGRESQL_INSTALL_TARGET_OPTS += DESTDIR=$(TARGET_DIR) install-world
--
2.52.0
* [Buildroot] [PATCH v2 07/15] package/pixman: remove stale IGNORE_CVES
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
` (5 preceding siblings ...)
2025-12-30 8:19 ` [Buildroot] [PATCH v2 06/15] package/postgresql: " Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 08/15] package/libssh: " Thomas Perale via buildroot
` (8 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1], CVEs are no longer matched to CPEs with
versions using '-'.
CVE-2023-37769 is therefore no longer matched to the pixman package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/pixman/pixman.mk | 6 ------
1 file changed, 6 deletions(-)
diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
index 63d9ccd10b..d02bb0a260 100644
--- a/package/pixman/pixman.mk
+++ b/package/pixman/pixman.mk
@@ -26,12 +26,6 @@ PIXMAN_CONF_OPTS = \
-Dlibpng=disabled \
-Dtests=disabled
-# Affects only tests, and we don't build tests.
-# See https://gitlab.freedesktop.org/pixman/pixman/-/issues/76, which says
-# "not sure why NVD keeps assigning CVEs like this. This is just a test
-# executable".
-PIXMAN_IGNORE_CVES += CVE-2023-37769
-
ifeq ($(BR2_X86_CPU_HAS_MMX),y)
PIXMAN_CONF_OPTS += -Dmmx=enabled
else
--
2.52.0
* [Buildroot] [PATCH v2 08/15] package/libssh: remove stale IGNORE_CVES
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
` (6 preceding siblings ...)
2025-12-30 8:19 ` [Buildroot] [PATCH v2 07/15] package/pixman: " Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 09/15] package/libcurl: " Thomas Perale via buildroot
` (7 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
The entry was added in commit [1], but since then the NVD database has
updated the version end specifier.
This IGNORE_CVES entry is therefore no longer needed.
[1] 51b1e1daf5 package/libssh: ignore CVE-2025-5318
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/libssh/libssh.mk | 4 ----
1 file changed, 4 deletions(-)
diff --git a/package/libssh/libssh.mk b/package/libssh/libssh.mk
index 2be9013454..3c7e77a206 100644
--- a/package/libssh/libssh.mk
+++ b/package/libssh/libssh.mk
@@ -17,10 +17,6 @@ LIBSSH_CONF_OPTS = \
-DWITH_STACK_PROTECTOR=OFF \
-DWITH_EXAMPLES=OFF
-# NVD database is missing an upper version specifier.
-# This vulnerability only affects libssh<0.11.2
-LIBSSH_IGNORE_CVES = CVE-2025-5318
-
ifeq ($(BR2_ARM_INSTRUCTIONS_THUMB),y)
LIBSSH_CONF_OPTS += -DWITH_STACK_CLASH_PROTECTION=OFF
endif
--
2.52.0
* [Buildroot] [PATCH v2 09/15] package/libcurl: remove stale IGNORE_CVES
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
` (7 preceding siblings ...)
2025-12-30 8:19 ` [Buildroot] [PATCH v2 08/15] package/libssh: " Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:46 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 10/15] boot/grub2: " Thomas Perale via buildroot
` (6 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1], CVEs are no longer matched to CPEs with
versions using '-'.
CVE-2024-32928, introduced in [2], is therefore no longer matched to the
libcurl package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 7e739d49b2 package/libcurl: ignore CVE-2024-32928
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/libcurl/libcurl.mk | 4 ----
1 file changed, 4 deletions(-)
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 9e32c38d97..6924631735 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -25,10 +25,6 @@ LIBCURL_CONF_OPTS = \
--disable-ldap \
--disable-ldaps
-# Only affects Nest products.
-# https://nvd.nist.gov/vuln/detail/CVE-2024-32928
-LIBCURL_IGNORE_CVES += CVE-2024-32928
-
# threaded resolver cannot be used with c-ares
# https://github.com/curl/curl/commit/d364f1347f05c53eea5d25a15b4ad8a62ecc85b8
ifeq ($(BR2_TOOLCHAIN_HAS_THREADS)x$(BR2_PACKAGE_C_ARES),yx)
--
2.52.0
* [Buildroot] [PATCH v2 10/15] boot/grub2: remove stale IGNORE_CVES
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
` (8 preceding siblings ...)
2025-12-30 8:19 ` [Buildroot] [PATCH v2 09/15] package/libcurl: " Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:46 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 11/15] package/glibc: " Thomas Perale via buildroot
` (5 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1], CVEs are no longer matched to CPEs with
versions using '-'.
The IGNORE_CVES entries introduced in [2][3][4] are therefore no longer
matched to the grub2 package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 2495630383 boot/grub2: ignore CVE-2024-1048
[3] e2f46ed03d boot/grub2: ignore CVE-2023-4001
[4] a490687571 boot/grub2: ignore the last 3 remaining CVEs
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
boot/grub2/grub2.mk | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
index f543c53cd8..fdf274d9aa 100644
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@@ -15,17 +15,6 @@ HOST_GRUB2_DEPENDENCIES = host-bison host-flex host-gawk \
$(BR2_PYTHON3_HOST_DEPENDENCY)
GRUB2_INSTALL_IMAGES = YES
-# CVE-2019-14865 is about a flaw in the grub2-set-bootflag tool, which
-# doesn't exist upstream, but is added by the Redhat/Fedora
-# packaging. Not applicable to Buildroot.
-GRUB2_IGNORE_CVES += CVE-2019-14865
-# vulnerability is specific to the Redhat distribution, affects a
-# downstream change from Redhat related to password authentication
-GRUB2_IGNORE_CVES += CVE-2023-4001
-# vulnerability is specific to the Redhat distribution, affects the
-# grub2-set-bootflag tool, which doesn't exist upstream
-GRUB2_IGNORE_CVES += CVE-2024-1048
-
# 0004-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch (yes, two
# CVEs are fixed by this patch)
GRUB2_IGNORE_CVES += CVE-2024-45782
--
2.52.0
* [Buildroot] [PATCH v2 11/15] package/glibc: remove stale IGNORE_CVES
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
` (9 preceding siblings ...)
2025-12-30 8:19 ` [Buildroot] [PATCH v2 10/15] boot/grub2: " Thomas Perale via buildroot
@ 2025-12-30 8:19 ` Thomas Perale via buildroot
2026-01-13 19:46 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 12/15] " Thomas Perale via buildroot
` (4 subsequent siblings)
15 siblings, 1 reply; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1], CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entries, introduced in [2], are therefore no longer matched to
the glibc package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] adaae82c58 package/glibc: ignore CVEs not considered as security issues by upstream
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/glibc/glibc.mk | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index a7727cbad8..924274a7d6 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -34,19 +34,10 @@ GLIBC_IGNORE_CVES += CVE-2025-5702
# Fixed by glibc-2.41-64-g1e16d0096d80a6e12d5bfa8e0aafdd13c47efd65
GLIBC_IGNORE_CVES += CVE-2025-8058
-# All these CVEs are considered as not being security issues by
+# This CVE is considered as not being security issues by
# upstream glibc:
# https://security-tracker.debian.org/tracker/CVE-2010-4756
-# https://security-tracker.debian.org/tracker/CVE-2019-1010022
-# https://security-tracker.debian.org/tracker/CVE-2019-1010023
-# https://security-tracker.debian.org/tracker/CVE-2019-1010024
-# https://security-tracker.debian.org/tracker/CVE-2019-1010025
-GLIBC_IGNORE_CVES += \
- CVE-2010-4756 \
- CVE-2019-1010022 \
- CVE-2019-1010023 \
- CVE-2019-1010024 \
- CVE-2019-1010025
+GLIBC_IGNORE_CVES += CVE-2010-4756
# glibc is part of the toolchain so disable the toolchain dependency
GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
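Review bot: the added line `+# This CVE is considered as not being security issues by` keeps the plural of the line it replaces; with only CVE-2010-4756 left it should read `# This CVE is considered as not being a security issue by`.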
--
2.52.0
* [Buildroot] [PATCH v2 12/15] package/glibc: remove stale IGNORE_CVES
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
The IGNORE_CVES entries introduced in [1] no longer match the glibc
package following the bump to v2.42 in [2]. The version boundaries
specified on the NVD DB are specific to 2.40 & 2.41.
CVE-2025-8058, though, doesn't have any information available on the NVD
DB and will therefore remain in IGNORE_CVES.
[1] feaf53585a package/glibc: security bump to version 2.41-70
[2] fb6256c0ef package/{glibc, localdef}: bump to version 2.42
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/glibc/glibc.mk | 6 ------
1 file changed, 6 deletions(-)
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 924274a7d6..9c3ff7124e 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -25,12 +25,6 @@ GLIBC_CPE_ID_VENDOR = gnu
# allow proper matching with the CPE database.
GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
-# Fixed by glibc-2.41-57-g84bdbf8a6f2fdafd3661489dbb7f79835a52da82
-GLIBC_IGNORE_CVES += CVE-2025-5745
-
-# Fixed by glibc-2.41-60-g0c76c951620f9e12df2a89b2c684878b55bb6795
-GLIBC_IGNORE_CVES += CVE-2025-5702
-
# Fixed by glibc-2.41-64-g1e16d0096d80a6e12d5bfa8e0aafdd13c47efd65
GLIBC_IGNORE_CVES += CVE-2025-8058
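Review bot: the kept context `# Fixed by glibc-2.41-64-g1e16d0096d80a6e12d5bfa8e0aafdd13c47efd65` above `GLIBC_IGNORE_CVES += CVE-2025-8058` no longer explains why this entry survives while the two 2.41-fixed entries above it are removed; per the commit message it is kept because NVD has no version information for this CVE, so the comment should say so (for example `# No version information on NVD yet; fixed by glibc-2.41-64-g...`), otherwise the next reader will treat it as stale too.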
--
2.52.0
* [Buildroot] [PATCH v2 13/15] package/freerdp: remove stale IGNORE_CVES
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
The NVD DB is now correctly tracking the vulnerability starting version
3.0 (see [1]). The IGNORE_CVES entry introduced in [2] is then no longer
needed.
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-4478
[2] f741e8f6e6 package/freerdp: ignore CVE-2025-4478
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/freerdp/freerdp.mk | 4 ----
1 file changed, 4 deletions(-)
diff --git a/package/freerdp/freerdp.mk b/package/freerdp/freerdp.mk
index 391b9a4675..3a1ba61621 100644
--- a/package/freerdp/freerdp.mk
+++ b/package/freerdp/freerdp.mk
@@ -13,10 +13,6 @@ FREERDP_LICENSE = Apache-2.0
FREERDP_LICENSE_FILES = LICENSE
FREERDP_CPE_ID_VENDOR = freerdp
-# As explained on https://github.com/FreeRDP/FreeRDP/pull/11573#issuecomment-2904160524,
-# the affected code is new with 3.x, was not there on 2.x
-FREERDP_IGNORE_CVES += CVE-2025-4478
-
FREERDP_INSTALL_STAGING = YES
FREERDP_CONF_OPTS = -DWITH_MANPAGES=OFF -Wno-dev -DWITH_GSTREAMER_0_10=OFF
--
2.52.0
* [Buildroot] [PATCH v2 14/15] package/dovecot: remove stale IGNORE_CVES
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The IGNORE_CVES entry introduced in [2] is then no longer matched to
the dovecot package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 948e71689a package/dovecot: ignore CVE-2016-4983
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/dovecot/dovecot.mk | 5 -----
1 file changed, 5 deletions(-)
diff --git a/package/dovecot/dovecot.mk b/package/dovecot/dovecot.mk
index 6612787a94..a4c799221c 100644
--- a/package/dovecot/dovecot.mk
+++ b/package/dovecot/dovecot.mk
@@ -21,12 +21,7 @@ DOVECOT_DEPENDENCIES = \
$(if $(BR2_PACKAGE_LIBICONV),libiconv) \
openssl
-# CVE-2016-4983 is an issue in a postinstall script in the dovecot rpm, which
-# is part of the Red Hat packaging and not part of upstream dovecot
-DOVECOT_IGNORE_CVES += CVE-2016-4983
-
# 0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
-
# Note: this ignore CVE entry is reported as stale by pkg-stats, but
# the NVD database is incorrect:
# https://lore.kernel.org/buildroot/20250517181815.02ce0393@windsurf/
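Review bot: the removal of the blank line between `# 0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch` and `# Note: this ignore CVE entry is reported as stale by pkg-stats, but` is unrelated to dropping CVE-2016-4983 and is not mentioned in the commit message; either leave that line alone or say that the Note is being joined to the 0001 patch comment it refers to.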
--
2.52.0
* [Buildroot] [PATCH v2 15/15] package/cmake: remove stale IGNORE_CVES
From: Thomas Perale via buildroot @ 2025-12-30 8:19 UTC (permalink / raw)
To: buildroot
Cc: Maxim Kochetkov, Flávio Tapajós, Bernd Kuhls,
Olivier Singla, Thomas Petazzoni, Danomi Manchego, Romain Naour
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The IGNORE_CVES entry introduced in [2] is then no longer matched to
the cmake package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 5ce1e773b9 package/cmake: ignore CVE-2016-10642
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/cmake/cmake.mk | 2 --
1 file changed, 2 deletions(-)
diff --git a/package/cmake/cmake.mk b/package/cmake/cmake.mk
index e9752640e5..ef4f6aa98e 100644
--- a/package/cmake/cmake.mk
+++ b/package/cmake/cmake.mk
@@ -11,8 +11,6 @@ CMAKE_SITE = https://cmake.org/files/v$(CMAKE_VERSION_MAJOR)
CMAKE_LICENSE = BSD-3-Clause
CMAKE_LICENSE_FILES = LICENSE.rst
CMAKE_CPE_ID_VALID = YES
-# Tool download MITM attack warning if using npm package to install cmake
-CMAKE_IGNORE_CVES = CVE-2016-10642
# The package is a dependency to ccache so ccache cannot be a dependency
HOST_CMAKE_ADD_CCACHE_DEPENDENCY = NO
--
2.52.0
* Re: [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES
From: Thomas Petazzoni via buildroot @ 2025-12-30 10:59 UTC (permalink / raw)
To: Thomas Perale via buildroot
Cc: Thomas Perale, Maxim Kochetkov, Flávio Tapajós,
Bernd Kuhls, Olivier Singla, Danomi Manchego, Romain Naour
Hello Thomas,
On Tue, 30 Dec 2025 09:19:02 +0100
Thomas Perale via buildroot <buildroot@buildroot.org> wrote:
> Thomas Perale (15):
> package/xinetd: add CVE trailer in patch
> package/shellinabox: add CVE trailer in patch
> package/patch: add CVE trailer in patches
> package/tiff: remove stale IGNORE_CVES
> package/rsyslog: remove stale IGNORE_CVES
> package/postgresql: remove stale IGNORE_CVES
> package/pixman: remove stale IGNORE_CVES
> package/libssh: remove stale IGNORE_CVES
> package/libcurl: remove stale IGNORE_CVES
> boot/grub2: remove stale IGNORE_CVES
> package/glibc: remove stale IGNORE_CVES
> package/glibc: remove stale IGNORE_CVES
> package/freerdp: remove stale IGNORE_CVES
> package/dovecot: remove stale IGNORE_CVES
> package/cmake: remove stale IGNORE_CVES
Thanks, series applied!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH v2 10/15] boot/grub2: remove stale IGNORE_CVES
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:46 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
> versions using '-'.
>
> The IGNORE_CVES entries introduced in [2][3][4] are then no longer
> matched to the grub2 package.
>
> For more information, see the explanation in commit [1].
>
> [1] 35f376d88e support/scripts/cve.py: fix CPE matching
> [2] 2495630383 boot/grub2: ignore CVE-2024-1048
> [3] e2f46ed03d boot/grub2: ignore CVE-2023-4001
> [4] a490687571 boot/grub2: ignore the last 3 remaining CVEs
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> boot/grub2/grub2.mk | 11 -----------
> 1 file changed, 11 deletions(-)
>
> diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
> index f543c53cd8..fdf274d9aa 100644
> --- a/boot/grub2/grub2.mk
> +++ b/boot/grub2/grub2.mk
> @@ -15,17 +15,6 @@ HOST_GRUB2_DEPENDENCIES = host-bison host-flex host-gawk \
> $(BR2_PYTHON3_HOST_DEPENDENCY)
> GRUB2_INSTALL_IMAGES = YES
>
> -# CVE-2019-14865 is about a flaw in the grub2-set-bootflag tool, which
> -# doesn't exist upstream, but is added by the Redhat/Fedora
> -# packaging. Not applicable to Buildroot.
> -GRUB2_IGNORE_CVES += CVE-2019-14865
> -# vulnerability is specific to the Redhat distribution, affects a
> -# downstream change from Redhat related to password authentication
> -GRUB2_IGNORE_CVES += CVE-2023-4001
> -# vulnerability is specific to the Redhat distribution, affects the
> -# grub2-set-bootflag tool, which doesn't exist upstream
> -GRUB2_IGNORE_CVES += CVE-2024-1048
> -
> # 0004-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch (yes, two
> # CVEs are fixed by this patch)
> GRUB2_IGNORE_CVES += CVE-2024-45782
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH v2 15/15] package/cmake: remove stale IGNORE_CVES
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:46 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
> versions using '-'.
>
> The IGNORE_CVES entry introduced in [2] is then no longer matched to
> the cmake package.
>
> For more information, see the explanation in commit [1].
>
> [1] 35f376d88e support/scripts/cve.py: fix CPE matching
> [2] 5ce1e773b9 package/cmake: ignore CVE-2016-10642
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/cmake/cmake.mk | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/package/cmake/cmake.mk b/package/cmake/cmake.mk
> index e9752640e5..ef4f6aa98e 100644
> --- a/package/cmake/cmake.mk
> +++ b/package/cmake/cmake.mk
> @@ -11,8 +11,6 @@ CMAKE_SITE = https://cmake.org/files/v$(CMAKE_VERSION_MAJOR)
> CMAKE_LICENSE = BSD-3-Clause
> CMAKE_LICENSE_FILES = LICENSE.rst
> CMAKE_CPE_ID_VALID = YES
> -# Tool download MITM attack warning if using npm package to install cmake
> -CMAKE_IGNORE_CVES = CVE-2016-10642
>
> # The package is a dependency to ccache so ccache cannot be a dependency
> HOST_CMAKE_ADD_CCACHE_DEPENDENCY = NO
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH v2 14/15] package/dovecot: remove stale IGNORE_CVES
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:46 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
> versions using '-'.
>
> The IGNORE_CVES entry introduced in [2] is then no longer matched to
> the dovecot package.
>
> For more information, see the explanation in commit [1].
>
> [1] 35f376d88e support/scripts/cve.py: fix CPE matching
> [2] 948e71689a package/dovecot: ignore CVE-2016-4983
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/dovecot/dovecot.mk | 5 -----
> 1 file changed, 5 deletions(-)
>
> diff --git a/package/dovecot/dovecot.mk b/package/dovecot/dovecot.mk
> index 6612787a94..a4c799221c 100644
> --- a/package/dovecot/dovecot.mk
> +++ b/package/dovecot/dovecot.mk
> @@ -21,12 +21,7 @@ DOVECOT_DEPENDENCIES = \
> $(if $(BR2_PACKAGE_LIBICONV),libiconv) \
> openssl
>
> -# CVE-2016-4983 is an issue in a postinstall script in the dovecot rpm, which
> -# is part of the Red Hat packaging and not part of upstream dovecot
> -DOVECOT_IGNORE_CVES += CVE-2016-4983
> -
> # 0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
> -
> # Note: this ignore CVE entry is reported as stale by pkg-stats, but
> # the NVD database is incorrect:
> # https://lore.kernel.org/buildroot/20250517181815.02ce0393@windsurf/
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH v2 13/15] package/freerdp: remove stale IGNORE_CVES
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:46 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> The NVD DB is now correctly tracking the vulnerability starting version
> 3.0 (see [1]). The IGNORE_CVES entry introduced in [2] is then no longer
> needed.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2025-4478
> [2] f741e8f6e6 package/freerdp: ignore CVE-2025-4478
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/freerdp/freerdp.mk | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/package/freerdp/freerdp.mk b/package/freerdp/freerdp.mk
> index 391b9a4675..3a1ba61621 100644
> --- a/package/freerdp/freerdp.mk
> +++ b/package/freerdp/freerdp.mk
> @@ -13,10 +13,6 @@ FREERDP_LICENSE = Apache-2.0
> FREERDP_LICENSE_FILES = LICENSE
> FREERDP_CPE_ID_VENDOR = freerdp
>
> -# As explained on https://github.com/FreeRDP/FreeRDP/pull/11573#issuecomment-2904160524,
> -# the affected code is new with 3.x, was not there on 2.x
> -FREERDP_IGNORE_CVES += CVE-2025-4478
> -
> FREERDP_INSTALL_STAGING = YES
>
> FREERDP_CONF_OPTS = -DWITH_MANPAGES=OFF -Wno-dev -DWITH_GSTREAMER_0_10=OFF
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH v2 11/15] package/glibc: remove stale IGNORE_CVES
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:46 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
> versions using '-'.
>
> These IGNORE_CVES entries introduced in [2] are then no longer matched to
> the glibc package.
>
> For more information, see the explanation in commit [1].
>
> [1] 35f376d88e support/scripts/cve.py: fix CPE matching
> [2] adaae82c58 package/glibc: ignore CVEs not considered as security issues by upstream
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/glibc/glibc.mk | 13 ++-----------
> 1 file changed, 2 insertions(+), 11 deletions(-)
>
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index a7727cbad8..924274a7d6 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -34,19 +34,10 @@ GLIBC_IGNORE_CVES += CVE-2025-5702
> # Fixed by glibc-2.41-64-g1e16d0096d80a6e12d5bfa8e0aafdd13c47efd65
> GLIBC_IGNORE_CVES += CVE-2025-8058
>
> -# All these CVEs are considered as not being security issues by
> +# This CVE is considered as not being security issues by
> # upstream glibc:
> # https://security-tracker.debian.org/tracker/CVE-2010-4756
> -# https://security-tracker.debian.org/tracker/CVE-2019-1010022
> -# https://security-tracker.debian.org/tracker/CVE-2019-1010023
> -# https://security-tracker.debian.org/tracker/CVE-2019-1010024
> -# https://security-tracker.debian.org/tracker/CVE-2019-1010025
> -GLIBC_IGNORE_CVES += \
> - CVE-2010-4756 \
> - CVE-2019-1010022 \
> - CVE-2019-1010023 \
> - CVE-2019-1010024 \
> - CVE-2019-1010025
> +GLIBC_IGNORE_CVES += CVE-2010-4756
>
> # glibc is part of the toolchain so disable the toolchain dependency
> GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH v2 09/15] package/libcurl: remove stale IGNORE_CVES
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:46 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
> versions using '-'.
>
> The CVE-2024-32928 introduced in [2] is then no longer matched to the
> libcurl package.
>
> For more information, see the explanation in commit [1].
>
> [1] 35f376d88e support/scripts/cve.py: fix CPE matching
> [2] 7e739d49b2 package/libcurl: ignore CVE-2024-32928
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/libcurl/libcurl.mk | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index 9e32c38d97..6924631735 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -25,10 +25,6 @@ LIBCURL_CONF_OPTS = \
> --disable-ldap \
> --disable-ldaps
>
> -# Only affects Nest products.
> -# https://nvd.nist.gov/vuln/detail/CVE-2024-32928
> -LIBCURL_IGNORE_CVES += CVE-2024-32928
> -
> # threaded resolver cannot be used with c-ares
> # https://github.com/curl/curl/commit/d364f1347f05c53eea5d25a15b4ad8a62ecc85b8
> ifeq ($(BR2_TOOLCHAIN_HAS_THREADS)x$(BR2_PACKAGE_C_ARES),yx)
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH v2 08/15] package/libssh: remove stale IGNORE_CVES
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:47 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> The entry was added in commit [1]. But since then the NVD database
> updated the version end specifier.
>
> This IGNORE_CVES entry is then no longer needed.
>
> [1] 51b1e1daf5 package/libssh: ignore CVE-2025-5318
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/libssh/libssh.mk | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/package/libssh/libssh.mk b/package/libssh/libssh.mk
> index 2be9013454..3c7e77a206 100644
> --- a/package/libssh/libssh.mk
> +++ b/package/libssh/libssh.mk
> @@ -17,10 +17,6 @@ LIBSSH_CONF_OPTS = \
> -DWITH_STACK_PROTECTOR=OFF \
> -DWITH_EXAMPLES=OFF
>
> -# NVD database is missing an upper version specifier.
> -# This vulnerability only affects libssh<0.11.2
> -LIBSSH_IGNORE_CVES = CVE-2025-5318
> -
> ifeq ($(BR2_ARM_INSTRUCTIONS_THUMB),y)
> LIBSSH_CONF_OPTS += -DWITH_STACK_CLASH_PROTECTION=OFF
> endif
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH v2 03/15] package/patch: add CVE trailer in patches
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:47 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch headers as well
> as the `Upstream` trailer.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> .checkpackageignore | 4 ----
> .../patch/0001-Fix-segfault-with-mangled-rename-patch.patch | 4 ++--
> ...x-arbitrary-command-execution-in-ed-style-patches-.patch | 4 ++--
> ...0004-Invoke-ed-directly-instead-of-using-the-shell.patch | 6 ++++--
> ...t-follow-symlinks-unless--follow-symlinks-is-given.patch | 5 +++--
> 5 files changed, 11 insertions(+), 12 deletions(-)
>
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 94916ecc0f..1e255f80e1 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -798,11 +798,7 @@ package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch li
> package/owfs/S55owserver Shellcheck lib_sysv.Variables
> package/owfs/S60owfs Shellcheck lib_sysv.Variables
> package/owl-linux/0001-fix-for-linux-3.3.x.patch lib_patch.Upstream
> -package/patch/0001-Fix-segfault-with-mangled-rename-patch.patch lib_patch.Upstream
> package/patch/0002-Allow-input-files-to-be-missing-for-ed-style-patches.patch lib_patch.Upstream
> -package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch lib_patch.Upstream
> -package/patch/0004-Invoke-ed-directly-instead-of-using-the-shell.patch lib_patch.Upstream
> -package/patch/0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch lib_patch.Upstream
> package/patchelf/0001-Add-option-to-make-the-rpath-relative-under-a-specif.patch lib_patch.Upstream
> package/paxtest/0001-genpaxtest-move-log-location.patch lib_patch.Upstream
> package/paxtest/0002-paxtest-page-alignment-ARM-and-NIOS2-arch.patch lib_patch.Upstream
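Review bot: `package/patch/0002-Allow-input-files-to-be-missing-for-ed-style-patches.patch lib_patch.Upstream` is left in .checkpackageignore while the neighbouring 0001, 0003, 0004 and 0005 entries are dropped; the commit message should say why 0002 keeps its exception, since it is the only patch of this package not given an Upstream trailer here.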
> diff --git a/package/patch/0001-Fix-segfault-with-mangled-rename-patch.patch b/package/patch/0001-Fix-segfault-with-mangled-rename-patch.patch
> index 19a67573c4..1b8d954025 100644
> --- a/package/patch/0001-Fix-segfault-with-mangled-rename-patch.patch
> +++ b/package/patch/0001-Fix-segfault-with-mangled-rename-patch.patch
> @@ -7,10 +7,10 @@ http://savannah.gnu.org/bugs/?53132
> * src/pch.c (intuit_diff_type): Ensure that two filenames are specified
> for renames and copies (fix the existing check).
>
> +CVE: CVE-2018-6951
> +Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=f290f48a621867084884bfff87f8093c15195e6a
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> ---
> -Patch status: upstream commit f290f48a6218
> -
> src/pch.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
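Review bot: the new trailer `Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=f290f48a621867084884bfff87f8093c15195e6a` uses the `cgit.git.savannah.gnu.org` host, as does the 0003 hunk below, while the 0004 and 0005 hunks keep the `https://git.savannah.gnu.org/cgit/patch.git/commit/?id=...` form taken from their old `[Retrieved from: ...]` lines; pick one host for all four trailers so the links stay consistent.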
> diff --git a/package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch b/package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
> index b44bdd0fac..18497c153b 100644
> --- a/package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
> +++ b/package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
> @@ -10,11 +10,11 @@ instead of rejecting them and carrying on.
> * tests/ed-style: New test case.
> * tests/Makefile.am (TESTS): Add test case.
>
> +CVE: CVE-2018-1000156
> +Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
> [baruch: drop test hunks to avoid autoreconf]
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> ---
> -Upstream status: commit 123eaff0d5d1
> -
> src/pch.c | 91 ++++++++++++++++++++++++++++++++++++++++---------------
> tests/Makefile.am | 1 +
> tests/ed-style | 41 +++++++++++++++++++++++++
> diff --git a/package/patch/0004-Invoke-ed-directly-instead-of-using-the-shell.patch b/package/patch/0004-Invoke-ed-directly-instead-of-using-the-shell.patch
> index ae64d58b93..7ede9300e4 100644
> --- a/package/patch/0004-Invoke-ed-directly-instead-of-using-the-shell.patch
> +++ b/package/patch/0004-Invoke-ed-directly-instead-of-using-the-shell.patch
> @@ -5,8 +5,10 @@ Subject: Invoke ed directly instead of using the shell
>
> * src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
> command to avoid quoting vulnerabilities.
> -[Retrieved from:
> -https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
> +
> +CVE: CVE-2018-20969
> +CVE: CVE-2019-13638
> +Upstream: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> src/pch.c | 6 ++----
> diff --git a/package/patch/0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch b/package/patch/0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
> index e07ae0c670..c0e63081e2 100644
> --- a/package/patch/0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
> +++ b/package/patch/0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
> @@ -9,8 +9,9 @@ the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing
> that consistently for input files.
> * src/util.c (create_backup): When creating empty backup files, (re)create them
> with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
> -[Retrieved from:
> -https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a]
> +
> +CVE: CVE-2019-13636
> +Upstream: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> src/inp.c | 12 ++++++++++--
> --
> 2.52.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH v2 07/15] package/pixman: remove stale IGNORE_CVES
2025-12-30 8:19 ` [Buildroot] [PATCH v2 07/15] package/pixman: " Thomas Perale via buildroot
@ 2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:47 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
> versions using '-'.
>
> The CVE-2023-37769 is then no longer matched to the pixman package.
>
> For more information, see the explanation in commit [1].
>
> [1] 35f376d88e support/scripts/cve.py: fix CPE matching
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/pixman/pixman.mk | 6 ------
> 1 file changed, 6 deletions(-)
>
> diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
> index 63d9ccd10b..d02bb0a260 100644
> --- a/package/pixman/pixman.mk
> +++ b/package/pixman/pixman.mk
> @@ -26,12 +26,6 @@ PIXMAN_CONF_OPTS = \
> -Dlibpng=disabled \
> -Dtests=disabled
>
> -# Affects only tests, and we don't build tests.
> -# See https://gitlab.freedesktop.org/pixman/pixman/-/issues/76, which says
> -# "not sure why NVD keeps assigning CVEs like this. This is just a test
> -# executable".
> -PIXMAN_IGNORE_CVES += CVE-2023-37769
> -
> ifeq ($(BR2_X86_CPU_HAS_MMX),y)
> PIXMAN_CONF_OPTS += -Dmmx=enabled
> else
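Review bot: the removed comment records a justification (CVE-2023-37769 only affects a test executable, and -Dtests=disabled is set just above in PIXMAN_CONF_OPTS) that holds independently of the CPE matching rule the commit message relies on. If a later change to cve.py makes the CVE match again, that is the reason the ignore would have to come back, so it is worth carrying the test-only rationale into the commit message rather than losing it with the comment.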
> --
> 2.52.0
* Re: [Buildroot] [PATCH v2 06/15] package/postgresql: remove stale IGNORE_CVES
2025-12-30 8:19 ` [Buildroot] [PATCH v2 06/15] package/postgresql: " Thomas Perale via buildroot
@ 2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:47 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
> versions using '-'.
>
> The CVE-2017-8806 is then no longer matched to the postgresql package.
>
> For more information, see the explanation in commit [1].
>
> [1] 35f376d88e support/scripts/cve.py: fix CPE matching
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/postgresql/postgresql.mk | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/package/postgresql/postgresql.mk b/package/postgresql/postgresql.mk
> index 78d7cef4f6..38403b0f45 100644
> --- a/package/postgresql/postgresql.mk
> +++ b/package/postgresql/postgresql.mk
> @@ -28,10 +28,6 @@ POSTGRESQL_DEPENDENCIES = \
> host-bison \
> host-flex
>
> -# CVE-2017-8806 is related to postgresql-common package
> -# It is false positive for postgresql
> -POSTGRESQL_IGNORE_CVES += CVE-2017-8806
> -
> ifeq ($(BR2_PACKAGE_POSTGRESQL_FULL),y)
> POSTGRESQL_NINJA_OPTS += world
> POSTGRESQL_INSTALL_TARGET_OPTS += DESTDIR=$(TARGET_DIR) install-world
> --
> 2.52.0
* Re: [Buildroot] [PATCH v2 05/15] package/rsyslog: remove stale IGNORE_CVES
2025-12-30 8:19 ` [Buildroot] [PATCH v2 05/15] package/rsyslog: " Thomas Perale via buildroot
@ 2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:47 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
> versions using '-'.
>
> The CVE-2015-3243 is then no longer matched to the rsyslog package.
>
> For more information, see the explanation in commit [1].
>
> [1] 35f376d88e support/scripts/cve.py: fix CPE matching
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/rsyslog/rsyslog.mk | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
> index 69128afbac..dedecdc572 100644
> --- a/package/rsyslog/rsyslog.mk
> +++ b/package/rsyslog/rsyslog.mk
> @@ -9,10 +9,6 @@ RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
> RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
> RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
> RSYSLOG_CPE_ID_VENDOR = rsyslog
> -# rsyslog uses weak permissions for generating log files.
> -# Ignoring this CVE as Buildroot normally doesn't have local users and a build
> -# could customize the rsyslog.conf to be more restrictive ($FileCreateMode 0640)
> -RSYSLOG_IGNORE_CVES += CVE-2015-3243
> RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
> RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
>
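Review bot: unlike the pixman and postgresql entries, the removed comment does not call CVE-2015-3243 a false positive: it says rsyslog creates log files with weak permissions, and the ignore rested on deployment assumptions (no local users, a customised $FileCreateMode 0640 in rsyslog.conf). The commit message only says the CVE is no longer matched after the cve.py CPE change; please state whether the packaged rsyslog version is actually outside the affected range, because "the scanner stopped matching" is not the same as "fixed". The $FileCreateMode hint is also lost with this hunk; if it still applies it belongs with the package's configuration notes rather than next to an ignore entry.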
> --
> 2.52.0
* Re: [Buildroot] [PATCH v2 02/15] package/shellinabox: add CVE trailer in patch
2025-12-30 8:19 ` [Buildroot] [PATCH v2 02/15] package/shellinabox: " Thomas Perale via buildroot
@ 2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:47 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header
> and adds the `Upstream` trailer.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> .checkpackageignore | 1 -
> ...02-CVE-2018-16789-fix-for-broken-multipart-form-data.patch | 4 +++-
> 2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 4df0438291..94916ecc0f 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -948,7 +948,6 @@ package/shadowsocks-libev/0003-lib-Makefile.am-remove-static-from-LDFLAGS.patch
> package/shairport-sync/S99shairport-sync Shellcheck lib_sysv.Indent lib_sysv.Variables
> package/shared-mime-info/0001-Remove-incorrect-dependency-from-install-data-hook.patch lib_patch.Upstream
> package/shellinabox/0001-Makefile-disable-always-building-statically.patch lib_patch.Upstream
> -package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch lib_patch.Upstream
> package/skeleton-init-systemd/fakeroot_tmpfiles.sh Shellcheck
> package/slang/0001-slsh-libs.patch lib_patch.Upstream
> package/smcroute/S41smcroute NotExecutable lib_sysv.Indent lib_sysv.Variables
> diff --git a/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch b/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
> index 4b15f419e3..5067833056 100644
> --- a/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
> +++ b/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
> @@ -4,7 +4,9 @@ Date: Fri, 26 Oct 2018 11:51:15 +0200
> Subject: [PATCH] fix for broken multipart/form-data
>
> Malformed multipart/form-data payload results in infinite loop and thus denial of service
> -[Upstream status: https://github.com/shellinabox/shellinabox/pull/446]
> +
> +CVE: CVE-2018-16789
> +Upstream: https://github.com/shellinabox/shellinabox/pull/446
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> libhttp/url.c | 3 +++
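Review bot: the Upstream: trailer points at a pull request (shellinabox PR 446) rather than a merged commit, so it records where the fix was submitted but not whether it landed upstream; if the merge status is known, a word on it in the header would help whoever next decides whether the patch can be dropped. The hunk itself is fine: the CVE: trailer matches the CVE in the file name, and the old bracketed "Upstream status" line is replaced rather than duplicated.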
> --
> 2.52.0
* Re: [Buildroot] [PATCH v2 04/15] package/tiff: remove stale IGNORE_CVES
2025-12-30 8:19 ` [Buildroot] [PATCH v2 04/15] package/tiff: remove stale IGNORE_CVES Thomas Perale via buildroot
@ 2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:47 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> The Buildroot commit [1] introduced this IGNORE_CVES entry that was due
> to a bad NVD entry.
>
> The NVD database has now fixed the annotation [2] and it can be removed.
>
> [1] 740412aefc package/tiff: ignore CVE-2025-8851
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-8851
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/tiff/tiff.mk | 3 ---
> 1 file changed, 3 deletions(-)
>
> diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk
> index 32bebcf95f..e64a6baf83 100644
> --- a/package/tiff/tiff.mk
> +++ b/package/tiff/tiff.mk
> @@ -13,9 +13,6 @@ TIFF_CPE_ID_VENDOR = libtiff
> TIFF_CPE_ID_PRODUCT = libtiff
> TIFF_INSTALL_STAGING = YES
>
> -# Fixed in 4.7.0
> -TIFF_IGNORE_CVES += CVE-2025-8851
> -
> # webp has a (optional) dependency on tiff, so we can't have webp
> # support in tiff, or that would create a circular dependency.
> TIFF_CONF_OPTS = \
> --
> 2.52.0
* Re: [Buildroot] [PATCH v2 01/15] package/xinetd: add CVE trailer in patch
2025-12-30 8:19 ` [Buildroot] [PATCH v2 01/15] package/xinetd: add CVE trailer in patch Thomas Perale via buildroot
@ 2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:47 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header
> and adds the `Upstream` trailer.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> .checkpackageignore | 1 -
> ...5-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch | 2 ++
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 3e274f391f..4df0438291 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1124,7 +1124,6 @@ package/xinetd/0001-ar.patch lib_patch.Upstream
> package/xinetd/0002-destdir.patch lib_patch.Upstream
> package/xinetd/0003-rpc-fix.patch lib_patch.Upstream
> package/xinetd/0004-configure-rlim_t.patch lib_patch.Upstream
> -package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch lib_patch.Upstream
> package/xl2tp/xl2tpd lib_shellscript.TrailingSpace
> package/xml-security-c/0001-fix-build-with-libressl-3.5.0.patch lib_patch.Upstream
> package/yajl/0001-Let-the-shared-and-the-static-library-have-the-same-.patch lib_patch.Upstream
> diff --git a/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch b/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch
> index bb2ee1fc9a..c99879b478 100644
> --- a/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch
> +++ b/package/xinetd/0005-CVE-2013-4342-xinetd-ignores-user-and-group-directiv.patch
> @@ -6,6 +6,8 @@ Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
>
> Originally reported to Debian in 2005 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered <https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root).
>
> +CVE: CVE-2013-4342
> +Upstream: https://github.com/xinetd-org/xinetd/commit/e7c1ba41f4f86b436fb82b0d55cd5d387bd4ecc4
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> xinetd/builtins.c | 2 +-
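Review bot: this hunk and the .checkpackageignore hunk above depend on each other: the Upstream: trailer added here is what silences the lib_patch.Upstream warning whose ignore line is removed there, so the two must land in the same commit (as they do here) and not be split on backport. The CVE: trailer is the new information for cve.py; the CVE id in the file name alone was not picked up, which is the point of the series.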
> --
> 2.52.0
* Re: [Buildroot] [PATCH v2 12/15] package/glibc: remove stale IGNORE_CVES
2025-12-30 8:19 ` [Buildroot] [PATCH v2 12/15] " Thomas Perale via buildroot
@ 2026-01-13 19:48 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-13 19:48 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> The IGNORE_CVES entries introduced in [1] no longer match the glibc
> package following the bump to v2.42 in [2]. The version boundaries
> specified in the NVD DB are specific to 2.40 & 2.41.
>
> CVE-2025-8058, though, doesn't have any information available in the NVD
> DB and will therefore remain in IGNORE_CVES.
>
> [1] feaf53585a package/glibc: security bump to version 2.41-70
> [2] fb6256c0ef package/{glibc, localdef}: bump to version 2.42
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.11.x. Thanks
> ---
> package/glibc/glibc.mk | 6 ------
> 1 file changed, 6 deletions(-)
>
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 924274a7d6..9c3ff7124e 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -25,12 +25,6 @@ GLIBC_CPE_ID_VENDOR = gnu
> # allow proper matching with the CPE database.
> GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
>
> -# Fixed by glibc-2.41-57-g84bdbf8a6f2fdafd3661489dbb7f79835a52da82
> -GLIBC_IGNORE_CVES += CVE-2025-5745
> -
> -# Fixed by glibc-2.41-60-g0c76c951620f9e12df2a89b2c684878b55bb6795
> -GLIBC_IGNORE_CVES += CVE-2025-5702
> -
> # Fixed by glibc-2.41-64-g1e16d0096d80a6e12d5bfa8e0aafdd13c47efd65
> GLIBC_IGNORE_CVES += CVE-2025-8058
>
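Review bot: the entry that stays keeps the comment "Fixed by glibc-2.41-64-g1e16d0096d80...", but the commit message gives a different reason for keeping it: NVD has no version data for CVE-2025-8058, so cve.py cannot tell that 2.42 is unaffected. Update the remaining comment to say that, otherwise a reader of glibc.mk would expect it to have gone with the other two once 2.42 was picked up. The GLIBC_CPE_ID_VERSION line in the context shows matching is done on the bare upstream version, so the '-' suffix handling from the other patches in this series is not what is at play here.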
> --
> 2.52.0
Thread overview: 32+ messages
2025-12-30 8:19 [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Perale via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 01/15] package/xinetd: add CVE trailer in patch Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 02/15] package/shellinabox: " Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 03/15] package/patch: add CVE trailer in patches Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 04/15] package/tiff: remove stale IGNORE_CVES Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 05/15] package/rsyslog: " Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 06/15] package/postgresql: " Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 07/15] package/pixman: " Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 08/15] package/libssh: " Thomas Perale via buildroot
2026-01-13 19:47 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 09/15] package/libcurl: " Thomas Perale via buildroot
2026-01-13 19:46 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 10/15] boot/grub2: " Thomas Perale via buildroot
2026-01-13 19:46 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 11/15] package/glibc: " Thomas Perale via buildroot
2026-01-13 19:46 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 12/15] " Thomas Perale via buildroot
2026-01-13 19:48 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 13/15] package/freerdp: " Thomas Perale via buildroot
2026-01-13 19:46 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 14/15] package/dovecot: " Thomas Perale via buildroot
2026-01-13 19:46 ` Arnout Vandecappelle via buildroot
2025-12-30 8:19 ` [Buildroot] [PATCH v2 15/15] package/cmake: " Thomas Perale via buildroot
2026-01-13 19:46 ` Arnout Vandecappelle via buildroot
2025-12-30 10:59 ` [Buildroot] [v2 PATCH 00/15] Remaining CVE_IGNORES Thomas Petazzoni via buildroot