[Buildroot] [PATCH] package/mender: ignore mender CVE because it doesn't affect the client package

[Buildroot] [PATCH] package/mender: ignore mender CVE because it doesn't affect the client package

[Titouan Christophe via buildroot]

CVE-2024-46948 only affects the device management and update server part
of Mender, and not the client running on the devices

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
 package/mender/mender.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/mender/mender.mk b/package/mender/mender.mk
index 146e6b2b73..1050277db1 100644
--- a/package/mender/mender.mk
+++ b/package/mender/mender.mk
@@ -8,6 +8,8 @@ MENDER_VERSION = 3.5.3
 MENDER_SITE = $(call github,mendersoftware,mender,$(MENDER_VERSION))
 MENDER_LICENSE = Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MIT, OLDAP-2.8
 MENDER_CPE_ID_VENDOR = northern.tech
+# CVE-2024-46948 only affects mender-server
+MENDER_IGNORE_CVES = CVE-2024-46948
 
 # Vendor license paths generated with:
 #    awk '{print $2}' LIC_FILES_CHKSUM.sha256 | grep vendor
-- 
2.49.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/mender: ignore mender CVE because it doesn't affect the client package

[Thomas Petazzoni via buildroot]

On Tue,  6 May 2025 16:52:36 +0200
Titouan Christophe via buildroot <buildroot@buildroot.org> wrote:

> CVE-2024-46948 only affects the device management and update server part
> of Mender, and not the client running on the devices
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
> ---
>  package/mender/mender.mk | 2 ++
>  1 file changed, 2 insertions(+)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/mender: ignore mender CVE because it doesn't affect the client package

[Arnout Vandecappelle via buildroot]

In reply of:
> CVE-2024-46948 only affects the device management and update server part
> of Mender, and not the client running on the devices
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Applied to 2025.02.x and 2025.11.x. Thanks

> ---
>  package/mender/mender.mk | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/package/mender/mender.mk b/package/mender/mender.mk
> index 146e6b2b73..1050277db1 100644
> --- a/package/mender/mender.mk
> +++ b/package/mender/mender.mk
> @@ -8,6 +8,8 @@ MENDER_VERSION = 3.5.3
>  MENDER_SITE = $(call github,mendersoftware,mender,$(MENDER_VERSION))
>  MENDER_LICENSE = Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MIT, OLDAP-2.8
>  MENDER_CPE_ID_VENDOR = northern.tech
> +# CVE-2024-46948 only affects mender-server
> +MENDER_IGNORE_CVES = CVE-2024-46948
>  
>  # Vendor license paths generated with:
>  #    awk '{print $2}' LIC_FILES_CHKSUM.sha256 | grep vendor
> -- 
> 2.49.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot