Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH] package/python-pip: ignore CVE-2018-20225
@ 2023-09-02 22:14 Thomas Petazzoni via buildroot
  2023-09-03 19:33 ` Peter Korsgaard
  2023-09-14  9:48 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-09-02 22:14 UTC (permalink / raw)
  To: buildroot; +Cc: Asaf Kahlon, Thomas Petazzoni

See https://security-tracker.debian.org/tracker/CVE-2018-20225 for the
rationale of ignoring this CVE. Things basically work as intended.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/python-pip/python-pip.mk | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package/python-pip/python-pip.mk b/package/python-pip/python-pip.mk
index 35ad7bede2..040767930e 100644
--- a/package/python-pip/python-pip.mk
+++ b/package/python-pip/python-pip.mk
@@ -12,6 +12,9 @@ PYTHON_PIP_LICENSE = MIT
 PYTHON_PIP_LICENSE_FILES = LICENSE.txt
 PYTHON_PIP_CPE_ID_VENDOR = pypa
 PYTHON_PIP_CPE_ID_PRODUCT = pip
+# Disputed CVE: things work as designed, and only affects the
+# --extra-index-url option. This CVE will never be fixed.
+PYTHON_PIP_IGNORE_CVES += CVE-2018-20225
 
 $(eval $(python-package))
 $(eval $(host-python-package))
-- 
2.41.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-09-14  9:48 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-02 22:14 [Buildroot] [PATCH] package/python-pip: ignore CVE-2018-20225 Thomas Petazzoni via buildroot
2023-09-03 19:33 ` Peter Korsgaard
2023-09-14  9:48 ` Peter Korsgaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox