* [PATCH] cve-check.bbclass: CVE-2014-2524 / readline v5.2
@ 2016-11-04 11:06 André Draszik
0 siblings, 0 replies; only message in thread
From: André Draszik @ 2016-11-04 11:06 UTC (permalink / raw)
To: openembedded-core
From: André Draszik <adraszik@tycoint.com>
Contrary to the CVE report, the vulnerable trace functions
don't exist in readline v5.2 (which we keep for GPLv2+
purposes), they were added in readline v6.0 only - let's
whitelist that CVE in order to avoid false positives.
See also the discussion in
https://patchwork.openembedded.org/patch/81765/
Signed-off-by: André Draszik <adraszik@tycoint.com>
Reviewed-by: Lukasz Nowak <lnowak@tycoint.com>
---
meta/classes/cve-check.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1425a40..b0febfb 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -39,7 +39,7 @@ CVE_CHECK_PN_WHITELIST = "\
# Whitelist for CVE and version of package
CVE_CHECK_CVE_WHITELIST = "{\
- 'CVE-2014-2524': ('6.3',), \
+ 'CVE-2014-2524': ('6.3','5.2',), \
}"
python do_cve_check () {
--
2.10.2
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2016-11-04 11:06 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-04 11:06 [PATCH] cve-check.bbclass: CVE-2014-2524 / readline v5.2 André Draszik
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox