Whitelisted below CVEs reported for openssh:

CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux
and certain packages may have been compromised and has been fixed
by Red Hat. This CVE is not applicable as our source is OpenBSD.
Hence, this CVE is not reported for other distros and
can be whitelisted.
Links:
https://securitytracker.com/id?1020730
https://www.securityfocus.com/bid/30794

For CVE-2020-15778 OpenSSH through 8.3p1 is affected.
Hence, it can be whitelisted for 8.2p1
https://nvd.nist.gov/vuln/detail/CVE-2020-15778

Signed-off-by: Sana Kazi <sana.k...@kpit.com>
---
 meta/recipes-connectivity/openssh/openssh_8.2p1.bb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb 
b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index fe94f30503..f8037db986 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -32,6 +32,20 @@ SRC_URI[sha256sum] = 
"43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff
 # and when running in a Kerberos environment. As such it is not relevant to 
OpenEmbedded
 CVE_CHECK_WHITELIST += "CVE-2014-9278"

+# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux
+# and certain packages may have been compromised and has been fixed
+# by Red Hat. This CVE is not applicable as our source is OpenBSD.
+# Hence, this CVE  is not reported for other distros
+# and can be marked whitelisted.
+# https://securitytracker.com/id?1020730
+# https://www.securityfocus.com/bid/30794
+CVE_CHECK_WHITELIST += "CVE-2008-3844"
+
+# For CVE-2020-15778 OpenSSH through 8.3p1 is affected.
+# Hence, it can be whitelisted for 8.2p1
+# https://nvd.nist.gov/vuln/detail/CVE-2020-15778
+CVE_CHECK_WHITELIST += "CVE-2020-15778"
+
 PAM_SRC_URI = "file://sshd"

 inherit manpages useradd update-rc.d update-alternatives systemd
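Review bot: the justification in the added CVE-2020-15778 comment contradicts the whitelist it introduces. The comment (and the linked NVD entry) says "OpenSSH through 8.3p1 is affected", and a range "through 8.3p1" includes 8.2p1, so this recipe version is inside the affected range rather than outside it; adding `CVE_CHECK_WHITELIST += "CVE-2020-15778"` on that reasoning hides a finding that cve-check is correctly reporting. Either drop that entry, or, if there is a different reason the issue is considered not applicable to this recipe, state that reason in the comment instead of the version argument so the next reviewer can verify it. Minor: the CVE-2008-3844 comment has a double space in "this CVE  is not reported", and "can be marked whitelisted" reads better as "can be whitelisted", matching the existing CVE-2014-9278 comment style above.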
--
2.17.1
