One qemu CVE has a pending CPE change; the other is still being pondered by upstream qemu. Document the status.
Exclude a glibc CVE entry since it is for a specific corner case in ftp servers which are unlikely to apply for us and upstream have no plans to change it. Signed-off-by: Richard Purdie <[email protected]> --- .../conf/distro/include/cve-extra-exclusions.inc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index f81b24b5284..cdaa8daa4d3 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -25,6 +25,13 @@ CVE_CHECK_WHITELIST += "CVE-2000-0006" # we can seem to take. CVE_CHECK_WHITELIST += "CVE-2005-0238" +# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756 +# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server +# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 +# Upstream don't see it as a security issue, ftp servers shouldn't be passing +# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar +CVE_CHECK_WHITELIST += "CVE-2010-4756" + # grub:grub-efi:grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14865 # Looks like grub-set-bootflag is patched in by Fedora/RHEL: # https://src.fedoraproject.org/rpms/grub2/blob/498ea7003b4dd8079fc075fad7e19e0b190d0f97/f/0133-Add-grub-set-bootflag-utility.patch 
@@ -33,8 +40,17 @@ CVE_CHECK_WHITELIST += "CVE-2005-0238" # Reported to the database for update by RP 2021/5/9 #CVE_CHECK_WHITELIST += "CVE-2019-14865" +#qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4539 * +# Fixed in https://git.qemu.org/?p=qemu.git;a=commit;h=65d35a09979e63541afc5bfc595b9f1b1b4ae069 +# which was in 0.10.0. Reported to the database for update by RP 2021/5/10 +#CVE_CHECK_WHITELIST += "CVE-2008-4539" + # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html # however qemu maintainers are sure the patch is incorrect and should not be applied. #CVE_CHECK_WHITELIST += "CVE-2021-20255" +# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18438 +# There were proposed patches: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html +# but nothing seems to have merged. Not sure if there was a different fix? +#CVE_CHECK_WHITELIST += "CVE-2018-18438" -- 2.30.2
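Review bot: the new CVE-2010-4756 block in the first hunk (@@ -25,6 +25,13 @@) justifies the exclusion with an assumption about callers ("ftp servers shouldn't be passing this to libc glob") rather than a fix, so the comment should say what that assumption covers. CVE_CHECK_WHITELIST suppresses the report for every build that pulls in this include, so a distro that ships an ftp server or any other daemon that hands untrusted patterns to glob() inherits the exclusion silently and has no hint in cve-check output that it was conditional. Suggest adding a line such as "# Revisit if an image ships a service that passes untrusted patterns to glob()" so layer maintainers know when the rationale stops holding. Unlike the neighbouring grub and qemu entries, which record "Reported to the database for update by RP <date>", this block also doesn't say who assessed the upstream position or when; a date on the exclusion would make it clear when the "upstream have no plans" statement was last checked.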
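Review bot: in the second hunk (@@ -33,8 +40,17 @@) the CVE-2018-18438 entry ends on an open question ("Not sure if there was a different fix?") with the whitelist line commented out, so it records neither a decision nor what would close it; suggest stating what was checked (the linked qemu-devel thread and that nothing from it appears to have merged) and what would let the line be enabled or dropped, in the same form as the CVE-2008-4539 block's "Reported to the database for update by RP 2021/5/10". Two style nits on the CVE-2008-4539 header line: it lacks the space after "#" that every other entry in the file uses ("# qemu:qemu-native:qemu-system-native ..."), and it carries a stray trailing " *" after the NVD URL.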
View/Reply Online (#151563): https://lists.openembedded.org/g/openembedded-core/message/151563
