aboutsummaryrefslogtreecommitdiffstats
path: root/meta/conf/distro/include/cve-extra-exclusions.inc
blob: 561386b70690ad4ae10b30599d76d1c0d0cd4c82 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# This file contains a list of CVE's where resolution has proven to be impractical
# or there is no reasonable action the Yocto Project can take to resolve the issue.
# It contains all the information we are aware of about an issue and analysis about
# why we believe it can't be fixed/handled. Additional information is welcome through
# patches to the file.
#
# Include this file in your local.conf or distro.conf to exclude these CVE's
# from the cve-check results or add to the bitbake command with:
#     -R conf/distro/include/cve-extra-exclusions.inc
#
# The file is not included by default since users should review this data to ensure
# it matches their expectations and usage of the project.
#
# We may also include "in-flight" information about current/ongoing CVE work with
# the aim of sharing that work and ensuring we don't duplicate it.
#


# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
# CVE is more than 20 years old with no resolution evident
# broken links in CVE database references make resolution impractical
CVE_CHECK_WHITELIST += "CVE-2000-0006"

# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
# The issue here is spoofing of domain names using characters from other character sets.
# There has been much discussion amongst the epiphany and webkit developers and
# whilst there are improvements about how domains are handled and displayed to the user
# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further
# we can seem to take.
CVE_CHECK_WHITELIST += "CVE-2005-0238"

# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
# Upstream don't see it as a security issue, ftp servers shouldn't be passing
# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
CVE_CHECK_WHITELIST += "CVE-2010-4756"

# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
# The encoding/xml package in go can potentially be used for security exploits if not used correctly
# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
# exposing this interface in an exploitable way
CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511"