diff options
Diffstat (limited to 'meta/conf/distro/include/cve-extra-exclusions.inc')
-rw-r--r-- | meta/conf/distro/include/cve-extra-exclusions.inc | 31 |
1 files changed, 15 insertions, 16 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index e02a4d1fde..f3490db9dd 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -53,24 +53,23 @@ CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" -#### CPE update pending #### - -# groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803 -# Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7 -# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10. -#CVE_CHECK_WHITELIST += "CVE-2000-0803" - - - -#### Upstream still working on #### - # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html -# however qemu maintainers are sure the patch is incorrect and should not be applied. - -# wget https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879 -# https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html -# No response upstream as of 2021/5/12 +# qemu maintainers say the patch is incorrect and should not be applied +# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable +CVE_CHECK_WHITELIST += "CVE-2021-20255" + +# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 +# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can +# still be reproduced or where exactly any bug is. +# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one. +CVE_CHECK_WHITELIST += "CVE-2019-12067" + +# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 +# It is a fuzzing related buffer overflow. It is of low impact since most devices +# wouldn't expose an assembler. The upstream is inactive and there is little to be +# done about the bug, ignore from an OE perspective. +CVE_CHECK_WHITELIST += "CVE-2020-18974" |