ntp: ignore many CVEs

cve-check is not able to correctly identify many of the patched CVEs because of the non standard version number. All the ignored CVEs were manually checked with the NVD database and deemed not applicable to the current version. Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Davide Gardenal <davidegarde2000@gmail.com> 2022-07-04 16:58:36 +0200
committer: Khem Raj <raj.khem@gmail.com> 2022-07-05 09:23:04 -0400
commit: 1973a0adc6983273db2db0e9be195979e747eddc (patch)
tree: d74ec9831fac8b5d0b7c578fce5693b1b6ab8669 /meta-networking/recipes-support/ntp
parent: 279fce2c87c990c942bcb2b72ea83a67e0d74170 (diff)
download: meta-openembedded-1973a0adc6983273db2db0e9be195979e747eddc.tar.gz
1 files changed, 25 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
index fe2bd0773..a30f720bb 100644
--- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
+++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
@@ -29,7 +29,31 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
 SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19"
 # CVE-2016-9312 is only for windows.
-CVE_CHECK_IGNORE += "CVE-2016-9312"
+# The other CVEs are not correctly identified because cve-check
+# is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference)
+CVE_CHECK_IGNORE += "\
+    CVE-2016-9312 \
+    CVE-2015-5146 \
+    CVE-2015-5300 \
+    CVE-2015-7975 \
+    CVE-2015-7976 \
+    CVE-2015-7977 \
+    CVE-2015-7978 \
+    CVE-2015-7979 \
+    CVE-2015-8138 \
+    CVE-2015-8139 \
+    CVE-2015-8140 \
+    CVE-2015-8158 \
+    CVE-2016-1547 \
+    CVE-2016-2516 \
+    CVE-2016-2517 \
+    CVE-2016-2519 \
+    CVE-2016-7429 \
+    CVE-2016-7433 \
+    CVE-2016-9310 \
+    CVE-2016-9311 \
+"
 inherit autotools update-rc.d useradd systemd pkgconfig
author	Davide Gardenal <davidegarde2000@gmail.com>	2022-07-04 16:58:36 +0200
committer	Khem Raj <raj.khem@gmail.com>	2022-07-05 09:23:04 -0400
commit	1973a0adc6983273db2db0e9be195979e747eddc (patch)
tree	d74ec9831fac8b5d0b7c578fce5693b1b6ab8669 /meta-networking/recipes-support/ntp
parent	279fce2c87c990c942bcb2b72ea83a67e0d74170 (diff)
download	meta-openembedded-1973a0adc6983273db2db0e9be195979e747eddc.tar.gz

diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb index fe2bd0773..a30f720bb 100644 --- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb +++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
@@ -29,7 +29,31 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
29	SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19"	29	SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19"
30		30
31	# CVE-2016-9312 is only for windows.	31	# CVE-2016-9312 is only for windows.
32	CVE_CHECK_IGNORE += "CVE-2016-9312"	32	# The other CVEs are not correctly identified because cve-check
		33	# is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference)
		34	CVE_CHECK_IGNORE += "\
		35	CVE-2016-9312 \
		36	CVE-2015-5146 \
		37	CVE-2015-5300 \
		38	CVE-2015-7975 \
		39	CVE-2015-7976 \
		40	CVE-2015-7977 \
		41	CVE-2015-7978 \
		42	CVE-2015-7979 \
		43	CVE-2015-8138 \
		44	CVE-2015-8139 \
		45	CVE-2015-8140 \
		46	CVE-2015-8158 \
		47	CVE-2016-1547 \
		48	CVE-2016-2516 \
		49	CVE-2016-2517 \
		50	CVE-2016-2519 \
		51	CVE-2016-7429 \
		52	CVE-2016-7433 \
		53	CVE-2016-9310 \
		54	CVE-2016-9311 \
		55	"
		56
33		57
34	inherit autotools update-rc.d useradd systemd pkgconfig	58	inherit autotools update-rc.d useradd systemd pkgconfig
35		59