diff options
author | Sundeep KOKKONDA <sundeep.kokkonda@gmail.com> | 2023-04-02 20:58:36 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-04-26 04:03:21 -1000 |
commit | d8ff3c3fb31b7fb8b6a003fef899aa3dceab2491 (patch) | |
tree | fa2ae7b2593ab0efdef354b037912b8a7b008968 | |
parent | 4fa1c52c9e8c4b71c41b846e6631ed2648153577 (diff) | |
download | poky-d8ff3c3fb31b7fb8b6a003fef899aa3dceab2491.tar.gz |
cargo : non vulnerable cve-2022-46176 added to excluded list
This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh.
Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh.
So, cargo-native also not vulnerable to this cve and so added to excluded list.
(From OE-Core rev: 7e4037fd0a66a860b4809be72a89e2de97960a17)
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
Acked-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/conf/distro/include/cve-extra-exclusions.inc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 8b5f8d49b8..cb2d920441 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc | |||
@@ -15,6 +15,11 @@ | |||
15 | # the aim of sharing that work and ensuring we don't duplicate it. | 15 | # the aim of sharing that work and ensuring we don't duplicate it. |
16 | # | 16 | # |
17 | 17 | ||
18 | #cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176 | ||
19 | #cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html | ||
20 | #This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve. | ||
21 | #The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list. | ||
22 | CVE_CHECK_IGNORE += "CVE-2022-46176" | ||
18 | 23 | ||
19 | # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 | 24 | # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 |
20 | # CVE is more than 20 years old with no resolution evident | 25 | # CVE is more than 20 years old with no resolution evident |