diff options
-rw-r--r-- | meta/conf/distro/include/cve-extra-exclusions.inc | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc new file mode 100644 index 0000000000..561386b706 --- /dev/null +++ b/meta/conf/distro/include/cve-extra-exclusions.inc | |||
@@ -0,0 +1,45 @@ | |||
1 | # This file contains a list of CVE's where resolution has proven to be impractical | ||
2 | # or there is no reasonable action the Yocto Project can take to resolve the issue. | ||
3 | # It contains all the information we are aware of about an issue and analysis about | ||
4 | # why we believe it can't be fixed/handled. Additional information is welcome through | ||
5 | # patches to the file. | ||
6 | # | ||
7 | # Include this file in your local.conf or distro.conf to exclude these CVE's | ||
8 | # from the cve-check results or add to the bitbake command with: | ||
9 | # -R conf/distro/include/cve-extra-exclusions.inc | ||
10 | # | ||
11 | # The file is not included by default since users should review this data to ensure | ||
12 | # it matches their expectations and usage of the project. | ||
13 | # | ||
14 | # We may also include "in-flight" information about current/ongoing CVE work with | ||
15 | # the aim of sharing that work and ensuring we don't duplicate it. | ||
16 | # | ||
17 | |||
18 | |||
19 | # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 | ||
20 | # CVE is more than 20 years old with no resolution evident | ||
21 | # broken links in CVE database references make resolution impractical | ||
22 | CVE_CHECK_WHITELIST += "CVE-2000-0006" | ||
23 | |||
24 | # epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238 | ||
25 | # The issue here is spoofing of domain names using characters from other character sets. | ||
26 | # There has been much discussion amongst the epiphany and webkit developers and | ||
27 | # whilst there are improvements about how domains are handled and displayed to the user | ||
28 | # there is unlikely ever to be a single fix to webkit or epiphany which addresses this | ||
29 | # problem. Whitelisted as there isn't any mitigation or fix or way to progress this further | ||
30 | # we can seem to take. | ||
31 | CVE_CHECK_WHITELIST += "CVE-2005-0238" | ||
32 | |||
33 | # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756 | ||
34 | # Issue is memory exhaustion via glob() calls, e.g. from within an ftp server | ||
35 | # Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 | ||
36 | # Upstream don't see it as a security issue, ftp servers shouldn't be passing | ||
37 | # this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar | ||
38 | CVE_CHECK_WHITELIST += "CVE-2010-4756" | ||
39 | |||
40 | # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509 | ||
41 | # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511 | ||
42 | # The encoding/xml package in go can potentially be used for security exploits if not used correctly | ||
43 | # CVE applies to a netapp product as well as flagging a general issue. We don't ship anything | ||
44 | # exposing this interface in an exploitable way | ||
45 | CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511" | ||