diff options
Diffstat (limited to 'meta/conf/distro/include/cve-extra-exclusions.inc')
-rw-r--r-- | meta/conf/distro/include/cve-extra-exclusions.inc | 31 |
1 files changed, 15 insertions, 16 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index e02a4d1fde..70442df991 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc | |||
@@ -53,24 +53,23 @@ CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4 | |||
53 | CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \ | 53 | CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \ |
54 | CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" | 54 | CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" |
55 | 55 | ||
56 | #### CPE update pending #### | ||
57 | |||
58 | # groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803 | ||
59 | # Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7 | ||
60 | # so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10. | ||
61 | #CVE_CHECK_WHITELIST += "CVE-2000-0803" | ||
62 | |||
63 | |||
64 | |||
65 | #### Upstream still working on #### | ||
66 | |||
67 | # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 | 56 | # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 |
68 | # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html | 57 | # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html |
69 | # however qemu maintainers are sure the patch is incorrect and should not be applied. | 58 | # qemu maintainers say the patch is incorrect and should not be applied |
70 | 59 | # Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable | |
71 | # wget https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879 | 60 | CVE_CHECK_IGNORE += "CVE-2021-20255" |
72 | # https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html | 61 | |
73 | # No response upstream as of 2021/5/12 | 62 | # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 |
63 | # There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can | ||
64 | # still be reproduced or where exactly any bug is. | ||
65 | # Ignore from OE's perspective as we'll pick up any fix when upstream accepts one. | ||
66 | CVE_CHECK_IGNORE += "CVE-2019-12067" | ||
67 | |||
68 | # nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 | ||
69 | # It is a fuzzing related buffer overflow. It is of low impact since most devices | ||
70 | # wouldn't expose an assembler. The upstream is inactive and there is little to be | ||
71 | # done about the bug, ignore from an OE perspective. | ||
72 | CVE_CHECK_IGNORE += "CVE-2020-18974" | ||
74 | 73 | ||
75 | 74 | ||
76 | 75 | ||