1 files changed, 15 insertions, 15 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 993ee2811a..8b5f8d49b8 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -90,24 +90,24 @@ CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE
                     CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
                     CVE-2022-29582 CVE-2022-29968"
-#### CPE update pending ####
-# groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803
-# Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7
-# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10.
-#CVE_CHECK_IGNORE += "CVE-2000-0803"
-#### Upstream still working on ####
 # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
 # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# however qemu maintainers are sure the patch is incorrect and should not be applied.
+# qemu maintainers say the patch is incorrect and should not be applied
+# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-# wget https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879
+CVE_CHECK_IGNORE += "CVE-2021-20255"
-# https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html
-# No response upstream as of 2021/5/12
+# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
+# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
+# still be reproduced or where exactly any bug is.
+# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
+CVE_CHECK_IGNORE += "CVE-2019-12067"
+# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
+# It is a fuzzing related buffer overflow. It is of low impact since most devices
+# wouldn't expose an assembler. The upstream is inactive and there is little to be
+# done about the bug, ignore from an OE perspective.
+CVE_CHECK_IGNORE += "CVE-2020-18974"

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 993ee2811a..8b5f8d49b8 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -90,24 +90,24 @@ CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE
90	CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \	90	CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
91	CVE-2022-29582 CVE-2022-29968"	91	CVE-2022-29582 CVE-2022-29968"
92		92
93	#### CPE update pending ####
94
95	# groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803
96	# Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7
97	# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10.
98	#CVE_CHECK_IGNORE += "CVE-2000-0803"
99
100
101
102	#### Upstream still working on ####
103		93
104	# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255	94	# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
105	# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html	95	# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
106	# however qemu maintainers are sure the patch is incorrect and should not be applied.	96	# qemu maintainers say the patch is incorrect and should not be applied
107		97	# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
108	# wget https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879	98	CVE_CHECK_IGNORE += "CVE-2021-20255"
109	# https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html	99
110	# No response upstream as of 2021/5/12	100	# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
		101	# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
		102	# still be reproduced or where exactly any bug is.
		103	# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
		104	CVE_CHECK_IGNORE += "CVE-2019-12067"
		105
		106	# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
		107	# It is a fuzzing related buffer overflow. It is of low impact since most devices
		108	# wouldn't expose an assembler. The upstream is inactive and there is little to be
		109	# done about the bug, ignore from an OE perspective.
		110	CVE_CHECK_IGNORE += "CVE-2020-18974"
111		111
112		112
113		113