From d8ff3c3fb31b7fb8b6a003fef899aa3dceab2491 Mon Sep 17 00:00:00 2001 From: Sundeep KOKKONDA Date: Sun, 2 Apr 2023 20:58:36 +0530 Subject: cargo : non vulnerable cve-2022-46176 added to excluded list This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh. Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, cargo-native also not vulnerable to this cve and so added to excluded list. (From OE-Core rev: 7e4037fd0a66a860b4809be72a89e2de97960a17) Signed-off-by: Sundeep KOKKONDA Acked-by: Richard Purdie Signed-off-by: Steve Sakoman --- meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'meta') diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 8b5f8d49b8..cb2d920441 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -15,6 +15,11 @@ # the aim of sharing that work and ensuring we don't duplicate it. # +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176 +#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve. +#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list. +CVE_CHECK_IGNORE += "CVE-2022-46176" # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 # CVE is more than 20 years old with no resolution evident -- cgit v1.2.3-54-g00ecf