[OE-core] [PATCH] iputils: Whitelist CVE-2000-1213 CVE-2000-1214

Ross Burton ross.burton at intel.com
Tue Nov 5 11:59:04 UTC 2019


On 05/11/2019 11:01, Adrian Bunk wrote:
> On Tue, Nov 05, 2019 at 10:38:32AM +0000, Ross Burton wrote:
>> On 04/11/2019 20:55, Adrian Bunk wrote:
>>> +# Fixed in 2000-10-10, but the versioning of iputils
>>> +# breaks the version order.
>>> +CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214"
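Review bot: the two comment lines above the whitelist entry do not say which two version schemes are in conflict, so a later reader cannot tell from "the versioning of iputils breaks the version order" why the whitelist is safe. Suggest stating it explicitly, e.g. "# Fixed in the 2000-10-10 release. PV follows the upstream sYYYYMMDD tag scheme, which cve-check cannot order against the YYYY-MM-DD version used by these CPE entries, so they are whitelisted by hand." It is also worth noting in the comment that this is a one-off for these old entries, since the later iputils CVE in the thread (CVE-2010-2529) lists affected versions in the 20100214 scheme that does compare against PV, so the whitelist should not be extended as a pattern.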
>>
>> So the problem is that our PV matches the upstream git tags, which don't
>> match the naming convention in the CPE entries.
>>
>> The tags are of the form s20190709, but the CPE uses 2010-10-10.
>>
>> If we assume that the CPE version scheme will remain the same
>> ...
> 
> CVE-2010-2529 had an explicit list of affected versions of the
> scheme 20100214.
> 
> These 19 year old ones from a time when CVE was new are outliers.
> I would expect versions in new CVE to match the OE versioning,
> except that the 's' might (or might not) be missing.

<shakes fist>

Of course -2529 uses a different CPE product/vendor name to -1213, so it
didn't appear in my search.

Okay, let's use the whitelist approach.

Ross
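Added example, not code from cve-check, iputils or either poster: the thread's problem is that the recipe PV (an upstream tag like s20190709, possibly without the 's', or a bare 20100214-style date) and the CPE version for the old CVEs (2000-10-10) are all dates written in different schemes, so a scheme-unaware version compare cannot order them. The script below normalises the three schemes seen in the thread to a calendar date, decides whether PV is on or after the fixing release, and reports which CVEs need a manual CVE_CHECK_WHITELIST entry because their scheme differs from PV's. The CVE-to-fixed-version table is a constructed sample built from the patch comment; the function names are this example's own.

```python
import re
from datetime import date

# Version schemes seen in the thread (regexes are this example's own):
#   "s20190709"   upstream git tag / OE PV; Adrian notes the 's' may be absent
#   "20100214"    scheme used in the CVE-2010-2529 affected-version list
#   "2000-10-10"  scheme used by the CPE entries for CVE-2000-1213/-1214
_SCHEMES = (
    ("tag",  re.compile(r"^s(\d{4})(\d{2})(\d{2})$")),
    ("bare", re.compile(r"^(\d{4})(\d{2})(\d{2})$")),
    ("cpe",  re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")),
)


def parse_version(v):
    """Return (scheme_name, date) for any of the three schemes, else None.

    date() raises ValueError for impossible dates such as 2000-13-40, so a
    string that merely looks like a date does not slip through.
    """
    v = v.strip()
    for name, rx in _SCHEMES:
        m = rx.match(v)
        if m:
            y, mo, d = (int(x) for x in m.groups())
            return name, date(y, mo, d)
    return None


def is_fixed(pv, fixed_in):
    """True if the recipe version PV is on or after the release that fixed the CVE."""
    a, b = parse_version(pv), parse_version(fixed_in)
    if a is None or b is None:
        raise ValueError("unrecognised iputils version: %r / %r" % (pv, fixed_in))
    return a[1] >= b[1]


def whitelist_candidates(pv, fixed_versions):
    """CVEs fixed before PV whose version scheme differs from PV's.

    These are the ones a scheme-unaware compare cannot order, so the recipe
    has to list them in CVE_CHECK_WHITELIST explicitly. CVEs in the same
    scheme as PV are left to the normal version comparison. The result is
    sorted so the output is stable for use in a recipe comment or review.
    """
    parsed = parse_version(pv)
    if parsed is None:
        raise ValueError("unrecognised PV: %r" % (pv,))
    pv_scheme = parsed[0]
    out = []
    for cve, fixed in sorted(fixed_versions.items()):
        scheme, _ = parse_version(fixed)
        if scheme != pv_scheme and is_fixed(pv, fixed):
            out.append(cve)
    return out


# Constructed sample: fixed versions taken from the patch comment (2000-10-10)
# and from Adrian's note on the CVE-2010-2529 version scheme (20100214).
SAMPLE_FIXED = {
    "CVE-2000-1213": "2000-10-10",
    "CVE-2000-1214": "2000-10-10",
    "CVE-2010-2529": "20100214",
}

if __name__ == "__main__":
    pv = "s20190709"
    for cve in whitelist_candidates(pv, SAMPLE_FIXED):
        print("%s: fixed in %s, needs CVE_CHECK_WHITELIST entry for PV %s"
              % (cve, SAMPLE_FIXED[cve], pv))
```

Because every scheme is reduced to a date, the check keeps giving the right answer when PV is later bumped to a newer sYYYYMMDD tag, and a CVE whose fix date is after PV is correctly reported as not fixed rather than being swept into the whitelist.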


