From: Mikko Rapeli <mikko.rap...@bmw.de>

https://nvd.nist.gov/vuln/detail/CVE-2018-13410 is disputed and also Debian considers it not a vulnerability:
https://security-tracker.debian.org/tracker/CVE-2018-13410 http://seclists.org/fulldisclosure/2018/Jul/24 "Negligible security impact, would involve that a untrusted party controls the -TT value." https://nvd.nist.gov/vuln/detail/CVE-2018-13684 is not for zip, also Debian concludes this: https://security-tracker.debian.org/tracker/CVE-2018-13684 "NOT-FOR-US: smart contract implementation for ZIP" Signed-off-by: Mikko Rapeli <mikko.rap...@bmw.de> Signed-off-by: Anuj Mittal <anuj.mit...@intel.com> --- meta/recipes-extended/zip/zip_3.0.bb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb index c00a932763..97e5e57533 100644 --- a/meta/recipes-extended/zip/zip_3.0.bb +++ b/meta/recipes-extended/zip/zip_3.0.bb @@ -19,6 +19,12 @@ UPSTREAM_VERSION_UNKNOWN = "1" SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37" SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369" +# Disputed and also Debian doesn't consider a vulnerability +CVE_CHECK_WHITELIST += "CVE-2018-13410" + +# Not for zip but for smart contract implementation for it +CVE_CHECK_WHITELIST += "CVE-2018-13684" + # zip.inc sets CFLAGS, but what Makefile actually uses is # CFLAGS_NOOPT. It will also force -O3 optimization, overriding # whatever we set. -- 2.29.2
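Review bot: The comment above the CVE-2018-13410 entry says only "Disputed and also Debian doesn't consider a vulnerability" and omits the condition that makes it negligible. The commit message has it (an untrusted party would have to control the -TT value), and the recipe comment should carry that condition or the Debian tracker URL, because someone reading zip_3.0.bb later will not see the commit message and cannot tell whether the exclusion still holds for a product that passes external input to -TT. In the second comment, "smart contract implementation for it" reads as if the contract were related to this zip utility; Debian's note is "NOT-FOR-US: smart contract implementation for ZIP", so wording such as "CVE is for a smart contract named ZIP, not for this zip utility" would state the reason unambiguously.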