On 6 October 2015 at 09:11, Petter Mabäcker <pet...@technux.se> wrote:
> I played around with the new meta-security-isafw layer and the
> cve-check-tool. In readline the CVE CVE-2014-2524 is marked as 'missing' by
> the framework and I was confused to start with, since I saw that this
> commit was included. But after looking at the actual patch I realized that
> it only contains a report and not the patch itself. My question is if that
> is with purpose and due to some decision that the CVE isn't really causing
> any harm or if it's by mistake?

As can be seen at http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00057.html the CVE patch is simply adding a #if defined (DEBUG), which is in the patch included in oe-core master as readline-6.3/readline63-003.

The tool is probably reporting it as missing as -- if I recall correctly -- it identifies CVE patches by filename.

Ross
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
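
The false 'missing' result discussed in the reply above, as an added example (not part of the original thread, and not code from cve-check-tool or meta-security-isafw): it assumes, as the reply suggests, that applied fixes are recognised by patch filename, and contrasts that with also scanning the patch text for a CVE id. The `classify` helper, the patch bodies and the `CVE-0000-*` ids are constructed for illustration; only the patch name `readline63-003` and CVE-2014-2524 come from the thread.

```python
import re

# Matches CVE identifiers such as CVE-2014-2524 in filenames or patch text.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

def cves_in(text):
    """Return the set of CVE ids (upper-cased) mentioned in a string."""
    return {m.upper() for m in CVE_RE.findall(text)}

def classify(reported, patches):
    """Map each reported CVE to how (or whether) an applied patch covers it.

    reported: CVE ids the scanner lists for the package version.
    patches:  {filename: patch text} for the patches a recipe applies.
    Result values: ("filename", name), ("content", name) or ("missing", None).
    """
    by_name, by_body = {}, {}
    for name, body in patches.items():
        for cve in cves_in(name):
            by_name.setdefault(cve, name)
        for cve in cves_in(body):
            by_body.setdefault(cve, name)
    result = {}
    for cve in (c.upper() for c in reported):
        if cve in by_name:
            result[cve] = ("filename", by_name[cve])
        elif cve in by_body:
            result[cve] = ("content", by_body[cve])
        else:
            result[cve] = ("missing", None)
    return result

def missing_by_filename(reported, patches):
    """CVEs a filename-only matcher would report as unpatched."""
    return {c for c, (how, _) in classify(reported, patches).items()
            if how != "filename"}

# Constructed sample data: the bodies below are NOT the real patch contents.
SAMPLE_PATCHES = {
    # Upstream-style name carries no CVE id, so filename matching cannot see it.
    "readline63-003": "Constructed header line\nCVE: CVE-2014-2524\n",
    # Hypothetical patch whose name does carry the (fake) CVE id.
    "fix-CVE-0000-0001.patch": "Constructed body without any tag\n",
}
REPORTED = ["CVE-2014-2524", "CVE-0000-0001", "CVE-0000-0002"]

if __name__ == "__main__":
    for cve, (how, name) in classify(REPORTED, SAMPLE_PATCHES).items():
        print(f"{cve}: {how} {name or ''}".rstrip())
```

A CVE that comes back as `content` or `missing` still needs a human to read the patch before it is treated as fixed or unfixed; the matcher only narrows where to look.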