From: André Draszik <adras...@tycoint.com> Contrary to the CVE report, the vulnerable trace functions don't exist in readline v5.2 (which we keep for GPLv2+ purposes), they were added in readline v6.0 only - let's whitelist that CVE in order to avoid false positives.
See also the discussion in https://patchwork.openembedded.org/patch/81765/ Signed-off-by: André Draszik <adras...@tycoint.com> Reviewed-by: Lukasz Nowak <lno...@tycoint.com> --- meta/classes/cve-check.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 1425a40..b0febfb 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -39,7 +39,7 @@ CVE_CHECK_PN_WHITELIST = "\ # Whitelist for CVE and version of package CVE_CHECK_CVE_WHITELIST = "{\ - 'CVE-2014-2524': ('6.3',), \ + 'CVE-2014-2524': ('6.3','5.2',), \ }" python do_cve_check () { -- 2.10.2 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
