From b4498a6b734661fdfe3ff4e0a9850e796b72005c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Draszik?= Date: Fri, 4 Nov 2016 11:06:31 +0000 Subject: cve-check.bbclass: CVE-2014-2524 / readline v5.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Contrary to the CVE report, the vulnerable trace functions don't exist in readline v5.2 (which we keep for GPLv2+ purposes), they were added in readline v6.0 only - let's whitelist that CVE in order to avoid false positives. See also the discussion in https://patchwork.openembedded.org/patch/81765/ (From OE-Core rev: b881a288eec598002685f68da80a24e0478fa496) Signed-off-by: André Draszik Reviewed-by: Lukasz Nowak Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta/classes/cve-check.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'meta/classes') diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 1425a40554..b0febfb2e5 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -39,7 +39,7 @@ CVE_CHECK_PN_WHITELIST = "\ # Whitelist for CVE and version of package CVE_CHECK_CVE_WHITELIST = "{\ - 'CVE-2014-2524': ('6.3',), \ + 'CVE-2014-2524': ('6.3','5.2',), \ }" python do_cve_check () { -- cgit v1.2.3