mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

cargo : non vulnerable cve-2022-46176 added to excluded list

Browse Source 
This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh.
Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh.
So, cargo-native also not vulnerable to this cve and so added to excluded list.

(From OE-Core rev: 7e4037fd0a66a860b4809be72a89e2de97960a17)

Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
Acked-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Sundeep KOKKONDA
2023-04-02 20:58:36 +05:30
committed by Steve Sakoman
parent 4fa1c52c9e
commit d8ff3c3fb3
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
meta/conf/distro/include/cve-extra-exclusions.inc
View File

@@ -15,6 +15,11 @@
# the aim of sharing that work and ensuring we don't duplicate it.
#
#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
CVE_CHECK_IGNORE += "CVE-2022-46176"
# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
# CVE is more than 20 years old with no resolution evident