[meta-networking,3/3] mbedtls: Whitelist CVE-2021-43666, CVE-2021-45451

Message ID 20221004062437.2541052-3-mbriand@witekio.com
State Under Review
Series [meta-networking,1/3] mbedtls: Fix CVE product name

Commit Message

Mathieu Dubois-Briand Oct. 4, 2022, 6:24 a.m. UTC
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
---
 .../recipes-connectivity/mbedtls/mbedtls_2.28.1.bb           | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Ross Burton Oct. 4, 2022, 9:33 a.m. UTC | #1
On 4 Oct 2022, at 07:24, Mathieu Dubois-Briand via lists.openembedded.org <mathieu.dubois-briand=hyprua.org@lists.openembedded.org> wrote:
> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
> +CVE_CHECK_IGNORE += "CVE-2021-43666"
> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
> +CVE_CHECK_IGNORE += "CVE-2021-45451"

If possible it’s best to contact NIST and get the CPE entries updated instead of whitelisting, as more accurate data is always better.  It’s complicated in this situation because of the backports, but I’ve mailed them to see what can be done.

Ross

Patch

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb
index 44b2a5e3c8e1..742414dd8aed 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb
@@ -44,3 +44,8 @@  FILES:${PN}-programs = "${bindir}/"
 BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "mbed_tls"
+
+# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
+CVE_CHECK_IGNORE += "CVE-2021-43666"
+# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
+CVE_CHECK_IGNORE += "CVE-2021-45451"
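
Review bot: The comments above both CVE_CHECK_IGNORE lines say only "Fix merged upstream" plus a link, which does not establish that the fix is present in the 2.28.1 source this recipe builds. That is the fact that justifies suppressing the finding. Please extend each comment to name the upstream release or branch that first carries the fix and to say why cve-check still reports the CVE against 2.28.1, and repeat that reasoning in the commit message, which currently contains only the Signed-off-by line. For CVE-2021-43666 the reference is a pull request rather than a commit, so citing the merged commit (as is done for CVE-2021-45451) would make the claim easier to verify against the tarball. Since an ignore entry stays silent even if the upstream CVE data is later corrected, a note that the entries should be dropped once the database is updated would also help whoever bumps this recipe.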