
[meta-oe,master,langdale,kirkstone] ntp: whitelist CVE-2019-11331

Message ID 20230314194928.7787-1-peter.marko@siemens.com
State Under Review

Commit Message

Peter Marko March 14, 2023, 7:49 p.m. UTC
Links from https://nvd.nist.gov/vuln/detail/CVE-2019-11331 lead to
the conclusion that this is how the current ntp protocol is designed.
A new RFC is proposed for the future but it will not be compatible with
the current one.

See https://support.f5.com/csp/article/K09940637

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb | 2 ++
 1 file changed, 2 insertions(+)

Patch

diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
index 2ae53dc64..c4589c20f 100644
--- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
+++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
@@ -30,6 +30,7 @@  SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
 SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19"
 
 # CVE-2016-9312 is only for windows.
+# CVE-2019-11331 is inherent to RFC 5905 and cannot be fixed without breaking compatibility
 # The other CVEs are not correctly identified because cve-check
 # is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference)
 CVE_CHECK_IGNORE += "\
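Review bot: the comment added for CVE-2019-11331 states the reason for ignoring it but carries no reference, so the claim "cannot be fixed without breaking compatibility" cannot be checked from the recipe alone. The commit message cites https://support.f5.com/csp/article/K09940637 and the NVD entry; consider putting one of those links in the comment so the justification stays with the recipe. The new line also sits directly before "The other CVEs are not correctly identified", so "other" now has to be read as excluding two entries rather than one; a blank comment line between the two groups would make that explicit.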
@@ -53,6 +54,7 @@  CVE_CHECK_IGNORE += "\
     CVE-2016-7433 \
     CVE-2016-9310 \
     CVE-2016-9311 \
+    CVE-2019-11331 \
 "
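Review bot: CVE-2019-11331 is appended to the same list as the entries that are ignored only because cve-check matches 4.2.8 without the p15 suffix, so nothing at the list entry distinguishes this protocol-design ignore from the version-matching ones. If the version matching is fixed later and the list is pruned, this entry is easy to drop by mistake. Consider a separate `CVE_CHECK_IGNORE += "CVE-2019-11331"` placed directly under its own comment, so the reason and the entry stay together.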