[meta-networking,master,kirkstone] ntp: ignore many CVEs

Message ID 20220704145836.87886-1-davide.gardenal@huawei.com
State Accepted, archived
Delegated to: Armin Kuster
Series [meta-networking,master,kirkstone] ntp: ignore many CVEs

Commit Message

Davide Gardenal July 4, 2022, 2:58 p.m. UTC
cve-check is not able to correctly identify many of the patched
CVEs because of the non-standard version number. All the ignored
CVEs were manually checked with the NVD database and deemed not
applicable to the current version.

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
 .../recipes-support/ntp/ntp_4.2.8p15.bb       | 26 ++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

Patch

diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
index fe2bd0773..a30f720bb 100644
--- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
+++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
@@ -29,7 +29,31 @@  SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
 SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19"
 
 # CVE-2016-9312 is only for windows.
-CVE_CHECK_IGNORE += "CVE-2016-9312"
+# The other CVEs are not correctly identified because cve-check
+# is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference)
+CVE_CHECK_IGNORE += "\
+    CVE-2016-9312 \
+    CVE-2015-5146 \
+    CVE-2015-5300 \
+    CVE-2015-7975 \
+    CVE-2015-7976 \
+    CVE-2015-7977 \
+    CVE-2015-7978 \
+    CVE-2015-7979 \
+    CVE-2015-8138 \
+    CVE-2015-8139 \
+    CVE-2015-8140 \
+    CVE-2015-8158 \
+    CVE-2016-1547 \
+    CVE-2016-2516 \
+    CVE-2016-2517 \
+    CVE-2016-2519 \
+    CVE-2016-7429 \
+    CVE-2016-7433 \
+    CVE-2016-9310 \
+    CVE-2016-9311 \
+"
+
 
 inherit autotools update-rc.d useradd systemd pkgconfig
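
Review bot: The new CVE_CHECK_IGNORE list carries one shared justification in the comment above it but no record of which release fixed each entry, so nobody can re-audit a single CVE later without repeating the whole NVD check. Consider splitting it into separate `CVE_CHECK_IGNORE +=` assignments, each under a short comment naming the fixing release, and stating in the comment that the list was verified against 4.2.8p15 and has to be revisited when the recipe version changes. The existing comment "# CVE-2016-9312 is only for windows." is now separated from its entry by the two new comment lines and the opening of the assignment, and the entry itself is mixed into a list that is ignored for a different reason; keeping it as its own assignment directly under that comment would preserve the distinction. Smaller points: the second added comment line is much longer than the rest of the file and should be wrapped, and the final added empty line leaves two blank lines before "inherit".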