[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches
Peter Korsgaard
peter at korsgaard.com
Wed Feb 19 22:06:59 UTC 2020
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at bootlin.com> writes:
> On Wed, 19 Feb 2020 22:37:04 +0100
> Peter Korsgaard <peter at korsgaard.com> wrote:
>> > What does "disputed" mean in this context?
>>
>> That someone related to the project claims that it isn't a security
>> issue or cannot reproduce the issue.
>>
>> Specifically for this CVE, see the discussion here:
>>
>> https://github.com/erikd/libsndfile/issues/398
> That's the kind of thing I assumed, but perhaps we need to add at least
> this link next to the IGNORE_CVES line ?
Do you think so? We don't really do it for the other things, e.g. we
simply claim that a specific patch fixes one or more CVEs, without
necessarily providing a lot of details besides the CVE identifier.
From the CVE identifier you can then go and look up a bunch of these
things, e.g. on the Debian security tracker or on the NVD website.
In a way, this is quite similar to how we claim specific licenses for a
package.
--
Bye, Peter Korsgaard