[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

Peter Korsgaard peter at korsgaard.com
Wed Feb 19 22:06:59 UTC 2020


>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at bootlin.com> writes:

 > On Wed, 19 Feb 2020 22:37:04 +0100
 > Peter Korsgaard <peter at korsgaard.com> wrote:

 >> > What does "disputed" means in this context ?  
 >> 
 >> That someone related to the project claims that it isn't a security
 >> issue or cannot reproduce the issue.
 >> 
 >> Specifically for this CVE, see the discussion here:
 >> 
 >> https://github.com/erikd/libsndfile/issues/398

 > That's the kind of thing I assumed, but perhaps we need to add at least
 > this link next to the IGNORE_CVES line ?

Do you think so? We don't really do it for the other things, E.G. we
simply claim that a specific patch fixes one or more CVEs, without
necessarily providing a lot of details besides the CVE identifier

>From the CVE identifier you can then go and look up a bunch of these
things, E.G. on the Debian securitytracker or on the NVD website.

In a way, this is quite similar to how we claim specific licenses for a
package.

-- 
Bye, Peter Korsgaard



More information about the buildroot mailing list