[Buildroot] [autobuild.buildroot.net] Daily results for 2020-09-06
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Mon Sep 7 13:52:58 UTC 2020
Hello,
On Mon, 7 Sep 2020 11:47:59 +0200
Nicolas Cavallari <nicolas.cavallari at green-communications.fr> wrote:
> On 07/09/2020 09:08, Thomas Petazzoni wrote:
>
> libgit2 | CVE-2014-9390 |
> https://security-tracker.debian.org/tracker/CVE-2014-9390
> So libgit2 is affected by a 6 year old security vulnerability that has
> been fixed before the package was actually introduced in buildroot...
>
> This apparently comes directly from the nvd database, do i wait for it
> to be fixed, or should i add it to LIBGIT2_IGNORE_CVES ? The manual
> doesn't say anything about this case.
Thanks for getting back to us about this.
According to what
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774048 says, it was
fixed upstream in version 0.21.3, and a quick inspection indeed shows
this commit between 0.21.2 and 0.21.3:
commit 928429c5c96a701bcbcafacb2421a82602b36915
Author: Vicent Martí <vicent at github.com>
Date: Tue Nov 25 00:14:52 2014 +0100
tree: Check for `.git` with case insensitivy
So I believe that the NVD database should be updated to indicate that
only versions up to 0.21.2 are affected.
Matt has documented at
https://elinux.org/Buildroot:Security_Vulnerability_Management how to
request updates of NVD entries, but I've never followed the process
myself.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com