[Buildroot] [PATCH 1/1] package/freeradius-server: ignore CVE-2002-0318 and CVE-2011-4966
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Sat Apr 19 14:07:09 UTC 2025
Hello Raphaël,
On Mon, 14 Apr 2025 12:46:12 +0200
Raphaël Mélotte via buildroot <buildroot at buildroot.org> wrote:
> CVE-2002-0318 has been mitigated by adding a new config option in
> freeradius-server commit f0f762d1439336fff9c8b90291364ddff583f698,
> which is part of release_0_5_0 onwards.
> See also the original report ([1]).
> The NVD database's CPE configuration doesn't have an associated
> version number, which is why our CVE check still reports it.
>
> For CVE-2011-4966, the CVE description (see [2]) mentions the issue is
> fixed in version 2.2.0 onwards, but the CPE again doesn't use a
> version number.
>
> To reduce the noise in the list of CVEs that pkg-stats reports, ignore
> them.
Did you report these to upstream NVD, to get the database updated/fixed?
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
More information about the buildroot
mailing list