From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
To: buildroot@buildroot.org
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR
Date: Sun, 23 Oct 2022 11:10:08 +0200 [thread overview]
Message-ID: <20221023091009.18544-1-fontaine.fabrice@gmail.com> (raw)
cpe:2.3:a:yann_collet:lz4, which was added by commit
63332c33aa0771532807fd2684d4eee4eb952435, was never a valid CPE
identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ayann_collet%3Alz4
cpe:2.3:a:lz4_project:lz4 is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alz4_project%3Alz4
While at it, also drop the note added by commit
45db4bb08e3e550db483d8745fe8aaede2fa7e98
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/lz4/lz4.mk | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index 9b9b6198c3..541a03473a 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -9,13 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
LZ4_INSTALL_STAGING = YES
LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
-LZ4_CPE_ID_VENDOR = yann_collet
-
-# CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
-# 1.9.2, while in fact this issue has been fixed since lz4-r130:
-# https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08
-# See https://github.com/lz4/lz4/issues/818
-LZ4_IGNORE_CVES += CVE-2014-4715
+LZ4_CPE_ID_VENDOR = lz4_project
# 0001-Fix-potential-memory-corruption-with-negative-memmov.patch
LZ4_IGNORE_CVES += CVE-2021-3520
--
2.35.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next reply other threads:[~2022-10-23 9:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-23 9:10 Fabrice Fontaine [this message]
2022-10-23 9:10 ` [Buildroot] [PATCH 2/2] package/lz4: bump to version 1.9.4 Fabrice Fontaine
2022-11-08 19:55 ` Peter Korsgaard
2022-10-28 6:54 ` [Buildroot] [PATCH 1/2] package/lz4: fix LZ4_CPE_ID_VENDOR Thomas Petazzoni via buildroot
2022-11-08 19:55 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221023091009.18544-1-fontaine.fabrice@gmail.com \
--to=fontaine.fabrice@gmail.com \
--cc=buildroot@buildroot.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.