* [meta-oe][PATCH] nss: ignore CVE-2022-3479
@ 2023-06-02 9:18 Peter Marko
0 siblings, 0 replies; only message in thread
From: Peter Marko @ 2023-06-02 9:18 UTC (permalink / raw)
To: openembedded-devel; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Investigation based on https://bugzilla.mozilla.org/show_bug.cgi?id=1774654 leads to following:
* fixed in 3.87
(https://hg.mozilla.org/projects/nss/rev/a7f363511333b8062945557607691002fd6e40b9)
* changed code was introduced in 3.77
(https://hg.mozilla.org/projects/nss/rev/be6a97823bfe10fa08e17c9584938a2d525a38da)
* NVD claims fix in 3.81, but there is no evidence for it in commit history
(https://hg.mozilla.org/projects/nss/graph/a7f363511333b8062945557607691002fd6e40b9)
* Debian also says for old versions "nss <not-affected> (Vulnerable code not present/was introduced later)"
(https://security-tracker.debian.org/tracker/CVE-2022-3479)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta-oe/recipes-support/nss/nss_3.74.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta-oe/recipes-support/nss/nss_3.74.bb b/meta-oe/recipes-support/nss/nss_3.74.bb
index a7048f0fe..38407a7c4 100644
--- a/meta-oe/recipes-support/nss/nss_3.74.bb
+++ b/meta-oe/recipes-support/nss/nss_3.74.bb
@@ -289,3 +289,6 @@ CVE_CHECK_IGNORE += "CVE-2006-5201"
# CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect
# the legacy db (libnssdbm), only compiled with --enable-legacy-db.
CVE_CHECK_IGNORE += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
+
+# vulnerability was introduced in 3.77 and fixed in 3.87
+CVE_CHECK_IGNORE += "CVE-2022-3479"
--
2.30.2
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2023-06-02 9:19 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-02 9:18 [meta-oe][PATCH] nss: ignore CVE-2022-3479 Peter Marko
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).