mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
nodejs: ignore CVE-2023-30583, CVE-2023-30584 and CVE-2023-30587
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30583 https://nvd.nist.gov/vuln/detail/CVE-2023-30584 https://nvd.nist.gov/vuln/detail/CVE-2023-30587 None of these vulnerabilities are present in the recipe version. CVE-2023-30583: While the main feature (blob) was intruced in v16, the vulnerable code (load blobs from file) was introduced in v20[1], and as such, the vulnerability is not present in the recipe version. CVE-2023-30584, CVE-2023-30587: The whole vulnerable feature (permission model) was introduced[2] in v20. Ignore these CVE IDs. [1]: https://github.com/nodejs/node/commit/950cec4c2642c15e2913f35babadda56c1d8a723 [2]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
@@ -46,6 +46,9 @@ S = "${WORKDIR}/node-v${PV}"
|
|||||||
|
|
||||||
CVE_PRODUCT = "nodejs node.js"
|
CVE_PRODUCT = "nodejs node.js"
|
||||||
|
|
||||||
|
# the vulnerabilities were introduced in v20
|
||||||
|
CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587"
|
||||||
|
|
||||||
# v8 errors out if you have set CCACHE
|
# v8 errors out if you have set CCACHE
|
||||||
CCACHE = ""
|
CCACHE = ""
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user