[bootlin/training-materials updates] master: slides/buildroot-advanced-packages: add one slide on <pkg>_IGNORE_CVES (662d218e)

Thomas Petazzoni thomas.petazzoni at bootlin.com
Sat Mar 11 17:29:20 CET 2023


Repository : https://github.com/bootlin/training-materials
On branch  : master
Link       : https://github.com/bootlin/training-materials/commit/662d218eece258fc0160ea838192f9c4f452647c

>---------------------------------------------------------------

commit 662d218eece258fc0160ea838192f9c4f452647c
Author: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
Date:   Sat Mar 11 17:29:20 2023 +0100

    slides/buildroot-advanced-packages: add one slide on <pkg>_IGNORE_CVES
    
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>


>---------------------------------------------------------------

662d218eece258fc0160ea838192f9c4f452647c
 .../buildroot-advanced-packages.tex                | 30 ++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/slides/buildroot-advanced-packages/buildroot-advanced-packages.tex b/slides/buildroot-advanced-packages/buildroot-advanced-packages.tex
index c219ae10..8fdaa45f 100644
--- a/slides/buildroot-advanced-packages/buildroot-advanced-packages.tex
+++ b/slides/buildroot-advanced-packages/buildroot-advanced-packages.tex
@@ -192,6 +192,36 @@ LIBFFI_CPE_ID_UPDATE = rc0
 
 \end{frame}
 
+\begin{frame}[fragile]{{\tt <pkg>\_IGNORE\_CVES} variable}
+
+  \begin{itemize}
+  \item There are cases where a CVE reported by the {\em pkg-stats}
+    tool in fact is not relevant:
+    \begin{itemize}
+    \item The security fix has been backported into Buildroot
+    \item The vulnerability does not affect Buildroot due to how the
+      package is configured or used
+    \end{itemize}
+  \item The \code{<pkg>_IGNORE_CVES} variable allows a package to tell
+    {\em pkg-stats} to ignore a particular CVE
+  \end{itemize}
+
+  \begin{block}{\code{package/bind/bind.mk}}
+\begin{verbatim}
+# Only applies to RHEL6.x with DNSSEC validation on
+BIND_IGNORE_CVES = CVE-2017-3139
+\end{verbatim}
+  \end{block}
+
+  \begin{block}{\code{package/avahi/avahi.mk}}
+\begin{verbatim}
+# 0001-Fix-NULL-pointer-crashes-from-175.patch
+AVAHI_IGNORE_CVES += CVE-2021-36217
+\end{verbatim}
+  \end{block}
+
+\end{frame}
+
 \subsection{Patching packages}
 
 \begin{frame}{Patching packages: why?}
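Review bot: Both examples carry a justification comment above the assignment, but the slide never states that such a comment is expected, so learners may read `<pkg>_IGNORE_CVES` as a way to silence a pkg-stats report rather than to record a security assessment; the second bullet could read `to ignore a particular CVE, together with a comment explaining why it does not apply`. For the backport case it is also worth saying that the comment should name the patch that fixes the CVE, as the avahi example does, so that the ignore entry and the patch can be reviewed and dropped together on the next version bump; the Buildroot manual asks for this justification as far as I recall, but the slide does not cite it. On style, the frame title uses `{\tt <pkg>\_IGNORE\_CVES}` while the body uses `\code{<pkg>_IGNORE_CVES}`; if `\code` is not usable in the title, `\texttt{<pkg>\_IGNORE\_CVES}` is the non-obsolete form, and `{\em pkg-stats}` would likewise be `\emph{pkg-stats}`.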



