CVE-2024-35326, CVE-2024-35328, CVE-2024-35329 #302
Comments
I'm starting to think someone is abusing the CVE process to spam maintainers with low quality bug reports.

CVE-2024-35326, CVE-2024-35328
Use an existing defined CVE_CHECK_STATUSMAP key in meta/lib/oe/cve_check.py in order to avoid the following complaint from BitBake:

    WARNING: libyaml-native-0.2.5-r0 do_create_spdx: Invalid detail "wontfix" for CVE_STATUS[CVE-2024-35328] = "wontfix: Upstream thinks there is no working code that is exploitable - yaml/libyaml#302", fallback to Unpatched

(From OE-Core rev: c66d9a2a0d197498fa21ee8ca51a4afb59f75473)

Signed-off-by: Niko Mauno <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
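The commit message above describes a failure mode worth checking for in a build pipeline: a `CVE_STATUS` detail that is not a known `CVE_CHECK_STATUSMAP` key is not an error, it is silently downgraded to `Unpatched`, so the SBOM and cve-check report keep showing the CVE as open. The following is an added illustration of that decoding logic, written for this page; it is not OE-Core's `cve_check.py`, and `STATUSMAP` is a constructed subset (the real map's keys may differ). The corrected key `upstream-wontfix` used for the second sample entry is an assumption, since the commit message does not name the key that was chosen.

```python
"""Illustrative decoder for CVE_STATUS entries of the form
    CVE_STATUS[CVE-YYYY-NNNN] = "detail: free-text justification"
modelled on the warning quoted in the OE-Core commit message.
Added example; not OE-Core code."""
import re

# Constructed subset of status-map keys in the style of CVE_CHECK_STATUSMAP.
# The real OE-Core map may contain more, or differently named, keys.
STATUSMAP = {
    "upstream-wontfix": "Ignored",
    "disputed": "Ignored",
    "not-applicable-config": "Ignored",
    "fixed-version": "Patched",
    "backported-patch": "Patched",
    "fix-file-included": "Patched",
}

FALLBACK = "Unpatched"
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def decode_status(cve_id, value, statusmap=STATUSMAP):
    """Split "detail: description" and resolve detail via the status map.

    Returns (status, detail, description, warning); warning is None when
    the detail is a known key, otherwise the text a build would emit.
    """
    detail, sep, description = value.partition(":")
    detail = detail.strip()
    description = description.strip() if sep else ""
    status = statusmap.get(detail)
    if status is None:
        warning = (f'Invalid detail "{detail}" for CVE_STATUS[{cve_id}] = '
                   f'"{value}", fallback to {FALLBACK}')
        return FALLBACK, detail, description, warning
    return status, detail, description, None


def check_recipe(cve_status):
    """cve_status: dict CVE-ID -> value string, i.e. a recipe's CVE_STATUS flags.

    Returns (resolved, warnings) where resolved maps CVE-ID -> status and
    warnings lists every entry that fell back to Unpatched. Malformed CVE
    ids are reported as warnings too, since a typo there would also hide an
    intended mark-as-ignored.
    """
    resolved, warnings = {}, []
    for cve_id, value in cve_status.items():
        if not CVE_ID_RE.match(cve_id):
            warnings.append(f'Malformed CVE id "{cve_id}" in CVE_STATUS')
            continue
        status, _, _, warning = decode_status(cve_id, value)
        resolved[cve_id] = status
        if warning:
            warnings.append(warning)
    return resolved, warnings


# Constructed sample: the 'before' entry from the commit message, and a
# corrected one using an assumed valid key.
SAMPLE = {
    "CVE-2024-35328": "wontfix: Upstream thinks there is no working code "
                      "that is exploitable - yaml/libyaml#302",
    "CVE-2024-35326": "upstream-wontfix: Upstream thinks there is no working "
                      "code that is exploitable - yaml/libyaml#302",
}

if __name__ == "__main__":
    resolved, warnings = check_recipe(SAMPLE)
    for cve, status in resolved.items():
        print(f"{cve}: {status}")
    for w in warnings:
        print("WARNING:", w)
```

Running this prints `CVE-2024-35328: Unpatched` with a warning and `CVE-2024-35326: Ignored` without one, which is the point a reviewer wants to see: only the spelling of the detail key decides whether the justification takes effect, so a CI step that fails on any such warning is cheap insurance.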
Other projects have experienced this spam. Mitre responded appropriately to one in curl (IIRC) but they seem to act very slowly.

I have a pull request #305 that might close out issues with #302, specifically CVE-2024-35326. Even with the reject, a little defensive coding rarely hurts.

The above CVEs are REJECTED now (not security issues)
The following CVEs I do not consider as vulnerabilities:

They are all missing initialization of structs with the corresponding proper functions, so there is no working code that could be exploited.

I already contacted mitre.org for CVE-2024-35329 over a month ago to reject this, but no reply :(

There has already been some discussion in #298, but I decided to create a new issue because that thread is hard to read due to the discussion of how those CVEs were (not) reported and published.