[Buildroot] [PATCH] package/atop: ignore already fixed CVE-2011-3618
Ricardo Martincoski
ricardo.martincoski at gmail.com
Sun Dec 5 07:51:37 UTC 2021
Yann,

On Sat, Dec 04, 2021 at 08:23 AM, Yann E. MORIN wrote:
> Ricardo, All,
>
> On 2021-11-14 20:25 -0300, Ricardo Martincoski spake thusly:
>> https://security-tracker.debian.org/tracker/CVE-2011-3618
>>
>> The patch used by Debian
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622794
>> has equivalent code merged in upstream:
>>
>> rawlog.c, changed in 2012, release v2.1
>> https://github.com/Atoptool/atop/commit/7c17a309ef97a59a8ee1f5a593f48eeac9d46bc8
>>
>> acctproc.c, changed in 2016, release v2.3.0
>> https://github.com/Atoptool/atop/commit/2820b1144ce403c7917cd2e09b05e78d2c9dbc07
>>
>> So ignore the wrong CVE report.
>
> Instead, shouldn't the CVE be updated to state that it does not affect
> version >= 2.3.0 ?

Indeed. Thank you for pointing this out.

Searching in the mailing list, I found this URL:
https://www.elinux.org/Buildroot:Security_Vulnerability_Management

I just filled in a form at https://cveform.mitre.org/

I guess this patch can be Rejected.

Regards,
Ricardo