Re: CVEs missing from the NIST database

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVEs missing from the NIST database

From:	Mark H Weaver
Subject:	Re: CVEs missing from the NIST database
Date:	Wed, 17 Mar 2021 00:15:55 -0400

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Yes, that can happen when the CVE doesn’t list affected versions:
>
>   https://www.openwall.com/lists/oss-security/2017/03/15/3

Thank you for pointing out that thread, and for starting it 4 years ago.
I found it illuminating.

> The solution here is to add a ‘lint-hidden-cve’ property to the
> package with a comment explaining why we think these CVEs can be
> ignored (info "(guix) Invoking guix lint").

I've now done so for 'gnome-shell' and 'gvfs'.

    Thanks,
      Mark

[Prev in Thread]

Current Thread

[Next in Thread]

CVEs missing from the NIST database, Ludovic Courtès, 2021/03/12
- Re: CVEs missing from the NIST database, Leo Famulari, 2021/03/12
- Re: CVEs missing from the NIST database, Mark H Weaver, 2021/03/12
  - Re: CVEs missing from the NIST database, Ludovic Courtès, 2021/03/15
    - Re: CVEs missing from the NIST database, Mark H Weaver <=

Prev by Date: Re: [opinion] CVE-patching is not sufficient for package security patching
Next by Date: Re: [opinion] CVE-patching is not sufficient for package security patching
Previous by thread: Re: CVEs missing from the NIST database
Next by thread: regression: “guix pack” Docker images no longer work on AWS
Index(es):
- Date
- Thread