nss: ignore CVE-2022-3479

Investigation based on https://bugzilla.mozilla.org/show_bug.cgi?id=1774654 leads to following: * fixed in 3.87 (a7f3635113) * changed code was introduced in 3.77 (be6a97823b) * NVD claims fix in 3.81, but there is no evidence for it in commit history (a7f3635113) * Debian also says for old versions "nss <not-affected> (Vulnerable code not present/was introduced later)" (https://security-tracker.debian.org/tracker/CVE-2022-3479) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-01 13:58:06 +00:00 · 2023-06-02 11:18:20 +02:00 · 2023-06-02 11:18:20 +02:00 · 81c18e0797
commit 81c18e0797
parent 110f60fff7
1 changed files with 3 additions and 0 deletions
--- a/meta-oe/recipes-support/nss/nss_3.74.bb
+++ b/meta-oe/recipes-support/nss/nss_3.74.bb
@ -289,3 +289,6 @@ CVE_CHECK_IGNORE += "CVE-2006-5201"
 # CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect
 # the legacy db (libnssdbm), only compiled with --enable-legacy-db.
 CVE_CHECK_IGNORE += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
+
+# vulnerability was introduced in 3.77 and fixed in 3.87
+CVE_CHECK_IGNORE += "CVE-2022-3479"