
[1/1] smarty: Update status for CVE-2020-10375

Message ID 20240614111911.46353-2-ninette@thehoodiefirm.com
State Accepted
Series smarty: Update status for CVE-2020-10375

Commit Message

Ninette Adhikari June 14, 2024, 11:19 a.m. UTC
The recipe used in the meta-openembedded is a different package compared to the one which has the CVE issue.
Package used in meta-embedded: https://www.smarty.net/
Package with CVE issue is from newmediacompany: https://www.smarty-online.de
No action required.

Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
---
 meta-oe/recipes-support/smarty/smarty_4.4.1.bb | 2 ++
 1 file changed, 2 insertions(+)

--
2.44.0

Comments

Marta Rybczynska June 18, 2024, 1:31 p.m. UTC | #1
On Fri, Jun 14, 2024 at 1:19 PM Ninette Adhikari via lists.openembedded.org
<ninette=thehoodiefirm.com@lists.openembedded.org> wrote:

> The recipe used in the meta-openembedded is a different package compared
> to the one which has the CVE issue.
> Package used in meta-embedded: https://www.smarty.net/
> Package with CVE issue is from newmediacompany:
> https://www.smarty-online.de
> No action required.
>
> Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
> ---
>  meta-oe/recipes-support/smarty/smarty_4.4.1.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta-oe/recipes-support/smarty/smarty_4.4.1.bb
> b/meta-oe/recipes-support/smarty/smarty_4.4.1.bb
> index 1caa4cd1b..e0979bb5a 100644
> --- a/meta-oe/recipes-support/smarty/smarty_4.4.1.bb
> +++ b/meta-oe/recipes-support/smarty/smarty_4.4.1.bb
> @@ -24,3 +24,5 @@ do_install() {
>          install -m 0644 ${S}/libs/sysplugins/*.php
> ${D}${datadir}/php/smarty3/libs/sysplugins/
>  }
>  FILES:${PN} = "${datadir}/php/smarty3/"
> +
> +CVE_STATUS[CVE-2020-10375] = "cpe-incorrect: The recipe used in the
> meta-openembedded is a different smarty package compared to the one which
> has the CVE issue."
> --
> 2.44.0
>
>
Hello,
I think that here, instead of CVE_STATUS, it would be better to clarify the
CPE. Recent CVEs in "the PHP smarty" use smarty:smarty CPE, see:
https://nvd.nist.gov/products/cpe/detail/1CEBBFA2-1F23-49CA-99EE-4EC44979607B?namingFormat=2.2&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Asmarty%3Asmarty&status=FINAL%2CDEPRECATED

Kind regards,
Marta

Patch

diff --git a/meta-oe/recipes-support/smarty/smarty_4.4.1.bb b/meta-oe/recipes-support/smarty/smarty_4.4.1.bb
index 1caa4cd1b..e0979bb5a 100644
--- a/meta-oe/recipes-support/smarty/smarty_4.4.1.bb
+++ b/meta-oe/recipes-support/smarty/smarty_4.4.1.bb
@@ -24,3 +24,5 @@  do_install() {
         install -m 0644 ${S}/libs/sysplugins/*.php ${D}${datadir}/php/smarty3/libs/sysplugins/
 }
 FILES:${PN} = "${datadir}/php/smarty3/"
+
+CVE_STATUS[CVE-2020-10375] = "cpe-incorrect: The recipe used in the meta-openembedded is a different smarty package compared to the one which has the CVE issue."
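
Review bot: The added CVE_STATUS[CVE-2020-10375] entry at the end of the recipe silences only this one CVE, so any later CVE filed against the other smarty product could match the recipe again and need its own entry. If the false match comes from the product name, setting CVE_PRODUCT in the recipe to the vendor-qualified name given in the review comment (`CVE_PRODUCT = "smarty:smarty"`) would address the cause once instead of per CVE. If the CVE_STATUS line is kept, its description should name the other product (the commit message identifies it as the newmediacompany package from smarty-online.de) so the reason can be checked from the recipe alone.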