diff mbox series

[meta-oe,kirkstone,2/5] nodejs: ignore CVE-2023-30583, CVE-2023-30584 and CVE-2023-30587

Message ID 20260102112900.1800006-2-skandigraun@gmail.com
State New
Headers show
Series [meta-oe,kirkstone,1/5] fio: ignore CVE-2025-10824 | expand

Commit Message

Gyorgy Sarvari Jan. 2, 2026, 11:28 a.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30583
https://nvd.nist.gov/vuln/detail/CVE-2023-30584
https://nvd.nist.gov/vuln/detail/CVE-2023-30587

None of these vulnerabilities are present in the recipe version.

CVE-2023-30583: While the main feature (blob) was intruced in v16, the vulnerable
code (load blobs from file) was introduced in v20[1], and as such,
the vulnerability is not present in the recipe version.

CVE-2023-30584, CVE-2023-30587: The whole vulnerable feature (permission model) was
introduced[2] in v20.

Ignore these CVE IDs.

[1]: https://github.com/nodejs/node/commit/950cec4c2642c15e2913f35babadda56c1d8a723
[2]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 3 +++
 1 file changed, 3 insertions(+)
diff mbox series

Patch

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
index 05a6706c10..b2872bfd98 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@@ -46,6 +46,9 @@  S = "${WORKDIR}/node-v${PV}"
 
 CVE_PRODUCT = "nodejs node.js"
 
+# the vulnerabilities were introduced in v20
+CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587"
+
 # v8 errors out if you have set CCACHE
 CCACHE = ""