| Message ID | 20260102112900.1800006-4-skandigraun@gmail.com |
|---|---|
| State | New |
| Series | [meta-oe,kirkstone,1/5] fio: ignore CVE-2025-10824 |
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb index 2feec12f21..9c279d1463 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb @@ -50,6 +50,9 @@ CVE_PRODUCT = "nodejs node.js" # the vulnerabilities were introduced in v20 CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587" +# the vulnerability was introduced later (with libuv 1.45) +CVE_CHECK_IGNORE += "CVE-2024-22017" + # v8 errors out if you have set CCACHE CCACHE = ""
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-22017

The vulnerability is related to the io_uring usage of libuv. Libuv first introduced io_uring support in v1.45[1]. oe-core ships a non-vulnerable version (1.44.2), and nodejs vendors also an older version (1.43).

Mark this CVE as ignored for this recipe version.

[1]: https://github.com/libuv/libuv/commit/d2c31f429b87b476a7f1344d145dad4752a406d4

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

---

meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 3 +++

1 file changed, 3 insertions(+)
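
Review bot: The comment added above `CVE_CHECK_IGNORE += "CVE-2024-22017"` says only that the vulnerability arrived "with libuv 1.45" and does not record which libuv this recipe actually uses, so nothing in the recipe tells a later maintainer when the ignore stops being valid. The commit message already has the facts (vendored libuv 1.43, oe-core libuv 1.44.2); consider carrying them into the comment, for example "# libuv io_uring support arrived in 1.45; vendored libuv is 1.43, oe-core ships 1.44.2", so that a libuv upgrade on this branch prompts a re-check of the entry.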