all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* bug#40142: CVE checker return false positives
@ 2020-03-20  9:10 Brice Waegeneire
  2020-03-21 16:25 ` Ludovic Courtès
  2020-04-01 17:01 ` bug#40142: (guix cve) discards configuration "vendor", leading to " Brice Waegeneire
  0 siblings, 2 replies; 5+ messages in thread
From: Brice Waegeneire @ 2020-03-20  9:10 UTC (permalink / raw)
  To: 40142

Hello,

The CVE checker of “guix lint” returns false positives:
┌────
│ LANGUAGE=C guix lint git 2>&1
├───
│ gnu/packages/version-control.scm:149:2: git@2.25.1: probably 
vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110, 
CVE-2018-1000182
│ 
/gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:153:12: 
git@2.25.1: can be upgraded to 2.25.2
│ 
/gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:154:11: 
git@2.25.1: source not archived on Software Heritage
└────


• [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
• [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
• [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier
   […]”
• [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

Also note the missing / on the first line and it output on `stderr'
instead of `stdout'.

[CVE-2020-2136] <https://nvd.nist.gov/vuln/detail/CVE-2020-2136>

[CVE-2019-1003010] <https://nvd.nist.gov/vuln/detail/CVE-2019-1003010>

[CVE-2018-1000110] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000110>

[CVE-2018-1000182] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000182>

Brice.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-04-02 10:39 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-03-20  9:10 bug#40142: CVE checker return false positives Brice Waegeneire
2020-03-21 16:25 ` Ludovic Courtès
2020-03-21 16:57   ` Brice Waegeneire
2020-04-01 17:01 ` bug#40142: (guix cve) discards configuration "vendor", leading to " Brice Waegeneire
2020-04-02 10:38   ` Ludovic Courtès

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.