package/python-pip: ignore CVE-2018-20225

See https://security-tracker.debian.org/tracker/CVE-2018-20225 for the rationale of ignoring this CVE. Things basically work as intended. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-03 00:14:24 +02:00 · 2023-09-03 00:14:24 +02:00 · 57229c22f1
commit 57229c22f1
parent 2397349fa9
1 changed files with 3 additions and 0 deletions
--- a/package/python-pip/python-pip.mk
+++ b/package/python-pip/python-pip.mk
@ -12,6 +12,9 @@ PYTHON_PIP_LICENSE = MIT
 PYTHON_PIP_LICENSE_FILES = LICENSE.txt
 PYTHON_PIP_CPE_ID_VENDOR = pypa
 PYTHON_PIP_CPE_ID_PRODUCT = pip
+# Disputed CVE: things work as designed, and only affects the
+# --extra-index-url option. This CVE will never be fixed.
+PYTHON_PIP_IGNORE_CVES += CVE-2018-20225

 $(eval $(python-package))
 $(eval $(host-python-package))