From 7959fe04b5ea75b488eaf7cb06d43f81d2e8494b Mon Sep 17 00:00:00 2001
From: Maxim Kochetkov
Date: Mon, 13 Mar 2023 09:13:23 +0300
Subject: [PATCH] package/postgresql: ignore CVE-2017-8806

CVE-2017-8806 is related to postgresql-common package, as present in Debian and its derivatives; Buildroot does not have that package. It is false positive for postgresql, so ignore it.

To be noted, is that a similar CVE [0] applied to postgresql itself, as stated in [1], but that was fixed a while ago [2], and we need not ignore it.

[0] https://nvd.nist.gov/vuln/detail/CVE-2017-12172
[1] https://ubuntu.com/security/CVE-2017-8806
[2] https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=dfc015dcf46c1996bd7ed5866e9e045d258604b3

Signed-off-by: Maxim Kochetkov
Signed-off-by: Yann E. MORIN
(cherry picked from commit 6104b62d95e87e5cb4f4815b78841541de4301e8)
Signed-off-by: Peter Korsgaard
---
 package/postgresql/postgresql.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/postgresql/postgresql.mk b/package/postgresql/postgresql.mk
index a2aed9a2eb..e46622c0e7 100644
--- a/package/postgresql/postgresql.mk
+++ b/package/postgresql/postgresql.mk
@@ -19,6 +19,10 @@ POSTGRESQL_CONF_ENV = \
 POSTGRESQL_CONF_OPTS = --disable-rpath
 POSTGRESQL_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
 
+# CVE-2017-8806 is related to postgresql-common package
+# It is false positive for postgresql
+POSTGRESQL_IGNORE_CVES += CVE-2017-8806
+
 # https://www.postgresql.org/docs/11/static/install-procedure.html:
 # "If you want to invoke the build from another makefile rather than
 # manually, you must unset MAKELEVEL or set it to zero"
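Review bot: The comment above the new `POSTGRESQL_IGNORE_CVES += CVE-2017-8806` line gives no auditable reason beyond "false positive", so whoever re-triages this package's CVE list at the next version bump cannot tell why the entry is safe without digging up this commit; the justification in the commit message should live next to the ignore itself. I would replace the two added comment lines with `# CVE-2017-8806 only affects Debian's postgresql-common package, which Buildroot does` / `# not ship; its upstream counterpart, CVE-2017-12172, was fixed in postgresql itself` / `# and is deliberately NOT ignored here.`, which also stops a later reader from extending the ignore list to CVE-2017-12172 by analogy. The statement that the upstream fix is already in the packaged release comes from the commit message, not from this hunk, so it is worth confirming against the version this .mk file pins before the comment asserts it.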