diff --git a/package/boost/boost.mk b/package/boost/boost.mk
index 322429a10c..2daf7f5a96 100644
--- a/package/boost/boost.mk
+++ b/package/boost/boost.mk
@@ -11,6 +11,10 @@ BOOST_INSTALL_STAGING = YES
 BOOST_LICENSE = BSL-1.0
 BOOST_LICENSE_FILES = LICENSE_1_0.txt
 
+# CVE-2009-3654 is misclassified (by our CVE tracker) as affecting to boost,
+# while in fact it affects Drupal (a module called boost in there).
+BOOST_IGNORE_CVES += CVE-2009-3654
+
 # keep host variant as minimal as possible
 HOST_BOOST_FLAGS = --without-icu --with-toolset=gcc \
 	--without-libraries=$(subst $(space),$(comma),atomic chrono context \