package/rsyslog: ignore CVE-2015-3243

https://security-tracker.debian.org/tracker/CVE-2015-3243 "Rsyslog uses weak permissions for generating log files." Ignoring this CVE for Buildroot as normally there are not local users and a build could customize the rsyslog.conf to be more restrictive ($FileCreateMode 0640). Example fix from Alpino Linux 3cb5210cda Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit fb4402b516) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-21 15:42:34 -05:00 · 2021-04-21 15:42:34 -05:00 · ea5323f16a
commit ea5323f16a
parent 3bf84c7ce0
1 changed files with 4 additions and 0 deletions
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@ -9,6 +9,10 @@ RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
 RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
 RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
 RSYSLOG_CPE_ID_VENDOR = rsyslog
+# rsyslog uses weak permissions for generating log files.
+# Ignoring this CVE as Buildroot normally doesn't have local users and a build
+# could customize the rsyslog.conf to be more restrictive ($FileCreateMode 0640)
+RSYSLOG_IGNORE_CVES += CVE-2015-3243
 RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
 RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
 RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \