From 61012643b26ca033210a66a900c8a28a3767c361 Mon Sep 17 00:00:00 2001
From: Peter Marko
Date: Tue, 14 Mar 2023 20:49:28 +0100
Subject: ntp: whitelist CVE-2019-11331
Links from https://nvd.nist.gov/vuln/detail/CVE-2019-11331 lead to conclusion that this is how icurrent ntp protocol is designed. New RFC is propsed for future but it will not be compatible with current one. See https://support.f5.com/csp/article/K09940637
Signed-off-by: Peter Marko
Signed-off-by: Khem Raj
(cherry picked from commit 648912f72d3d85ef43ba5114953794faa1572bdf)
Signed-off-by: Armin Kuster
---
 meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
index 3ce2d77df7..5d2f05e925 100644
--- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
+++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
 SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19"
 # CVE-2016-9312 is only for windows.
+# CVE-2019-11331 is inherent to RFC 5905 and cannot be fixed without breaking compatibility
 # The other CVEs are not correctly identified because cve-check
 # is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference)
 CVE_CHECK_IGNORE += "\
@@ -50,6 +51,7 @@ CVE_CHECK_IGNORE += "\
 CVE-2016-7433 \
 CVE-2016-9310 \
 CVE-2016-9311 \
+ CVE-2019-11331 \
 "
--
cgit v1.2.3-54-g00ecf
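Review bot: The comment added in the first hunk explains why CVE-2019-11331 cannot be fixed, but it does not say that the shipped ntpd remains affected, which sets this entry apart from the others that the surrounding comments describe as Windows-only or as version-matching false positives. Because the `CVE-2019-11331 \` entry in the second hunk removes the finding from cve-check output, the recipe comment is the only place an integrator will see that this is an accepted risk rather than a non-issue. I would word it as `# CVE-2019-11331 is inherent to RFC 5905 (fixed source port 123) and still applies to this build; see https://support.f5.com/csp/article/K09940637`, so the rationale from the commit message survives in the recipe. The CVE_CHECK_IGNORE assignment starts at the end of the first hunk and its list continues outside both hunks.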