clearlinux / cve-check-tool

Original Automated CVE Checking Tool
GNU General Public License v2.0

Mark CVE status as Patched in the report #52

Closed emaliv closed 7 years ago

emaliv commented 7 years ago

There are cases when a single patch fixes multiple CVEs and the patch can’t be split into multiple patches. For example, the patch CVE-2011-1000.patch also fixes CVE-2011-1111, but the latter will not appear as “Patched” in the report. For this case we added support for .patched files, to define custom patches that enable the user to mark a certain CVE as patched without actually applying it.

In order to mark a CVE as patched, the user should add a file with the “.patched” extension that contains a detailed description of the reason why the CVE has been marked as patched. Also, in the corresponding spec file the user should add the file to the list of patches (e.g. Patch: CVE-2011-1111.patched).
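
An audit check for the .patched markers described above, as an added example that is not part of the original comment or of cve-check-tool's code. It assumes the CVE id is read from the file name as in the comment's examples and that spec entries look like `Patch:` or `PatchN:`; `audit_spec`, the finding strings and CVE-2011-2222 are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Spec lines such as "Patch: CVE-2011-1111.patched" or "Patch0: CVE-2011-1000.patch".
PATCH_LINE = re.compile(r"^\s*Patch\d*\s*:\s*(\S+)\s*$", re.IGNORECASE)
# Assumption: the CVE id is taken from the file name, as in the examples above.
CVE_FILE = re.compile(r"^(CVE-\d{4}-\d{4,})\.(patch|patched)$", re.IGNORECASE)


def audit_spec(spec_text, source_dir):
    """Return (patched, findings) for one spec file.

    patched maps CVE id -> "patch" (real fix) or "patched" (marker only).
    findings lists markers that are missing or contain no description.
    """
    patched, findings = {}, []
    for line in spec_text.splitlines():
        entry = PATCH_LINE.match(line)
        if not entry:
            continue
        name = Path(entry.group(1)).name
        cve_file = CVE_FILE.match(name)
        if not cve_file:
            continue  # ordinary patch, not named after a CVE
        cve, kind = cve_file.group(1).upper(), cve_file.group(2).lower()
        patched[cve] = kind
        if kind == "patched":
            marker = Path(source_dir) / name
            if not marker.is_file():
                findings.append((cve, "marker file missing"))
            elif not marker.read_text(errors="replace").strip():
                findings.append((cve, "marker has no description"))
    return patched, findings


if __name__ == "__main__":
    # Constructed sample: one real patch, one justified marker, one empty marker.
    spec = ("Patch0: CVE-2011-1000.patch\n"
            "Patch1: CVE-2011-1111.patched\n"
            "Patch2: CVE-2011-2222.patched\n")
    with tempfile.TemporaryDirectory() as src:
        Path(src, "CVE-2011-1111.patched").write_text("Fixed by CVE-2011-1000.patch\n")
        Path(src, "CVE-2011-2222.patched").write_text("\n")
        print(audit_spec(spec, src))
```

Because a marker changes the report without changing the code, listing every CVE whose status rests on a marker alone gives reviewers a short set of justifications to read.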

ikeydoherty commented 7 years ago

OK, let's do this.