
package/freeradius-server: ignore CVE-2002-0318 and CVE-2011-4966

CVE-2002-0318 has been mitigated by adding a new config option in
freeradius-server commit f0f762d1439336fff9c8b90291364ddff583f698,
which is part of release_0_5_0 onwards.
See also the original report ([1]).
The NVD database's CPE configuration doesn't have an associated
version number, which is why our CVE check still reports it.

For CVE-2011-4966, the CVE description (see [2]) mentions the issue is
fixed in version 2.2.0 onwards, but the CPE again doesn't use a
version number.

To reduce the noise in the list of CVEs that pkg-stats reports, ignore
them.

FWIW, yocto/oe also ignores them (see [3]).

[1]: https://marc.info/?l=bugtraq&m=101440113410083&w=2#2
[2]: https://nvd.nist.gov/vuln/detail/CVE-2011-4966
[3]: https://patchwork.yoctoproject.org/project/oe/patch/20220715133515.14298-1-davide.gardenal@huawei.com/

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 913bdcda44159e3b517b611dc7fbb2d105be343d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
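The commit message's core point is that a CVE whose NVD configuration carries no version bound matches every package version, so a version-aware checker keeps reporting it until it is ignored explicitly. The script below is an added example, not Buildroot's own support/scripts/cve.py or pkg-stats: it runs the same kind of per-entry version test over a constructed sample database. The match records follow the field names of NVD's JSON 2.0 cpeMatch objects (criteria, vulnerable, versionStartIncluding, versionStartExcluding, versionEndIncluding, versionEndExcluding); the two real CVE ids are modelled as the commit message describes them (no version bound), and the bounded entry under the placeholder id CVE-0000-0000 is hypothetical, only there to show the contrast.

```python
"""Why a version-less NVD CPE entry keeps a fixed CVE on the report.

Added example, not Buildroot's support/scripts/cve.py. The match data
below is constructed; it follows the field names of NVD's JSON 2.0
"cpeMatch" objects (criteria, vulnerable, versionStartIncluding,
versionStartExcluding, versionEndIncluding, versionEndExcluding).
"""
import re


def parse_version(text):
    """Turn "3.0.26" into (3, 0, 26); non-numeric components become 0.

    Deliberately simplified: a real checker needs a full version grammar.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def vcmp(a, b):
    """Compare two version strings: -1, 0 or 1, padding short tuples with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def has_version_bound(entry):
    """True if the cpeMatch entry constrains the version in any way."""
    fields = entry["criteria"].split(":")
    if fields[5] not in ("*", "-"):  # exact version inside the CPE string itself
        return True
    return any(k in entry for k in ("versionStartIncluding", "versionStartExcluding",
                                    "versionEndIncluding", "versionEndExcluding"))


def entry_matches(entry, product, version):
    """True if one cpeMatch entry says `product` at `version` is vulnerable."""
    fields = entry["criteria"].split(":")
    if not entry.get("vulnerable", True) or fields[4] != product:
        return False
    exact = fields[5]
    if exact not in ("*", "-") and vcmp(version, exact) != 0:
        return False
    # Range bounds; an entry carrying none of them matches every version.
    if "versionStartIncluding" in entry and vcmp(version, entry["versionStartIncluding"]) < 0:
        return False
    if "versionStartExcluding" in entry and vcmp(version, entry["versionStartExcluding"]) <= 0:
        return False
    if "versionEndIncluding" in entry and vcmp(version, entry["versionEndIncluding"]) > 0:
        return False
    if "versionEndExcluding" in entry and vcmp(version, entry["versionEndExcluding"]) >= 0:
        return False
    return True


def affected_cves(cve_db, product, version, ignore=()):
    """CVE ids whose match list hits product@version, minus the ignore list."""
    hits = [cve for cve, entries in cve_db.items()
            if cve not in ignore and any(entry_matches(e, product, version) for e in entries)]
    return sorted(hits)


def unbounded_cves(cve_db):
    """CVE ids where at least one vulnerable entry has no version bound at all."""
    return sorted(cve for cve, entries in cve_db.items()
                  if any(e.get("vulnerable", True) and not has_version_bound(e) for e in entries))


CPE_ALL = "cpe:2.3:a:freeradius:freeradius:*:*:*:*:*:*:*:*"

# Constructed sample database. The two real CVE ids are modelled the way the
# commit message describes their NVD records (no version bound); the entry
# under the placeholder id CVE-0000-0000 is hypothetical and only shows what
# a version-bounded record looks like.
SAMPLE_DB = {
    "CVE-2002-0318": [{"criteria": CPE_ALL, "vulnerable": True}],
    "CVE-2011-4966": [{"criteria": CPE_ALL, "vulnerable": True}],
    "CVE-0000-0000": [{"criteria": CPE_ALL, "vulnerable": True,
                       "versionEndExcluding": "2.2.0"}],
}

# Mirrors FREERADIUS_SERVER_IGNORE_CVES from the patch.
IGNORE_CVES = ("CVE-2002-0318", "CVE-2011-4966")

if __name__ == "__main__":
    for ver in ("2.1.12", "3.0.26"):
        print(ver, "without ignore list:", affected_cves(SAMPLE_DB, "freeradius", ver))
        print(ver, "with ignore list:   ", affected_cves(SAMPLE_DB, "freeradius", ver, IGNORE_CVES))
    print("entries with no version bound:", unbounded_cves(SAMPLE_DB))
```

Run as-is, the bounded placeholder entry drops out for 3.0.26 on its own, while the two version-less entries stay until the ignore list removes them; `unbounded_cves` is the kind of check worth running before adding an ignore entry, to confirm the report really stems from a missing version bound rather than from an affected version.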
Raphaël Mélotte 3 months ago
parent
commit 49d043172d
1 changed file with 7 additions and 0 deletions

package/freeradius-server/freeradius-server.mk (+7 -0)

@@ -15,6 +15,13 @@ FREERADIUS_SERVER_CPE_ID_PRODUCT = freeradius
 FREERADIUS_SERVER_DEPENDENCIES = libtalloc
 FREERADIUS_SERVER_AUTORECONF = YES
 
+# Mitigated upstream since version 0.5.0, NVD database entry not
+# up-to-date
+FREERADIUS_SERVER_IGNORE_CVES += CVE-2002-0318
+
+# Fixed in 2.2.0, NVD database entry not up-to-date
+FREERADIUS_SERVER_IGNORE_CVES += CVE-2011-4966
+
 # We're patching src/modules/rlm_krb5/configure.ac
 define FREERADIUS_SERVER_RUN_KRB5_AUTORECONF
 	cd $(@D)/src/modules/rlm_krb5; $(AUTORECONF) -I$(@D)/m4
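Review bot: the comment above `FREERADIUS_SERVER_IGNORE_CVES += CVE-2002-0318` says "Mitigated upstream since version 0.5.0", but the commit message explains that the mitigation is a new configuration option added in upstream commit f0f762d1439336fff9c8b90291364ddff583f698, and an ignore entry silences the report regardless of how freeradius is configured in the target image. The comment should say that the mitigation is an opt-in config option and name the upstream commit, so that whoever next reviews this list can verify the justification without re-reading the git log, for example `# Mitigation (config option) available upstream since 0.5.0, see f0f762d1; NVD CPE entry has no version bound`. For the same reason, both comments would be more accurate with "NVD CPE entry has no version bound" than "NVD database entry not up-to-date": the check fires because the CPE configuration carries no version at all, which is what the commit message describes, not because the record is stale.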