On Wednesday 04 August 2021 at 06:44:51 -1000, Steve Sakoman wrote:

> On Tue, Aug 3, 2021 at 10:11 PM Mike Crowe via lists.openembedded.org
> <yocto=mac.mcrowe....@lists.openembedded.org> wrote:
> >
> > curl v7.78 contained fixes for five CVEs:
> >
> > CVE-2021-22922 and CVE-2021-22923 are only present when support for
> > metalink is enabled. EXTRA_OECONF contains "--without-libmetalink" so
> > these fixes are unnecessary.
> >
> > CVE-2021-22926 only affects builds for MacOS.
> >
> > CVE-2021-22924 and CVE-2021-22925 are both applicable. Take the patches
> > from Ubuntu 20.04 curl_7.68.0-1ubuntu2.6 package which is close enough
> > that the patch for CVE-2021-22924 applies without conflicts. The
> > CVE-2021-22925 patch required only a small tweak to apply.
>
> Being curious why none of these are showing up in the reports I
> checked the CPE database and it seems none of them are present! So
> that explains why.
>
> Do you know why they are missing? Perhaps a status of RESERVED? See:
>
> https://nvd.nist.gov/vuln/detail/CVE-2021-22923
I'm afraid that I have no idea. :( I just watch curl release announcements to assess the security impact on our products and spotted these.

> Since they seem to be real issues though I can take the patch once you
> send a V2 with the issue below fixed.
> [ Need to have a CVE tag and your signed-off-by in both patch files. ]

v2 should have arrived. I must have sneaked my previous CVE fixes through without them somehow. :)

> It might make sense to whitelist the CVEs that don't apply to us so
> that once the entries hit the database we will already have dealt with
> them.

Hopefully done.

Thanks.

Mike.
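The review comment above asks for a CVE tag and a Signed-off-by line in each backported patch file. The following script is an added example, not part of this thread or of the openembedded-core tree: it checks a patch file for both tags before it is submitted, so a missing tag is caught locally rather than in review. The sample patch files it creates are constructed for the demonstration; the CVE identifier used in them (CVE-2021-22924) is taken from the thread, and the author name and address are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a backported patch file
# carries the "CVE:" and "Signed-off-by:" header tags expected for a CVE fix.
# Returns 0 when both tags are present, 1 otherwise, naming the missing ones.
check_patch_tags() {
    patch="$1"
    missing=""
    # A CVE tag looks like "CVE: CVE-YYYY-NNNN" (four or more digits after the year).
    grep -q '^CVE: CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*' "$patch" \
        || missing="$missing CVE"
    # A Signed-off-by line carries a name and an e-mail address in angle brackets.
    grep -q '^Signed-off-by: .* <.*@.*>' "$patch" \
        || missing="$missing Signed-off-by"
    if [ -n "$missing" ]; then
        echo "$patch: missing tag(s):$missing" >&2
        return 1
    fi
    return 0
}

# Run the check over every *.patch file in a directory; returns 1 if any fails.
check_patch_dir() {
    rc=0
    for p in "$1"/*.patch; do
        [ -e "$p" ] || continue
        check_patch_tags "$p" || rc=1
    done
    return $rc
}

# Constructed sample patches: one with both tags, one with neither.
DEMO_DIR=$(mktemp -d)
GOOD_PATCH="$DEMO_DIR/CVE-2021-22924.patch"
BAD_PATCH="$DEMO_DIR/untagged.patch"

cat > "$GOOD_PATCH" <<'EOF'
From: Example Author <author@example.invalid>
Subject: [PATCH] curl: fix CVE-2021-22924

CVE: CVE-2021-22924
Upstream-Status: Backport
Signed-off-by: Example Author <author@example.invalid>
---
 lib/vtls/vtls.c | 1 +
 1 file changed, 1 insertion(+)
EOF

cat > "$BAD_PATCH" <<'EOF'
From: Example Author <author@example.invalid>
Subject: [PATCH] curl: fix something

---
 lib/url.c | 1 +
 1 file changed, 1 insertion(+)
EOF

# Demonstration run: the good patch passes, the untagged one is reported.
check_patch_tags "$GOOD_PATCH" && echo "$GOOD_PATCH: ok"
check_patch_tags "$BAD_PATCH" || echo "$BAD_PATCH: needs tags before submission"
```

Pointing `check_patch_dir` at a recipe's `files/` directory gives a quick pre-submission check; the grep patterns deliberately accept only the exact header spellings, since that is what downstream CVE tooling and reviewers look for.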
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#154446): https://lists.openembedded.org/g/openembedded-core/message/154446
Mute This Topic: https://lists.openembedded.org/mt/84657570/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-