On Wednesday 04 August 2021 at 08:05:27 -1000, Steve Sakoman wrote:
> On Wed, Aug 4, 2021 at 7:27 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman....@lists.openembedded.org>
> wrote:
> >
> > On Wed, Aug 4, 2021 at 7:06 AM Mike Crowe via lists.openembedded.org
> > <yocto=mac.mcrowe....@lists.openembedded.org> wrote:
> > >
> > > curl v7.78 contained fixes for five CVEs:
> > >
> > > CVE-2021-22922[1] and CVE-2021-22923[2] are only present when support
> > > for metalink is enabled. EXTRA_OECONF contains "--without-libmetalink"
> > > so these fixes are unnecessary.
> > >
> > > CVE-2021-22926[3] only affects builds for MacOS.
> > >
> > > CVE-2021-22924[4] and CVE-2021-22925[5] are both applicable. Take the
> > > patches from Ubuntu 20.04 curl_7.68.0-1ubuntu2.6 package which is close
> > > enough that the patch for CVE-2021-22924 applies without conflicts. The
> > > CVE-2021-22925 patch required only a small tweak to apply.
> > >
> > > [1] https://curl.se/docs/CVE-2021-22922.html
> > > [2] https://curl.se/docs/CVE-2021-22923.html
> > > [3] https://curl.se/docs/CVE-2021-22926.html
> > > [4] https://curl.se/docs/CVE-2021-22924.html
> > > [5] https://curl.se/docs/CVE-2021-22925.html
> >
> > This patch wouldn't apply because there's another curl CVE fix in my
> > testing queue (curl: Fix for CVE-2021-22898):
> >
> > https://lists.openembedded.org/g/openembedded-core/message/154145
> >
> > I went ahead and did the required fixup so no need for you to do anything.
>
> Sigh. I spoke too soon. Your CVE-2021-22925 patch and the previous
> CVE-2021-22898 patch both touch lib/telnet.c so your patch won't apply
> now.
>
> You mentioned that you had to tweak the CVE-2021-22925 patch, might
> this be related to the CVE-2021-22898 fix (which is a one-liner)?

Ah, yes. That's the change I had to accommodate. You can either tweak my
patch (just adding the "== 2" to the patch should work - that's the
opposite of what I did) or just drop your CVE-2021-22898 patch since the
CVE-2021-22925 patch supersedes it.

Alternatively, I can do whichever of those you prefer tomorrow if you wish.

Thanks.

Mike.