On Wed, Aug 4, 2021 at 9:42 AM Mike Crowe <yo...@mac.mcrowe.com> wrote:
>
> On Wednesday 04 August 2021 at 08:05:27 -1000, Steve Sakoman wrote:
> > On Wed, Aug 4, 2021 at 7:27 AM Steve Sakoman via
> > lists.openembedded.org <steve=sakoman....@lists.openembedded.org>
> > wrote:
> > >
> > > On Wed, Aug 4, 2021 at 7:06 AM Mike Crowe via lists.openembedded.org
> > > <yocto=mac.mcrowe....@lists.openembedded.org> wrote:
> > > >
> > > > curl v7.78 contained fixes for five CVEs:
> > > >
> > > > CVE-2021-22922[1] and CVE-2021-22923[2] are only present when support
> > > > for metalink is enabled. EXTRA_OECONF contains "--without-libmetalink"
> > > > so these fixes are unnecessary.
> > > >
> > > > CVE-2021-22926[3] only affects builds for MacOS.
> > > >
> > > > CVE-2021-22924[4] and CVE-2021-22925[5] are both applicable. Take the
> > > > patches from Ubuntu 20.04 curl_7.68.0-1ubuntu2.6 package which is close
> > > > enough that the patch for CVE-2021-22924 applies without conflicts. The
> > > > CVE-2021-22925 patch required only a small tweak to apply.
> > > >
> > > > [1] https://curl.se/docs/CVE-2021-22922.html
> > > > [2] https://curl.se/docs/CVE-2021-22923.html
> > > > [3] https://curl.se/docs/CVE-2021-22926.html
> > > > [4] https://curl.se/docs/CVE-2021-22924.html
> > > > [5] https://curl.se/docs/CVE-2021-22925.html
> > >
> > > This patch wouldn't apply because there's another curl CVE fix in my
> > > testing queue (curl: Fix for CVE-2021-22898):
> > >
> > > https://lists.openembedded.org/g/openembedded-core/message/154145
> > >
> > > I went ahead and did the required fixup so no need for you to do anything.
> >
> > Sigh. I spoke too soon. Your CVE-2021-22925 patch and the previous
> > CVE-2021-22898 patch both touch lib/telnet.c so your patch won't apply
> > now.
> >
> > You mentioned that you had to tweak the CVE-2021-22925 patch, might
> > this be related to the CVE-2021-22898 fix (which is a one-liner)?
>
> Ah, yes. That's the change I had to accommodate.
> You can either tweak my
> patch (just adding the "== 2" to the patch should work - that's the
> opposite of what I did) or just drop your CVE-2021-22898 patch since the
> CVE-2021-22925 patch supersedes it.
OK, I'll tweak your patch and start testing.

Steve
View/Reply Online (#154462): https://lists.openembedded.org/g/openembedded-core/message/154462