On Sun, Aug 08, 2021 at 04:33:59AM -1000, Steve Sakoman wrote:
> Branch: dunfell
> New this week: 3 CVEs
> CVE-2021-28966: ruby:ruby-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28966 *
> CVE-2021-31810: ruby:ruby-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31810 *
> CVE-2021-35942: glibc
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35942 *
It looks like the glibc one is already fixed in the dunfell branch:
commit e1e89ff7d75c3d22 ("glibc: update to lastest 2.31 release HEAD")
Includes the following fixes:
4f0a61f753 wordexp: handle overflow in positional parameter number (bug 28011)
which fixes the CVE, although it isn't mentioned in the commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=4f0a61f75385c9a5879cbe7202042e88f692a3c8
So I think all that's needed is CVE_CHECK_WHITELIST += "CVE-2021-35942"
I can submit a patch for this if you wish...
Regards,
Ralph
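The check behind this reasoning, as an added example that is not part of the mail: before whitelisting a CVE as already fixed, confirm that the upstream fix commit is an ancestor of the revision the recipe actually builds. The function names, the two-commit demo repository (constructed so it runs offline, standing in for glibc.git) and the recipe-fragment format are assumptions; the CVE id and the fix hash 4f0a61f75385c9a5879cbe7202042e88f692a3c8 come from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: verify that a fix commit is
# reachable from the built revision (the recipe's SRCREV) before whitelisting.

# fix_in_srcrev <git-dir> <fix-commit> <built-rev>: returns 0 if included
fix_in_srcrev() {
    repo=$1; fix=$2; built=$3
    # An object the clone does not know cannot be an ancestor; report that
    # explicitly rather than letting merge-base fail with a cryptic error.
    if ! git -C "$repo" cat-file -e "$fix^{commit}" 2>/dev/null; then
        echo "absent: $fix is not a commit in $repo"; return 1
    fi
    if git -C "$repo" merge-base --is-ancestor "$fix" "$built"; then
        echo "present: $fix is reachable from $built"; return 0
    fi
    echo "absent: $fix is not reachable from $built"; return 1
}

# whitelist_fragment <cve> <fix-commit>: recipe/.bbappend lines to add once
# the check passes, recording the reason next to the entry (format assumed).
whitelist_fragment() {
    printf '# %s fixed by upstream commit %s\nCVE_CHECK_WHITELIST += "%s"\n' \
        "$1" "$2" "$1"
}

# make_demo_repo: constructed two-commit repository; prints its path.
# HEAD~1 plays the pre-fix SRCREV, HEAD plays the fix commit.
make_demo_repo() {
    d=$(mktemp -d)
    git -C "$d" init -q
    git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "glibc 2.31 base (constructed)"
    git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty \
        -m "wordexp: handle overflow in positional parameter number (bug 28011)"
    echo "$d"
}

# demo: whitelist CVE-2021-35942 only when the built revision contains the fix.
demo() {
    r=$(make_demo_repo)
    old=$(git -C "$r" rev-parse HEAD~1); fix=$(git -C "$r" rev-parse HEAD)
    fix_in_srcrev "$r" "$fix" "$old" || true     # SRCREV predates the fix
    if fix_in_srcrev "$r" "$fix" "$fix"; then    # SRCREV includes the fix
        whitelist_fragment CVE-2021-35942 "$fix"
    fi
    rm -rf "$r"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check.sh demo`; against a real tree, pass the glibc clone, the fix hash from the thread and the recipe's SRCREV to `fix_in_srcrev`.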
View/Reply Online (#154657):
https://lists.openembedded.org/g/openembedded-core/message/154657