On Sun, Aug 08, 2021 at 04:33:59AM -1000, Steve Sakoman wrote:
> Branch: dunfell
>
> New this week: 3 CVEs
> CVE-2021-28966: ruby:ruby-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28966 *
> CVE-2021-31810: ruby:ruby-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31810 *
> CVE-2021-35942: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35942 *

It looks like the glibc one is already fixed in the dunfell branch:

commit e1e89ff7d75c3d22 ("glibc: update to lastest 2.31 release HEAD")

Includes the following fixes:

4f0a61f753 wordexp: handle overflow in positional parameter number (bug 28011)

which fixes the CVE, although it isn't mentioned in the commit:

https://sourceware.org/git/?p=glibc.git;a=commit;h=4f0a61f75385c9a5879cbe7202042e88f692a3c8

So I think all that's needed is CVE_CHECK_WHITELIST += "CVE-2021-35942"
I can submit a patch for this if you wish...

Regards,
Ralph
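The situation above (a CVE fixed by a commit that is already in the recipe's SRCREV but never names the CVE, so cve-check cannot see it) can be checked mechanically before adding a whitelist entry. The script below is an added example, not from the thread or from oe-core: it matches a recipe's "Includes the following fixes" list against known upstream fix commits, both by CVE id in the subject and by abbreviated-hash prefix, and renders the CVE_CHECK_WHITELIST line only for CVEs whose fix was actually found. The second fix-list line, the second CVE id and its hash are constructed placeholders.

```python
import re

# Constructed sample: the "Includes the following fixes" list of a glibc
# recipe update, in the "<short-hash> <subject>" form used in the message.
FIX_LIST = """\
4f0a61f753 wordexp: handle overflow in positional parameter number (bug 28011)
0123456789 example: unrelated fix (constructed placeholder line)
"""

# Upstream fix commit per CVE. The first entry comes from the message;
# the second is a constructed placeholder for a CVE whose fix is absent.
CVE_FIX_COMMITS = {
    "CVE-2021-35942": "4f0a61f75385c9a5879cbe7202042e88f692a3c8",
    "CVE-0000-00000": "ffffffffffffffffffffffffffffffffffffffff",  # placeholder
}

LINE_RE = re.compile(r"^([0-9a-f]{7,40})\s+(.*)$")


def parse_fix_list(text):
    """Return [(short_hash, subject)] for well-formed lines; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def covered_cves(text, cve_fixes):
    """Map each CVE to the fix-list entry covering it, or None if not found.

    A commit covers a CVE if its subject names the CVE id or if its abbreviated
    hash is a prefix of the known upstream fix commit. The hash path is the one
    that matters when, as here, the commit message never mentions the CVE.
    """
    entries = parse_fix_list(text)
    result = {}
    for cve, full_hash in cve_fixes.items():
        result[cve] = None
        for short_hash, subject in entries:
            if cve in subject or full_hash.startswith(short_hash):
                result[cve] = f"{short_hash} {subject}"
                break
    return result


def whitelist_line(covered):
    """Render the recipe line for covered CVEs; empty string if none qualify."""
    ids = sorted(c for c, hit in covered.items() if hit)
    return f'CVE_CHECK_WHITELIST += "{" ".join(ids)}"' if ids else ""


if __name__ == "__main__":
    found = covered_cves(FIX_LIST, CVE_FIX_COMMITS)
    for cve, hit in found.items():
        print(f"{cve}: {'covered by ' + hit if hit else 'NOT covered, keep open'}")
    print(whitelist_line(found))
```

A CVE with no matching commit is left out of the rendered line, so it stays visible in the cve-check report instead of being silently suppressed.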