On Mon, Aug 9, 2021 at 8:37 AM Ralph Siemsen <ralph.siem...@linaro.org> wrote:
>
> On Sun, Aug 08, 2021 at 04:33:59AM -1000, Steve Sakoman wrote:
> >Branch: dunfell
> >
> >New this week: 3 CVEs
> >CVE-2021-28966: ruby:ruby-native
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28966 *
> >CVE-2021-31810: ruby:ruby-native
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31810 *
> >CVE-2021-35942: glibc
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35942 *
>
> It looks like the glibc one is already fixed in the dunfell branch:
>
> commit e1e89ff7d75c3d22 ("glibc: update to lastest 2.31 release HEAD")
>
> Includes the following fixes:
>
> 4f0a61f753 wordexp: handle overflow in positional parameter number (bug 28011)
>
> which fixes the CVE, although it isn't mentioned in the commit:
>
> https://sourceware.org/git/?p=glibc.git;a=commit;h=4f0a61f75385c9a5879cbe7202042e88f692a3c8
>
> So I think all that's needed is CVE_CHECK_WHITELIST += "CVE-2021-35942"
> I can submit a patch for this if you wish...

That would be much appreciated!

Steve