From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>,
Luca Ceresoli <luca.ceresoli@bootlin.com>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 2/2] package/exim: mark CVE-2022-3620 as ignored
Date: Sat, 3 Dec 2022 15:34:04 +0100 [thread overview]
Message-ID: <20221203153404.2345d457@windsurf> (raw)
In-Reply-To: <20221202183631.2066307-2-peter@korsgaard.com>
On Fri, 2 Dec 2022 19:36:31 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:
> CVE-2022-3620: A vulnerability was found in Exim and classified as
> problematic. This issue affects the function dmarc_dns_lookup of the file
> dmarc.c of the component DMARC Handler. The manipulation leads to use after
> free. The attack may be initiated remotely. The name of the patch is
> 12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445. It is recommended to apply a
> patch to fix this issue. The associated identifier of this vulnerability is
> VDB-211919.
>
> This vulnerability is in the DMARC handling, which is only used if
> libopendmarc is available AND SUPPORT_DMARC is set to yes, neither of which
> is true for Buildroot, so ignore the CVE.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/exim/exim.mk | 3 +++
> 1 file changed, 3 insertions(+)
We need to be careful to un-ignore this CVE if we enable DMARC support
before we bump to a newer release that has the CVE fixed. But
admittedly, it's unlikely that we will enable DMARC support anytime
soon.
Applied to master, thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2022-12-03 14:34 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-02 18:36 [Buildroot] [PATCH 1/2] package/exim: add upstream security fixes for CVE-2022-3559 Peter Korsgaard
2022-12-02 18:36 ` [Buildroot] [PATCH 2/2] package/exim: mark CVE-2022-3620 as ignored Peter Korsgaard
2022-12-03 14:34 ` Thomas Petazzoni via buildroot [this message]
2022-12-07 15:03 ` Peter Korsgaard
2022-12-03 14:33 ` [Buildroot] [PATCH 1/2] package/exim: add upstream security fixes for CVE-2022-3559 Thomas Petazzoni via buildroot
2022-12-07 15:03 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221203153404.2345d457@windsurf \
--to=buildroot@buildroot.org \
--cc=bernd.kuhls@t-online.de \
--cc=luca.ceresoli@bootlin.com \
--cc=peter@korsgaard.com \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.