From: Peter Korsgaard <peter@korsgaard.com>
To: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Subject: Re: [Buildroot] [PATCH] package/log4cxx: ignore CVE-2023-31038
Date: Thu, 14 Sep 2023 10:23:29 +0200 [thread overview]
Message-ID: <87cyylyxha.fsf@48ers.dk> (raw)
In-Reply-To: <20230828223215.2428514-1-thomas.petazzoni@bootlin.com> (Thomas Petazzoni via buildroot's message of "Tue, 29 Aug 2023 00:32:14 +0200")
>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:
> CVE-2023-31038 affects log4cxx only if ODBC is supported. While
> CVE-2023-31038 has been fixed in newer versions of log4cxx, there is
> quite a huge gap to do a version bump, and the commit that fixes
> CVE-2023-31038 could not be identified.
> Therefore, we want to rely on the fact that our log4cxx package does
> not support ODBC: there is indeed no explicit dependency on our
> unixodbc package in log4cxx.mk. However, log4cxx automatically detects
> if ODBC is available and if it is, it uses it.
> So what we do in this commit is backport an upstream commit, which
> adds explicitly options to enable/disable ODBC and ESMTP support, and
> we use them to (1) always disable ODBC and (2) explicitly
> enable/disable ESMTP support.
> Thanks to ODBC being disabled, we're not affected by CVE-2023-31038.
> Of course, there is a potential regression for users who were relying
> on the implicit unixodbc dependency, but as we could not identify the
> commit fixing the CVE-2023-31038, this is the best we can do at the
> moment.
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Committed to 2023.02.x and 2023.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
prev parent reply other threads:[~2023-09-14 8:23 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-28 22:32 [Buildroot] [PATCH] package/log4cxx: ignore CVE-2023-31038 Thomas Petazzoni via buildroot
2023-08-30 20:04 ` Arnout Vandecappelle via buildroot
2023-09-14 8:23 ` Peter Korsgaard [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87cyylyxha.fsf@48ers.dk \
--to=peter@korsgaard.com \
--cc=buildroot@buildroot.org \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.