From: Peter Korsgaard <peter@korsgaard.com>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [git commit] package/dmidecode: bump to version 3.5
Date: Tue, 29 Aug 2023 10:55:08 +0200
Message-ID: <87edjm5itv.fsf@48ers.dk>
In-Reply-To: <20230828235935.4dcd6b5a@windsurf> (Thomas Petazzoni's message of "Mon, 28 Aug 2023 23:59:35 +0200")

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

> Hello Peter,
> On Tue, 27 Jun 2023 07:48:40 +0200
> Peter Korsgaard <peter@korsgaard.com> wrote:

>> commit: https://git.buildroot.net/buildroot/commit/?id=c97f27283b36ffc39dfb6223caee6055997b3234
>> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
>>
>> For change log, see:
>> https://git.savannah.gnu.org/cgit/dmidecode.git/tree/NEWS?h=dmidecode-3-5
>>
>> Note: this patch also adds a comment about pgp signature verification in
>> the hash file.
>>
>> Signed-off-by: Julien Olivain <ju.o@free.fr>
>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

> FYI: this is a security bump, as it fixes
> https://nvd.nist.gov/vuln/detail/CVE-2023-30630. "Dmidecode before 3.5
> allows -dump-bin to overwrite a local file. This has security relevance
> because, for example, execution of Dmidecode via Sudo is plausible."

OK. Somewhat unlikely threat model expecting people to run dmidecode
-dump-bin on untrusted machines in directories with other files, but oh well.

> So getting dmidecode 3.5 in Buildroot 2023.02 and 2023.05 is probably OK.

Yes, I'll do that. Thanks for the heads up!

--
Bye, Peter Korsgaard