From: "Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)" <asparmar@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com,
Ashishkumar Parmar <asparmar@cisco.com>
Subject: [OE-core] [scarthgap] [PATCH 4/5] bind: Ignore CVE-2026-3039
Date: Wed, 10 Jun 2026 03:04:03 -0700 [thread overview]
Message-ID: <20260610100404.2993940-4-asparmar@cisco.com> (raw)
In-Reply-To: <20260610100404.2993940-1-asparmar@cisco.com>
From: Ashishkumar Parmar <asparmar@cisco.com>
Analysis:
- CVE-2026-3039 affects BIND servers using TKEY-based
authentication via GSS-API tokens [1].
- This recipe configures BIND with --with-gssapi=no, so the
vulnerable GSS-API TKEY negotiation path is disabled [2].
- Hence ignoring the CVE for this build configuration.
Reference:
[1] https://kb.isc.org/docs/cve-2026-3039
[2] meta/recipes-connectivity/bind/bind_9.18.44.bb
Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
---
meta/recipes-connectivity/bind/bind_9.18.44.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-connectivity/bind/bind_9.18.44.bb b/meta/recipes-connectivity/bind/bind_9.18.44.bb
index dd8923f185..7b5baf5338 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.44.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.44.bb
@@ -43,6 +43,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
# so the issue doesn't affect us.
CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
+CVE_STATUS[CVE-2026-3039] = "not-applicable-config: BIND is built with --with-gssapi=no, so GSS-API TKEY negotiation is disabled."
inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
--
2.35.6
next prev parent reply other threads:[~2026-06-10 10:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 10:04 [OE-core] [scarthgap] [PATCH 1/5] bind: Fix CVE-2026-1519 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-10 10:04 ` [OE-core] [scarthgap] [PATCH 2/5] bind: Fix CVE-2026-5950 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-10 10:04 ` [OE-core] [scarthgap] [PATCH 3/5] bind: Fix CVE-2026-3592 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-10 10:04 ` Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) [this message]
2026-06-10 10:04 ` [OE-core] [scarthgap] [PATCH 5/5] bind: Fix CVE-2026-5946 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-26 16:59 ` [OE-core] [scarthgap] [PATCH 1/5] bind: Fix CVE-2026-1519 Yoann Congal
2026-07-06 10:53 ` Yoann Congal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260610100404.2993940-4-asparmar@cisco.com \
--to=asparmar@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=to@cisco.com \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).