From: "Valek, Andrej" <andrej.valek@siemens.com>
To: "steve@sakoman.com" <steve@sakoman.com>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551
Date: Tue, 14 Mar 2023 15:07:08 +0000 [thread overview]
Message-ID: <5a02a7cfc6b0cf6beb22eaf0e4f4f0e67bbb4458.camel@siemens.com> (raw)
In-Reply-To: <CAOSpxdb1J=XFjJ+1oxysiGSxMC7ec5TSuHqnokSotQGPZyVftA@mail.gmail.com>
Hello Steve,
Ok, looks like I received a wrong notification, sorry. So you can keep
there only the 42916.
Basically all the HSTS check features are not implemented in the 7.69.1
version.
Regards,
Andrej
On Tue, 2023-03-14 at 04:39 -1000, Steve Sakoman wrote:
> On Tue, Mar 14, 2023 at 4:26 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek
> > <andrej.valek@siemens.com> wrote:
> > >
> > > All mentioned CVEs are related to HSTS check feature, which is
> > > not
> > > implemented in version 7.69.1 .
> >
> > Is this due to an error in the CPE database? If so, perhaps the
> > better approach would be to send a version correction request to
> > cpe_dictionary@nist.gov
>
> Hmmm . . . looking at the most recent dunfell CVE report I see that
> only CVE-2022-42916 is listed.
>
> The CPE database indicates the issue is present for versions 7.57.0
> onwards up to but not including 7.88.0
>
> Steve
>
>
> > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > ---
> > > meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > b/meta/recipes-support/curl/curl_7.69.1.bb
> > > index 899daf8eac..ea36c0bd3d 100644
> > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-
> > > 22923 CVE-2021-22926 CVE-2021-229
> > > # This CVE issue affects Windows only Hence whitelisting this
> > > CVE
> > > CVE_CHECK_WHITELIST += "CVE-2021-22897"
> > >
> > > +# HSTS check feature is not implemented
> > > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-
> > > 43551"
> > > +
> > > inherit autotools pkgconfig binconfig multilib_header
> > >
> > > PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6',
> > > d)} gnutls libidn proxy threaded-resolver verbose zlib"
> > > --
> > > 2.39.2
> > >
> > >
> > >
> > >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#178493):
> > https://lists.openembedded.org/g/openembedded-core/message/178493
> > Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe:
> > https://lists.openembedded.org/g/openembedded-core/unsub [
> > steve@sakoman.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
next prev parent reply other threads:[~2023-03-14 15:07 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-09 15:15 curl Valek, Andrej
2023-03-09 15:24 ` curl Steve Sakoman
2023-03-10 9:54 ` [OE-core][dunfell][PATCH 1/2] curl: Fix CVE CVE-2022-43552 Andrej Valek
2023-03-10 9:54 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-03-14 14:26 ` Steve Sakoman
[not found] ` <174C4F5C0F6A96A7.18998@lists.openembedded.org>
2023-03-14 14:39 ` Steve Sakoman
2023-03-14 15:07 ` Valek, Andrej [this message]
2023-03-14 15:09 ` Steve Sakoman
2023-03-10 12:45 ` [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897 Andrej Valek
2023-03-10 13:09 ` Valek, Andrej
2023-03-10 14:40 ` Steve Sakoman
2023-03-10 14:49 ` Valek, Andrej
2023-03-10 14:56 ` Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2023-05-19 8:18 [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-12 11:57 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-06-12 12:01 ` Valek, Andrej
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5a02a7cfc6b0cf6beb22eaf0e4f4f0e67bbb4458.camel@siemens.com \
--to=andrej.valek@siemens.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=steve@sakoman.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox