| Message ID | 20230310095402.85948-2-andrej.valek@siemens.com |
|---|---|
| State | New |
| Headers | show |
| Series | [dunfell,1/2] curl: Fix CVE CVE-2022-43552 | expand |
On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek <andrej.valek@siemens.com> wrote: > > All mentioned CVEs are related to HSTS check feature, which is not > implemented in version 7.69.1 . Is this due to an error in the CPE database? If so, perhaps the better approach would be to send a version correction request to cpe_dictionary@nist.gov Steve > Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > --- > meta/recipes-support/curl/curl_7.69.1.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb > index 899daf8eac..ea36c0bd3d 100644 > --- a/meta/recipes-support/curl/curl_7.69.1.bb > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229 > # This CVE issue affects Windows only Hence whitelisting this CVE > CVE_CHECK_WHITELIST += "CVE-2021-22897" > > +# HSTS check feature is not implemented > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551" > + > inherit autotools pkgconfig binconfig multilib_header > > PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib" > -- > 2.39.2 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#178321): https://lists.openembedded.org/g/openembedded-core/message/178321 > Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Tue, Mar 14, 2023 at 4:26 AM Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> wrote: > > On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek <andrej.valek@siemens.com> wrote: > > > > All mentioned CVEs are related to HSTS check feature, which is not > > implemented in version 7.69.1 . > > Is this due to an error in the CPE database? If so, perhaps the > better approach would be to send a version correction request to > cpe_dictionary@nist.gov Hmmm . . . looking at the most recent dunfell CVE report I see that only CVE-2022-42916 is listed. The CPE database indicates the issue is present for versions 7.57.0 onwards up to but not including 7.88.0 Steve > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > > --- > > meta/recipes-support/curl/curl_7.69.1.bb | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb > > index 899daf8eac..ea36c0bd3d 100644 > > --- a/meta/recipes-support/curl/curl_7.69.1.bb > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229 > > # This CVE issue affects Windows only Hence whitelisting this CVE > > CVE_CHECK_WHITELIST += "CVE-2021-22897" > > > > +# HSTS check feature is not implemented > > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551" > > + > > inherit autotools pkgconfig binconfig multilib_header > > > > PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib" > > -- > > 2.39.2 > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#178493): https://lists.openembedded.org/g/openembedded-core/message/178493 > Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hello Steve, Ok, looks like I received a wrong notification, sorry. So you can keep there only the 42916. Basically all the HSTS check features are not implemented in the 7.69.1 version. Regards, Andrej On Tue, 2023-03-14 at 04:39 -1000, Steve Sakoman wrote: > On Tue, Mar 14, 2023 at 4:26 AM Steve Sakoman via > lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> > wrote: > > > > On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek > > <andrej.valek@siemens.com> wrote: > > > > > > All mentioned CVEs are related to HSTS check feature, which is > > > not > > > implemented in version 7.69.1 . > > > > Is this due to an error in the CPE database? If so, perhaps the > > better approach would be to send a version correction request to > > cpe_dictionary@nist.gov > > Hmmm . . . looking at the most recent dunfell CVE report I see that > only CVE-2022-42916 is listed. > > The CPE database indicates the issue is present for versions 7.57.0 > onwards up to but not including 7.88.0 > > Steve > > > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > > > --- > > > meta/recipes-support/curl/curl_7.69.1.bb | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb > > > b/meta/recipes-support/curl/curl_7.69.1.bb > > > index 899daf8eac..ea36c0bd3d 100644 > > > --- a/meta/recipes-support/curl/curl_7.69.1.bb > > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > > > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021- > > > 22923 CVE-2021-22926 CVE-2021-229 > > > # This CVE issue affects Windows only Hence whitelisting this > > > CVE > > > CVE_CHECK_WHITELIST += "CVE-2021-22897" > > > > > > +# HSTS check feature is not implemented > > > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022- > > > 43551" > > > + > > > inherit autotools pkgconfig binconfig multilib_header > > > > > > PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', > > > d)} gnutls libidn proxy threaded-resolver verbose zlib" > > > -- > > > 2.39.2 > > > > > > > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#178493): > > https://lists.openembedded.org/g/openembedded-core/message/178493 > > Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: > > https://lists.openembedded.org/g/openembedded-core/unsub [ > > steve@sakoman.com] > > -=-=-=-=-=-=-=-=-=-=-=- > >
On Tue, Mar 14, 2023 at 5:07 AM Valek, Andrej <andrej.valek@siemens.com> wrote: > > Hello Steve, > > Ok, looks like I received a wrong notification, sorry. So you can keep > there only the 42916. > Basically all the HSTS check features are not implemented in the 7.69.1 > version. I still have the same comment on how we should handle this issue: > > > Is this due to an error in the CPE database? If so, perhaps the > > > better approach would be to send a version correction request to > > > cpe_dictionary@nist.gov Steve > > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > > > > --- > > > > meta/recipes-support/curl/curl_7.69.1.bb | 3 +++ > > > > 1 file changed, 3 insertions(+) > > > > > > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb > > > > b/meta/recipes-support/curl/curl_7.69.1.bb > > > > index 899daf8eac..ea36c0bd3d 100644 > > > > --- a/meta/recipes-support/curl/curl_7.69.1.bb > > > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > > > > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021- > > > > 22923 CVE-2021-22926 CVE-2021-229 > > > > # This CVE issue affects Windows only Hence whitelisting this > > > > CVE > > > > CVE_CHECK_WHITELIST += "CVE-2021-22897" > > > > > > > > +# HSTS check feature is not implemented > > > > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022- > > > > 43551" > > > > + > > > > inherit autotools pkgconfig binconfig multilib_header > > > > > > > > PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', > > > > d)} gnutls libidn proxy threaded-resolver verbose zlib" > > > > -- > > > > 2.39.2 > > > > > > > > > > > > > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > > Links: You receive all messages sent to this group. > > > View/Reply Online (#178493): > > > https://lists.openembedded.org/g/openembedded-core/message/178493 > > > Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601 > > > Group Owner: openembedded-core+owner@lists.openembedded.org > > > Unsubscribe: > > > https://lists.openembedded.org/g/openembedded-core/unsub [ > > > steve@sakoman.com] > > > -=-=-=-=-=-=-=-=-=-=-=- > > > >
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 899daf8eac..ea36c0bd3d 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229 # This CVE issue affects Windows only Hence whitelisting this CVE CVE_CHECK_WHITELIST += "CVE-2021-22897" +# HSTS check feature is not implemented +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551" + inherit autotools pkgconfig binconfig multilib_header PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
All mentioned CVEs are related to HSTS check feature, which is not implemented in version 7.69.1 . Signed-off-by: Andrej Valek <andrej.valek@siemens.com> --- meta/recipes-support/curl/curl_7.69.1.bb | 3 +++ 1 file changed, 3 insertions(+)