[scarthgap] curl: Ignore CVE-2024-32928

Message ID	20240826165535.10274-1-peter.marko@siemens.com
State	Accepted
Delegated to:	Steve Sakoman
Headers	show Return-Path: <peter.marko@siemens.com> ip: 185.136.65.226, mailfrom: fm-256628-202408261656136955ae902083a93ad5-plxlhp@rts-flowmailer.siemens.com) From: Peter Marko <peter.marko@siemens.com> To: openembedded-core@lists.openembedded.org Cc: =?utf-8?q?Simone_Wei=C3=9F?= <simone.p.weiss@posteo.com>, Richard Purdie <richard.purdie@linuxfoundation.org>, Peter Marko <peter.marko@siemens.com> Subject: [OE-core][scarthgap][PATCH] curl: Ignore CVE-2024-32928 Date: Mon, 26 Aug 2024 18:55:35 +0200 Message-Id: <20240826165535.10274-1-peter.marko@siemens.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-256628:519-21489:flowmailer
Series	[scarthgap] curl: Ignore CVE-2024-32928 \| expand [scarthgap] curl: Ignore CVE-2024-32928

Message ID

20240826165535.10274-1-peter.marko@siemens.com

State

Accepted

Delegated to:

Steve Sakoman

Headers

From: Peter Marko <peter.marko@siemens.com>
To: openembedded-core@lists.openembedded.org
Cc: =?utf-8?q?Simone_Wei=C3=9F?= <simone.p.weiss@posteo.com>,
 Richard Purdie <richard.purdie@linuxfoundation.org>,
 Peter Marko <peter.marko@siemens.com>
Subject: [OE-core][scarthgap][PATCH] curl: Ignore CVE-2024-32928
Date: Mon, 26 Aug 2024 18:55:35 +0200
Message-Id: <20240826165535.10274-1-peter.marko@siemens.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Feedback-ID: 519:519-256628:519-21489:flowmailer

Series

[scarthgap] curl: Ignore CVE-2024-32928 | expand

Commit Message

Marko, Peter Aug. 26, 2024, 4:55 p.m. UTC

From: Simone Weiß <simone.p.weiss@posteo.com>

This CVE affects google cloud services that utilize libcurl wrongly.

(From OE-Core rev: 27ac7879711e7119b4ec8b190b0a9da5b3ede269)

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-support/curl/curl_8.7.1.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 6d2886f70c..32b79f35f0 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -21,6 +21,7 @@  SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c65
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack"
 
 inherit autotools pkgconfig binconfig multilib_header ptest

[scarthgap] curl: Ignore CVE-2024-32928

Commit Message

Patch