
[scarthgap,4/5] bind: Ignore CVE-2026-3039

Message ID 20260610100404.2993940-4-asparmar@cisco.com
State New
Series [scarthgap,1/5] bind: Fix CVE-2026-1519 | expand

Commit Message

From: Ashishkumar Parmar <asparmar@cisco.com>

Analysis:
- CVE-2026-3039 affects BIND servers using TKEY-based
  authentication via GSS-API tokens [1].
- This recipe configures BIND with --with-gssapi=no, so the
  vulnerable GSS-API TKEY negotiation path is disabled [2].
- Hence ignoring the CVE for this build configuration.

Reference:
[1] https://kb.isc.org/docs/cve-2026-3039
[2] meta/recipes-connectivity/bind/bind_9.18.44.bb

Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
---
 meta/recipes-connectivity/bind/bind_9.18.44.bb | 1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/meta/recipes-connectivity/bind/bind_9.18.44.bb b/meta/recipes-connectivity/bind/bind_9.18.44.bb
index dd8923f185..7b5baf5338 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.44.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.44.bb
@@ -43,6 +43,7 @@  UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
 # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
 # so the issue doesn't affect us.
 CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
+CVE_STATUS[CVE-2026-3039] = "not-applicable-config: BIND is built with --with-gssapi=no, so GSS-API TKEY negotiation is disabled."
 
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
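Review bot: The added `CVE_STATUS[CVE-2026-3039]` line is unconditional, but its justification rests on a configure option that is set elsewhere in the recipe, outside this hunk, so the two can drift apart. If a later recipe change or a layer's bbappend re-enables GSS-API support, the CVE would presumably stay marked not-applicable and no longer be reported as open by the CVE check. The CVE-2019-6470 entry just above carries an explanatory comment; I would add one on the line before the new entry as well, e.g. `# Valid only while GSS-API is disabled (--with-gssapi=no); re-evaluate this status if that option changes.`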