path: root/meta/recipes-support/nettle/nettle_3.5.1.bb
author Mike Crowe <mac@mcrowe.com> 2021-09-17 17:14:33 +0100
committer Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-30 00:02:22 +0100
commit 33d7811e07e0b5d9fca6fdc0414ecbad181c73b6 (patch)
tree 8df9b86a3baa77ffa5d9f61cb8497302329d8193 /meta/recipes-support/nettle/nettle_3.5.1.bb
parent a1ad0499b43350368369ccd0f14abb8e89f358d3 (diff)
download poky-33d7811e07e0b5d9fca6fdc0414ecbad181c73b6.tar.gz
curl: Fix CVE-2021-22946 and CVE-2021-22947, whitelist CVE-2021-22945
curl v7.79.0 contained fixes for three CVEs:

The description of CVE-2021-22945[1] contains:

> This flaw was introduced in commit 2522903b79 but since MQTT support
> was marked 'experimental' then and not enabled in the build by default
> until curl 7.73.0 (October 14, 2020) we count that as the first flawed
> version.

which I believe means that curl v7.69.1 is not vulnerable.

curl v7.69.1 is vulnerable to both CVE-2021-22946[2] and CVE-22947[3].
These patches are from Ubuntu 20.04's curl 7.68.0 package. The patches
applied without conflicts, but I used devtool to regenerate them to
avoid fuzz warnings.

[1] https://curl.se/docs/CVE-2021-22945.html
[2] https://curl.se/docs/CVE-2021-22946.html
[3] https://curl.se/docs/CVE-2021-22947.html

(From OE-Core rev: b9b343704afc28a6182f699ef17943afacd482a8)

Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/nettle/nettle_3.5.1.bb')
0 files changed, 0 insertions, 0 deletions