diff options
author | Mike Crowe <mac@mcrowe.com> | 2021-09-17 17:14:33 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-09-30 00:02:22 +0100 |
commit | 33d7811e07e0b5d9fca6fdc0414ecbad181c73b6 (patch) | |
tree | 8df9b86a3baa77ffa5d9f61cb8497302329d8193 /meta/recipes-support/nettle/nettle_3.5.1.bb | |
parent | a1ad0499b43350368369ccd0f14abb8e89f358d3 (diff) | |
download | poky-33d7811e07e0b5d9fca6fdc0414ecbad181c73b6.tar.gz |
curl: Fix CVE-2021-22946 and CVE-2021-22947, whitelist CVE-2021-22945
curl v7.79.0 contained fixes for three CVEs:
The description of CVE-2021-22945[1] contains:
> This flaw was introduced in commit 2522903b79 but since MQTT support
> was marked 'experimental' then and not enabled in the build by default
> until curl 7.73.0 (October 14, 2020) we count that as the first flawed
> version.
which I believe means that curl v7.69.1 is not vulnerable.
curl v7.69.1 is vulnerable to both CVE-2021-22946[2] and CVE-22947[3].
These patches are from Ubuntu 20.04's curl 7.68.0 package. The patches
applied without conflicts, but I used devtool to regenerate them to
avoid fuzz warnings.
[1] https://curl.se/docs/CVE-2021-22945.html
[2] https://curl.se/docs/CVE-2021-22946.html
[3] https://curl.se/docs/CVE-2021-22947.html
(From OE-Core rev: b9b343704afc28a6182f699ef17943afacd482a8)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/nettle/nettle_3.5.1.bb')
0 files changed, 0 insertions, 0 deletions