Hi

Thank you Daniel.

You who have looked at it. Is this fix important in your view? You have looked into this more than I have so I think you are better to judge.

// Ola

On Mon, 11 Mar 2024 at 01:43, Daniel Leidert <[email protected]> wrote:
> Hi Ola,
>
> On Sunday, 10.03.2024 at 23:03 +0100, Ola Lundqvist wrote:
> >
> > I was about to remove runc from dla-needed but since Adrian sent out
> > a question email about the removal I thought one more time. (I'm
> > trying to learn from my mistakes) :-)
> >
> > I'm getting a little confused about the notes about runc in
> > dla-needed.
> > It says Complete fix for CVE-2024-21626 would require backport of ...
> > But CVE-2024-21626 looks like it is already fixed by DLA-3735-1.
> >
> > If one looks at the status information in the data/CVE/list it looks
> > like it is completely corrected.
> > But from the dla-needed note it looks like it is not. What is it?
> > Is it a sufficient fix?
>
> The fix for CVE-2024-21626 applied by upstream contained a fix for the
> real issue and multiple hardening measurements (all part of a series of
> patches). The issue itself should be fixed. I also backported multiple
> hardening measurements. However, there is one hardening measurement
> that uses a function only available in Go 1.12+. So to backport all,
> this one would require a backport too. I am not able to do it. So, I
> left a note about it in case someone wants to go for it.
>
> I hope this explains it a bit more.
>
> Regards, Daniel
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  [email protected]                    [email protected]            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
