The CPE previously said that it applies to apple:cups <499.4. We have openprinting’s fork of cups, 2.4.2.
It now also says openprinting:cups <2.4.2, but I don’t think we should restrict the CVE_PRODUCT as we’ll miss all the apple:cups entries then. Not sure how best to handle this…

Ross

> On 13 Jun 2022, at 16:59, Steve Sakoman via lists.yoctoproject.org <[email protected]> wrote:
>
> On Mon, Jun 13, 2022 at 5:32 AM Steve Sakoman via lists.openembedded.org <[email protected]> wrote:
>>
>> On Mon, Jun 13, 2022 at 5:01 AM Ross Burton <[email protected]> wrote:
>>>
>>>> CVE-2022-26691 (CVSS3: 6.7 MEDIUM): cups
>>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26691 *
>>>
>>> This is fixed in 2.4.2 which is already in master.
>>>
>>> The stable branches can cherry-pick
>>> https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444.
>>
>> I'm working on that for dunfell and kirkstone today.
>
> I've put together a patch for dunfell which will be in the next patchset.
>
> However kirkstone and master are both at version 2.4.2, so something
> must be wrong in the database entry for this to be flagged for both
> :-(
>
> Steve
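
The trade-off raised in this message, as an added example that is not part of the original thread and not the cve-check code: a simplified model of vendor:product matching against the two CPE ranges quoted above. It assumes a bare product name in CVE_PRODUCT matches any vendor and that versions are plain dotted integers; `matching_ranges` and `CPE_RANGES` are hypothetical names.

```python
# Simplified model of CVE_PRODUCT matching; illustrative only, not the
# cve-check class. Constructed sample data: the two CPE ranges that the
# message says are attached to CVE-2022-26691.
CPE_RANGES = [
    ("apple", "cups", "499.4"),          # apple:cups < 499.4
    ("openprinting", "cups", "2.4.2"),   # openprinting:cups < 2.4.2
]


def vtuple(version):
    """Turn '2.4.2' into (2, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_product(entry):
    """Split 'vendor:product'; a bare product means 'any vendor' (assumption)."""
    vendor, sep, product = entry.partition(":")
    return (vendor, product) if sep else (None, vendor)


def matching_ranges(cve_product, version, ranges=CPE_RANGES):
    """Return the CPE ranges that flag `version` for a CVE_PRODUCT value."""
    hits = []
    for entry in cve_product.split():
        vendor, product = parse_product(entry)
        for r_vendor, r_product, below in ranges:
            if r_product != product:
                continue
            if vendor is not None and vendor != r_vendor:
                continue
            if vtuple(version) < vtuple(below):
                hits.append(f"{r_vendor}:{r_product} <{below}")
    return hits


if __name__ == "__main__":
    # Unrestricted product: the apple:cups range flags the fixed 2.4.2 build.
    print(matching_ranges("cups", "2.4.2"))
    # Restricted to the fork's vendor: 2.4.2 is clean, but every
    # apple:cups entry is now ignored for all other CVEs as well.
    print(matching_ranges("openprinting:cups", "2.4.2"))
    # A stable branch still on an older version is flagged either way.
    print(matching_ranges("openprinting:cups", "2.4.1"))
```

Listing both vendors in CVE_PRODUCT does not help here, because the apple:cups <499.4 range still covers 2.4.2.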
