Hi,

This PR intends to fix 3 CVEs:
- https://nvd.nist.gov/vuln/detail/CVE-2022-2795
- https://nvd.nist.gov/vuln/detail/CVE-2022-38177
- https://nvd.nist.gov/vuln/detail/CVE-2022-38178

All fix patches were cherry-picked from bind v9_16_33. The first patch can be merged without conflict and the second one with a minor (curly braces) conflict.

The third one (CVE-2022-38178) is a bit trickier, as one of the code sections corrected by the patch does not exist in bind 9.11.37:
- https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_11_37/lib/dns/openssleddsa_link.c#L327
- https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6c4165fbd3d

Basically, on 9.11.37 `siglen` is not verified to be different from 0, because the value is always set, so I believe this is OK.

However, as I did modify the patch, I'm not sure if there is some best practice or extra documentation that I need to apply here.

Best regards,
Mathieu
