On Mon, Oct 3, 2022 at 1:29 AM Mathieu Dubois-Briand <[email protected]> wrote:
>
> Hi,
>
> This PR intends to fix 3 CVEs:
>
> - https://nvd.nist.gov/vuln/detail/CVE-2022-2795
> - https://nvd.nist.gov/vuln/detail/CVE-2022-38177
> - https://nvd.nist.gov/vuln/detail/CVE-2022-38178
>
> All fix patches were cherry-picked from bind v9_16_33. The first patch can be
> merged without conflict and the second one with a minor (curly braces)
> conflict.
>
> The third one (CVE-2022-38178) is a bit trickier, as one of the code sections
> corrected by the patch does not exist in bind 9.11.37:
> - https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_11_37/lib/dns/openssleddsa_link.c#L327
> - https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6c4165fbd3d
>
> Basically, on 9.11.37 `siglen` is not verified to be different from 0, because
> the value is always set, so I believe this is OK. However, as I did modify the
> patch, I'm not sure if there is some best practice or extra documentation that I
> need to apply here.
This seems ok to me too. Copying Armin since he is listed as the bind maintainer, just in case he would like to comment on this.

Steve
View/Reply Online (#171362): https://lists.openembedded.org/g/openembedded-core/message/171362
