diff options
author | Mike Crowe <mac@mcrowe.com> | 2021-09-17 17:14:33 +0100 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2021-09-24 04:27:46 -1000 |
commit | b9b343704afc28a6182f699ef17943afacd482a8 (patch) | |
tree | 6388bc09bf1aa17d51d267de46017522b51b7ffd /meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch | |
parent | ddcdb9baec74391844d5e3cf3c891d63d2eef865 (diff) | |
download | openembedded-core-contrib-b9b343704afc28a6182f699ef17943afacd482a8.tar.gz |
curl: Fix CVE-2021-22946 and CVE-2021-22947, whitelist CVE-2021-22945
curl v7.79.0 contained fixes for three CVEs:
The description of CVE-2021-22945[1] contains:
> This flaw was introduced in commit 2522903b79 but since MQTT support
> was marked 'experimental' then and not enabled in the build by default
> until curl 7.73.0 (October 14, 2020) we count that as the first flawed
> version.
which I believe means that curl v7.69.1 is not vulnerable.
curl v7.69.1 is vulnerable to both CVE-2021-22946[2] and CVE-22947[3].
These patches are from Ubuntu 20.04's curl 7.68.0 package. The patches
applied without conflicts, but I used devtool to regenerate them to
avoid fuzz warnings.
[1] https://curl.se/docs/CVE-2021-22945.html
[2] https://curl.se/docs/CVE-2021-22946.html
[3] https://curl.se/docs/CVE-2021-22947.html
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch')
0 files changed, 0 insertions, 0 deletions