[1/2] vim: Upgrade 8.2.4681 -> 8.2.4912

Message ID 20220508123418.159142-1-richard.purdie@linuxfoundation.org
State Accepted, archived
Commit 77d745bd49c979de987c75fd7a3af116e99db82b
Series [1/2] vim: Upgrade 8.2.4681 -> 8.2.4912

Commit Message

Richard Purdie May 8, 2022, 12:34 p.m. UTC
Includes fixes for CVE-2022-1381, CVE-2022-1420.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Richard Purdie May 8, 2022, 4:45 p.m. UTC | #1
On Sun, 2022-05-08 at 13:34 +0100, Richard Purdie via
lists.openembedded.org wrote:
> Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.
> 
> 

I'm amending this to "Include fix for CVE-2022-27404" since CVE-2022-27405
and CVE-2022-27406 were already in 2.12.0.

I don't think the CVE checker is going to like these as they're using
dates for these for reasons I don't understand.

Cheers,

Richard
Marta Rybczynska May 9, 2022, 10:40 a.m. UTC | #2
On Sun, May 8, 2022 at 6:45 PM Richard Purdie <
richard.purdie@linuxfoundation.org> wrote:

> On Sun, 2022-05-08 at 13:34 +0100, Richard Purdie via
> lists.openembedded.org wrote:
> > Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.
> >
> >
>
> I'm amending this to "Include fix for CVE-2022-27404" since CVE-2022-27405
> and CVE-2022-27406 were already in 2.12.0.
>
> I don't think the CVE checker is going to like these as they're using
> dates for these for reasons I don't understand.
>
>
They also include versions in the NVD, but there is no version "non-affected"
as of today for CVE-2022-27404. I'll figure out the exact versions for those
CVEs and update the NVD in the next hours.

Kind regards,
Marta
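The two failure modes discussed in this thread, an NVD record with no "non-affected" (fixed-in) version and a record that carries a date where a version string belongs, both come down to how a version-range match against the NVD configuration fields behaves. The following is an added example, not code from the patch or from OpenEmbedded's cve-check class; it models the match with the NVD bound names (versionStartIncluding, versionStartExcluding, versionEndIncluding, versionEndExcluding) and uses constructed sample records, not the real entries for the CVEs above. The 8.2.4912 fixed-in bound in the sample is hypothetical.

```python
import re
from typing import Optional, Tuple

# Added example, not code from the patch or from OpenEmbedded's cve-check class.
# It models how a version-range match against an NVD configuration behaves
# when the record has no "fixed in" bound or uses a date-style version string.
# All NVD entries below are constructed sample data, not the real records.

_DOTTED = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted numeric version such as '8.2.4912' into a tuple.

    Returns None for anything else, including date-style strings like
    '2022-04-18', so the caller cannot silently compare apples to oranges.
    """
    if not _DOTTED.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples, padding the shorter one with zeros
    so that 8.2 == 8.2.0 and 8.2.4681 < 8.2.4912."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def match_range(pkg_version: str, entry: dict) -> str:
    """Decide whether pkg_version falls inside an NVD-style version range.

    `entry` carries the optional NVD bound fields versionStartIncluding,
    versionStartExcluding, versionEndIncluding and versionEndExcluding.
    Returns 'affected', 'unaffected' or 'undetermined'.
    """
    pv = parse_version(pkg_version)
    if pv is None:
        return "undetermined"

    bounds = (
        ("versionStartIncluding", lambda c: c >= 0),
        ("versionStartExcluding", lambda c: c > 0),
        ("versionEndIncluding", lambda c: c <= 0),
        ("versionEndExcluding", lambda c: c < 0),
    )
    for key, ok in bounds:
        raw = entry.get(key)
        if raw is None:
            continue
        bound = parse_version(raw)
        if bound is None:
            # A date (or any non-numeric string) in a bound field cannot be
            # ordered against a package version; report that instead of guessing.
            return "undetermined"
        if not ok(_cmp(pv, bound)):
            return "unaffected"
    # No bound excluded the version. With no bounds at all this is reached for
    # every version, which is why a CVE with no "fixed in" version keeps
    # appearing in a checker's output until the NVD record is corrected.
    return "affected"


# Constructed NVD-style configurations (not the real records for any CVE).
NO_FIX_RECORDED = {}                                     # no "non-affected" version yet
FIX_RECORDED = {"versionEndExcluding": "8.2.4912"}       # hypothetical fixed-in bound
DATE_AS_VERSION = {"versionEndExcluding": "2022-04-18"}  # a date where a version belongs


def demo() -> dict:
    """Run the three sample records against the old and new recipe versions."""
    return {
        "no_fix_old": match_range("8.2.4681", NO_FIX_RECORDED),
        "no_fix_new": match_range("8.2.4912", NO_FIX_RECORDED),
        "fix_old": match_range("8.2.4681", FIX_RECORDED),
        "fix_new": match_range("8.2.4912", FIX_RECORDED),
        "date_bound": match_range("8.2.4912", DATE_AS_VERSION),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The tri-state result is the design point: an empty record matches every version (the "no non-affected version" situation), a proper versionEndExcluding bound clears the upgraded version, and a date in a bound field is reported as undetermined rather than being force-compared and producing a silent false positive or false negative.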
Marta Rybczynska May 9, 2022, 2:41 p.m. UTC | #3
On Mon, May 9, 2022 at 12:40 PM Marta Rybczynska <rybczynska@gmail.com>
wrote:

>
>
> On Sun, May 8, 2022 at 6:45 PM Richard Purdie <
> richard.purdie@linuxfoundation.org> wrote:
>
>> On Sun, 2022-05-08 at 13:34 +0100, Richard Purdie via
>> lists.openembedded.org wrote:
>> > Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.
>> >
>> >
>>
>> I'm amending this to "Include fix for CVE-2022-27404" since CVE-2022-27405
>> and CVE-2022-27406 were already in 2.12.0.
>>
>> I don't think the CVE checker is going to like these as they're using
>> dates for these for reasons I don't understand.
>>
>>
> They also include versions in the NVD, but there is no version
> "non-affected" as of today for CVE-2022-27404. I'll figure out the exact
> versions for those CVEs and update the NVD in the next hours.
>
> Kind regards,
> Marta
>

Update: the message to NVD has been sent. According to my analysis all three
CVEs have been fixed in 2.12.0.

Regards,
Marta
Marta Rybczynska May 10, 2022, 3:02 p.m. UTC | #4
On Mon, May 9, 2022 at 4:42 PM Marta Rybczynska via lists.openembedded.org
<rybczynska=gmail.com@lists.openembedded.org> wrote:

>
>
> On Mon, May 9, 2022 at 12:40 PM Marta Rybczynska <rybczynska@gmail.com>
> wrote:
>
>>
>>
>> On Sun, May 8, 2022 at 6:45 PM Richard Purdie <
>> richard.purdie@linuxfoundation.org> wrote:
>>
>>> On Sun, 2022-05-08 at 13:34 +0100, Richard Purdie via
>>> lists.openembedded.org wrote:
>>> > Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406.
>>> >
>>> >
>>>
>>> I'm amending this to "Include fix for CVE-2022-27404" since CVE-2022-27405
>>> and CVE-2022-27406 were already in 2.12.0.
>>>
>>> I don't think the CVE checker is going to like these as they're using
>>> dates for these for reasons I don't understand.
>>>
>>>
>> They also include versions in the NVD, but there is no version
>> "non-affected" as of today for CVE-2022-27404. I'll figure out the exact
>> versions for those CVEs and update the NVD in the next hours.
>>
>> Kind regards,
>> Marta
>>
>
> Update: the message to NVD has been sent. According to my analysis all
> three
> CVEs have been fixed in 2.12.0.
>

The change is up in NVD. The next run of the cve-check should see it.

Regards,
Marta
Richard Purdie May 10, 2022, 3:42 p.m. UTC | #5
On Tue, 2022-05-10 at 17:02 +0200, Marta Rybczynska wrote:
> On Mon, May 9, 2022 at 4:42 PM Marta Rybczynska via
> lists.openembedded.org <rybczynska=gmail.com@lists.openembedded.org>
> wrote:
> > On Mon, May 9, 2022 at 12:40 PM Marta Rybczynska
> > <rybczynska@gmail.com> wrote:
> > > On Sun, May 8, 2022 at 6:45 PM Richard Purdie
> > > <richard.purdie@linuxfoundation.org> wrote:
> > > > On Sun, 2022-05-08 at 13:34 +0100, Richard Purdie via
> > > > lists.openembedded.org wrote:
> > > > > Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-
> > > > > 27406.
> > > > > 
> > > > > 
> > > > 
> > > > I'm amending this to "Include fix for CVE-2022-27404" since
> > > > CVE-2022-27405 and CVE-2022-27406 were already in 2.12.0.
> > > > 
> > > > I don't think the CVE checker is going to like these as they're
> > > > using
> > > > dates for these for reasons I don't understand.
> > > > 
> > > > 
> > > 
> > > 
> > > They also include versions in the NVD, but there is no version
> > > "non-affected" as of today for CVE-2022-27404. I'll figure out the
> > > exact versions for those CVEs and update the NVD in the next hours.
> > > 
> > > Kind regards,
> > > Marta
> > > 
> > 
> > 
> > Update: the message to NVD has been sent. According to my analysis
> > all three
> > CVEs have been fixed in 2.12.0.
> > 
> 
> 
> The change is up in NVD. The next run of the cve-check should see it.

Great, thanks for sorting that one out, the reports will be much better
for it!

Cheers,

Richard

Patch

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 21ff036cf4cf..c5922b7fcd71 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -21,8 +21,8 @@  SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://racefix.patch \
            "
 
-PV .= ".4681"
-SRCREV = "15f74fab653a784548d5d966644926b47ba2cfa7"
+PV .= ".4912"
+SRCREV = "a7583c42cd6b64fd276a5d7bb0db5ce7bfafa730"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
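Review bot: the CVE list in the commit message does not match the thread. The message at the top says "Includes fixes for CVE-2022-1381, CVE-2022-1420", while the reply thread quotes "Includes fixes for CVE-2022-27404, CVE-2022-27405, CVE-2022-27406" and amends it to "Include fix for CVE-2022-27404" because the other two were already fixed in the previous version; whichever set is correct, the merged message should name only the CVEs that this SRCREV bump actually closes, since that line is what later cve-check triage and the git log will rely on. Within the hunk, `PV .= ".4912"` and `SRCREV = "a7583c42cd6b64fd276a5d7bb0db5ce7bfafa730"` are updated as two unrelated literals with nothing tying the hash to the 8.2.4912 patch level, and PV is the version that downstream tooling will report while SRCREV is what gets built; confirm before merging that the hash is the commit tagged for 8.2.4912 (for example `git describe --tags a7583c42cd6b64fd276a5d7bb0db5ce7bfafa730` in a vim checkout), so the reported version and the built source cannot drift apart. The unchanged context `# Remove when 8.3 is out` / `UPSTREAM_VERSION_UNKNOWN = "1"` is fine for a point bump, but the reminder it carries remains open.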