| Message ID | 20220601105312.29861-2-omkarpatil10.93@gmail.com |
|---|---|
| State | Accepted, archived |
| Commit | 9c736c9dcf5f18b8db082a0903be0acb3fbb51c2 |
| Headers | show |
| Series | [dunfell,1/2] libxslt: update to v1.1.35 | expand |
On Wed, Jun 1, 2022 at 12:53 AM omkar <omkarpatil10.93@gmail.com> wrote: > > From: Richard Purdie <richard.purdie@linuxfoundation.org> > > We have libxml2 2.9.14 and we don't link statically against libxml2 anyway > so the CVE doesn't apply to libxslt. dunfell libxml2 is version 2.9.10! Steve > (From OE-Core rev: c6315d8a2a1429a0fb7563b1d6352ceee7bc222c) > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > (cherry picked from commit ad63694e6df4f284879f7220962a821f97928eb0) > Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> > --- > meta/recipes-support/libxslt/libxslt_1.1.35.bb | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb > index 0f25043743..47a38deb13 100644 > --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb > +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb > @@ -19,6 +19,10 @@ SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f > > UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar" > > +# We have libxml2 2.9.14 and we don't link statically with it anyway > +# so this isn't an issue. > +CVE_CHECK_WHITELIST += "CVE-2022-29824" > + > S = "${WORKDIR}/libxslt-${PV}" > > BINCONFIG = "${bindir}/xslt-config" > -- > 2.17.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#166373): https://lists.openembedded.org/g/openembedded-core/message/166373 > Mute This Topic: https://lists.openembedded.org/mt/91472462/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Wed, Jun 1, 2022 at 5:09 AM Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> wrote: > > On Wed, Jun 1, 2022 at 12:53 AM omkar <omkarpatil10.93@gmail.com> wrote: > > > > From: Richard Purdie <richard.purdie@linuxfoundation.org> > > > > We have libxml2 2.9.14 and we don't link statically against libxml2 anyway > > so the CVE doesn't apply to libxslt. > > dunfell libxml2 is version 2.9.10! I just noticed that we have a libxml2 patch submitted to fix CVE-2022-29824: https://lists.openembedded.org/g/openembedded-core/message/166376 So you can adjust this patch to reflect this and resubmit it. Steve > > Steve > > > (From OE-Core rev: c6315d8a2a1429a0fb7563b1d6352ceee7bc222c) > > > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > > (cherry picked from commit ad63694e6df4f284879f7220962a821f97928eb0) > > Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> > > --- > > meta/recipes-support/libxslt/libxslt_1.1.35.bb | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb > > index 0f25043743..47a38deb13 100644 > > --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb > > +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb > > @@ -19,6 +19,10 @@ SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f > > > > UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar" > > > > +# We have libxml2 2.9.14 and we don't link statically with it anyway > > +# so this isn't an issue. > > +CVE_CHECK_WHITELIST += "CVE-2022-29824" > > + > > S = "${WORKDIR}/libxslt-${PV}" > > > > BINCONFIG = "${bindir}/xslt-config" > > -- > > 2.17.1 > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#166383): https://lists.openembedded.org/g/openembedded-core/message/166383 > Mute This Topic: https://lists.openembedded.org/mt/91472462/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb index 0f25043743..47a38deb13 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb @@ -19,6 +19,10 @@ SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar" +# We have libxml2 2.9.14 and we don't link statically with it anyway +# so this isn't an issue. +CVE_CHECK_WHITELIST += "CVE-2022-29824" + S = "${WORKDIR}/libxslt-${PV}" BINCONFIG = "${bindir}/xslt-config"