diff mbox series

[PATCH/stable] package/putty: Ignore CVE-2021-33500

Message ID 20210601070316.27441-1-post@lespocky.de
State Accepted
Headers show
Series [PATCH/stable] package/putty: Ignore CVE-2021-33500 | expand

Commit Message

Alexander Dahl June 1, 2021, 7:03 a.m. UTC 
Since putty is only affected by this CVE on Windows, ignore it in the
stable branch.  Branch master is not affected anymore already, due to
newer version which got fixed.

Signed-off-by: Alexander Dahl <post@lespocky.de>
---
 package/putty/putty.mk | 3 +++
 1 file changed, 3 insertions(+)


base-commit: 677b20cf240d099e1bfc1d50e54730083618d24f

Comments

Alexander Dahl June 8, 2021, 5:09 a.m. UTC | #1 
Hello everyone,

since I get autobuilder warning mails every Monday for CVE-2021-33500
now, I kindly wanted to ask, if this is the right approach?

That CVE only affects Windows, master has putty 0.75 which has that
fixed already. So I thought it would not be necessary to backport 0.75
to the stable branch(es), but ignore that CVE in stable branches only?

Greets
Alex

On Tue, Jun 01, 2021 at 09:03:16AM +0200, Alexander Dahl wrote:
> Since putty is only affected by this CVE on Windows, ignore it in the
> stable branch.  Branch master is not affected anymore already, due to
> newer version which got fixed.
> 
> Signed-off-by: Alexander Dahl <post@lespocky.de>
> ---
>  package/putty/putty.mk | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/package/putty/putty.mk b/package/putty/putty.mk
> index c40cac9dc5..8a494d4e54 100644
> --- a/package/putty/putty.mk
> +++ b/package/putty/putty.mk
> @@ -12,6 +12,9 @@ PUTTY_CPE_ID_VENDOR = putty
>  PUTTY_CONF_OPTS = --disable-gtktest
>  PUTTY_CONF_ENV = CFLAGS="$(TARGET_CFLAGS) -Wno-error"
>  
> +# Windows only, fixed for Windows with 0.75
> +PUTTY_IGNORE_CVES += CVE-2021-33500
> +
>  ifeq ($(BR2_PACKAGE_LIBGTK2),y)
>  PUTTY_CONF_OPTS += --with-gtk=2
>  PUTTY_DEPENDENCIES += libgtk2
> 
> base-commit: 677b20cf240d099e1bfc1d50e54730083618d24f
> -- 
> 2.20.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
Peter Korsgaard June 8, 2021, 6:35 a.m. UTC | #2 
>>>>> "Alexander" == Alexander Dahl <post@lespocky.de> writes:

 > Hello everyone,
 > since I get autobuilder warning mails every Monday for CVE-2021-33500
 > now, I kindly wanted to ask, if this is the right approach?

 > That CVE only affects Windows, master has putty 0.75 which has that
 > fixed already. So I thought it would not be necessary to backport 0.75
 > to the stable branch(es), but ignore that CVE in stable branches only?

Yes, that is fine. Sorry, I am running a bit behind on the LTS
backports, but I will get to it this week.

Thanks.
Peter Korsgaard June 11, 2021, 8:17 a.m. UTC | #3 
>>>>> "Alexander" == Alexander Dahl <post@lespocky.de> writes:

 > Hello everyone,
 > since I get autobuilder warning mails every Monday for CVE-2021-33500
 > now, I kindly wanted to ask, if this is the right approach?

 > That CVE only affects Windows, master has putty 0.75 which has that
 > fixed already. So I thought it would not be necessary to backport 0.75
 > to the stable branch(es), but ignore that CVE in stable branches only?

Committed to 2021.02.x, thanks.
diff mbox series

Patch

diff --git a/package/putty/putty.mk b/package/putty/putty.mk
index c40cac9dc5..8a494d4e54 100644
--- a/package/putty/putty.mk
+++ b/package/putty/putty.mk
@@ -12,6 +12,9 @@  PUTTY_CPE_ID_VENDOR = putty
 PUTTY_CONF_OPTS = --disable-gtktest
 PUTTY_CONF_ENV = CFLAGS="$(TARGET_CFLAGS) -Wno-error"
 
+# Windows only, fixed for Windows with 0.75
+PUTTY_IGNORE_CVES += CVE-2021-33500
+
 ifeq ($(BR2_PACKAGE_LIBGTK2),y)
 PUTTY_CONF_OPTS += --with-gtk=2
 PUTTY_DEPENDENCIES += libgtk2