Message ID | 20210601070316.27441-1-post@lespocky.de |
---|---|
State | Accepted |
Series | [PATCH/stable] package/putty: Ignore CVE-2021-33500 |
Hello everyone,

since I get autobuilder warning mails every Monday for CVE-2021-33500 now, I kindly wanted to ask, if this is the right approach?

That CVE only affects Windows, master has putty 0.75 which has that fixed already. So I thought it would not be necessary to backport 0.75 to the stable branch(es), but ignore that CVE in stable branches only?

Greets
Alex

On Tue, Jun 01, 2021 at 09:03:16AM +0200, Alexander Dahl wrote: > Since putty is only affected by this CVE on Windows, ignore it in the > stable branch. Branch master is not affected anymore already, due to > newer version which got fixed. > > Signed-off-by: Alexander Dahl <post@lespocky.de> > --- > package/putty/putty.mk | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/package/putty/putty.mk b/package/putty/putty.mk > index c40cac9dc5..8a494d4e54 100644 > --- a/package/putty/putty.mk > +++ b/package/putty/putty.mk > @@ -12,6 +12,9 @@ PUTTY_CPE_ID_VENDOR = putty > PUTTY_CONF_OPTS = --disable-gtktest > PUTTY_CONF_ENV = CFLAGS="$(TARGET_CFLAGS) -Wno-error" > > +# Windows only, fixed for Windows with 0.75 > +PUTTY_IGNORE_CVES += CVE-2021-33500 > + > ifeq ($(BR2_PACKAGE_LIBGTK2),y) > PUTTY_CONF_OPTS += --with-gtk=2 > PUTTY_DEPENDENCIES += libgtk2 > > base-commit: 677b20cf240d099e1bfc1d50e54730083618d24f > -- > 2.20.1 > > _______________________________________________ > buildroot mailing list > buildroot@busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot
>>>>> "Alexander" == Alexander Dahl <post@lespocky.de> writes:

> Hello everyone,
> since I get autobuilder warning mails every Monday for CVE-2021-33500
> now, I kindly wanted to ask, if this is the right approach?

> That CVE only affects Windows, master has putty 0.75 which has that
> fixed already. So I thought it would not be necessary to backport 0.75
> to the stable branch(es), but ignore that CVE in stable branches only?

Yes, that is fine. Sorry, I am running a bit behind on the LTS backports, but I will get to it this week. Thanks.
>>>>> "Alexander" == Alexander Dahl <post@lespocky.de> writes:

> Hello everyone,
> since I get autobuilder warning mails every Monday for CVE-2021-33500
> now, I kindly wanted to ask, if this is the right approach?

> That CVE only affects Windows, master has putty 0.75 which has that
> fixed already. So I thought it would not be necessary to backport 0.75
> to the stable branch(es), but ignore that CVE in stable branches only?

Committed to 2021.02.x, thanks.
diff --git a/package/putty/putty.mk b/package/putty/putty.mk index c40cac9dc5..8a494d4e54 100644 --- a/package/putty/putty.mk +++ b/package/putty/putty.mk @@ -12,6 +12,9 @@ PUTTY_CPE_ID_VENDOR = putty PUTTY_CONF_OPTS = --disable-gtktest PUTTY_CONF_ENV = CFLAGS="$(TARGET_CFLAGS) -Wno-error" +# Windows only, fixed for Windows with 0.75 +PUTTY_IGNORE_CVES += CVE-2021-33500 + ifeq ($(BR2_PACKAGE_LIBGTK2),y) PUTTY_CONF_OPTS += --with-gtk=2 PUTTY_DEPENDENCIES += libgtk2
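Review bot: The comment above `PUTTY_IGNORE_CVES += CVE-2021-33500` says why the CVE does not apply (Windows only) but not when the entry can be removed. Since the commit message scopes this to the stable branch and ties the fix to 0.75, consider extending the comment, for example `# Windows only, fixed upstream in 0.75; drop this entry when bumping to 0.75 or later`, so the ignore list stays accurate after a version bump.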
Since putty is only affected by this CVE on Windows, ignore it in the stable branch. Branch master is not affected anymore already, due to newer version which got fixed.

Signed-off-by: Alexander Dahl <post@lespocky.de>

package/putty/putty.mk | 3 +++
1 file changed, 3 insertions(+)

base-commit: 677b20cf240d099e1bfc1d50e54730083618d24f