All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] bind: Whitelist CVE-2019-6470
@ 2019-11-13  8:19 Adrian Bunk
  2019-11-14 12:04 ` Ross Burton
  0 siblings, 1 reply; 8+ messages in thread
From: Adrian Bunk @ 2019-11-13  8:19 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Adrian Bunk <bunk@stusta.de>
---
 meta/recipes-connectivity/bind/bind_9.11.5-P4.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb b/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
index 3e2412dfa4..0a52a66144 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
@@ -37,6 +37,9 @@ UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
 UPSTREAM_CHECK_REGEX = "(?P<pver>9.(11|16|20|24|28)(\.\d+)+(-P\d+)*)/"
 
+# Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later
+CVE_CHECK_WHITELIST += "CVE-2019-6470"
+
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_script
 
 MULTILIB_SCRIPTS = "${PN}:${bindir}/bind9-config ${PN}:${bindir}/isc-config.sh"
-- 
2.17.1



^ permalink raw reply related	[flat|nested] 8+ messages in thread
* Re: [PATCH] bind: Whitelist CVE-2019-6470
  2019-11-13  8:19 [PATCH] bind: Whitelist CVE-2019-6470 Adrian Bunk
@ 2019-11-14 12:04 ` Ross Burton
  2019-11-14 12:51   ` Adrian Bunk
  0 siblings, 1 reply; 8+ messages in thread
From: Ross Burton @ 2019-11-14 12:04 UTC (permalink / raw)
  To: openembedded-core

On 13/11/2019 08:19, Adrian Bunk wrote:
> +# Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later
> +CVE_CHECK_WHITELIST += "CVE-2019-6470"

Can you be a bit more explicit about why this is whitelisted?

Ross


^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH] bind: Whitelist CVE-2019-6470
  2019-11-14 12:04 ` Ross Burton
@ 2019-11-14 12:51   ` Adrian Bunk
  2019-11-14 13:16     ` Ross Burton
  2019-11-14 15:18     ` akuster808
  0 siblings, 2 replies; 8+ messages in thread
From: Adrian Bunk @ 2019-11-14 12:51 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core

On Thu, Nov 14, 2019 at 12:04:40PM +0000, Ross Burton wrote:
> On 13/11/2019 08:19, Adrian Bunk wrote:
> > +# Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later
> > +CVE_CHECK_WHITELIST += "CVE-2019-6470"
> 
> Can you be a bit more explicit about why this is whitelisted?

Something like
  BIND >= 9.11.2 need dhcpd >= 4.4.1, don't report it here since
  dhcpd is already recent enough.
?

> Ross

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH] bind: Whitelist CVE-2019-6470
  2019-11-14 12:51   ` Adrian Bunk
@ 2019-11-14 13:16     ` Ross Burton
  2019-11-18 14:04       ` Adrian Bunk
  2019-11-14 15:18     ` akuster808
  1 sibling, 1 reply; 8+ messages in thread
From: Ross Burton @ 2019-11-14 13:16 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: openembedded-core

On 14/11/2019 12:51, Adrian Bunk wrote:
> On Thu, Nov 14, 2019 at 12:04:40PM +0000, Ross Burton wrote:
>> On 13/11/2019 08:19, Adrian Bunk wrote:
>>> +# Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later
>>> +CVE_CHECK_WHITELIST += "CVE-2019-6470"
>>
>> Can you be a bit more explicit about why this is whitelisted?
> 
> Something like
>    BIND >= 9.11.2 need dhcpd >= 4.4.1, don't report it here since
>    dhcpd is already recent enough.

Right.

Ross


^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH] bind: Whitelist CVE-2019-6470
  2019-11-14 12:51   ` Adrian Bunk
  2019-11-14 13:16     ` Ross Burton
@ 2019-11-14 15:18     ` akuster808
  2019-11-15 21:46       ` Adrian Bunk
  1 sibling, 1 reply; 8+ messages in thread
From: akuster808 @ 2019-11-14 15:18 UTC (permalink / raw)
  To: Adrian Bunk, Ross Burton; +Cc: openembedded-core



On 11/14/19 4:51 AM, Adrian Bunk wrote:
> On Thu, Nov 14, 2019 at 12:04:40PM +0000, Ross Burton wrote:
>> On 13/11/2019 08:19, Adrian Bunk wrote:
>>> +# Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later
>>> +CVE_CHECK_WHITELIST += "CVE-2019-6470"
>> Can you be a bit more explicit about why this is whitelisted?
> Something like
>   BIND >= 9.11.2 need dhcpd >= 4.4.1, don't report it here since
>   dhcpd is already recent enough.
Actual. checking isc dhcp sources, it appears the fix is sitting in
master and has not been merged to any of the stable branches. I have not
had the time to unpack and check in an OE env ti validate that.

Have you done that?

- Armin
> ?
>
>> Ross
> cu
> Adrian
>



^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH] bind: Whitelist CVE-2019-6470
  2019-11-14 15:18     ` akuster808
@ 2019-11-15 21:46       ` Adrian Bunk
  2019-11-17 16:14         ` akuster808
  0 siblings, 1 reply; 8+ messages in thread
From: Adrian Bunk @ 2019-11-15 21:46 UTC (permalink / raw)
  To: akuster808; +Cc: openembedded-core

On Thu, Nov 14, 2019 at 07:18:28AM -0800, akuster808 wrote:
> 
> 
> On 11/14/19 4:51 AM, Adrian Bunk wrote:
> > On Thu, Nov 14, 2019 at 12:04:40PM +0000, Ross Burton wrote:
> >> On 13/11/2019 08:19, Adrian Bunk wrote:
> >>> +# Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later
> >>> +CVE_CHECK_WHITELIST += "CVE-2019-6470"
> >> Can you be a bit more explicit about why this is whitelisted?
> > Something like
> >   BIND >= 9.11.2 need dhcpd >= 4.4.1, don't report it here since
> >   dhcpd is already recent enough.
> Actual. checking isc dhcp sources, it appears the fix is sitting in
> master and has not been merged to any of the stable branches. I have not
> had the time to unpack and check in an OE env ti validate that.
> 
> Have you done that?

At what commit are you looking?

rt46719 was merged in 2017, actually before 4.4.0.

> - Armin

cu
Adrian



^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH] bind: Whitelist CVE-2019-6470
  2019-11-15 21:46       ` Adrian Bunk
@ 2019-11-17 16:14         ` akuster808
  0 siblings, 0 replies; 8+ messages in thread
From: akuster808 @ 2019-11-17 16:14 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: openembedded-core



On 11/15/19 1:46 PM, Adrian Bunk wrote:
> On Thu, Nov 14, 2019 at 07:18:28AM -0800, akuster808 wrote:
>>
>> On 11/14/19 4:51 AM, Adrian Bunk wrote:
>>> On Thu, Nov 14, 2019 at 12:04:40PM +0000, Ross Burton wrote:
>>>> On 13/11/2019 08:19, Adrian Bunk wrote:
>>>>> +# Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later
>>>>> +CVE_CHECK_WHITELIST += "CVE-2019-6470"
>>>> Can you be a bit more explicit about why this is whitelisted?
>>> Something like
>>>   BIND >= 9.11.2 need dhcpd >= 4.4.1, don't report it here since
>>>   dhcpd is already recent enough.
>> Actual. checking isc dhcp sources, it appears the fix is sitting in
>> master and has not been merged to any of the stable branches. I have not
>> had the time to unpack and check in an OE env ti validate that.
>>
>> Have you done that?
> At what commit are you looking?
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=abacf8ad0d8844685e5cd76645a34ef2b8da3253

An like I said "it appears" and I alway verify with what sources get
unpacked. I finally got around to it doing that this morning and the
dhcp does have this fix.

-armin
>
> rt46719 was merged in 2017, actually before 4.4.0.
>
>> - Armin
> cu
> Adrian
>



^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH] bind: Whitelist CVE-2019-6470
  2019-11-14 13:16     ` Ross Burton
@ 2019-11-18 14:04       ` Adrian Bunk
  0 siblings, 0 replies; 8+ messages in thread
From: Adrian Bunk @ 2019-11-18 14:04 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core

On Thu, Nov 14, 2019 at 01:16:44PM +0000, Ross Burton wrote:
> On 14/11/2019 12:51, Adrian Bunk wrote:
> > On Thu, Nov 14, 2019 at 12:04:40PM +0000, Ross Burton wrote:
> > > On 13/11/2019 08:19, Adrian Bunk wrote:
> > > > +# Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later
> > > > +CVE_CHECK_WHITELIST += "CVE-2019-6470"
> > > 
> > > Can you be a bit more explicit about why this is whitelisted?
> > 
> > Something like
> >    BIND >= 9.11.2 need dhcpd >= 4.4.1, don't report it here since
> >    dhcpd is already recent enough.
> 
> Right.

v2 sent.

> Ross

cu
Adrian


^ permalink raw reply	[flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-11-18 14:04 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-13  8:19 [PATCH] bind: Whitelist CVE-2019-6470 Adrian Bunk
2019-11-14 12:04 ` Ross Burton
2019-11-14 12:51   ` Adrian Bunk
2019-11-14 13:16     ` Ross Burton
2019-11-18 14:04       ` Adrian Bunk
2019-11-14 15:18     ` akuster808
2019-11-15 21:46       ` Adrian Bunk
2019-11-17 16:14         ` akuster808

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.