* [Buildroot] [PATCH/stable] package/putty: Ignore CVE-2021-33500
@ 2021-06-01  7:03 Alexander Dahl
  2021-06-08  5:09 ` Alexander Dahl
  0 siblings, 1 reply; 4+ messages in thread
From: Alexander Dahl @ 2021-06-01  7:03 UTC (permalink / raw)
  To: buildroot

Since putty is only affected by this CVE on Windows, ignore it in the
stable branch.  Branch master is no longer affected, due to a
newer version which got fixed.

Signed-off-by: Alexander Dahl <post@lespocky.de>
---
 package/putty/putty.mk | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package/putty/putty.mk b/package/putty/putty.mk
index c40cac9dc5..8a494d4e54 100644
--- a/package/putty/putty.mk
+++ b/package/putty/putty.mk
@@ -12,6 +12,9 @@ PUTTY_CPE_ID_VENDOR = putty
 PUTTY_CONF_OPTS = --disable-gtktest
 PUTTY_CONF_ENV = CFLAGS="$(TARGET_CFLAGS) -Wno-error"
 
+# Windows only, fixed for Windows with 0.75
+PUTTY_IGNORE_CVES += CVE-2021-33500
+
 ifeq ($(BR2_PACKAGE_LIBGTK2),y)
 PUTTY_CONF_OPTS += --with-gtk=2
 PUTTY_DEPENDENCIES += libgtk2
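
Review bot: The comment above the added PUTTY_IGNORE_CVES line ("Windows only, fixed for Windows with 0.75") gives no pointer to where that scope is established, so anyone auditing the ignore list later has to redo the research. Consider naming the source in the comment (the upstream release notes or the CVE description) and stating the reason for ignoring directly, e.g. "# CVE-2021-33500 only affects PuTTY on Windows".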

base-commit: 677b20cf240d099e1bfc1d50e54730083618d24f
-- 
2.20.1


* [Buildroot] [PATCH/stable] package/putty: Ignore CVE-2021-33500
  2021-06-01  7:03 [Buildroot] [PATCH/stable] package/putty: Ignore CVE-2021-33500 Alexander Dahl
@ 2021-06-08  5:09 ` Alexander Dahl
  2021-06-08  6:35   ` Peter Korsgaard
  2021-06-11  8:17   ` Peter Korsgaard
  0 siblings, 2 replies; 4+ messages in thread
From: Alexander Dahl @ 2021-06-08  5:09 UTC (permalink / raw)
  To: buildroot

Hello everyone,

since I get autobuilder warning mails every Monday for CVE-2021-33500
now, I kindly wanted to ask if this is the right approach?

That CVE only affects Windows, master has putty 0.75 which has that
fixed already. So I thought it would not be necessary to backport 0.75
to the stable branch(es), but ignore that CVE in stable branches only?

Greets
Alex

On Tue, Jun 01, 2021 at 09:03:16AM +0200, Alexander Dahl wrote:
> Since putty is only affected by this CVE on Windows, ignore it in the
> stable branch.  Branch master is no longer affected, due to a
> newer version which got fixed.
> 
> Signed-off-by: Alexander Dahl <post@lespocky.de>
> ---
>  package/putty/putty.mk | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/package/putty/putty.mk b/package/putty/putty.mk
> index c40cac9dc5..8a494d4e54 100644
> --- a/package/putty/putty.mk
> +++ b/package/putty/putty.mk
> @@ -12,6 +12,9 @@ PUTTY_CPE_ID_VENDOR = putty
>  PUTTY_CONF_OPTS = --disable-gtktest
>  PUTTY_CONF_ENV = CFLAGS="$(TARGET_CFLAGS) -Wno-error"
>  
> +# Windows only, fixed for Windows with 0.75
> +PUTTY_IGNORE_CVES += CVE-2021-33500
> +
>  ifeq ($(BR2_PACKAGE_LIBGTK2),y)
>  PUTTY_CONF_OPTS += --with-gtk=2
>  PUTTY_DEPENDENCIES += libgtk2
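
Review bot: The new PUTTY_IGNORE_CVES entry is placed after PUTTY_CONF_ENV, between the configure settings and the ifeq ($(BR2_PACKAGE_LIBGTK2),y) block, which separates it from PUTTY_CPE_ID_VENDOR, the other CVE-matching variable visible in this hunk's header. Moving the comment and the ignore line directly below PUTTY_CPE_ID_VENDOR would keep the vulnerability-tracking metadata together and apart from the build options.
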
> 
> base-commit: 677b20cf240d099e1bfc1d50e54730083618d24f
> -- 
> 2.20.1
> 

-- 
/"\ ASCII RIBBON | "With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably."
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)


* [Buildroot] [PATCH/stable] package/putty: Ignore CVE-2021-33500
  2021-06-08  5:09 ` Alexander Dahl
@ 2021-06-08  6:35   ` Peter Korsgaard
  2021-06-11  8:17   ` Peter Korsgaard
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2021-06-08  6:35 UTC (permalink / raw)
  To: buildroot

>>>>> "Alexander" == Alexander Dahl <post@lespocky.de> writes:

 > Hello everyone,
 > since I get autobuilder warning mails every Monday for CVE-2021-33500
 > now, I kindly wanted to ask if this is the right approach?

 > That CVE only affects Windows, master has putty 0.75 which has that
 > fixed already. So I thought it would not be necessary to backport 0.75
 > to the stable branch(es), but ignore that CVE in stable branches only?

Yes, that is fine. Sorry, I am running a bit behind on the LTS
backports, but I will get to it this week.

Thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH/stable] package/putty: Ignore CVE-2021-33500
  2021-06-08  5:09 ` Alexander Dahl
  2021-06-08  6:35   ` Peter Korsgaard
@ 2021-06-11  8:17   ` Peter Korsgaard
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2021-06-11  8:17 UTC (permalink / raw)
  To: buildroot

>>>>> "Alexander" == Alexander Dahl <post@lespocky.de> writes:

 > Hello everyone,
 > since I get autobuilder warning mails every Monday for CVE-2021-33500
 > now, I kindly wanted to ask if this is the right approach?

 > That CVE only affects Windows, master has putty 0.75 which has that
 > fixed already. So I thought it would not be necessary to backport 0.75
 > to the stable branch(es), but ignore that CVE in stable branches only?

Committed to 2021.02.x, thanks.

-- 
Bye, Peter Korsgaard
