From eb2d5da24206994488a5824bd482566ed41ffb90 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 10 Oct 2022 14:11:46 +0200
Subject: [PATCH 1/3] profiles: Add accept keywords for net-misc/curl

---
 .../profiles/coreos/base/package.accept_keywords | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 53950702d3..503069cdb8 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -14,6 +14,9 @@
 =dev-libs/libgcrypt-1.9.4 ~amd64 ~arm64
+# To address CVE-2022-35252.
+=net-misc/curl-7.85.0-r2 ~amd64 ~arm64
+
 =net-misc/openssh-8.8_p1-r3 ~amd64 ~arm64
 # Required for addressing CVE-2022-29154
From 3ce90997274b52d1b5f916b70508f9e52c745417 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 10 Oct 2022 14:12:14 +0200
Subject: [PATCH 2/3] profiles: Remove obsolete USE flag of net-misc/curl

Also drop the comment, it was related to the media-libs/mesa package that was dropped over 9 years ago in commit de91081f00a4ab07332759b1bbfc3072d530c9fd.
---
 .../coreos-overlay/profiles/coreos/base/package.use | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 4e1b3fa5d9..a3f48fa2d1 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
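Review bot: The comment added in package.accept_keywords names the CVE but not the condition under which the entry can be removed, and the atom `=net-misc/curl-7.85.0-r2` matches that single revision only. If the curl ebuild in the tree is later bumped to another revision, this line stops applying and Portage may resolve to an older stable curl, presumably one still affected, without the build failing. I would extend the comment to something like `# To address CVE-2022-35252. Keep in sync with the curl ebuild; drop once a fixed version is stable on amd64 and arm64.`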
@@ -10,8 +10,7 @@ dev-libs/libxml2 -python
 dev-libs/libxslt -python
 dev-util/perf -doc
 dev-vcs/git webdav curl bash-completion
-# We don't want any driver/hw rendering on the host
-net-misc/curl kerberos threads telnet
+net-misc/curl kerberos telnet
 net-misc/iputils arping tracepath traceroute6
 sys-devel/gettext -git
From 7499c24a5244e701fa857c040118718dfc551aaf Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Thu, 20 Oct 2022 14:34:18 +0200
Subject: [PATCH 3/3] changelog: Add entries

---
 .../coreos-overlay/changelog/security/2022-10-20-curl-update.md | 1 +
 .../coreos-overlay/changelog/updates/2022-10-20-curl-update.md | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/security/2022-10-20-curl-update.md
 create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-10-20-curl-update.md

diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-10-20-curl-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-10-20-curl-update.md
new file mode 100644
index 0000000000..b793942929
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-10-20-curl-update.md
@@ -0,0 +1 @@
+- curl ([CVE-2022-35252](https://nvd.nist.gov/vuln/detail/CVE-2022-35252))
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-10-20-curl-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-10-20-curl-update.md
new file mode 100644
index 0000000000..3ca94c7285
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-10-20-curl-update.md
@@ -0,0 +1 @@
+- curl ([7.85](https://curl.se/mail/archive-2022-08/0012.html))
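Review bot: In package.use the new line `net-misc/curl kerberos telnet` is left without any explanation now that the stale comment above it is removed, so nothing records why `telnet` and `kerberos` are enabled for curl in the base profile. If nothing in the image needs telnet:// URLs, dropping that flag would trim curl's protocol surface; otherwise a one-line comment such as `# kerberos: <consumer>; telnet: <consumer>` would document the dependency. The hunk does not show the curl ebuild, so it is also worth confirming that `threads` is really gone from its IUSE rather than merely defaulted, since otherwise the resolver backend would change with this commit.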