Hi Ola,

On Sunday, 10.03.2024 at 23:03 +0100, Ola Lundqvist wrote:
> I was about to remove runc from dla-needed but since Adrian sent out
> a question email about the removal I thought one more time. (I'm
> trying to learn from my mistakes) :-)
>
> I'm getting a little confused about the notes about runc in dla-needed.
> It says "Complete fix for CVE-2024-21626 would require backport of ..."
> But CVE-2024-21626 looks like it is already fixed by DLA-3735-1.
>
> If one looks at the status information in the data/CVE/list it looks
> like it is completely corrected.
> But from the dla-needed note it looks like it is not. What is it?
> Is it a sufficient fix?

The fix for CVE-2024-21626 applied by upstream contained a fix for the real issue and multiple hardening measurements (all part of a series of patches). The issue itself should be fixed. I also backported multiple hardening measurements.

However, there is one hardening measurement that uses a function only available in Go 1.12+. So to backport all, this one would require a backport too. I am not able to do it. So, I left a note about it in case someone wants to go for it.

I hope this explains it a bit more.

Regards,
Daniel