Hi Ola,
On Sunday, 10.03.2024 at 23:03 +0100, Ola Lundqvist wrote:
>
> I was about to remove runc from dla-needed but since Adrian sent out
> a question email about the removal I thought one more time. (I'm
> trying to learn from my mistakes) :-)
>
> I'm getting a little confused about the notes about runc in dla-needed.
> It says Complete fix for CVE-2024-21626 would require backport of ...
> But CVE-2024-21626 looks like it is already fixed by DLA-3735-1.
>
> If one looks at the status information in the data/CVE/list it looks
> like it is completely corrected.
> But from the dla-needed note it looks like it is not. What is it?
> Is it a sufficient fix?
The fix for CVE-2024-21626 applied by upstream contained a fix for the
real issue and multiple hardening measurements (all part of a series of
patches). The issue itself should be fixed. I also backported multiple
hardening measurements. However, there is one hardening measurement
that uses a function only available in Go 1.12+. So to backport all,
this one would require a backport too. I am not able to do it. So, I
left a note about it in case someone wants to go for it.
I hope this explains it a bit more.
Regards, Daniel