From: Sudhir Dumbhare <[email protected]> Analysis: - CVE-2026-3832 affects GnuTLS OCSP multi-record response handling. - The vulnerable OCSP response handling code was introduced in GnuTLS 3.8.8. - This vulnerable code is not present in the current GnuTLS 3.8.4. - Hence ignoring the CVE for this version.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3832 https://security-tracker.debian.org/tracker/CVE-2026-3832 https://gitlab.com/gnutls/gnutls/-/issues/1801 Signed-off-by: Sudhir Dumbhare <[email protected]> --- meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index ccb6a2b4b2..6d43c58df2 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb @@ -124,3 +124,5 @@ pkg_postinst_ontarget:${PN}-fips () { ${bindir}/fipshmac ${libdir}/libhogweed.so.6.* > ${libdir}/.libhogweed.so.6.hmac fi } + +CVE_STATUS[CVE-2026-3832] = "fixed-version: vulnerable multi-record OCSP response handling was introduced in 3.8.8 and is not present in 3.8.4" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#238671): https://lists.openembedded.org/g/openembedded-core/message/238671 Mute This Topic: https://lists.openembedded.org/mt/119786186/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
