On Sat Jun 13, 2026 at 12:25 PM CEST, Sudhir Dumbhare via
lists.openembedded.org wrote:
> From: Sudhir Dumbhare <[email protected]>
>
> Analysis:
> - CVE-2026-3832 affects GnuTLS OCSP multi-record response handling.
> - The vulnerable OCSP response handling code was introduced in GnuTLS 3.8.8.
> - This vulnerable code is not present in the current GnuTLS 3.8.4.
> - Hence ignoring the CVE for this version.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2026-3832
> https://security-tracker.debian.org/tracker/CVE-2026-3832
> https://gitlab.com/gnutls/gnutls/-/issues/1801
>
> Signed-off-by: Sudhir Dumbhare <[email protected]>
> ---
I think the CVE applies to wrynose. Can you send a fix there, and then,
ping back here?
Thanks!
> meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> index ccb6a2b4b2..6d43c58df2 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> @@ -124,3 +124,5 @@ pkg_postinst_ontarget:${PN}-fips () {
> ${bindir}/fipshmac ${libdir}/libhogweed.so.6.* >
> ${libdir}/.libhogweed.so.6.hmac
> fi
> }
> +
> +CVE_STATUS[CVE-2026-3832] = "fixed-version: vulnerable multi-record OCSP
> response handling was introduced in 3.8.8 and is not present in 3.8.4"
--
Yoann Congal
Smile ECS
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239305):
https://lists.openembedded.org/g/openembedded-core/message/239305
Mute This Topic: https://lists.openembedded.org/mt/119786186/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-