cf686670b9
CVE-2023-31038 affects log4cxx only if ODBC is supported. While CVE-2023-31038 has been fixed in newer versions of log4cxx, there is quite a huge gap to do a version bump, and the commit that fixes CVE-2023-31038 could not be identified. Therefore, we want to rely on the fact that our log4cxx package does not support ODBC: there is indeed no explicit dependency on our unixodbc package in log4cxx.mk. However, log4cxx automatically detects if ODBC is available and if it is, it uses it. So what we do in this commit is backport an upstream commit, which adds explicitly options to enable/disable ODBC and ESMTP support, and we use them to (1) always disable ODBC and (2) explicitly enable/disable ESMTP support. Thanks to ODBC being disabled, we're not affected by CVE-2023-31038. Of course, there is a potential regression for users who were relying on the implicit unixodbc dependency, but as we could not identify the commit fixing the CVE-2023-31038, this is the best we can do at the moment. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Arnout Vandecappelle <arnout@mind.be> |
||
---|---|---|
.. | ||
0001-Make-ODBC-and-SMTP-opt-in-191.patch | ||
Config.in | ||
log4cxx.hash | ||
log4cxx.mk |