Backport fix for CVE-2022-41794

Question

Backport fix for CVE-2022-41794

Closed this issue 2 years ago · 2 comments

We are using multipath-tools 0.8.4 version which is facing the issue CVE-2022-41974. The issue was fixed in multipath-tools 0.9.2 version & the commit id is (f812466). So can we backport the CVE-2022-41974 fix on our current version 0.8.4 ?

Is 0.8.4 version is still maintained?

Thanks

mwilck commented 2 years ago

Closing.

Answer 1 · 2023-01-16T12:18:44.000Z

We don't maintain stable branches for upstream multipath-tools. The closest you can get is what distributions have done for their multipath-tools packages for various releases.

For example, at SUSE, I backported the upstream fix to SLE15-SP3 code stream, which is based on 0.8.5 here (commit date Sep. 27). For SLE15-SP2, which is based on the older 0.8.2 code, I took the simpler approach suggested by @bmarzins, basically just the 2 commits openSUSE@fbbf280 and openSUSE@92be462.