CVE-2022-3474: A bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the required ones for the requests. We recommend upgrading to versions later than or equal to 5.3.2 or 4.2.3. This is Google's CVE. The CVE description says to upgrade to 4.2.3/5.3.2. The GitHub advisory (referenced by the CVE) says there's no fixed version. Not sure who to trust here.
Ah, fixes are indeed in 4.2.3, 5.3.2, 5.4.0: https://github.com/bazelbuild/bazel/pull/16450. Needs bumps.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=937bb2fe50b5f938cca85d4a3b2ba55dbf71e617

commit 937bb2fe50b5f938cca85d4a3b2ba55dbf71e617
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2024-02-24 12:50:14 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2024-02-24 12:50:14 +0000

    dev-build/bazel: treeclean

    Bug: https://bugs.gentoo.org/878501
    Closes: https://bugs.gentoo.org/906914
    Closes: https://bugs.gentoo.org/917689
    Closes: https://bugs.gentoo.org/918703
    Closes: https://bugs.gentoo.org/634046
    Closes: https://bugs.gentoo.org/652776
    Closes: https://bugs.gentoo.org/687538
    Closes: https://bugs.gentoo.org/747370
    Closes: https://bugs.gentoo.org/766243
    Closes: https://bugs.gentoo.org/790116
    Closes: https://bugs.gentoo.org/820179
    Closes: https://bugs.gentoo.org/820182
    Closes: https://bugs.gentoo.org/832935
    Closes: https://bugs.gentoo.org/837023
    Closes: https://bugs.gentoo.org/846464
    Closes: https://bugs.gentoo.org/858314
    Closes: https://bugs.gentoo.org/867292
    Closes: https://bugs.gentoo.org/872455
    Closes: https://bugs.gentoo.org/884477
    Closes: https://bugs.gentoo.org/895300
    Closes: https://bugs.gentoo.org/909434
    Closes: https://bugs.gentoo.org/917257
    Closes: https://bugs.gentoo.org/919798
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-build/bazel/Manifest                        |   7 --
 dev-build/bazel/bazel-3.7.2-r1.ebuild           | 117 --------------------
 dev-build/bazel/bazel-4.2.2.ebuild              | 100 ------------------
 dev-build/bazel/bazel-5.0.0.ebuild              |  96 -----------------
 dev-build/bazel/bazel-5.1.1.ebuild              |  96 -----------------
 dev-build/bazel/bazel-5.3.0.ebuild              | 102 ------------------
 dev-build/bazel/bazel-6.2.0.ebuild              | 102 ------------------
 dev-build/bazel/bazel-6.4.0.ebuild              | 102 ------------------
 .../bazel-3.2.0-include-limits-for-gcc-11.patch |  25 -----
 .../bazel-3.7.2-musl-temp-failure-retry.patch   |  34 ------
 .../files/bazel-4.2.2-absl_numeric_limits.patch |  41 --------
 dev-build/bazel/metadata.xml                    |  20 ----
 profiles/package.mask                           |  15 ---
 profiles/updates/1Q-2024                        |   1 -
 14 files changed, 858 deletions(-)
Vote glsa: no.