Brendan Cunningham

Results 37 comments of Brendan Cunningham

> Explicitly nacking so that we don't merge this without discussion. I do not believe that we should take one-off patches. We should either update libevent to one without the...

> Is this a libevent configure option to disable the DNS code, perchance?

Yes, libevent has a configure option `--disable-dns`.

```
opal/mca/event/libevent2022/configure.m4:138: event_args="--disable-dns --disable-http --disable-rpc --disable-openssl --enable-thread-support"
```

And this...

> @BrendanCunningham (and @artemry-nv, from #10583) How did your internal scanner find this issue? Do we know that patching libevent will actually make your scanners happy? Or are the scanners...

> @BrendanCunningham Does `--disable-dns` effectively address the CVEs?

`--disable-dns` does prevent `evdns.c` from being compiled; that takes care of 2 of the 3 CVE hits. The third CVE hit is...

> @BrendanCunningham So there's three proposed solutions:
>
> 1. See if `--disable-dns` was sufficient. I.e., is your scanner smart enough to realize that the bad functions in question are...

> > Yes, we will test if the PR fixes the CVE hits according to our scanner. > > @BrendanCunningham Have you been able to do this yet, perchance? Have...

> > > @BrendanCunningham Have you been able to do this yet, perchance? > > > > > > Have not, no. > > @BrendanCunningham Do you have an ETA...

@jsquyres we ran our scanner against both our OpenMPI 4.1.4 build with our CVE fixes and Open MPI 4.1.4 built from the [openmpi-4.1.4-1.src.rpm](https://download.open-mpi.org/release/open-mpi/v4.1/openmpi-4.1.4-1.src.rpm). Our CVE scanner did not report any...

> @jsquyres we ran our scanner against both our OpenMPI 4.1.4 build with our CVE fixes and Open MPI 4.1.4 built from the [openmpi-4.1.4-1.src.rpm](https://download.open-mpi.org/release/open-mpi/v4.1/openmpi-4.1.4-1.src.rpm). Our CVE scanner did not report...

evdns.c is only compiled when libevent is built with DNS support. ompi/v4.1.x does not appear to build libevent with DNS support. I am still able to build v4.1.x if I...