Impact of certain CVEs on Mender

Hi there!

How do you consider the impact of

https://nvd.nist.gov/vuln/detail/CVE-2021-33195
https://nvd.nist.gov/vuln/detail/CVE-2021-33196
https://nvd.nist.gov/vuln/detail/CVE-2021-33197
https://nvd.nist.gov/vuln/detail/CVE-2021-33198

on Mender?

Do you think this is critical? We are asking since dunfell is directly affected with version 1.14.12.

Best regards

Taking each one separately:

I believe it is impacted, but since the client validates the server certificate against the DNS name, in practice it has no other effect than not being able to connect (as long as the attack is going on).

Impacted, but the attacker must have deployment privileges on the server in order to exploit it. As far as I can tell, all they can do is crash the client, but systemd is set to automatically restart the mender client if it panics, so it should have no lasting effect.

Not impacted, ReverseProxy is not used in the client.

I think not impacted, the client doesn’t use the math.big package. I’m not 100% sure if some of the crypto functions might use it, but probably this would have been mentioned in the CVE, so I don’t think so.

Thanks for your quick reply.