Release 6.2.2 clarification #560

Closed
jubalh opened this issue Jan 19, 2023 · 8 comments

@jubalh
Contributor

jubalh commented Jan 19, 2023

I'm trying to figure out what changed in the freshly released 6.2.2.

The release note on GitHub states ipv6 host ip address support and logfile CVE fixes.
The diff provided by et-v6.2.2...et-v6.2.1 is huge. A lot of external lib changes in it. Hard to see what actually was going on.

So I wonder, which CVEs got fixed? CVE-2022-48257, CVE-2022-48258, CVE-2023-23558? All of them? Only one?

I found #555 so that seems to be part of it.

Maybe you could help me with the rest? Maybe mentioning the CVE numbers in the respective issue (after they became public) so that it's easier to search and understand. Or maybe even having a changelog or mentioning the changes in more detail on the github release page.
For example:

- Fix log ... (#someissuenumber)
- Add ipv6 blabla.. (#someissuenumber)

Would be quite helpful. Then distributions and other interested people could easily understand what changed and also review the issues.

@jubalh
Contributor Author

jubalh commented Jan 19, 2023

I tried to take a quick look. Please check if I forgot more. I think the changelog/release note should actually look like:

* Support for ipv6 addresses (#536)
* Support collapsed zeroes format for ipv6 host addresses (#537)
* Support ipv6 abbreviated addresses (#539)
* Fix tunnel parsing exception handling (#550)
* Logfile open mode and permission plus location configurability (#556) CVE-2022-48257, CVE-2022-48258

Or something like that. Please check if I forgot more. And consider editing the notes on the release page accordingly.

@jubalh
Contributor Author

jubalh commented Jan 19, 2023

When building the new release I get:

[   22s] -- The C compiler identification is GNU 12.2.1
[   22s] -- Detecting C compiler ABI info
[   22s] -- Detecting C compiler ABI info - done
[   22s] -- Check for working C compiler: /usr/bin/cc - skipped
[   22s] -- Detecting C compile features
[   22s] -- Detecting C compile features - done
[   22s] -- The CXX compiler identification is GNU 12.2.1
[   22s] -- Detecting CXX compiler ABI info
[   22s] -- Detecting CXX compiler ABI info - done
[   22s] -- Check for working CXX compiler: /usr/bin/c++ - skipped
[   22s] -- Detecting CXX compile features
[   22s] -- Detecting CXX compile features - done
[   22s] -- Found OpenSSL: /usr/lib64/libcrypto.so (found version "1.1.1s")  
[   22s] CMake Error at CMakeLists.txt:96 (find_package):
[   22s]   By not providing "FindSanitizers.cmake" in CMAKE_MODULE_PATH this project
[   22s]   has asked CMake to find a package configuration file provided by
[   22s]   "Sanitizers", but CMake did not find one.
[   22s] 
[   22s]   Could not find a package configuration file provided by "Sanitizers" with
[   22s]   any of the following names:
[   22s] 
[   22s]     SanitizersConfig.cmake
[   22s]     sanitizers-config.cmake
[   22s] 
[   22s]   Add the installation prefix of "Sanitizers" to CMAKE_PREFIX_PATH or set
[   22s]   "Sanitizers_DIR" to a directory containing one of the above files.  If
[   22s]   "Sanitizers" provides a separate development package or SDK, be sure it has
[   22s]   been installed.

The directory external/sanitizers-cmake seems empty.

@jubalh changed the title from "Release clarification" to "Release 6.2.2 clarification" on Jan 19, 2023
@AKosturArista

Could someone verify that the source tarball contains the right things? v6.2.1's tarball is 22MB, but 6.2.2 is only 429KB?

@jubalh
Contributor Author

jubalh commented Jan 20, 2023

6.2.4 got released and has a 21.8MB tarball again.
Building works fine now.

I still would like to get a changelog and information on which CVEs got fixed in which version.

@jshort
Collaborator

jshort commented Jan 20, 2023

Check out 6.2.4, I've updated the notes and compared to 6.2.1. 6.2.2 has been deleted.

@jubalh
Contributor Author

jubalh commented Jan 20, 2023

Thanks, the changes are much more informative now.
But it looks like none of the releases mention the CVE fixes at all? Could you add this as well?

@jshort
Collaborator

jshort commented Jan 20, 2023

> Thanks, the changes are much more informative now. But it looks like none of the releases mention the CVE fixes at all? Could you add this as well?

Done!

@jubalh
Contributor Author

jubalh commented Jan 23, 2023

Great, thank you!

@jubalh closed this as completed on Jan 23, 2023