Hi Anuj,

I agree the Backport status is not accurate as the patch doesn't go to the master branch, but why do you say the patch is irrelevant to CVE-2019-18276? Could you help to provide more info?

Hi Chet,

Does https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff fix the issue reported in CVE-2019-18276? Could you help to provide some info here?

Thanks,
Mingli

________________________________________
From: [email protected] [[email protected]] on behalf of Mittal, Anuj [[email protected]]
Sent: Tuesday, February 18, 2020 11:43 PM
To: [email protected]; [email protected]; [email protected]; Huo, De; [email protected]; [email protected]
Subject: Re: [OE-core] bash: Fix CVE-2019-18276

On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
> > On 2/17/20 9:46 PM, Huo, De wrote:
> > > I applied the patch to fix CVE defect CVE-2019-18276.
> >
> > That's not exactly an answer to the question of who produced the
> > patch.
> > If that patch is the one causing failures when it's applied,
> > doesn't it make sense to go back to the person who produced it
> > and ask them to update it if necessary?
>
> It's likely a general CVE patch where both configure and configure.ac
> are patched. For OE, we can drop the configure part since we
> reautoconf the code. It's therefore the OE port of the patch which is
> likely at fault.
>
> Someone just needs to remove that section of the patch.

There are other issues with this patch which should also be fixed I think. It has been marked as a Backport while it is not one. The patch includes changes that are irrelevant to the CVE. And, it should have gone to master first.

Thanks,
Anuj

--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
