On Mon, 2022-03-07 at 12:26 +0100, Quentin Schulz wrote:
> Hi all,
>
> On 3/7/22 12:21, Quentin Schulz wrote:
> > From: Alexander Kanavin <[email protected]>
> >
> > Signed-off-by: Alexander Kanavin <[email protected]>
> > Signed-off-by: Richard Purdie <[email protected]>
> > (cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
> > Signed-off-by: Quentin Schulz <[email protected]>
> > ---
>
> https://www.spinics.net/lists/util-linux-ng/msg17037.html 2.37.3 fixes
> two CVEs (not listed on nvdist database for some reason).
>
> https://www.spinics.net/lists/util-linux-ng/msg17087.html 2.37.4 fixes
> one CVE (not listed on bvdist for some reason).
>
> I think it might be useful for release maintainer(s) if we mention in
> the commit log or commit title if it's a security bump or not when
> sending patches for version bumps to master? What do you think? (FYI,
> Buildroot seems to do it regularly and it helps me with keeping my
> vendor tree somewhat up-to-date security wise).

I'm happy if people do mention it (I did for expat recently) but I'm not going to block upgrades on the information being missing (how would I tell?). We're struggling to get people to submit upgrades so I'm reluctant to make it harder for them.

Cheers,

Richard
