If you understand the code well, and can be confident that your backports address the issue correctly and do not introduce new issues, then by all means go ahead.
My personal position should be known: I see the whole 'CVE backporting' industry as a colossal waste. We need to learn to update to supported upstream versions, and not be scared of breaking production with that.

Alex

On Tue, 7 Mar 2023 at 10:05, Valek, Andrej <[email protected]> wrote:
>
> Hello Alex,
>
> Yes, that would be an option, but afaik it wasn't working quite well. So I
> would still prefer a straightforward solution.
>
> Should I spend some time for creating such patches? Means if there will
> be a potential option for being accepted?
>
> Andrej
>
> On Tue, 2023-03-07 at 07:37 +0100, Alexander Kanavin wrote:
> > You probably should make a kirkstone mixin layer like we did for
> > dunfell.
> > https://git.yoctoproject.org/meta-lts-mixins/
> >
> > Alex
> >
> > On Tue, 7 Mar 2023 at 07:32, Andrej Valek <[email protected]>
> > wrote:
> > >
> > > Hello everyone,
> > >
> > > I would like to ask you how to proceed with multiple CVEs for
> > > Google Go
> > > component in kirkstone branch.
> > >
> > > CVEs in current version 1.17.13:
> > > - CVE-2022-41722
> > > - CVE-2022-41725
> > > - CVE-2022-41724
> > > - CVE-2022-41723
> > >
> > > They are fixed in 1.19.6/1.20.1 branches, but fixing patches are
> > > available for all of them too. Unfortunately there is more than
> > > ~1000
> > > changed LOC. So not sure if this is the right approach to apply
> > > them.
> > > Not sure if the upgrade is acceptable.
> > >
> > > So how to proceed with this?
> > >
> > > I know, that they aren't a critical one, but would be nice to have
> > > them
> > > fixed.
> > >
> > > Regards,
> > > Andrej
