Re: [yocto-security] [OE-core] OE-core CVE metrics for master on Sun 22 Jan 2023 02:00:01 AM HST
On Fri, 2023-01-27 at 12:57 +, Richard Purdie wrote:
> On Mon, 2023-01-23 at 13:41 +, Ross Burton wrote:
> > On 23 Jan 2023, at 13:35, Richard Purdie wrote:
> > > > I’ve started braindumping into
> > > > https://wiki.yoctoproject.org/wiki/CVE_Triage, when it’s expanded and
> > > > complete we can link to it. Or maybe we should just start a
> > > > Maintainers book in the documentation?
> > >
> > > Let's put it in the manual. The wiki is good to pull together info but
> > > I'd like the manual to be definitive. I've thought this about patch
> > > submission for a while too, we have too many docs with the useful bits
> > > of data spread over two wikis and a few READMEs…
> >
> > Copying in Michael and Quentin.
> >
> > Taking the JFDI approach, I’ve started (another) wiki page to collect a
> > table of contents at least:
> >
> > https://wiki.yoctoproject.org/wiki/Maintainers_Manual
> >
> > I’m sure there’s plenty I left out, but that’s a start!
>
> I did start experimenting with:
>
> https://git.yoctoproject.org/yocto-docs/commit/?h=contrib/rpurdie-wip=cdbe7f39681d2228849b58d1de4c861826d50832
>
> It does highlight that we need to be careful on importing some docs as
> the wiki info isn't entirely right or well worded in some cases now.

I updated with some fixes for a few things, if I do anything else I'll
update the branch:

https://git.yoctoproject.org/yocto-docs/commit/?h=contrib/rpurdie-wip

Cheers,

Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#176444): https://lists.openembedded.org/g/openembedded-core/message/176444
Mute This Topic: https://lists.openembedded.org/mt/96472422/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [yocto-security] [OE-core] OE-core CVE metrics for master on Sun 22 Jan 2023 02:00:01 AM HST
On Mon, 2023-01-23 at 13:41 +, Ross Burton wrote:
> On 23 Jan 2023, at 13:35, Richard Purdie wrote:
> > > I’ve started braindumping into
> > > https://wiki.yoctoproject.org/wiki/CVE_Triage, when it’s expanded and
> > > complete we can link to it. Or maybe we should just start a
> > > Maintainers book in the documentation?
> >
> > Let's put it in the manual. The wiki is good to pull together info but
> > I'd like the manual to be definitive. I've thought this about patch
> > submission for a while too, we have too many docs with the useful bits
> > of data spread over two wikis and a few READMEs…
>
> Copying in Michael and Quentin.
>
> Taking the JFDI approach, I’ve started (another) wiki page to collect a table
> of contents at least:
>
> https://wiki.yoctoproject.org/wiki/Maintainers_Manual
>
> I’m sure there’s plenty I left out, but that’s a start!

I did start experimenting with:

https://git.yoctoproject.org/yocto-docs/commit/?h=contrib/rpurdie-wip=cdbe7f39681d2228849b58d1de4c861826d50832

It does highlight that we need to be careful on importing some docs as
the wiki info isn't entirely right or well worded in some cases now.

Cheers,

Richard

Re: [yocto-security] [OE-core] OE-core CVE metrics for master on Sun 22 Jan 2023 02:00:01 AM HST
On 23.01.23 at 14:41, Ross Burton wrote:
> On 23 Jan 2023, at 13:35, Richard Purdie wrote:
> > > I’ve started braindumping into
> > > https://wiki.yoctoproject.org/wiki/CVE_Triage, when it’s expanded and
> > > complete we can link to it. Or maybe we should just start a
> > > Maintainers book in the documentation?
> >
> > Let's put it in the manual. The wiki is good to pull together info but
> > I'd like the manual to be definitive. I've thought this about patch
> > submission for a while too, we have too many docs with the useful bits
> > of data spread over two wikis and a few READMEs…
>
> Copying in Michael and Quentin.
>
> Taking the JFDI approach, I’ve started (another) wiki page to collect a table
> of contents at least:
>
> https://wiki.yoctoproject.org/wiki/Maintainers_Manual
>
> I’m sure there’s plenty I left out, but that’s a start!

Thanks! I will start working on it in the next days. It's true the
guidelines are scattered in so many places that consolidating them all
in a central place will help.

Cheers
Michael.

--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [yocto-security] [OE-core] OE-core CVE metrics for master on Sun 22 Jan 2023 02:00:01 AM HST
On Mon, 2023-01-23 at 13:29 +, Ross Burton wrote:
> On 23 Jan 2023, at 12:42, Alexander Kanavin wrote:
> >
> > On Mon, 23 Jan 2023 at 13:40, Ross Burton wrote:
> > > > CVE-2022-3550 (CVSS3: 8.8 HIGH): xserver-xorg
> > > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3550 *
> > > > CVE-2022-3551 (CVSS3: 6.5 MEDIUM): xserver-xorg
> > > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3551 *
> > >
> > > These are fixed in xserver-org 21.1.6, I’ve mailed to get the CPE updated.
> >
> > This is quite often the case, perhaps those weekly reports could
> > include a pointer on how to do that?
>
> I guess whilst the CVE triage process is actually quite simple, there’s a few
> non-obvious steps.
>
> I’ve started braindumping into
> https://wiki.yoctoproject.org/wiki/CVE_Triage, when it’s expanded and
> complete we can link to it. Or maybe we should just start a
> Maintainers book in the documentation?

Let's put it in the manual. The wiki is good to pull together info but
I'd like the manual to be definitive. I've thought this about patch
submission for a while too, we have too many docs with the useful bits
of data spread over two wikis and a few READMEs...

Cheers,

Richard

Re: [yocto-security] [OE-core] OE-core CVE metrics for master on Sun 22 Jan 2023 02:00:01 AM HST
On 23 Jan 2023, at 13:35, Richard Purdie wrote:
>> I’ve started braindumping into
>> https://wiki.yoctoproject.org/wiki/CVE_Triage, when it’s expanded and
>> complete we can link to it. Or maybe we should just start a
>> Maintainers book in the documentation?
>
> Let's put it in the manual. The wiki is good to pull together info but
> I'd like the manual to be definitive. I've thought this about patch
> submission for a while too, we have too many docs with the useful bits
> of data spread over two wikis and a few READMEs…

Copying in Michael and Quentin.

Taking the JFDI approach, I’ve started (another) wiki page to collect a
table of contents at least:

https://wiki.yoctoproject.org/wiki/Maintainers_Manual

I’m sure there’s plenty I left out, but that’s a start!

Ross

Re: [yocto-security] [OE-core] OE-core CVE metrics for master on Sun 22 Jan 2023 02:00:01 AM HST
On 23 Jan 2023, at 12:42, Alexander Kanavin wrote:
>
> On Mon, 23 Jan 2023 at 13:40, Ross Burton wrote:
>>> CVE-2022-3550 (CVSS3: 8.8 HIGH): xserver-xorg
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3550 *
>>> CVE-2022-3551 (CVSS3: 6.5 MEDIUM): xserver-xorg
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3551 *
>>
>> These are fixed in xserver-org 21.1.6, I’ve mailed to get the CPE updated.
>
> This is quite often the case, perhaps those weekly reports could
> include a pointer on how to do that?

I guess whilst the CVE triage process is actually quite simple, there’s a
few non-obvious steps.

I’ve started braindumping into
https://wiki.yoctoproject.org/wiki/CVE_Triage, when it’s expanded and
complete we can link to it. Or maybe we should just start a
Maintainers book in the documentation?

Ross

Re: [yocto-security] [OE-core] OE-core CVE metrics for master on Sun 22 Jan 2023 02:00:01 AM HST
On Mon, 23 Jan 2023 at 13:40, Ross Burton wrote:
> > CVE-2022-3550 (CVSS3: 8.8 HIGH): xserver-xorg
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3550 *
> > CVE-2022-3551 (CVSS3: 6.5 MEDIUM): xserver-xorg
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3551 *
>
> These are fixed in xserver-org 21.1.6, I’ve mailed to get the CPE updated.

This is quite often the case, perhaps those weekly reports could
include a pointer on how to do that?

Alex