Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-30 Thread Scott Murray
On Thu, 29 Jun 2017, Richard Purdie wrote: > On Wed, 2017-06-28 at 13:38 -0400, Scott Murray wrote: > > On Mon, 19 Jun 2017, Richard Purdie wrote: > > > > > > > > I suspect this has been missed by some people so I want to spell it > > > out. We have our first CVE in OE-Core itself. > > > > > >

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-29 Thread Richard Purdie
On Wed, 2017-06-28 at 13:38 -0400, Scott Murray wrote: > On Mon, 19 Jun 2017, Richard Purdie wrote: > > > > > I suspect this has been missed by some people so I want to spell it > > out. We have our first CVE in OE-Core itself. > > > > The issue is limited to binary ipks potentially exposing

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-28 Thread Scott Murray
On Mon, 19 Jun 2017, Richard Purdie wrote: > I suspect this has been missed by some people so I want to spell it > out. We have our first CVE in OE-Core itself. > > The issue is limited to binary ipks potentially exposing sensitive > information through the "Source:" field which contained the

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-22 Thread Richard Purdie
On Tue, 2017-06-20 at 08:27 -0500, Sean Hudson wrote: > On 2017-06-20 04:30 AM, Paul Eggleton wrote: > > > > On Monday, 19 June 2017 5:31:10 PM CEST Sean Hudson wrote: > > > > > > On 2017-06-19 09:05 AM, Mark Hatle wrote: > > > > > > > > It would be reasonable to write up a 'best practices'

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-20 Thread Paul Eggleton
On Tuesday, 20 June 2017 3:27:15 PM CEST you wrote: > On 2017-06-20 04:30 AM, Paul Eggleton wrote: > > On Monday, 19 June 2017 5:31:10 PM CEST Sean Hudson wrote: > >> On 2017-06-19 09:05 AM, Mark Hatle wrote: > >>> It would be reasonable to write up a 'best practices' type document. > >>>

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-20 Thread Sean Hudson
On 2017-06-20 04:30 AM, Paul Eggleton wrote: > On Monday, 19 June 2017 5:31:10 PM CEST Sean Hudson wrote: >> On 2017-06-19 09:05 AM, Mark Hatle wrote: >>> It would be reasonable to write up a 'best practices' type document. >>> Explaining that simply due to the nature of building many of these

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-20 Thread Paul Eggleton
On Monday, 19 June 2017 5:31:10 PM CEST Sean Hudson wrote: > On 2017-06-19 09:05 AM, Mark Hatle wrote: > > It would be reasonable to write up a 'best practices' type document. > > Explaining that simply due to the nature of building many of these things > > will be 'leaked' and where some of them

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-19 Thread Sean Hudson
On 2017-06-19 09:05 AM, Mark Hatle wrote: > On 6/19/17 8:20 AM, Philip Balister wrote: >> On 06/19/2017 06:38 AM, Richard Purdie wrote: >>> I suspect this has been missed by some people so I want to spell it >>> out. We have our first CVE in OE-Core itself. >>> >>> The issue is limited to binary

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-19 Thread Mark Hatle
On 6/19/17 5:38 AM, Richard Purdie wrote: > I suspect this has been missed by some people so I want to spell it > out. We have our first CVE in OE-Core itself. > > The issue is limited to binary ipks potentially exposing sensitive > information through the "Source:" field which contained the full

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-19 Thread Mark Hatle
On 6/19/17 8:20 AM, Philip Balister wrote: > On 06/19/2017 06:38 AM, Richard Purdie wrote: >> I suspect this has been missed by some people so I want to spell it >> out. We have our first CVE in OE-Core itself. >> >> The issue is limited to binary ipks potentially exposing sensitive >> information

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-19 Thread Philip Balister
On 06/19/2017 09:29 AM, Burton, Ross wrote: > On 19 June 2017 at 14:20, Philip Balister wrote: > >> So the issue is leaking credentials, not build system paths? I mention >> this because we do leak build system paths into images in other places. >> > > Yes, SRC_URI can

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-19 Thread Burton, Ross
On 19 June 2017 at 14:20, Philip Balister wrote: > So the issue is leaking credentials, not build system paths? I mention > this because we do leak build system paths into images in other places. > Yes, SRC_URI can contain username/passwords, and even if you filter those

Re: [OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-19 Thread Philip Balister
On 06/19/2017 06:38 AM, Richard Purdie wrote: > I suspect this has been missed by some people so I want to spell it > out. We have our first CVE in OE-Core itself. > > The issue is limited to binary ipks potentially exposing sensitive > information through the "Source:" field which contained the