On 12/9/19 8:48 AM, milunj via Lists.Yoctoproject.Org wrote:
My greeting to all
I am new to the Yocto Project and the Yocto build environment is also new to
me ...
My working task is removing vulnerabilities from libc library...
The processor is based on arm5, while the newer Yocto releases 2.7.x and 3.x do
not provide environment support for arm5-based processors.
The glibc vulnerabilities are fixed in the latest released glibc 2.30 package
<https://sourceware.org/ml/libc-alpha/2019-08/msg00029.html>,
while Yocto 2.6.x includes the 2.28 package.
Also, some of the glibc vulnerabilities are patched in 2.6.4
(\oecore-thud-20.0.4.tar\oecore-thud-20.0.4\meta\recipes-core\glibc\glibc):
CVE-2016-10739
CVE-2018-19591
CVE-2019-6488
CVE-2019-7309
CVE-2019-9169
while there are some others that have not been patched:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3590
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7254
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20796
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9192
Does anyone know whether new vulnerability patches will be applied for
Yocto 2.6.5, and when Yocto 2.6.5 will be released?
Welcome Milun,
2.6.4 was released in early November 2019 and
I don't see any plans to ever release 2.6.5, but I've
CCed Armin to confirm whether this is the official YP plan.
As for patches to the 'thud' branch after 2.6.4:
( see also: http://git.yoctoproject.org/cgit/cgit.cgi/poky/log/?h=thud )
$ cd ../poky.git; git checkout thud; git pull
$ git branch --contains yocto-2.6.4
* thud
$ git log --oneline yocto-2.6.4...
8cd3ee6e1a (HEAD -> thud, origin/thud) linux-yocto/4.14: meta-yocto-bsp update to 143
5bb142d7dd meta-yocto-bsp: Bump to the latest stable kernel for the BSPs
a8640d9a60 bitbake: fetch2: Ensure cached url data is matched to a datastore
3e42c33da5 documentation: Setup for 2.6.4 release
532f2df770 bitbake: bitbake-worker child process create group before registering SIGTERM handler
So it doesn't look like there are any CVE fixes there.
If you prefer not to do such work yourself, there are consultants and
support organizations that provide support for much longer than the
~1 year YP timeline. See the list of companies on:
https://www.yoctoproject.org/ecosystem/yocto-project-compatible-product-showcase/
The supported releases listed on that page are out of date and I'll get it
updated.
Good luck,
../Randy
Thank you in advance
Milun
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#47603): https://lists.yoctoproject.org/g/yocto/message/47603
Mute This Topic: https://lists.yoctoproject.org/mt/67793912/3616765
Mute #yocto: https://lists.yoctoproject.org/mk?hashtag=yocto&subid=6692177
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
--
# Randy MacLeod
# Wind River Linux
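Added example, not part of either message above and not Yocto Project code: a small POSIX shell check for the question Milun raises, which CVE ids from a list of interest have no corresponding patch in a glibc recipe directory such as meta/recipes-core/glibc/glibc/. A CVE counts as covered if a file in the directory is named after it or mentions it in its contents (OE backport patches normally carry a "CVE:" header line). The sample directory, its patch file names and contents are constructed here from the five CVE ids the thread says thud 2.6.4 already patches; the real recipe's file names may differ.

```shell
#!/bin/sh
# Report which of the given CVE ids have no matching patch in <patch_dir>.
# A CVE is treated as covered if a file is named after it or any file in the
# directory mentions the id (e.g. a "CVE: CVE-XXXX-NNNN" patch header).
# Usage: missing_cves <patch_dir> CVE-... [CVE-...]
# Prints one uncovered CVE id per line; prints nothing when all are covered.
missing_cves() {
    dir=$1
    shift
    for cve in "$@"; do
        # covered by file name, e.g. CVE-2019-9169.patch
        if ls "$dir"/"$cve"* >/dev/null 2>&1; then
            continue
        fi
        # covered by a mention inside some patch or recipe file
        if grep -rlq -e "$cve" "$dir" 2>/dev/null; then
            continue
        fi
        echo "$cve"
    done
}

# Constructed stand-in for the recipe's patch directory (assumed layout):
# one patch file per CVE the thread lists as applied in thud 2.6.4.
make_sample_patch_dir() {
    d=$(mktemp -d)
    for cve in CVE-2016-10739 CVE-2018-19591 CVE-2019-6488 CVE-2019-7309 CVE-2019-9169; do
        printf 'CVE: %s\nUpstream-Status: Backport\n' "$cve" > "$d/$cve.patch"
    done
    echo "$d"
}

# Stand-alone run: the four ids the thread says are still open, plus one
# that is patched; only the open ones should be printed.
sample=$(make_sample_patch_dir)
missing_cves "$sample" CVE-2005-3590 CVE-2006-7254 CVE-2018-20796 CVE-2019-9192 CVE-2019-9169
rm -rf "$sample"
```

Against a real checkout, point it at the recipe directory of the branch being audited, e.g. `missing_cves meta/recipes-core/glibc/glibc CVE-2019-9192`; a content match alone is a weaker signal than a file-name match, so confirm by reading the patch header before relying on it.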