Sinan,
On 09/21/2018 12:43 PM, Sinan Kaya wrote:
> I'm sure this has been discussed recently but I wanted to raise this question
> one more time as I have seen a lot of CVE patches getting pulled into the sumo
> branch recently.
>
> We started enabling the cve-check feature and are triaging the results of CVE
> reports. We think that the following CVEs need attention and need to be pulled
> into the sumo branch.

Nice to see another user of this tool.

> There are two approaches to solve this problem:
> 1. upgrade these packages to the respective versions:
>
> CVE-2018-13785:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=3b847972b8c6135a695b4a16c836ad2dd1cbb350
> CVE-2018-8740:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=a6646df0cab4bd191974fde33ed8a87b9720557e
> CVE-2017-15874:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=29108755c1c5a23855ab4dda59ea728781b9d75e
> CVE-2017-14501:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=381f016dccb78a8cf52ffde05459ff084b2f15fd
> CVE-2018-11237:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=fb535ac046697db5923575bb23ee419fe7cfbab2
> CVE-2017-7960:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=26d1f906258e1d5a933830ee0e4f051d29ee7585

Typically we do not upgrade packages in stable unless the upgrade is a bug fix only and it does not break things, and it is at the discretion of the stable branch maintainer.

> 2. Apply the attached patches to sumo branch.
I already have in my sumo-next
http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=stable/sumo-next

libcroco: patch for CVE-2017-7960
<http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/commit/?h=stable/sumo-nmut&id=c02364a464d2e96ca663018d5266c68751f2c335>

libarchive: CVE-2017-14501
<http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/commit/?h=stable/sumo-nmut&id=8d7f5e76cad2127e477056ce42d1be06b4df5b5c>

For the rest, can you send them to the proper mailing list
openembedded-c...@lists.openembedded.org via git send-patch.

I noticed a few of the patches for recipes need some additional information; please review
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines

In general, we need to make sure Master is not affected before I can take them into Sumo.

Thank you for backporting fixes.

regards,

Armin

> We'd like to hear the community opinion.
>
> Sinan
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto