On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote: > On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote: > > On 2/17/20 9:46 PM, Huo, De wrote: > > > I applied the patch to fix CVE defect CVE-2019-18276. > > > > That's not exactly an answer to the question of who produced the > > patch. > > If that patch is the one causing failures when it's applied, > > doesn't it > > make sense to go back to the person who produced it and ask them to > > update it if necessary? > > Its likely a general CVE patch where both configure and configure.ac > are patched. For OE, we can drop the configure part since we > reautoconf > the code. Its therefore the OE port of the patch which is likely at > fault. > > Someone just needs to remove that section of the patch.
There are other issues with this patch which should also be fixed I think. It has been marked as a Backport while it is not one. The patch includes changes that are irrelevant to the CVE. And, it should have gone to master first. Thanks, Anuj -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core