On Sun, 21 Feb 2021, Klaus Heinrich Kiwi wrote:
> >> CVE-2021-27138
> >>
> >> Adjust the kernel-fitimage.bbclass accordingly to not use unit
> >> addresses. In addition to fixing a CVE, this is also required before we
> >> can bump U-Boot to 2021.4.
> >>
> >> Signed-off-by: Klaus Heinrich Kiwi <kl...@linux.vnet.ibm.com>
> > [snip]
> >
> > Please send this to the oe-core list since kernel-fitimage.bbclass is in
> > it, not meta-openembedded. I would also perhaps be inclined to not
>
> Thanks, for some reason I thought that -core was discussed here, but I have
> read the README more carefully since then.
>
> > describe this change itself as "fixing a CVE", since it is the change in
> > U-Boot that actually does that IMO.
> >
>
> Yeah I was unsure how to summarize that, since the CVE 'fix' in U-boot is
> to really disallow unit addresses, and looks like it's not going to be
> applied to released branches, but instead only on 2021.4 onwards. So I
> opted to call out the CVE in the title, as it is, in practical terms,
> addressing a CVE (if it's a workaround or a proper fix is debatable I
> guess).
My concern is more about trying to avoid giving people the impression this change somehow fixes the U-Boot vulnerability, as it is entirely possible they might not be using kernel-fitimage.bbclass to generate their fitimages.

I'd be okay with something along the lines of "In addition to not generating fitimage configurations vulnerable to the CVE, this is also required before we can bump U-Boot to 2021.4, which removes unit address support to fix the CVE."

Thanks,
Scott
View/Reply Online (#89631): https://lists.openembedded.org/g/openembedded-devel/message/89631