Re: [yocto] [RFC] CVEs on sumo branch

2018-09-24 Thread Sinan Kaya

On 9/24/2018 10:27 AM, Sinan Kaya wrote:
> Here is another one.
>
> https://patches.openembedded.org/patch/154290/

I see you pulled this into rocko-next. It is also needed for the sumo
branch.
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


Re: [yocto] [RFC] CVEs on sumo branch

2018-09-24 Thread Sinan Kaya

On 9/22/2018 10:46 AM, akuster wrote:
>>     Signed-off-by: Zheng Ruoqin
>>     Signed-off-by: Richard Purdie
>>
>> What does it take to move this in the right direction?
> bring it to my attention like you have.
>
> backported it for the next build round.

Here is another one.

https://patches.openembedded.org/patch/154290/

I'll post gnupg: CVE-2018-9234 shortly.


Re: [yocto] [RFC] CVEs on sumo branch

2018-09-22 Thread akuster


On 09/21/2018 02:07 PM, Sinan Kaya wrote:
> On 9/21/2018 4:35 PM, akuster808 wrote:
>> I already have in my sumo-next
>> http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=stable/sumo-next
>>
>> libcroco: patch for CVE-2017-7960
>> 
>>
>>
>> libarchive: CVE-2017-14501
>> 
>>
>>
>> For the rest can you send them to the proper mailing list
>> openembedded-c...@lists.openembedded.org via git send-patch.
>
> Actually, I took this from open-embedded master branch.
>
> https://github.com/openembedded/openembedded-core/commit/b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7
>
>
> commit b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7
> Author: Zheng Ruoqin 
> Date:   Tue Jun 26 13:44:17 2018 +0800
>
>     glibc: fix CVE-2018-11237
>
>     glibc: fix CVE-2018-11237
>
>     Signed-off-by: Zheng Ruoqin 
>     Signed-off-by: Richard Purdie 
>
> What does it take to move this in the right direction?
bring it to my attention like you have.

backported it for the next build round.

Thanks,
Armin
>
> I'll take care of the remaining 3.



Re: [yocto] [RFC] CVEs on sumo branch

2018-09-21 Thread Sinan Kaya

On 9/21/2018 4:35 PM, akuster808 wrote:
> I already have in my sumo-next
> http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=stable/sumo-next
>
> libcroco: patch for CVE-2017-7960
>
> libarchive: CVE-2017-14501
>
> For the rest can you send them to the proper mailing list
> openembedded-c...@lists.openembedded.org via git send-patch.


Actually, I took this from open-embedded master branch.

https://github.com/openembedded/openembedded-core/commit/b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7

commit b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7
Author: Zheng Ruoqin 
Date:   Tue Jun 26 13:44:17 2018 +0800

glibc: fix CVE-2018-11237

glibc: fix CVE-2018-11237

Signed-off-by: Zheng Ruoqin 
Signed-off-by: Richard Purdie 

What does it take to move this in the right direction?

I'll take care of the remaining 3.


Re: [yocto] [RFC] CVEs on sumo branch

2018-09-21 Thread Sinan Kaya

On 9/21/2018 4:35 PM, akuster808 wrote:
> For the rest can you send them to the proper mailing list
> openembedded-c...@lists.openembedded.org via git send-patch.
>
> I noticed a few of the patches for recipes need some additional information:
> please review
> https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
>
> In general, we need to make sure Master is not affected before I can
> take them into Sumo.


Sure, I'll work on it. I'm fairly new to working with the yocto upstream.


Re: [yocto] [RFC] CVEs on sumo branch

2018-09-21 Thread akuster808
Sinan,


On 09/21/2018 12:43 PM, Sinan Kaya wrote:
> I'm sure this has been discussed recently but I wanted to raise this
> question
> one more time as I have seen a lot of CVEs patches getting pulled into
> the sumo
> branch recently.
>
> We started enabling the cve-check feature and are triaging the results
> of CVE
> reports. We think that the following CVEs need attention and need to
> be pulled
> into the sumo branch.
Nice to see another user of this tool.

>
> There are two approaches to solve this problem:
> 1. upgrade these packages to the respective versions:
>
> CVE-2018-13785:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=3b847972b8c6135a695b4a16c836ad2dd1cbb350
> CVE-2018-8740:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=a6646df0cab4bd191974fde33ed8a87b9720557e
> CVE-2017-15874:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=29108755c1c5a23855ab4dda59ea728781b9d75e
> CVE-2017-14501:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=381f016dccb78a8cf52ffde05459ff084b2f15fd
> CVE-2018-11237:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=fb535ac046697db5923575bb23ee419fe7cfbab2
> CVE-2017-7960:
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=26d1f906258e1d5a933830ee0e4f051d29ee7585

Typically we do not upgrade packages in stable unless the upgrade is a
bug fix only and it does not break things, and it is at the discretion
of the stable branch maintainer.

>
> 2. Apply the attached patches to sumo branch.

I already have in my sumo-next
http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=stable/sumo-next
libcroco: patch for CVE-2017-7960


libarchive: CVE-2017-14501


For the rest can you send them to the proper mailing list
openembedded-c...@lists.openembedded.org via git send-patch.

I noticed a few of the patches for recipes need some additional information:
please review
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines

In general, we need to make sure Master is not affected before I can
take them into Sumo.

Thank you for backporting fixes.

regards,
Armin
>
> We'd like to hear the community opinion.
>
> Sinan



Re: [yocto] [RFC] CVEs on sumo branch

2018-09-21 Thread Alexander Kanavin
2018-09-21 21:43 GMT+02:00 Sinan Kaya :
> 2. Apply the attached patches to sumo branch.
>
> We'd like to hear the community opinion.

For stable branches the yocto project tends to be on the conservative
side. Which means option 2: backport the cve fixes.

For the master branch, version upgrades are preferable, unless a
pre-release freeze is in effect.

Alex