On 9/25/14, 5:40 PM, Burton, Ross wrote:
Hi Francesco,

On 25 September 2014 11:35, Francesco Del Degan <f.delde...@endian.com> wrote:
Updated to reflect the latest patchset in bash 4.3.
Fixes the CVE-2014-6271.

I'm hearing that this isn't a complete fix, so let's wait for more patches.

Is it possible to cherry-pick just the security fixes, instead of
every patch they've released?

Finally, patches for oe-core should go to openembedded-core@, not yocto@.

Ross


Patch 025 fixes CVE-2014-6271, but does NOT fix CVE-2014-7169 or possibly two other issues people are currently looking into. (None of this is confidential BTW.. you can all follow along on the oss-security mailing list.)

So I would recommend that someone get the 025 patch (don't forget to patch bash 3.2 as well) in.. and we should wait until there is an official one for 7169.

--Mark