[OE-core] [PATCH 01/10] openssl: update to 1.0.2e
Alexander Kanavin
alexander.kanavin at linux.intel.com
Fri Dec 11 12:18:44 UTC 2015
On 12/11/2015 01:13 AM, Paul Eggleton wrote:
>> Can we get the CVEs fixed by this update included in the commit?
>>
>> It's a version update to oe-core's development branch (e.g.
>> non-production, frequently updated), why have the CVEs in the commit
>> message?
>
> So that it's clearer when a CVE has been resolved, however we ended up
> resolving it. We currently have a massive gap in what we know about CVE
> resolution because upgrades that fix them aren't tracked in any way.
The CVE database includes information about which upstream versions are
affected by a vulnerability and which contain the fix. We can use this
information in our RRS to determine whether there are any CVEs to be fixed
and even send notifications to maintainers.
Asking recipe maintainers to inspect the commit log for any new CVEs
fixed when doing a version update of any package, and then placing those
numbers into the recipe commit message is unnecessary manual work that
is also error-prone.
Alex