[OE-core] [RFC] Mark of upstream CVE patches

Richard Purdie richard.purdie at linuxfoundation.org
Tue Dec 15 16:37:33 UTC 2015


On Tue, 2015-12-15 at 11:30 -0500, Philip Balister wrote:
> I also suggest copying the
> 
> https://lists.yoctoproject.org/listinfo/yocto-security
> 
> list.

and the architecture list, this is something that should apply to more
than OE-Core ideally.

Cheers,
Richard

> Philip
> 
> On 12/15/2015 11:03 AM, Mariano Lopez wrote:
> > There is an initiative to track vulnerable software being built (see
> > bugs 8119 and 7515). The idea is to have a testing tool that would check
> > the recipe versions against CVEs. In order to accomplish such a task there
> > is a need to reliably mark the patches from upstream that solve CVEs.
> > 
> > There have been two options to mark the patches that solve CVEs:
> > 
> > 1. Have "CVE" and the CVE number as the patch filename.
> >   Pros:
> >     Doesn't require a new tag.
> >   Cons:
> >     It is not flexible to add more information, for example two CVEs in
> >     the same patch.
> > 
> > 2. Add a new tag in the patch that has the CVE information.
> >   Pros:
> >     It is flexible and can add more information.
> >   Cons:
> >     Requires a change in the patch metadata.
> > 
> > What I would recommend is to add a new tag in the patch; it must contain
> > the CVE ID. With this it would be possible to look for the CVE
> > information easily in the testing tool or in NIST, MITRE, or another web
> > page. For example, this would be part of the patch for CVE-2013-6435,
> > currently in OE-Core:
> > 
> > -- snip --
> > 
> > Upstream-Status: Backport
> > CVE: CVE-2013-6435
> > 
> > Reference:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
> > 
> > -- snip --
> > 
> > The expected output of this discussion is a standard format for CVE
> > patches that most, if not all, community members agree on.
> > 
> > Please let me know your comments.
> > 
> > Cheers,
> > 
> > Mariano Lopez
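The thread proposes a "CVE:" header tag (option 2) with the filename convention (option 1) as the alternative, and a testing tool that would read such marks. The script below, added here as an illustration and not code from OE-Core, Mariano Lopez or anyone else on the thread, shows what that reading side could look like: it extracts CVE IDs from the `CVE:` tag of a patch header, falls back to the filename when there is no tag, and flags patches that name a CVE in the filename but lack the tag. It also handles the case the filename scheme cannot express, several CVE IDs in one patch. The sample patch headers, the function names and the IDs of the form CVE-2000-000N are constructed placeholders for the example, not real advisories or OE-Core files.

```python
import re
from pathlib import Path

# Constructed sample patch headers for the example (not files from OE-Core).
# Only CVE-2013-6435 is taken from the thread; the CVE-2000-000N IDs are
# placeholders and do not refer to real advisories.
SAMPLE_PATCHES = {
    # Option 2 as recommended in the thread: an explicit "CVE:" tag.
    "fix-overflow.patch": """\
From: Maintainer <maintainer@example.invalid>
Subject: [PATCH] fix buffer handling

Upstream-Status: Backport
CVE: CVE-2013-6435

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435

---
 src/file.c | 2 +-
""",
    # Option 2 with two IDs in one tag, which a filename cannot carry.
    "multi-fix.patch": """\
Upstream-Status: Backport
CVE: CVE-2000-0001 CVE-2000-0002

---
""",
    # Option 1: the CVE number lives only in the filename.
    "CVE-2000-0003.patch": """\
Upstream-Status: Backport

---
""",
    # An ordinary patch that fixes no CVE.
    "build-fix.patch": """\
Upstream-Status: Inappropriate [configuration]

---
""",
}

# Shape of a CVE identifier: year plus at least four digits.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# The proposed tag: a line of its own starting with "CVE:", IDs after it.
CVE_TAG_RE = re.compile(r"^CVE:\s*(.+?)\s*$", re.MULTILINE)


def patch_header(patch_text):
    """Return the commit-message part of a patch: everything before the
    first '---' separator or diff header, so text inside the diff body
    (e.g. a changelog hunk mentioning a CVE) is never mistaken for a tag."""
    lines = []
    for line in patch_text.splitlines():
        if line.rstrip() == "---" or line.startswith(("diff ", "--- a/", "Index: ")):
            break
        lines.append(line)
    return "\n".join(lines)


def cves_from_tag(patch_text):
    """Option 2: collect every ID from every 'CVE:' line in the header."""
    found = []
    for match in CVE_TAG_RE.finditer(patch_header(patch_text)):
        found.extend(CVE_ID_RE.findall(match.group(1)))
    return found


def cves_from_filename(patch_name):
    """Option 1: infer the ID from the file name (one ID at most)."""
    return CVE_ID_RE.findall(Path(patch_name).name)


def cves_for_patch(patch_name, patch_text):
    """The tag is authoritative; the filename is only a fallback.
    Returns the IDs de-duplicated and in order of appearance."""
    ids = cves_from_tag(patch_text) or cves_from_filename(patch_name)
    return list(dict.fromkeys(ids))


def cve_report(patches):
    """Map each patch name to the CVEs it claims to fix ([] if none)."""
    return {name: cves_for_patch(name, text) for name, text in patches.items()}


def untagged_cve_patches(patches):
    """Lint check for a layer: patches whose name carries a CVE number
    but whose header lacks the 'CVE:' tag the thread proposes."""
    return sorted(name for name, text in patches.items()
                  if cves_from_filename(name) and not cves_from_tag(text))


if __name__ == "__main__":
    for name, ids in cve_report(SAMPLE_PATCHES).items():
        print(f"{name}: {', '.join(ids) or '(no CVE)'}")
    print("missing CVE tag:", untagged_cve_patches(SAMPLE_PATCHES))
```

The header-only scan matters for the tool the thread has in mind: a reference URL or a hunk of a changelog may mention a CVE without the patch fixing it, so only a deliberate `CVE:` line in the commit message is treated as a claim.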
