[OE-core] [RFC] Mark of upstream CVE patches
Philip Balister
philip at balister.org
Tue Dec 15 16:49:43 UTC 2015
On 12/15/2015 11:37 AM, Richard Purdie wrote:
> On Tue, 2015-12-15 at 11:30 -0500, Philip Balister wrote:
>> I also suggest copying the
>>
>> https://lists.yoctoproject.org/listinfo/yocto-security
>>
>> list.
>
> and the architecture list, this is something that should apply to more
> than OE-Core ideally.
I thought the exact same thing seconds after hitting send. I'll let the
security and architecture people decide which list is best for discussion.
What I do want to see is fewer discussions cross posted across many lists.
Philip
>
> Cheers,
> Richard
>
>> Philip
>>
>> On 12/15/2015 11:03 AM, Mariano Lopez wrote:
>>> There is an initiative to track vulnerable software being built (see
>>> bugs 8119 and 7515). The idea is to have a testing tool that would check
>>> the recipe versions against CVEs. In order to accomplish such a task there
>>> is a need to reliably mark the patches from upstream that solve CVEs.
>>>
>>> There have been two options to mark the patches that solve CVEs:
>>>
>>> 1. Have "CVE" and the CVE number as the patch filename.
>>> Pros:
>>> Doesn't require a new tag.
>>> Cons:
>>> It is not flexible to add more information, for example two CVEs in
>>> the same patch.
>>>
>>> 2. Add a new tag in the patch that has the CVE information.
>>> Pros:
>>> It is flexible and can add more information.
>>> Cons:
>>> Requires a change in the patch metadata.
>>>
>>> What I would recommend is to add a new tag in the patch; it must contain
>>> the CVE ID. With this it would be possible to look for the CVE
>>> information easily in the testing tool or in NIST, MITRE, or another web
>>> page. For example, this would be part of the patch for CVE-2013-6435,
>>> currently in OE-Core:
>>>
>>> -- snip --
>>>
>>> Upstream-Status: Backport
>>> CVE: CVE-2013-6435
>>>
>>> Reference:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
>>>
>>> -- snip --
>>>
>>> The expected output of this discussion is a standard format for CVE
>>> patches that most, if not all, of community members agree on.
>>>
>>> Please let me know your comments.
>>>
>>> Cheers,
>>>
>>> Mariano Lopez
>
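A small checker for the tag format proposed in this thread, added here as an example; it is not code from the thread or from OE-Core's own tooling. It implements option 2 (a `CVE:` header tag, possibly listing several IDs or repeated) with option 1 (a CVE ID in the patch filename) as a fallback, and restricts the search to the patch header so that a `CVE:` string inside the diffed code is not mistaken for the tag. The patch texts below are constructed samples; the IDs of the form CVE-0000-000N are placeholders used only to show the multi-CVE case, not real CVEs.

```python
"""Extract CVE IDs from OE-style patch metadata (added example, not OE-Core code)."""
import re
from typing import Dict, List

# CVE identifier syntax: "CVE-", a 4-digit year, a dash, 4 or more digits.
CVE_ID_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# The tag proposed in the thread. One or more IDs may follow on the line.
CVE_TAG_RE = re.compile(r"^CVE:[ \t]*(.*)$", re.IGNORECASE | re.MULTILINE)
# The descriptive header ends where the diff begins: git's "---" separator,
# a "diff --git" line, or a plain unified-diff file marker.
DIFF_START_RE = re.compile(r"^(---|diff --git|Index: )", re.MULTILINE)


def patch_header(patch_text: str) -> str:
    """Return only the header part of a patch (everything before the diff)."""
    m = DIFF_START_RE.search(patch_text)
    return patch_text if m is None else patch_text[: m.start()]


def cves_from_tag(patch_text: str) -> List[str]:
    """Option 2: collect CVE IDs from 'CVE:' tag lines, deduplicated in order."""
    ids: List[str] = []
    for tag in CVE_TAG_RE.finditer(patch_header(patch_text)):
        for cve in CVE_ID_RE.findall(tag.group(1)):
            if cve not in ids:
                ids.append(cve)
    return ids


def cves_from_filename(filename: str) -> List[str]:
    """Option 1: derive CVE IDs from the patch filename."""
    return list(dict.fromkeys(CVE_ID_RE.findall(filename)))


def cves_for_patch(filename: str, patch_text: str) -> List[str]:
    """Prefer the explicit tag; fall back to the filename convention."""
    tagged = cves_from_tag(patch_text)
    return tagged if tagged else cves_from_filename(filename)


def scan_patches(patches: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each CVE ID to the patch filenames that claim to fix it."""
    fixed: Dict[str, List[str]] = {}
    for name, text in patches.items():
        for cve in cves_for_patch(name, text):
            fixed.setdefault(cve, []).append(name)
    return fixed


# Constructed sample: a backport tagged as in the thread. The "Reference:"
# line also mentions the ID, but only the "CVE:" tag line counts.
SAMPLE_TAGGED = """\
From: Example Developer <dev at example.org>
Subject: [PATCH] fix an out-of-bounds read (constructed sample)

Upstream-Status: Backport
CVE: CVE-2013-6435

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435

Signed-off-by: Example Developer <dev at example.org>
---
 src/example.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/example.c b/src/example.c
--- a/src/example.c
+++ b/src/example.c
@@ -1,2 +1,2 @@
-CVE: this line is inside the diff and must be ignored
+/* fixed */
"""

# Constructed sample with placeholder IDs (not real CVEs) showing two CVEs
# on one tag line plus a repeated tag, which the parser deduplicates.
SAMPLE_MULTI = """\
Upstream-Status: Backport
CVE: CVE-0000-0001 CVE-0000-0002
CVE: CVE-0000-0001
---
"""

# Constructed sample with no tag: only a URL mentions the ID, so it is not
# reported unless the filename carries it.
SAMPLE_UNTAGGED = """\
Upstream-Status: Backport
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
---
"""

if __name__ == "__main__":
    print(scan_patches({"0001-fix.patch": SAMPLE_TAGGED,
                        "0002-two.patch": SAMPLE_MULTI,
                        "CVE-2013-6435.patch": SAMPLE_UNTAGGED}))
```

Anchoring on the `^CVE:` tag rather than on any CVE-looking string is what makes the mark reliable: a bug URL or a changelog entry mentioning an ID does not turn a patch into a CVE fix, while the filename fallback keeps patches that follow option 1 visible to the same tool.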