[OE-core] [RFC] Mark of upstream CVE patches

Burton, Ross ross.burton at intel.com
Wed Dec 16 09:21:29 UTC 2015


On 16 December 2015 at 09:03, Sona Sarmadi <sona.sarmadi at enea.com> wrote:

> We are supposed to have a reference to the CVE identifier both in the patch
> file(s) and the commit message (e.g. xxx-CVE-2013-6435.patch) according to the
> guidelines for "Patch name convention and commit message" in the Yocto
> Wiki https://wiki.yoctoproject.org/wiki/Security.
>
> If a patch addresses multiple CVEs, perhaps we should name the patch
> Fix-for-multiple-CVEs.patch and list all CVEs in the patch file.
>
> Will this not solve the problem? Do you think there is still a need for a
> new tag "CVE"?
>

I'd say a new tag is essential if we want to automate tooling, to reduce
the chance of false-positives from simply searching the patch for something
that looks like a CVE reference.

Ross
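The false-positive problem Ross describes, as an added example that is not part of the thread: a naive search for CVE-shaped strings anywhere in a patch picks up identifiers mentioned in changed source comments, whereas reading only an explicit tag line in the patch header does not. The tag format `CVE: CVE-YYYY-NNNN` and the sample patch are assumptions constructed for this illustration.

```python
import re

# Constructed sample patch: one CVE: tag in the header (tag format assumed
# to be "CVE: CVE-YYYY-NNNN") plus a stray CVE-like string in a changed
# source comment that a plain grep would also match.
SAMPLE_PATCH = """\
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Example Maintainer <maintainer@example.com>
Subject: [PATCH] foo: bound-check the record length

Backport of the upstream fix for a record length overflow.

CVE: CVE-2013-6435
Upstream-Status: Backport

Signed-off-by: Example Maintainer <maintainer@example.com>
---
 src/foo.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/foo.c b/src/foo.c
--- a/src/foo.c
+++ b/src/foo.c
@@ -10,1 +10,3 @@
-/* Length checking here is unrelated to CVE-2012-1234. */
+/* Length checking here is unrelated to CVE-2012-1234; the old
+ * bound was applied only after the copy. */
+    if (len > MAX_RECORD) return -1;
"""

CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
CVE_TAG = re.compile(r"^CVE:\s*(.+)$", re.MULTILINE)


def naive_cve_grep(patch: str) -> set[str]:
    """Every CVE-shaped string anywhere in the patch, header or hunks."""
    return set(CVE_ID.findall(patch))


def tagged_cves(patch: str) -> set[str]:
    """Only identifiers declared on CVE: tag lines in the patch header.

    The header ends at the first bare '---' separator line, so CVE-like
    text inside the diff hunks is never counted.
    """
    header = patch.split("\n---\n", 1)[0]
    found: set[str] = set()
    for tag_value in CVE_TAG.findall(header):
        found.update(CVE_ID.findall(tag_value))
    return found
```

Running both functions over the sample shows the grep reporting two CVEs while the tag lookup reports the one the patch actually fixes.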