[OE-core] [oe] [RFC] Mark of upstream CVE patches
Benjamin Esquivel
benjamin.esquivel at linux.intel.com
Mon Jan 4 20:17:01 UTC 2016
On Mon, 2016-01-04 at 12:25 -0600, Mariano Lopez wrote:
>
> On 12/16/2015 03:21 AM, Burton, Ross wrote:
> >
> > On 16 December 2015 at 09:03, Sona Sarmadi <sona.sarmadi at enea.com
> > <mailto:sona.sarmadi at enea.com>> wrote:
> >
> > We are supposed to have reference to the CVE identifier both in
> > the patch file/s
> > and the commit message(e.g. xxx- CVE-2013-6435.pacth)
> > according
> > to the guidelines
> > for "Patch name convention and commit message" in the Yocto
> > Wiki https://wiki.yoctoproject.org/wiki/Security.
> >
> > If a patch address multiple CVEs, perhaps we should name the
> > patch:
> > Fix-for-multiple-CVEs.patch and list all CVEs in the patch
> > file.
> >
> > Will this not solve the problem? Do you think there is still
> > need
> > for a new tag "CVE"?
> >
> >
> > I'd say a new tag is essential if we want to automate tooling, to
> > reduce the chance of false-positives from simply searching the
> > patch
> > for something that looks like a CVE reference.
> >
> > Ross
>
> The conclusion of this thread is to add the tag "CVE" to the metadata
> of
> submitted CVE patches. I will edit the wiki to show this requirement.
Please let us know when the wiki has the changes reflected :)
>
> Mariano
More information about the Openembedded-core
mailing list