[OE-core] [oe] [RFC] Mark of upstream CVE patches
Mariano Lopez
mariano.lopez at linux.intel.com
Fri Jan 8 15:22:50 UTC 2016
On 01/04/2016 02:17 PM, Benjamin Esquivel wrote:
> On Mon, 2016-01-04 at 12:25 -0600, Mariano Lopez wrote:
>> On 12/16/2015 03:21 AM, Burton, Ross wrote:
>>> On 16 December 2015 at 09:03, Sona Sarmadi <sona.sarmadi at enea.com
>>> <mailto:sona.sarmadi at enea.com>> wrote:
>>>
>>> We are supposed to have reference to the CVE identifier both in
>>> the patch file/s
>>> and the commit message(e.g. xxx- CVE-2013-6435.pacth)
>>> according
>>> to the guidelines
>>> for "Patch name convention and commit message" in the Yocto
>>> Wiki https://wiki.yoctoproject.org/wiki/Security.
>>>
>>> If a patch address multiple CVEs, perhaps we should name the
>>> patch:
>>> Fix-for-multiple-CVEs.patch and list all CVEs in the patch
>>> file.
>>>
>>> Will this not solve the problem? Do you think there is still
>>> need
>>> for a new tag "CVE"?
>>>
>>>
>>> I'd say a new tag is essential if we want to automate tooling, to
>>> reduce the chance of false-positives from simply searching the
>>> patch
>>> for something that looks like a CVE reference.
>>>
>>> Ross
>> The conclusion of this thread is to add the tag "CVE" to the metadata
>> of
>> submitted CVE patches. I will edit the wiki to show this requirement.
> Please let us know when the wiki has the changes reflected :)
You can find it here:
http://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#CVE_Patches
>
>> Mariano
--
Mariano Lopez
More information about the Openembedded-core
mailing list