[OE-core] CVE-2016-3116: dropbear: X11 forwarding input not validated properly

Sona Sarmadi sona.sarmadi at enea.com
Wed Sep 14 10:24:14 UTC 2016


> >> That said, I vote for updating to the version that comes with the
> >> fix.
> >> Backporting fixes should not be the default in the stable yocto
> >> releases; we should trust the upstream more.
> >
> > Taking that argument to the extreme, we should update all versions in
> > the "stable" release to the latest to ensure we get all the fixes. At
> > that point, it becomes no different to master and it's not the
> > definition of "stable" which most people want to use.
> 
> But I'm not making this argument at all. What I'm saying is that the master
> branch and stable branches are two different extremes with their own
> problems (one is moving too fast, the other is conservative to a fault), and
> we should try to find a sensible middle ground between them.
> 
> > In this case, it's a question of what else changed in dropbear between
> > these versions. Were there a ton of new features or was it just
> > bugfixes? How much risk of other problems is there?
> 
> In this case, the only difference between 2015.71 and 2016.72 is indeed
> the CVE fix commit:
> https://secure.ucc.asn.au/hg/dropbear/graph
> 
> (you need to scroll down some to see it in the graph).


Thanks guys for your feedback. I agree that by default we shouldn't upgrade package 
versions in stable branches as far as possible, but sometimes we have to. If there isn't a 
suitable patch I personally prefer upgrading (only if the changes are minor) rather than 
sticking to a vulnerable version. We have done this in the past, e.g. for OpenSSL (from 
1.0.1x to 1.0.1y). 

I will do some investigation to find out if https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff 
is the fix for CVE-2016-3116 (by quick analysis it looks like the right patch) and use that patch and NOT 
upgrade the dropbear version in krogoth!

Thanks
//Sona
