[OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

Burton, Ross ross.burton at intel.com
Mon Jun 19 13:29:09 UTC 2017


On 19 June 2017 at 14:20, Philip Balister <philip at balister.org> wrote:

> So the issue is leaking credentials, not build system paths? I mention
> this because we do leak build system paths into images in other places.
>

Yes, SRC_URI can contain username/passwords, and even if you filter those
out explicitly you can expose internal hostnames and so on.

Ross
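
The point above as an added Python example (not code from this thread or from OE-Core): it redacts credentials from SRC_URI entries and reports the hostnames that remain visible after redaction. The sample SRC_URI value, its hosts and credentials are constructed, and treating `user=` and `pswd=` as credential parameters is an assumption about the fetcher options.

```python
from urllib.parse import urlsplit

# Parameters treated as credentials here (assumed to be BitBake's
# fetcher options for user name and password).
CRED_PARAMS = {"user", "pswd"}

# Constructed sample; hosts and credentials are made up.
SAMPLE_SRC_URI = """
    git://builder:s3cret@git.corp.example/fw/app.git;protocol=https;branch=master
    https://mirror.corp.example/tarballs/libfoo-1.0.tar.gz;user=ci;pswd=hunter2
    file://fix-build.patch
"""


def audit_entry(entry):
    """Return (redacted_entry, findings, host) for one SRC_URI entry."""
    base, *params = entry.split(";")
    parts = urlsplit(base)
    findings = []
    # file:// entries name a local file, not a host.
    host = None if parts.scheme == "file" else parts.hostname
    if parts.username or parts.password:
        findings.append("userinfo")
        netloc = (parts.hostname or "") + (f":{parts.port}" if parts.port else "")
        base = parts._replace(netloc=netloc).geturl()
    kept = []
    for param in params:
        key = param.split("=", 1)[0]
        if key in CRED_PARAMS:
            findings.append(key + "=")
        else:
            kept.append(param)
    return ";".join([base] + kept), findings, host


def audit(src_uri):
    """Audit every whitespace-separated entry of a SRC_URI value."""
    return [audit_entry(e) for e in src_uri.split()]


if __name__ == "__main__":
    for redacted, findings, host in audit(SAMPLE_SRC_URI):
        print(f"{redacted}\n  credentials removed: {findings or 'none'}"
              f"\n  host still exposed:  {host or 'none'}")
```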