[OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

Philip Balister philip at balister.org
Mon Jun 19 13:32:33 UTC 2017


On 06/19/2017 09:29 AM, Burton, Ross wrote:
> On 19 June 2017 at 14:20, Philip Balister <philip at balister.org> wrote:
> 
>> So the issue is leaking credentials, not build system paths? I mention
>> this because we do leak build system paths into images in other places.
>>
> 
> Yes, SRC_URI can contain username/passwords, and even if you filter those
> out explicitly you can expose internal hostnames and so on.

But we do expose internal host names in other places ...

Philip

> 
> Ross
> 
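The point Ross makes in the quoted reply, as an added example that is not part of the original thread: stripping credentials from `SRC_URI` entries still leaves the internal hostname in place. The helper `audit_src_uri`, the sample `SRC_URI` value and the internal-suffix list are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: DNS suffixes that mark a host as internal at this site.
INTERNAL_SUFFIXES = (".corp.example", ".internal", ".local")

# Constructed sample value, not taken from any real recipe.
SAMPLE_SRC_URI = (
    "git://builder:s3cr3t@git.corp.example/fw.git;protocol=https;branch=master "
    "https://downloads.example.org/zlib-1.2.11.tar.gz "
    "file://0001-fix-build.patch"
)


def audit_src_uri(src_uri, internal_suffixes=INTERNAL_SUFFIXES):
    """Return (sanitized_entries, findings) for a space-separated SRC_URI.

    Credentials embedded as user:password@host are removed from the
    sanitized entries; hostnames are kept, and reported when they look
    internal, because removing the credentials does not remove them.
    """
    sanitized, findings = [], []
    for entry in src_uri.split():
        # BitBake-style parameters follow the URL after the first ';'.
        url, sep, params = entry.partition(";")
        parts = urlsplit(url)
        if parts.scheme == "file":
            # Local files: the part after file:// is a path, not a host.
            sanitized.append(entry)
            continue
        host = parts.hostname or ""
        if parts.username or parts.password:
            findings.append(("credentials", host))
            netloc = host + (f":{parts.port}" if parts.port else "")
            url = urlunsplit((parts.scheme, netloc, parts.path,
                              parts.query, parts.fragment))
        # Bare names (no dot) and the configured suffixes count as internal.
        if host and ("." not in host or host.endswith(internal_suffixes)):
            findings.append(("internal-host", host))
        sanitized.append(url + sep + params)
    return sanitized, findings


if __name__ == "__main__":
    clean, issues = audit_src_uri(SAMPLE_SRC_URI)
    print("\n".join(clean))
    print(issues)
```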


