[OE-core] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

Sona Sarmadi sona.sarmadi at enea.com
Tue Jun 27 07:11:50 UTC 2017


Hi all,

Sorry that the fix/workaround for this vulnerability was not discussed publicly.
This vulnerability was reported by a user privately/encrypted. The Yocto Security team
(Sona, Michael Halstead and Richard) handled this off-list. We decided that we would provide
a quick fix/workaround before we make this vulnerability public and then change/
improve it later if necessary.
 
> I suspect this has been missed by some people so I want to spell it out. We
> have our first CVE in OE-Core itself.

We have received a CVE from Mitre for this vulnerability, but they have changed
our description of the vulnerability for some unknown reason :) We have requested an
update/correction (see below) but they haven't changed the description yet:
 

From: CVE Request [mailto:CVE-Request at mitre.org] 
Sent: Monday, June 19, 2017 12:09 PM
To: Sona Sarmadi <sona.sarmadi at enea.com>
Subject: CVE Request 349461 for Update Published CVE 

Thank you for your submission. It will be reviewed by a CVE Assignment Team member.
 
You have requested an update to the following published CVE:  CVE-2017-9731
 
 
Changes, additions, or updates to your request can be sent to the CVE Team by replying directly to this email.
 
Please do not change the subject line, which allows us to effectively track your request.
 
CVE Assignment Team 
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA 
[A PGP key is available for encrypted communications at 
http://cve.mitre.org/cve/request_id.html]

Thanks all for your help with this vulnerability.
//Sona



