[OE-core] [PATCH] wget: CVE-2017-13089 and CVE-2017-13090

Alexander Kanavin alexander.kanavin at linux.intel.com
Fri Nov 3 09:03:18 UTC 2017


On 11/02/2017 10:29 PM, Andre McCurdy wrote:
>>> Update the master to 1.19.2 instead please.
> 
> Patching 1.19.1 does have the advantage of creating a commit which can
> easily be cherry-picked into rocko (and pyro, which also uses wget
> 1.19.1).

Yes, but this is coincidental. If the versions didn't match exactly, 
cherry-picking would not be possible.

> Master should certainly update to 1.19.2 but doing so in two steps
> might be appreciated by the stable branch maintainers.

When fixing CVEs, the Yocto branches should be considered separately, 
and patched all at the same time by the same person. For master, 
updating to the latest upstream release without the vulnerability is the 
best, as it lessens the load on people who have to keep master up to 
date. For stable branches, it depends. If the upstream maintains a 
stable branch themselves where CVEs and other bugs are fixed, I think we 
should trust that rather than backport patches.


Alex
