From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Philip Balister <philip@balister.org>,
Mariano Lopez <mariano.lopez@linux.intel.com>,
openembedded-devel@lists.openembedded.org,
openembedded-core@lists.openembedded.org,
openembedded-architecture
<openembedded-architecture@lists.openembedded.org>
Subject: Re: [RFC] Mark of upstream CVE patches
Date: Tue, 15 Dec 2015 16:37:33 +0000 [thread overview]
Message-ID: <1450197453.13505.72.camel@linuxfoundation.org> (raw)
In-Reply-To: <5670400E.6030201@balister.org>
On Tue, 2015-12-15 at 11:30 -0500, Philip Balister wrote:
> I also suggest copying the
>
> https://lists.yoctoproject.org/listinfo/yocto-security
>
> list.
and the architecture list, this is something that should apply to more
than OE-Core ideally.
Cheers,
Richard
> Philip
>
> On 12/15/2015 11:03 AM, Mariano Lopez wrote:
> > There is an initiative to track vulnerable software being built
> > (see
> > bugs 8119 and 7515). The idea is to have a testing tool that would
> > check
> > the recipe versions against CVEs. In order to accomplish such task
> > there
> > is need to reliable mark the patches from upstream that solve CVEs.
> >
> > There have been two options to mark the patches that solve CVEs:
> >
> > 1. Have "CVE" and the CVE number as the patch filename.
> > Pros:
> > Doesn't require a new tag.
> > Cons:
> > It is not flexible to add more information, for example two
> > CVEs in
> > the same patch
> >
> > 2. Add a new tag in the patch that have the CVE information.
> > Pros:
> > It is flexible and can add more information.
> > Cons:
> > Require a change in the patch metadata.
> >
> > What I would recommend is to add a new tag in the patch, it must
> > contain
> > the CVE ID. With this it would be possible to look for the CVE
> > information easily in the testing tool or in NIST, MITRE, or
> > another web
> > page. For example, this would be part of the patch for CVE-2013
> > -6435,
> > currently in OE-Core:
> >
> > -- snip --
> >
> > Upstream-Status: Backport
> > CVE: CVE-2013-6435
> >
> > Reference:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
> >
> > -- snip --
> >
> > The expected output of this discussion is a standard format for CVE
> > patches that most, if not all, of community members agree on.
> >
> > Please let me know your comments.
> >
> > Cheers,
> >
> > Mariano Lopez
next prev parent reply other threads:[~2015-12-15 16:37 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-15 16:03 [RFC] Mark of upstream CVE patches Mariano Lopez
2015-12-15 16:26 ` Otavio Salvador
2015-12-15 16:30 ` Philip Balister
2015-12-15 16:37 ` Richard Purdie [this message]
2015-12-15 16:49 ` Philip Balister
2015-12-15 17:13 ` Richard Purdie
2015-12-15 17:17 ` Mariano Lopez
2015-12-16 9:03 ` Sona Sarmadi
2015-12-16 9:21 ` Burton, Ross
2016-01-04 18:25 ` Mariano Lopez
2016-01-04 20:17 ` [oe] " Benjamin Esquivel
2016-01-08 15:22 ` Mariano Lopez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1450197453.13505.72.camel@linuxfoundation.org \
--to=richard.purdie@linuxfoundation.org \
--cc=mariano.lopez@linux.intel.com \
--cc=openembedded-architecture@lists.openembedded.org \
--cc=openembedded-core@lists.openembedded.org \
--cc=openembedded-devel@lists.openembedded.org \
--cc=philip@balister.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox