From: Alexander Kanavin <alexander.kanavin@linux.intel.com>
To: Andre McCurdy <armccurdy@gmail.com>,
Zhixiong Chi <zhixiong.chi@windriver.com>
Cc: OE Core mailing list <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] wget: CVE-2017-13089 and CVE-2017-13090
Date: Fri, 3 Nov 2017 11:03:18 +0200
Message-ID: <1ce560f5-8efb-1058-7c51-ece82f8d16e4@linux.intel.com>
In-Reply-To: <CAJ86T=UnT5woKyTFC82_O0kycoqPufavbOvduRXy4_9F0hWS4Q@mail.gmail.com>
On 11/02/2017 10:29 PM, Andre McCurdy wrote:
>>> Update the master to 1.19.2 instead please.
>
> Patching 1.19.1 does have the advantage of creating a commit which can
> easily be cherry-picked into rocko (and pyro, which also uses wget
> 1.19.1).
Yes, but this is coincidental. If the versions didn't exactly match,
cherry-picking would not be possible.
> Master should certainly update to 1.19.2 but doing so in two steps
> might be appreciated by the stable branch maintainers.
When fixing CVEs, the Yocto branches should be considered separately,
and patched all at the same time by the same person. For master,
updating to the latest upstream release without the vulnerability is the
best, as it lessens the load on people who have to keep master up to
date. For stable branches, it depends. If the upstream maintains a
stable branch themselves where CVEs and other bugs are fixed, I think we
should trust that rather than backport patches.
Alex