From: Philip Balister <philip@balister.org>
To: Mariano Lopez <mariano.lopez@linux.intel.com>,
openembedded-devel@lists.openembedded.org,
openembedded-core@lists.openembedded.org
Subject: Re: [RFC] Mark of upstream CVE patches
Date: Tue, 15 Dec 2015 11:30:06 -0500 [thread overview]
Message-ID: <5670400E.6030201@balister.org> (raw)
In-Reply-To: <567039E1.5000205@linux.intel.com>
I also suggest copying the https://lists.yoctoproject.org/listinfo/yocto-security list.
Philip
On 12/15/2015 11:03 AM, Mariano Lopez wrote:
> There is an initiative to track vulnerable software being built (see
> bugs 8119 and 7515). The idea is to have a testing tool that would check
> the recipe versions against CVEs. In order to accomplish such a task there
> is a need to reliably mark the patches from upstream that solve CVEs.
>
> There have been two options to mark the patches that solve CVEs:
>
> 1. Have "CVE" and the CVE number as the patch filename.
> Pros:
> Doesn't require a new tag.
> Cons:
> It is not flexible to add more information, for example two CVEs in
> the same patch
>
> 2. Add a new tag in the patch that has the CVE information.
> Pros:
> It is flexible and can add more information.
> Cons:
> Requires a change in the patch metadata.
>
> What I would recommend is to add a new tag in the patch; it must contain
> the CVE ID. With this it would be possible to look for the CVE
> information easily in the testing tool or in NIST, MITRE, or another web
> page. For example, this would be part of the patch for CVE-2013-6435,
> currently in OE-Core:
>
> -- snip --
>
> Upstream-Status: Backport
> CVE: CVE-2013-6435
>
> Reference:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
>
> -- snip --
>
> The expected output of this discussion is a standard format for CVE
> patches that most, if not all, of the community members agree on.
>
> Please let me know your comments.
>
> Cheers,
>
> Mariano Lopez
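The RFC proposes a `CVE:` header tag so a tool can collect the CVE IDs each patch fixes. The following is an added example of such a collector, not code from OE-Core or from the RFC author. It assumes the tag form shown in the quoted snippet (`CVE: CVE-YYYY-NNNN`), allows several IDs per line and several `CVE:` lines (the flexibility argued for under option 2), scans only the patch description rather than the hunks, and falls back to a CVE ID in the filename (option 1) for patches that predate the tag. The sample patch and the IDs in it other than CVE-2013-6435 are constructed placeholders, not statements about any real advisory.

```python
"""Collect CVE IDs from OE patch files using the 'CVE:' tag proposed in the RFC.

Added illustration, not OE-Core code.  Assumptions: the tag is a header line
'CVE: CVE-YYYY-NNNN[ CVE-YYYY-NNNN ...]' (several IDs per line and several
lines are accepted), and the patch filename may carry a CVE ID as a fallback.
"""
import re

# A CVE identifier; the sequence part is at least four digits.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# The proposed header tag. Anchored at line start, so a 'CVE:' string inside
# a 'Reference:' URL or inside the patched code does not count as a tag.
CVE_TAG_RE = re.compile(r"^CVE:\s*(.+)$", re.MULTILINE)


def patch_header(patch_text):
    """Return the description part of a patch: everything before the first
    diffstat separator ('---'), 'diff ' line or unified-diff file header.
    Tags are only looked for here, so hunk content cannot add or hide an ID."""
    header_lines = []
    for line in patch_text.splitlines():
        if (line == "---" or line.startswith("--- ") or line.startswith("+++ ")
                or line.startswith("diff ") or line.startswith("Index: ")):
            break
        header_lines.append(line)
    return "\n".join(header_lines)


def cves_from_tag(patch_text):
    """CVE IDs declared via 'CVE:' tag lines, in order, without duplicates."""
    found = []
    for tag in CVE_TAG_RE.finditer(patch_header(patch_text)):
        for cve in CVE_ID_RE.findall(tag.group(1)):
            if cve not in found:
                found.append(cve)
    return found


def cves_from_filename(patch_name):
    """CVE IDs embedded in the patch filename (option 1 in the RFC)."""
    return CVE_ID_RE.findall(patch_name)


def cves_for_patch(patch_name, patch_text):
    """The tag is authoritative; the filename is only a fallback for patches
    that were added before the tag existed."""
    return cves_from_tag(patch_text) or cves_from_filename(patch_name)


def filename_tag_mismatch(patch_name, patch_text):
    """IDs named in the filename but missing from the tag: a sign the tag was
    not kept in sync with the patch, worth flagging in review."""
    tagged = cves_from_tag(patch_text)
    return [c for c in cves_from_filename(patch_name) if c not in tagged]


# Constructed sample, modelled on the snippet quoted in the RFC.  The IDs
# other than CVE-2013-6435 are arbitrary placeholders.
SAMPLE_PATCH = """\
From: Example Developer <dev@example.com>
Subject: [PATCH] fix heap overflow in the parser

Upstream-Status: Backport
CVE: CVE-2013-6435
CVE: CVE-2015-1234 CVE-2015-5678

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435

---
 src/parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/parser.c b/src/parser.c
--- a/src/parser.c
+++ b/src/parser.c
@@ -1,3 +1,3 @@
-/* CVE: CVE-1999-9999 mentioned in code; must be ignored by the scanner */
+/* fixed */
"""

if __name__ == "__main__":
    print(cves_for_patch("0001-CVE-2015-1234.patch", SAMPLE_PATCH))
    print(filename_tag_mismatch("CVE-2014-9999-fix.patch", SAMPLE_PATCH))
```

Limiting the search to the description before the first `---`/`diff` line matters once the scanner runs over every patch in a layer: otherwise a hunk that happens to contain a `CVE:` string, or a `Reference:` URL carrying an ID, would be reported as a fix the patch does not provide.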
Thread overview:
2015-12-15 16:03 [RFC] Mark of upstream CVE patches Mariano Lopez
2015-12-15 16:26 ` Otavio Salvador
2015-12-15 16:30 ` Philip Balister [this message]
2015-12-15 16:37 ` Richard Purdie
2015-12-15 16:49 ` Philip Balister
2015-12-15 17:13 ` Richard Purdie
2015-12-15 17:17 ` Mariano Lopez
2015-12-16 9:03 ` Sona Sarmadi
2015-12-16 9:21 ` Burton, Ross
2016-01-04 18:25 ` Mariano Lopez
2016-01-04 20:17 ` [oe] " Benjamin Esquivel
2016-01-08 15:22 ` Mariano Lopez