public inbox for openembedded-core@lists.openembedded.org
From: Philip Balister <philip@balister.org>
To: Richard Purdie <richard.purdie@linuxfoundation.org>,
	Mariano Lopez <mariano.lopez@linux.intel.com>,
	openembedded-devel@lists.openembedded.org,
	openembedded-core@lists.openembedded.org,
	openembedded-architecture
	<openembedded-architecture@lists.openembedded.org>
Subject: Re: [RFC] Mark of upstream CVE patches
Date: Tue, 15 Dec 2015 11:49:43 -0500
Message-ID: <567044A7.8050505@balister.org>
In-Reply-To: <1450197453.13505.72.camel@linuxfoundation.org>

On 12/15/2015 11:37 AM, Richard Purdie wrote:
> On Tue, 2015-12-15 at 11:30 -0500, Philip Balister wrote:
>> I also suggest copying the
>>
>> https://lists.yoctoproject.org/listinfo/yocto-security
>>
>> list.
> 
> and the architecture list, this is something that should apply to more
> than OE-Core ideally.

I thought the exact same thing seconds after hitting send. I'll let the
security and architecture people decide which list is best for discussion.

What I do want to see is fewer discussions cross-posted across many lists.

Philip

> 
> Cheers,
> Richard
> 
>> Philip
>>
>> On 12/15/2015 11:03 AM, Mariano Lopez wrote:
>>> There is an initiative to track vulnerable software being built (see
>>> bugs 8119 and 7515). The idea is to have a testing tool that would check
>>> the recipe versions against CVEs. In order to accomplish such a task there
>>> is a need to reliably mark the patches from upstream that solve CVEs.
>>>
>>> There have been two options to mark the patches that solve CVEs:
>>>
>>> 1. Have "CVE" and the CVE number as the patch filename.
>>>   Pros:
>>>     Doesn't require a new tag.
>>>   Cons:
>>>     It is not flexible to add more information, for example two CVEs in
>>> the same patch.
>>>
>>> 2. Add a new tag in the patch that has the CVE information.
>>>   Pros:
>>>     It is flexible and can add more information.
>>>   Cons:
>>>     Requires a change in the patch metadata.
>>>
>>> What I would recommend is to add a new tag in the patch; it must contain
>>> the CVE ID. With this it would be possible to look for the CVE
>>> information easily in the testing tool or in NIST, MITRE, or another web
>>> page. For example, this would be part of the patch for CVE-2013-6435,
>>> currently in OE-Core:
>>>
>>> -- snip --
>>>
>>> Upstream-Status: Backport
>>> CVE: CVE-2013-6435
>>>
>>> Reference:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
>>>
>>> -- snip --
>>>
>>> The expected output of this discussion is a standard format for CVE
>>> patches that most, if not all, of community members agree on.
>>>
>>> Please let me know your comments.
>>>
>>> Cheers,
>>>
>>> Mariano Lopez
> 

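The checking tool Mariano describes needs two things the RFC leaves implicit: a parser that pulls CVE IDs out of patch metadata (the proposed "CVE:" tag, with the filename convention as a fallback), and a comparison of those IDs against the IDs a CVE database reports for the recipe version. The script below is an added example written for this thread; it is not OE-Core code and not the tool proposed in the RFC. It reads the tag only from the patch header (the text before the "---" separator or the first "diff --git" line), so a hunk that happens to mention another CVE is never credited as a fix, and it accepts several IDs in one tag, which is the case option 1 cannot express. All sample patches are constructed; apart from CVE-2013-6435, which is quoted in the thread, the IDs (the ones with 9999x sequence numbers) are placeholders, as are the filenames and the known_cves set.

```python
"""Collect the CVE IDs that a recipe's patches claim to fix, then report the
IDs known for that version that no patch covers.

Added example for this thread; not OE-Core code and not the RFC's tool.
It implements both marking schemes from the RFC: option 1 (CVE ID in the
patch filename) and option 2 (a "CVE:" tag in the patch header). Sample
inputs are constructed; apart from CVE-2013-6435, the IDs are placeholders.
"""
import re

# A CVE ID is "CVE-", a four-digit year, and at least four more digits
# (sequence numbers with five or more digits are valid).
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Option 2: a "CVE:" tag line in the patch header. One tag may list several
# IDs, and a header may carry several tags.
CVE_TAG_RE = re.compile(r"^CVE:\s*(.+)$", re.MULTILINE)


def header_of(patch_text):
    """Return the metadata part of a patch: everything before the '---'
    separator or the first 'diff --git' line, whichever comes first."""
    for marker in ("\n---\n", "\ndiff --git "):
        idx = patch_text.find(marker)
        if idx != -1:
            patch_text = patch_text[:idx]
    return patch_text


def cves_from_tag(patch_text):
    """Option 2: IDs from 'CVE:' tags, read from the header only so that a
    hunk mentioning another CVE (e.g. in a ChangeLog) is never credited."""
    found = set()
    for value in CVE_TAG_RE.findall(header_of(patch_text)):
        found.update(CVE_ID_RE.findall(value))
    return found


def cves_from_filename(filename):
    """Option 1: IDs embedded in the patch filename, e.g. CVE-2013-6435.patch."""
    return set(CVE_ID_RE.findall(filename))


def cves_for_patch(filename, patch_text):
    """IDs a patch claims to fix. The tag is authoritative; the filename is
    only a fallback for patches that predate the tag."""
    return cves_from_tag(patch_text) or cves_from_filename(filename)


def unpatched(known_cves, patches):
    """Given the IDs reported against a recipe version and its patches as
    {filename: text}, return the IDs that no patch claims to fix."""
    fixed = set()
    for filename, text in patches.items():
        fixed |= cves_for_patch(filename, text)
    return set(known_cves) - fixed


# Constructed sample patch, modelled on the snippet quoted in the thread.
# The hunk adds a ChangeLog line naming a placeholder CVE; it must not count.
TAGGED_PATCH = """\
From: Example Author <author@example.com>
Subject: [PATCH] foo: fix the bug behind CVE-2013-6435

Upstream-Status: Backport
CVE: CVE-2013-6435

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435

Signed-off-by: Example Author <author@example.com>
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -1 +1,2 @@
+CVE: CVE-2015-99999 still open, tracked separately (placeholder ID)
 Initial release
"""

# Constructed: an older patch with no tag, relying on the filename convention.
UNTAGGED_PATCH = """\
Upstream-Status: Backport

Fix the issue described in the upstream report.
---
 foo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
"""

PATCHES = {
    "0001-foo-fix-CVE-2013-6435.patch": TAGGED_PATCH,
    "CVE-2015-99998.patch": UNTAGGED_PATCH,
}
# Constructed: IDs a CVE database would report for this recipe version.
KNOWN_CVES = {"CVE-2013-6435", "CVE-2015-99998", "CVE-2015-99999"}

if __name__ == "__main__":
    for name, text in PATCHES.items():
        print(name, "->", sorted(cves_for_patch(name, text)))
    print("unpatched:", sorted(unpatched(KNOWN_CVES, PATCHES)))
```

Running it reports CVE-2013-6435 for the tagged patch, CVE-2015-99998 for the filename-only patch, and CVE-2015-99999 as unpatched, even though that ID appears verbatim in the first patch's hunk. A tag-based scheme also makes the tool's failure mode honest: a patch whose header carries no "CVE:" line and whose name carries no ID contributes nothing, so the worst case is a false "unpatched" report rather than a silently credited fix.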

Thread overview: 12+ messages
2015-12-15 16:03 [RFC] Mark of upstream CVE patches Mariano Lopez
2015-12-15 16:26 ` Otavio Salvador
2015-12-15 16:30 ` Philip Balister
2015-12-15 16:37   ` Richard Purdie
2015-12-15 16:49     ` Philip Balister [this message]
2015-12-15 17:13       ` Richard Purdie
2015-12-15 17:17         ` Mariano Lopez
2015-12-16  9:03 ` Sona Sarmadi
2015-12-16  9:21   ` Burton, Ross
2016-01-04 18:25     ` Mariano Lopez
2016-01-04 20:17       ` [oe] " Benjamin Esquivel
2016-01-08 15:22         ` Mariano Lopez
