On 12/16/2015 03:21 AM, Burton, Ross wrote:

On 16 December 2015 at 09:03, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
We are supposed to have reference to the CVE identifier both in the patch file/s
 and the commit message(e.g.  xxx- CVE-2013-6435.pacth) according to the guidelines
for "Patch name convention and commit message" in the Yocto
Wiki https://wiki.yoctoproject.org/wiki/Security.

If a patch address multiple CVEs, perhaps we should name the patch:
Fix-for-multiple-CVEs.patch and list all CVEs in the patch file.

Will this not solve the problem? Do you think there is still need for a new tag "CVE"?

I'd say a new tag is essential if we want to automate tooling, to reduce the chance of false-positives from simply searching the patch for something that looks like a CVE reference.

Ross

The conclusion of this thread is to add the tag "CVE" to the metadata of submitted CVE patches. I will edit the wiki to show this requirement.

Mariano