<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Sinan,<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 09/21/2018 12:43 PM, Sinan Kaya
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:36756321-d4b5-b3fb-39a7-7303793ad723@kernel.org">I'm
      sure this has been discussed recently but I wanted to raise this
      question
      <br>
      one more time as I have seen a lot of CVE patches getting pulled
      into the sumo
      <br>
      branch recently.
      <br>
      <br>
      We started enabling the cve-check feature and are triaging the
      results of CVE
      <br>
      reports. We think that the following CVEs need attention and need
      to be pulled
      <br>
      into the sumo branch.
      <br>
    </blockquote>
    Nice to see another user of this tool.<br>
    <br>
    <blockquote type="cite"
      cite="mid:36756321-d4b5-b3fb-39a7-7303793ad723@kernel.org">
      <br>
      There are two approaches to solve this problem:
      <br>
      1. upgrade these packages to the respective versions:
      <br>
      <br>
      CVE-2018-13785:
<a class="moz-txt-link-freetext" href="https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=3b847972b8c6135a695b4a16c836ad2dd1cbb350">https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=3b847972b8c6135a695b4a16c836ad2dd1cbb350</a><br>
      CVE-2018-8740:
<a class="moz-txt-link-freetext" href="https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=a6646df0cab4bd191974fde33ed8a87b9720557e">https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=a6646df0cab4bd191974fde33ed8a87b9720557e</a><br>
      CVE-2017-15874:
<a class="moz-txt-link-freetext" href="https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=29108755c1c5a23855ab4dda59ea728781b9d75e">https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=29108755c1c5a23855ab4dda59ea728781b9d75e</a><br>
      CVE-2017-14501:
<a class="moz-txt-link-freetext" href="https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=381f016dccb78a8cf52ffde05459ff084b2f15fd">https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=381f016dccb78a8cf52ffde05459ff084b2f15fd</a><br>
      CVE-2018-11237:
<a class="moz-txt-link-freetext" href="https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=fb535ac046697db5923575bb23ee419fe7cfbab2">https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=fb535ac046697db5923575bb23ee419fe7cfbab2</a><br>
      CVE-2017-7960:
<a class="moz-txt-link-freetext" href="https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=26d1f906258e1d5a933830ee0e4f051d29ee7585">https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=26d1f906258e1d5a933830ee0e4f051d29ee7585</a><br>
    </blockquote>
    <br>
    Typically we do not upgrade packages in stable unless the upgrade is
    a bug fix only and it does not break things, and it is at the
    discretion of the stable branch maintainer.<br>
    <br>
    <blockquote type="cite"
      cite="mid:36756321-d4b5-b3fb-39a7-7303793ad723@kernel.org">
      <br>
      2. Apply the attached patches to sumo branch.
      <br>
    </blockquote>
    <br>
    I already have in my sumo-next
<a class="moz-txt-link-freetext" href="http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=stable/sumo-next">http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=stable/sumo-next</a><br>
    <a
href="http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/commit/?h=stable/sumo-nmut&id=c02364a464d2e96ca663018d5266c68751f2c335">libcroco:
      patch for CVE-2017-7960</a><br>
    <br>
    <a
href="http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/commit/?h=stable/sumo-nmut&id=8d7f5e76cad2127e477056ce42d1be06b4df5b5c">libarchive:
      CVE-2017-14501</a><br>
    <br>
    For the rest, can you send them to the proper mailing list
    <a class="moz-txt-link-abbreviated" href="mailto:openembedded-core@lists.openembedded.org">openembedded-core@lists.openembedded.org</a> via git send-patch.<br>
    <br>
    I noticed a few of the patches for recipes need some additional
    information:<br>
    please review
    <a class="moz-txt-link-freetext" href="https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines">https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines</a><br>
    <br>
    In general, we need to make sure Master is not affected before I can
    take them into Sumo.<br>
    <br>
    Thank you for backporting fixes.<br>
    <br>
    regards,<br>
    Armin<br>
    <blockquote type="cite"
      cite="mid:36756321-d4b5-b3fb-39a7-7303793ad723@kernel.org">
      <br>
      We'd like to hear the community opinion.
      <br>
      <br>
      Sinan
      <br>
    </blockquote>
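    <br>
    The triage described in this thread (cve-check results on sumo, with the rule that master must not be affected before a fix is taken into sumo) as an added example; this is not code from the thread or from the Yocto project. It assumes the record layout and field names (PACKAGE NAME, CVE, CVE STATUS) of the text reports written by cve-check.bbclass, and the sample reports are constructed.<br>

```python
"""Triage helper for cve-check text reports (added example, not Yocto code).

cve-check writes blank-line separated records of "KEY: value" lines; the
field names PACKAGE NAME, CVE and CVE STATUS are assumed from cve-check.bbclass.
"""
from typing import Dict, List


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a report into one dict per blank-line separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line closes the record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:                         # skip lines without "KEY: value" shape
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def status_by_cve(text: str) -> Dict[str, str]:
    """CVE id -> 'Patched' / 'Unpatched' for every record in the report."""
    return {r["CVE"]: r.get("CVE STATUS", "") for r in parse_records(text) if "CVE" in r}


def triage(stable_text: str, master_text: str, wanted) -> Dict[str, List[str]]:
    """Split wanted CVEs still Unpatched on stable into backport candidates
    (already Patched on master) and ones that need a master fix first."""
    stable, master = status_by_cve(stable_text), status_by_cve(master_text)
    out = {"backport": [], "fix_master_first": []}
    for cve in sorted(wanted):
        if stable.get(cve) != "Unpatched":
            continue                    # fixed already, or not reported on stable
        bucket = "backport" if master.get(cve) == "Patched" else "fix_master_first"
        out[bucket].append(cve)
    return out


# Constructed sample reports (not real build output); CVE ids are from the thread.
SUMO = """\
PACKAGE NAME: libarchive
CVE: CVE-2017-14501
CVE STATUS: Unpatched

PACKAGE NAME: libcroco
CVE: CVE-2017-7960
CVE STATUS: Unpatched
"""
MASTER = SUMO.replace("CVE: CVE-2017-14501\nCVE STATUS: Unpatched",
                      "CVE: CVE-2017-14501\nCVE STATUS: Patched")
```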
    <br>
  </body>
</html>