Unicode Bidi CVE-2021-42574 - existing scan tools
From what I gather from various sources, the way to detect if a CVE-2021-42574 vulnerability is being exploited is to scan the source code. Some example scanners include: - gcc - https://gcc.gnu.org/bugzil
By Joseph Reynolds · #514

Unicode Bidi CVE-2021-42574 - tool to list source files?
Does OE/bitbake have best practices, guidelines, or tooling for developers who perform a bitbake build and then want to get a list of all the (fetched, unpacked, and patched) source code which was u
By Joseph Reynolds · #508

Unicode Bidi CVE-2021-42574
Mark and Richard, Thanks for your detailed review of Bitbake/OE/Yocto capabilities in this area, and for your guidance. I have no further questions at this time, and will let you know if we come up wi
By Joseph Reynolds · #501

Unicode Bidi CVE-2021-42574
What protection does Yocto offer for the Unicode Bidi security vulnerability CVE-2021-42574? A quick search shows an example of how this could be exploited: https://github.com/ziglang/zig/issues/10074
By Joseph Reynolds · #494

[docs] Document Yocto config items (was: Configure command shell idle timeout default?)
Thank you. Getting this started sometime this year would be fantastic! Please ping me directly. I've added a link from the OpenBMC project configuration guide to your Yocto work item, so we can track
By Joseph Reynolds · #392

Document Yocto config items (was: Configure command shell idle timeout default?)
On 8/4/21 11:00 AM, Richard Purdie wrote: ...snip... >> I've tried to push >> https://github.com/openbmc/openbmc/wiki/Configuration-guide into >> https://github.com/openbmc/docs, but there was not eno
By Joseph Reynolds · #386

Configure command shell idle timeout default?
Thanks. I understand and accept that Yocto will continue without any SSH or shell session idle timeouts. I will pursue this configuration change for my downstream project (OpenBMC). Thanks. I've got t
By Joseph Reynolds · #383

Configure command shell idle timeout default?
Mea culpa! I have two unresolved issues: - Proposal to write an "initial/administratively expired password" into /etc/shadow - https://github.com/openembedded/openembedded-core/pull/63 - Proposal to
By Joseph Reynolds · #380

Yocto security configuration guide
Yocto security team, Have you considered starting a "Yocto security configuration guide"? A "Yocto security configuration guide" would provide guidance for two groups of people: 1. System integrators
By Joseph Reynolds · #379

Configure command shell idle timeout default?
Yocto security community, Is Yocto interested in configuring a "SSH command shell session idle timeout" to a more secure default? Standards: I suggest a per-session idle timeout of 60 minutes (one hou
By Joseph Reynolds · #377

Using shared sstate cache as an attack vector?
Hello, The OpenBMC project is considering performing a daily-build from scratch (beginning each with an empty sstate cache) and sharing the sstate cache (among other results) with all OpenBMC develope
By Joseph Reynolds · #260

Design for initial expired default password
Resurrecto! I am resurrecting this 15 month old thread because I still need this function and think others would want it too. I sent a patch for a new extrausers expire-password command. (And I apolog
By Joseph Reynolds · #207

Application access control
Pankaj, Members of the OpenBMC community share your interest (and OpenBMC is downstream from Yocto/OE). I'm not sure what you are asking. OpenBMC'ers are looking at using the following together, as a
By Joseph Reynolds · #167

Design for initial expired default password
Thanks. I am proceeding with my design. I need help with the direction for the EXPIRED_PASSWORD image feature implementation. Should the password be expired when the user is added? Like this code in u
By Joseph Reynolds · #120

Design for initial expired default password
Richard and yocto-security (and dropped OpenBMC from the to: list), Thank you, I'll plan this as an image feature, disabled by default. My investigation is proceeding. We believe this approach would c
By Joseph Reynolds · #116

Design for initial expired default password
I pushed an OpenBMC design to [Gerrit review][] for the OpenBMC project for a new distro or image feature (disabled by default) which causes the initial password to be disabled by default, so the pass
By Joseph Reynolds · #114

CA law and expired password design
I am working on a design to help manufacturers comply with [CA law SB-327 Information privacy: connected devices][SB-327], specifically per paragraph 1798.91.04(b)(2) (paraphrased): to create an image
By Joseph Reynolds · #113

[OE-core] [warrior][PATCH] dropbear: new feature: disable-weak-ciphers
Although this patch is for security, it is a config change and not a fix. I understand if you don't want to add it to a release branch, and I am okay with that. I just want to know one way or the o
By Joseph Reynolds · #110

[warrior][PATCH] dropbear: new feature: disable-weak-ciphers
I am attempting to backport the dropbear disable-weak-cipher PACKAGECONFIG option from master to the 2.7 (warrior) branch. (I got my git send-email working, yay!) - Joseph -------- Forwarded Message -
By Joseph Reynolds · #111

Default dropbear ciphers should disallow SHA1
I made the patch and attempted to send it to openembedded-core@.... However, I am a Linux patch sendmail noob. I guess the right place to discuss the patch is on the email list. Her
By Joseph Reynolds · #109