Re: CVE patch updates


Tim Orling
 



On Thu, Mar 24, 2022 at 2:45 PM Richard Purdie <richard.purdie@...> wrote:
On Thu, 2022-03-24 at 16:56 +0000, Monsees, Steven C (US) via
lists.yoctoproject.org wrote:
>   
> I am currently building in cve-check to see what is reported, and I was curious
> if Yocto might provide any CVE-based patch repositories?
>  
> Is there a Yocto page somewhere that goes over this side of things?
> I did not see much in the mega-manual… I am running on zeus-based platforms (for
> both armarch64 and x86_64).
>

You'll see output of cve-check on the yocto-security list for layers that are
still in maintenance:

https://lists.yoctoproject.org/g/yocto-security/messages

although zeus is out of maintenance.

We merge CVE fixes to the branches that are in maintenance.

A graph showing the data over time:

https://docs.google.com/spreadsheets/d/e/2PACX-1vRgNISmH0Ditf0bRtSezeR2XsgKIiSFJKF6KJUHpnzocNGzvKZbuSDKfmV3n64BFXDRqElBSJnhHtG4/pubchart?oid=1993375488&format=interactive

Steven, if you haven’t already, you should subscribe to 

Emails are sent out, usually on Sunday. If you see a CVE that interests you… grab it and fix it.

This is mostly a community effort. There is no special dedicated squad of security champions.


Cheers,

Richard





