On 10/29/2017 05:28 PM, akuster808 wrote:
2. Delete the following patches which have been applied in curl 7.56.1
CVE-2017-1000099.patch
CVE-2017-1000100.patch
CVE-2017-1000101.patch
3. Delete the do_install_append() because curl/curlbuild.h has been removed.
Can you also update the commit message to show the CVE entries in a
standard format? We are trying to collect commits that resolve CVEs on
the yocto-security list.
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Example:_CVE_patch_header
How does that work on patches that get removed?
For this mentioning the CVE without the .patch might help. cc'ing
Michael in case he is suggesting to help the hook.
What is the point of indicating CVEs being removed?
Indeed; I actually misunderstood the above request, and thought it's for
newly fixed CVEs. But referencing CVEs that were already fixed before
the commit, and remain fixed after the commit serves no purpose.
Alex
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core