On Thu, Oct 2, 2014 at 12:48 PM, Mark Hatle <mark.ha...@windriver.com> wrote:
> On 10/2/14, 10:13 AM, Paul Eggleton wrote:
>>
>> On Thursday 02 October 2014 09:48:29 Mark Hatle wrote:
>>>
>>> With the recent vulnerabilities, a bunch of patches are being sent up to the
>>> list. The content is generally fine, but I'm wondering if for master we
>>> should apply all of the official bash patches to get to the latest patch
>>> version, instead of applying various 'security' fixes that may or may not
>>> be the official version.
>>>
>>> For instance, bash_4.3:
>>>
>>> SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
>>>            [followed by a bunch of local patches]
>>>           "
>>>
>>> ncftp .../bash/bash-4.3-patches > ls
>>> bash43-001      bash43-004.sig  bash43-008      bash43-011.sig  bash43-015      bash43-018.sig  bash43-022      bash43-025.sig
>>> bash43-001.sig  bash43-005      bash43-008.sig  bash43-012      bash43-015.sig  bash43-019      bash43-022.sig  bash43-026
>>> bash43-002      bash43-005.sig  bash43-009      bash43-012.sig  bash43-016      bash43-019.sig  bash43-023      bash43-026.sig
>>> bash43-002.sig  bash43-006      bash43-009.sig  bash43-013      bash43-016.sig  bash43-020      bash43-023.sig  bash43-027
>>> bash43-003      bash43-006.sig  bash43-010      bash43-013.sig  bash43-017      bash43-020.sig  bash43-024      bash43-027.sig
>>> bash43-003.sig  bash43-007      bash43-010.sig  bash43-014      bash43-017.sig  bash43-021      bash43-024.sig  bash43-028
>>> bash43-004      bash43-007.sig  bash43-011      bash43-014.sig  bash43-018      bash43-021.sig  bash43-025      bash43-028.sig
>>>
>>> The community has 28 patches for various bugs (and these security issues)
>>> posted. Would it make sense to update to bash 4.3 (28)?
>>>
>>> In our bash 3.2.48:
>>>
>>> SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
>>>            ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=patch001 \
>>>            ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch002 \
>>>            ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch003 \
>>>            ...
>>>           "
>>>
>>> Some of the upstream items are applied, but I'm wondering if we should
>>> extend that to patch level 55 (the latest) in the same way.
>>>
>>> Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes that
>>> keep getting submitted plus a set of other general bugs. It will also make
>>> it easier for security scanners to simply check the version and know the
>>> right fixes have been applied.
>>
>> FWIW, I'm inclined to agree - given the severity and high profile of these
>> issues I think we should patch up to the latest patchlevel. Do we have enough
>> tests to mitigate any risk of doing that for the 1.7 release, given how late
>> we are in the release cycle?
>
> I think between the ptest and normal system integration testing, we have
> enough tests to mitigate the risks. Plus the patches themselves are heavily
> tested by the [bash] community and the official changes, so I think it's
> significantly less likely they will introduce issues.

I agree as well.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750

_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
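The mechanism Mark quotes above (one `SRC_URI` entry per official `bashNN-MMM` patch, fetched from `${GNU_MIRROR}` with `apply=yes;striplevel=0`) and his closing point (a scanner can read the patch level straight out of the version string) can both be exercised with a small script. The following is an added example written for this page; it is not code from the thread or from the oe-core `bash` recipe. It assumes the upstream naming scheme shown in the listing (`bash43-001` … `bash43-028`, each with a detached `.sig`), that every official patch bumps the patch level bash reports in `bash --version` (which is how `4.3.28` or `3.2.55` would appear after applying all patches), and that the `name=patchNNN` counter starts at `001` for the first patch actually applied, as in the 3.2.48 recipe fragment. Function names are the example's own.

```shell
#!/bin/sh
# Added example for this page, not part of the oe-core bash recipe.
# Generates SRC_URI lines for a run of official GNU bash patches and
# checks an installed bash's reported patch level against a target.

# bash_patch_name SERIES LEVEL
#   4.3 28 -> bash43-028   (upstream drops the dot and zero-pads to 3 digits)
bash_patch_name() {
    series=$(printf '%s' "$1" | tr -d .)
    printf 'bash%s-%03d\n' "$series" "$2"
}

# gen_src_uri SERIES FROM TO
#   One SRC_URI entry per patch from level FROM to level TO inclusive.
#   striplevel=0 because upstream patches are rooted at the source tree.
#   The name=patchNNN counter numbers the applied patches, not the levels,
#   matching the 3.2.48 recipe fragment quoted in the thread.
gen_src_uri() {
    series=$1; from=$2; to=$3
    i=$from; n=1
    while [ "$i" -le "$to" ]; do
        printf '    ${GNU_MIRROR}/bash/bash-%s-patches/%s;apply=yes;striplevel=0;name=patch%03d \\\n' \
            "$series" "$(bash_patch_name "$series" "$i")" "$n"
        i=$((i + 1)); n=$((n + 1))
    done
}

# bash_patchlevel VERSION_STRING
#   Extracts the patch level from the first line of `bash --version`,
#   e.g. "GNU bash, version 4.3.28(1)-release (x86_64-poky-linux-gnu)" -> 28
bash_patchlevel() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version [0-9]*\.[0-9]*\.\([0-9]*\).*/\1/p'
}

# bash_series VERSION_STRING -> major.minor, e.g. 4.3
bash_series() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9]*\.[0-9]*\)\..*/\1/p'
}

# patchlevel_ok SERIES TARGET VERSION_STRING
#   Succeeds (exit 0) only if VERSION_STRING is from SERIES and reports a
#   patch level of at least TARGET. This is the "scanner checks the
#   version" test from the thread, applied to one version line.
patchlevel_ok() {
    want_series=$1; want_level=$2; ver=$3
    have_series=$(bash_series "$ver")
    have_level=$(bash_patchlevel "$ver")
    [ -n "$have_series" ] && [ -n "$have_level" ] || return 1
    [ "$have_series" = "$want_series" ] || return 1
    [ "$have_level" -ge "$want_level" ]
}

# check_installed SERIES TARGET
#   Runs the check against the bash found on PATH. Not exercised by the
#   offline test below; it is here for use on a built image or sysroot.
check_installed() {
    patchlevel_ok "$1" "$2" "$(bash --version 2>/dev/null | head -n 1)"
}
```

Two things the generator deliberately does not do. First, oe-core's fetcher requires a checksum for every named remote entry (`SRC_URI[patch001.md5sum]` / `SRC_URI[patch001.sha256sum]`), so each generated line still needs its checksum variables filled in from the downloaded file; the script emits no hashes because none appear on this page. Second, the `.sig` files in Mark's listing are detached GPG signatures on the patches; verifying them (`gpg --verify bash43-001.sig bash43-001` against the bash maintainer's key) before recording the checksums is what ties the recipe to the official patch rather than to whatever the mirror served.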