On 12/11/2015 01:13 AM, Paul Eggleton wrote:
>>> Can we get the CVEs fixed by this update included in the commit?
>> It's a version update to oe-core's development branch (e.g.
>> non-production, frequently updated), why have the CVEs in the commit
>> message?
> So that it's clearer when a CVE has been resolved, however we ended up
> resolving it. We currently have a massive gap in what we know about CVE
> resolution because upgrades that fix them aren't tracked in any way.

The CVE database includes information about which upstream versions are
affected by the vulnerability and which have the fix. We can use this
information in our RRS to determine if there are any CVEs to be fixed
and even send notifications to maintainers.

Asking recipe maintainers to inspect the commit log for any new CVEs
fixed when doing a version update of any package, and then placing those
numbers into the recipe commit message is unnecessary manual work that
is also error-prone.
Alex
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
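The version-range matching Alex describes above (decide from CVE affected/fixed version data which CVEs a recipe upgrade resolves, rather than having maintainers read upstream changelogs), as an added example that is not part of this thread and not OE-core's own cve-check or RRS code. The record layout, the placeholder CVE ids, the version-ordering rules and the "Fixes:" trailer format are all assumptions made for the illustration.

```python
"""Work out which CVEs a recipe version bump resolves.

Added illustration, not OE-core code. Each record carries the first
affected upstream version (None = every earlier version is affected) and
the version that ships the fix (None = no fix known yet), mirroring the
per-version data a CVE feed provides.
"""
from typing import List, NamedTuple, Optional, Tuple


def parse_version(v: str) -> tuple:
    """Split a dotted version into comparable parts.

    Numeric pieces sort numerically; non-numeric pieces sort after
    numeric ones and among themselves as strings. "1.2" sorts before
    "1.2.0" (a simplification that is fine for this demonstration).
    """
    parts = []
    for piece in v.split("."):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


class CveRecord(NamedTuple):
    cve_id: str
    product: str
    first_affected: Optional[str]
    fixed_in: Optional[str]


def is_affected(version: str, rec: CveRecord) -> bool:
    """True if `version` falls inside the record's affected range."""
    v = parse_version(version)
    if rec.first_affected is not None and v < parse_version(rec.first_affected):
        return False
    if rec.fixed_in is not None and v >= parse_version(rec.fixed_in):
        return False
    return True


def cves_resolved_by_upgrade(product: str, old_version: str, new_version: str,
                             records: List[CveRecord]) -> Tuple[List[str], List[str]]:
    """Return (resolved, still_open) CVE ids for an old -> new version bump.

    `resolved` are CVEs that affected the old version but not the new one;
    `still_open` are CVEs that still affect the new version (including ones
    the bump newly introduced), which is what a maintainer notification
    would be built from.
    """
    resolved, still_open = [], []
    for rec in records:
        if rec.product != product:
            continue
        before = is_affected(old_version, rec)
        after = is_affected(new_version, rec)
        if before and not after:
            resolved.append(rec.cve_id)
        elif after:
            still_open.append(rec.cve_id)
    return sorted(resolved), sorted(still_open)


def commit_message_trailer(product: str, old_version: str, new_version: str,
                           records: List[CveRecord]) -> str:
    """Render the CVE lines a recipe-upgrade commit message could carry.

    The "Fixes:" trailer form is an assumption for this example, not an
    OE-core convention.
    """
    resolved, _ = cves_resolved_by_upgrade(product, old_version, new_version, records)
    lines = [f"{product}: upgrade {old_version} -> {new_version}", ""]
    lines.extend(f"Fixes: {cve}" for cve in resolved)
    return "\n".join(lines)


# Constructed sample records; the ids are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    CveRecord("CVE-EXAMPLE-0001", "libfoo", None, "1.2.0"),
    CveRecord("CVE-EXAMPLE-0002", "libfoo", "1.1.0", "1.3.1"),
    CveRecord("CVE-EXAMPLE-0003", "libfoo", "1.2.5", None),
    CveRecord("CVE-EXAMPLE-0004", "libbar", None, "0.9"),
]


if __name__ == "__main__":
    print(commit_message_trailer("libfoo", "1.1.5", "1.3.2", SAMPLE_RECORDS))
    print("still open:", cves_resolved_by_upgrade("libfoo", "1.1.5", "1.3.2", SAMPLE_RECORDS)[1])
```

The point the example makes is the one in the thread: once affected and fixed versions are known per CVE, the resolved list is a pure function of the old and new recipe versions, so it can be derived by tooling at upgrade time instead of being transcribed by hand into the commit message. Note that CVE-EXAMPLE-0003 shows the other side of that coin: a bump can also move a recipe into an affected range, which the same comparison catches.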