I suspect this has been missed by some people so I want to spell it out. We have our first CVE in OE-Core itself.

The issue is limited to binary ipks potentially exposing sensitive information through the "Source:" field which contained the full SRC_URI. Those URLs could potentially contain sensitive information about servers and credentials. After discussion, I ended up changing the field to contain the recipe filename (no path). There was talk of filtering the URLs; however, if you try, it becomes clear that sensitive elements can remain and no solution is likely 100% effective. The other package backends don't do this at all, so this brings ipk more into line with them.

Simply clearing the field doesn't work with the current opkg-utils. It can be changed, but the change becomes more invasive.

This fix has been merged to master. I also did take the decision to backport this change back to pyro/morty/krogoth too.

I appreciate this can cause some disruption to people who rely on SRC_URI being in the Source: field; however, I couldn't see any other realistic way forward.

Cheers,

Richard
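An added audit example (not code from the original post or from OE-Core/opkg-utils) illustrating the leak described above: it parses an ipk control file written in the pre-fix layout, flags every SRC_URI entry in the Source: field that carries credentials, secret-looking parameters or simply names a server, and shows what the fix writes instead. The sample control file, its hosts and credentials, the SECRET_KEYS word list and the hardened_source helper are all assumptions made for the example.

```python
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit
# Constructed sample control file in the pre-fix layout, where Source: carried the
# full SRC_URI. Hosts, paths and credentials are made up for this example.
SAMPLE_CONTROL = """Package: example-app
Version: 1.0-r0
Architecture: armv7a
Source: git://build-user:s3cret@git.internal.example.com/app.git;protocol=ssh;branch=main \\
 https://downloads.example.com/app.tar.gz?token=abc123 \\
 svn://svn.internal.example.com/trunk;module=app;user=ro;pswd=hunter2
"""
# Query-parameter and SRC_URI option names that often carry secrets (assumed list).
SECRET_KEYS = {"token", "password", "pswd", "passwd", "key", "secret", "user"}

def parse_control(text):
    """Parse control fields; a line starting with whitespace continues the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and key:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields

def findings_for(entry):
    """List the ways one SRC_URI entry may expose infrastructure or credentials."""
    url, _, options = entry.partition(";")  # URL proper vs. trailing ";key=value" options
    parts = urlsplit(url)
    reasons = []
    if parts.username or parts.password:
        reasons.append("credentials in URL userinfo")
    if any(k.lower() in SECRET_KEYS for k in parse_qs(parts.query)):
        reasons.append("secret-looking query parameter")
    for opt in options.split(";"):
        name = opt.partition("=")[0].lower()
        if name in SECRET_KEYS:
            reasons.append(f"SRC_URI option '{name}'")
    if parts.hostname:  # even a credential-free URL still names a server
        reasons.append(f"discloses host {parts.hostname}")
    return reasons

def audit_control(text):
    """Return [(entry, reasons)] for each SRC_URI entry found in the Source: field."""
    source = parse_control(text).get("Source", "")
    entries = source.replace("\\", " ").split()  # drop line-continuation backslashes
    return [(e, findings_for(e)) for e in entries]

def hardened_source(recipe_path):
    """What the fix writes instead: the recipe file name with its path stripped."""
    return PurePosixPath(recipe_path).name
```

The "discloses host" finding fires for every entry, which is the point the post makes: filtering credentials out of the URLs still leaves server names in a published package.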