| Message ID | 20220307112127.21538-2-quentin.schulz@theobroma-systems.com |
|---|---|
| State | Accepted, archived |
| Commit | ff7d5af61066eee1fdcf9b8704d60a4dc3a9da14 |
| Series | [honister,1/2] util-linux: update 2.37.2 -> 2.37.3 |
Hi all,

On 3/7/22 12:21, Quentin Schulz wrote:
> From: Alexander Kanavin <alex.kanavin@gmail.com>
>
> Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> ---

https://www.spinics.net/lists/util-linux-ng/msg17037.html 2.37.3 fixes two CVEs (not listed on nvdist database for some reason).

https://www.spinics.net/lists/util-linux-ng/msg17087.html 2.37.4 fixes one CVE (not listed on nvdist for some reason).

I think it might be useful for release maintainer(s) if we mention in the commit log or commit title if it's a security bump or not when sending patches for version bumps to master? What do you think? (FYI, Buildroot seems to do it regularly and it helps me with keeping my vendor tree somewhat up-to-date security-wise).

Cheers,
Quentin
On Mon, 2022-03-07 at 12:26 +0100, Quentin Schulz wrote:
> Hi all,
>
> On 3/7/22 12:21, Quentin Schulz wrote:
> > From: Alexander Kanavin <alex.kanavin@gmail.com>
> >
> > Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
> > Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> > ---
>
> https://www.spinics.net/lists/util-linux-ng/msg17037.html 2.37.3 fixes
> two CVEs (not listed on nvdist database for some reason).
>
> https://www.spinics.net/lists/util-linux-ng/msg17087.html 2.37.4 fixes
> one CVE (not listed on nvdist for some reason).
>
> I think it might be useful for release maintainer(s) if we mention in
> the commit log or commit title if it's a security bump or not when
> sending patches for version bumps to master? What do you think? (FYI,
> Buildroot seems to do it regularly and it helps me with keeping my
> vendor tree somewhat up-to-date security-wise).

I'm happy if people do mention it (I did for expat recently) but I'm not going
to block upgrades on the information being missing (how would I tell?).

We're struggling to get people to submit upgrades so I'm reluctant to make it
harder for them.

Cheers,
Richard
Hi Richard,

On 3/7/22 12:44, Richard Purdie wrote:
> On Mon, 2022-03-07 at 12:26 +0100, Quentin Schulz wrote:
>> Hi all,
>>
>> On 3/7/22 12:21, Quentin Schulz wrote:
>>> From: Alexander Kanavin <alex.kanavin@gmail.com>
>>>
>>> Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
>>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>>> (cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
>>> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
>>> ---
>>
>> https://www.spinics.net/lists/util-linux-ng/msg17037.html 2.37.3 fixes
>> two CVEs (not listed on nvdist database for some reason).
>>
>> https://www.spinics.net/lists/util-linux-ng/msg17087.html 2.37.4 fixes
>> one CVE (not listed on nvdist for some reason).
>>
>> I think it might be useful for release maintainer(s) if we mention in
>> the commit log or commit title if it's a security bump or not when
>> sending patches for version bumps to master? What do you think? (FYI,
>> Buildroot seems to do it regularly and it helps me with keeping my
>> vendor tree somewhat up-to-date security-wise).
>
> I'm happy if people do mention it (I did for expat recently) but I'm not going
> to block upgrades on the information being missing (how would I tell?).
>
> We're struggling to get people to submit upgrades so I'm reluctant to make it
> harder for them.
>

Impossible to enforce anyway, as you just mentioned. But making people aware that it's a nice thing to do should be doable, e.g. adding a few words in https://docs.yoctoproject.org/dev-manual/common-tasks.html#submitting-a-change-to-the-yocto-project and https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded ?

It was not my intention to suggest adding additional rules, sorry if it came across this way.

Cheers,
Quentin
On Mon, 2022-03-07 at 12:51 +0100, Quentin Schulz wrote:
> Hi Richard,
>
> On 3/7/22 12:44, Richard Purdie wrote:
> > On Mon, 2022-03-07 at 12:26 +0100, Quentin Schulz wrote:
> > > Hi all,
> > >
> > > On 3/7/22 12:21, Quentin Schulz wrote:
> > > > From: Alexander Kanavin <alex.kanavin@gmail.com>
> > > >
> > > > Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> > > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > > > (cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
> > > > Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> > > > ---
> > >
> > > https://www.spinics.net/lists/util-linux-ng/msg17037.html 2.37.3 fixes
> > > two CVEs (not listed on nvdist database for some reason).
> > >
> > > https://www.spinics.net/lists/util-linux-ng/msg17087.html 2.37.4 fixes
> > > one CVE (not listed on nvdist for some reason).
> > >
> > > I think it might be useful for release maintainer(s) if we mention in
> > > the commit log or commit title if it's a security bump or not when
> > > sending patches for version bumps to master? What do you think? (FYI,
> > > Buildroot seems to do it regularly and it helps me with keeping my
> > > vendor tree somewhat up-to-date security-wise).
> >
> > I'm happy if people do mention it (I did for expat recently) but I'm not going
> > to block upgrades on the information being missing (how would I tell?).
> >
> > We're struggling to get people to submit upgrades so I'm reluctant to make it
> > harder for them.
> >
>
> Impossible to enforce anyway, as you just mentioned. But making people
> aware that it's a nice thing to do should be doable, e.g. adding a few
> words in
> https://docs.yoctoproject.org/dev-manual/common-tasks.html#submitting-a-change-to-the-yocto-project
> and
> https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded ?
>
> It was not my intention to suggest adding additional rules, sorry if it
> came across this way.

Highlighting in the docs sounds like a great idea :)

Cheers,
Richard
diff --git a/meta/recipes-core/util-linux/util-linux-libuuid_2.37.3.bb b/meta/recipes-core/util-linux/util-linux-libuuid_2.37.4.bb similarity index 100% rename from meta/recipes-core/util-linux/util-linux-libuuid_2.37.3.bb rename to meta/recipes-core/util-linux/util-linux-libuuid_2.37.4.bb diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index 0309332722..c48f9572f5 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -37,4 +37,4 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://avoid_parallel_tests.patch \ " -SRC_URI[sha256sum] = "590c592e58cd6bf38519cb467af05ce6a1ab18040e3e3418f24bcfb2f55f9776" +SRC_URI[sha256sum] = "634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83" diff --git a/meta/recipes-core/util-linux/util-linux_2.37.3.bb b/meta/recipes-core/util-linux/util-linux_2.37.4.bb similarity index 100% rename from meta/recipes-core/util-linux/util-linux_2.37.3.bb rename to meta/recipes-core/util-linux/util-linux_2.37.4.bb
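Review bot: The commit message shown for this patch (the From line, the Signed-off-by trailers and the cherry-pick reference to 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc) gives no reason for backporting the bump to honister, even though the thread above states that 2.37.4 carries a CVE fix; add a sentence to the commit log that names it as a security update and links the upstream announcement (https://www.spinics.net/lists/util-linux-ng/msg17087.html) so release maintainers and people tracking vendor trees can recognise the security bump without searching the list. Separately, the only substantive change in util-linux.inc is the swap of SRC_URI[sha256sum] from 590c592e58cd6bf38519cb467af05ce6a1ab18040e3e3418f24bcfb2f55f9776 to 634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83; nothing in the visible lines ties the new digest to the upstream 2.37.4 tarball, so the reviewer should confirm it against the checksum or signature published with the upstream release before merging rather than trusting the recipe value alone.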