From: Paul Eggleton <paul.eggleton@linux.intel.com>
To: openembedded-core@lists.openembedded.org
Cc: yocto-security@yoctoproject.org
Subject: Re: [PATCH 3/3] git: update to 2.8.1
Date: Tue, 19 Apr 2016 14:44:15 +1200
Message-ID: <2128894.poWFMP4dMf@peggleto-mobl.ger.corp.intel.com>
In-Reply-To: <CACS+7ZTFxKWOtWW4G07i0q8J5a9jWKmKfu_hamPLQZRwcfYXmQ@mail.gmail.com>

On the other hand, AFAICT we are currently still vulnerable to a remote code
execution issue:

  https://ma.ttias.be/remote-code-execution-git-versions-client-server-2-7-1-cve-2016-2324-cve-2016-2315/

Given we provide git for native use in the buildtools as well as on target
I think we really ought to be addressing this before release. Whether we
should do that by upgrading to 2.7.4 or attempting to apply patches I'm
not sure.

Cheers,
Paul

On Tue, 12 Apr 2016 13:48:26 Dan McGregor wrote:
> Works for me. I'm not in a hurry.
> 
> On 12 April 2016 at 13:41, Burton, Ross <ross.burton@intel.com> wrote:
> > Far too late for master/krogoth, this can be merged after they've
> > branched.
> > 
> > Ross
> > 
> > On 12 April 2016 at 19:25, Dan McGregor <danismostlikely@gmail.com> wrote:
> >> From: Dan McGregor <dan.mcgregor@usask.ca>
> >> 
> >> Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
> >> ---
> >> 
> >>  meta/recipes-devtools/git/git_2.7.2.bb | 11 -----------
> >>  meta/recipes-devtools/git/git_2.8.1.bb | 11 +++++++++++
> >>  2 files changed, 11 insertions(+), 11 deletions(-)
> >>  delete mode 100644 meta/recipes-devtools/git/git_2.7.2.bb
> >>  create mode 100644 meta/recipes-devtools/git/git_2.8.1.bb
> >> 
> >> diff --git a/meta/recipes-devtools/git/git_2.7.2.bb
> >> b/meta/recipes-devtools/git/git_2.7.2.bb
> >> deleted file mode 100644
> >> index 3fd7151..0000000
> >> --- a/meta/recipes-devtools/git/git_2.7.2.bb
> >> +++ /dev/null
> >> @@ -1,11 +0,0 @@
> >> -require git.inc
> >> -
> >> -EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
> >> -
> >> ac_cv_fread_reads_directories=${ac_cv_fread_reads_directories=yes} \
> >> -                 "
> >> -EXTRA_OEMAKE += "NO_GETTEXT=1"
> >> -
> >> -SRC_URI[tarball.md5sum] = "162ddc6c9b243899ad67ebd6b1c166b1"
> >> -SRC_URI[tarball.sha256sum] =
> >> "58959e3ef3046403216a157dfc683c4d7f0dd83365463b8dd87063ded940a0df"
> >> -SRC_URI[manpages.md5sum] = "7bb067d6363f537b92c3b8b813ff9ed6"
> >> -SRC_URI[manpages.sha256sum] =
> >> "e6b5481fd6e24a1d1b155ef17363b313d47025bf6da880737fa872ab78e24f15"
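Review bot: the non-checksum lines removed here (require git.inc, EXTRA_OECONF, EXTRA_OEMAKE) reappear unchanged in git_2.8.1.bb, so the delete/create pair hides that this is a pure version bump. Generating the patch with rename detection (git format-patch -M) would reduce the diff to the four SRC_URI checksum lines, which are the only part that needs auditing.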
> >> diff --git a/meta/recipes-devtools/git/git_2.8.1.bb
> >> b/meta/recipes-devtools/git/git_2.8.1.bb
> >> new file mode 100644
> >> index 0000000..8978b72
> >> --- /dev/null
> >> +++ b/meta/recipes-devtools/git/git_2.8.1.bb
> >> @@ -0,0 +1,11 @@
> >> +require git.inc
> >> +
> >> +EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
> >> +
> >> ac_cv_fread_reads_directories=${ac_cv_fread_reads_directories=yes} \
> >> +                 "
> >> +EXTRA_OEMAKE += "NO_GETTEXT=1"
> >> +
> >> +SRC_URI[tarball.md5sum] = "1a12555182c1e9f781bc30a5c5f9515e"
> >> +SRC_URI[tarball.sha256sum] =
> >> "cfc66324179b9ed62ee02833f29d39935f4ab66874125a3ab9d5bb9055c0cb67"
> >> +SRC_URI[manpages.md5sum] = "60552f15a90b9fcdc1b92b222e2d2379"
> >> +SRC_URI[manpages.sha256sum] =
> >> "df46de0c172049f935cc3736361b263c5ff289b77077c73053e63ae83fcf43f4"
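Review bot: the new SRC_URI[tarball.*] and SRC_URI[manpages.*] checksums arrive with a commit message that has no body beyond the Signed-off-by, so nothing records how the values were obtained or what the upgrade is for. Suggest stating in the commit message that the sha256sums were checked against the upstream release artifacts and, given the CVE-2016-2324/CVE-2016-2315 concern raised in this thread, whether this version bump is meant to address it.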
> >> --
> >> 2.8.1
> >> 

-- 

Paul Eggleton
Intel Open Source Technology Centre

