Security: Difference between revisions
SonaSarmadi (talk | contribs) |
SonaSarmadi (talk | contribs) |
||
Line 111: | Line 111: | ||
* [http://cvechecker.sourceforge.net Cvechecker] | * [http://cvechecker.sourceforge.net Cvechecker] | ||
== Security Issues Addressed in Yocto 1.6 | == Security Issues Addressed in Yocto Releases == | ||
'''Yocto 1.6 - Daisy''' | |||
https://www.yoctoproject.org/downloads/core/daisy16 | https://www.yoctoproject.org/downloads/core/daisy16 | ||
'''Yocto 1.7 - Dizzy''' | |||
https://www.yoctoproject.org/downloads/core/dizzy17 |
Revision as of 11:31, 28 November 2014
Since the Yocto Project is intended to be flexible and meet the needs of many applications, we leave policy-making decisions around security to our end users. Our goal instead is to ship each release with metadata that follows best practices in that we do not release recipe versions which are known to have significant security vulnerabilities. Generally this is done by upgrading recipes to newer versions that are no longer vulnerable to these issues.
We are tracking security vulnerabilities in the Yocto Project against the National Vulnerability Database.
Branches maintained with security fixes
Major version | Current Version | Branch name | BitBake version | Maintainer |
---|---|---|---|---|
1.7 | 1.7 | dizzy | 1.24 | Armin Kuster <akuster808@gmail.com> |
1.6 | 1.6.1 | daisy | 1.22 | Saul Wold <sgw@linux.intel.com> |
1.5 | 1.5.3 | dora | 1.20 | Robert Yang <liezhi.yang@windriver.com> |
1.4 | 1.4.3* | dylan | 1.18 | Paul Eggleton <paul.eggleton@linux.intel.com> |
1.3 | 1.3.2 | danny | 1.16 | Ross Burton <ross.burton@intel.com> |
All CVEs (security patches) should be backported to all branches above (if at all possible).
Versions in grey are no longer actively maintained, but well-tested security patches may still be accepted for them.)
See Stable branches maintenancefor detailed info regarding the policies and maintenance of Stable branch
Kernel security patches
Kernel security patches are backported to Linux-yoco kernels regularly from https://www.kernel.org/
Linux-yocto
linux-yocto_3.10 & linux-yocto_3.14 (maintainer: Ross Burton)
Vendor kernels
Kernel security patches are also backported to Linux-vendor kernels from https://www.kernel.org/
- meta-intel (meta-intel uses Linux-yocto)
- meta-fsl-ppc (maintainer: xxx)
- meta-fsl-arm (maintainer: xxx)
- meta-xilinx (maintainer: xxx)
- meta-ti (maintainer: xxx)
- etc
How to test
If there is any test case for the vulnerability by the upstream project or community
- Run the test to reproduce the problem and verify the correction. - Run the regression test
If there isn’t any test case and it is complicated and time consuming to write a testcase
- Run the regressions test
Regression test
- Build the core image for at least two architectures (preferably one big-endian and one little-endian)
- Run ptest (for those branches/packages that there is ptest mechanism)
Patch name convention and commit message
Security patches should have reference to the CVE identifier both in the patch file/s and the commit comment.
Please make sure to add the package name in the subject and the reference to the CVE. Example for the commit comment:
bash: CVE-2014-6278 <short description> References E.g. link to CVE or other useful info/blog/advisory. Signed-off-by: <your email addres> Signed-off-by: xxxx
For additional guidelines refer to: Commit Patch Message Guidelines
Security Issues Addressed in Yocto Releases
Yocto 1.6 - Daisy https://www.yoctoproject.org/downloads/core/daisy16 Yocto 1.7 - Dizzy https://www.yoctoproject.org/downloads/core/dizzy17