Security

All CVE (security) patches should be backported if at all possible

See Stable branchesfor the detailed info regarding the policies and maintenance of Stable branch

Kernel security patches

Kernel security patches are backported to Linux-yoco kernels regularly from https://www.kernel.org/

Linux-yocto

linux-yocto_3.10 & linux-yocto_3.14 (maintainer: Ross Burton)

Vendor kernels

Kernel security patches are also backported to Linux-vendor kernels from https://www.kernel.org/

• meta-intel (meta-intel uses Linux-yocto)
• meta-fsl-ppc (maintainer: xxx)
• meta-fsl-arm (maintainer: xxx)
• meta-xilinx (maintainer: xxx)
• meta-ti (maintainer: xxx)
• etc

How to test

If there is any test case for the vulnerability by the upstream project or community

- Run the test to reproduce the problem and after applying the correction to verify that the problem is solved. 
- Run the regression test

If there isn’t any test case and it is complicated and time consuming to write a testcase

- Run the regressions test

Regression test Build the core image for at least two architectures (preferably one big-endian and one little-endian) Run ptest (for those branches/packages that there is ptest mechanism)

Patch name convention and commit comment

Security patches should have reference to the CVE identifier both in the patch file/s and the commit comment.

Please make sure to add the package name in the subject and the reference to the CVE. Example for the commit comment:

   bash: CVE-2014-6278
   
   <short description>
   
   References
   E.g. linke to CVE or other useful info/blog/advisory.
   
   Signed-off-by: <your email addres>
   Signed-off-by: xxxx

For additional guideline refer to: Commit Patch Message Guidelines

Some security related links/useful tools

• CVE details
• CVE list, Linux kernel 2014
• Meta-security-layer
• Making images more secure
• Cvechecker

Security Issues Addressed in Yocto 1.7 / Poky x.