Synchronization CVEs

From Yocto Project
Revision as of 07:22, 20 October 2023 by Marta Rybczynska (talk | contribs) (→‎Regular cve-check runs: Add cve-check runs)

(WIP) Synchronization on the CVE work

The Yocto project is actively fixing public CVEs. This page describes the process to follow to allow synchronization between developers. The goal is to avoid duplicate work, and also limit the number of high severity CVEs that remain without a backport of the fix.

Regular cve-check runs

The project runs cve-check regularly on the Poky repository with a world build. This produces an up-to-date picture of the known CVEs affecting the project.

Results from multiple runs of the cve-check are available:

  • weekly emails sent to the yocto-security mailing list
  • autobuilder daily runs
  • runs managed by the Project's collaborators

Synchronization page

A synchronization wiki page is available for everyone working on CVE fixes.

WIP

To cover:

  • Who updates the page?
  • What happens when a fix is posted on the ML?
  • How do we handle different LTS versions?