I have started a thread in OE-architecture mailing list regarding the mark of upstream CVE patches. Here is the link: http://lists.openembedded.org/pipermail/openembedded-architecture/2015-December/000025.html Please feel free to comment. Mariano Lopez