[yocto-security] Yocto security responses.
Paul Eggleton
paul.eggleton at linux.intel.com
Thu Oct 12 19:13:54 PDT 2017
On Friday, 13 October 2017 2:24:58 PM NZDT Martin Jansa wrote:
> On Thu, Oct 12, 2017 at 11:24 PM, Paul Eggleton <
> paul.eggleton at linux.intel.com> wrote:
>
> > Hi Jim,
> >
> > On Friday, 13 October 2017 8:56:50 AM NZDT Jim Gettys wrote:
> > > I'm trying to understand the Yocto response to security issues.
> > >
> > > The OE https://patchwork.openembedded.org/project/oe/patches/ page shows
> > > you added a patch to fix the recent dnsmasq problems on October 3, by
> > > updating to dnsmasq 2.78.
> > >
> > > But being new to Yocto, I don't know how long it takes to percolate through
> > > the Yocto system.
> > >
> > > https://layers.openembedded.org/layerindex/recipe/4473/
> > >
> > > Still says version 2.76, whereas the fixes are in 2.78.
> > >
> > > If one built Yocto today from current head of tree, what version would be
> > > picked up?
> > >
> > > Any insight on how Yocto handles security issues would be helpful.
> >
> > To explain a little background - OpenEmbedded recipes are split up into
> > various different layers. The layer in which dnsmasq is contained,
> > meta-networking, isn't actually maintained by the Yocto Project - it's not
> > part of our release/test cycle that we do for the core. I just happened to
> > send a patch because I noticed the security issue announcement and it was a
> > straightforward upgrade from 2.76.
> >
> > Patch testing for meta-networking and other layers in the meta-openembedded
> > repository in which meta-networking is contained is graciously carried out for
> > the community by Martin (on CC) which involves world builds for every
> > architecture we support. Usually when patches get sent it takes a few days for
> > them to get through those tests. I would like to see security patches like
> > this one have some kind of fast track - I'd have to agree that 10 days is
> > longer than we would like. We do have a number of volunteers who work on
> >
>
> Hi Jim, Paul,
>
> in this case with meta-networking layer it's true that I do the testing
> with world builds (in my free time), but the meta-networking layer is
> maintained by Joe MacDonald (I've added him to the thread), so it's
> waiting for him to do his tests as well and to merge it in master.
>
> It was already included in the build report:
> http://lists.openembedded.org/pipermail/openembedded-devel/2017-October/115143.html
> together with a lot older dnsmasq change:
> d43e7f0 dnsmasq: disable the service by default
> which might mitigate these security risks as well, but there was some
> argument about this solution in:
> https://patchwork.openembedded.org/patch/137644/
Right - sorry I should have included Joe earlier, thanks.
The other change is really orthogonal - I would expect many more people to
be using dnsmasq as a service than both bind and dnsmasq together where that
conflict arises.
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
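Jim's question of which dnsmasq version a build would pick up can be answered from the layer checkout itself, since OpenEmbedded recipes carry the package version in the file name (`<name>_<version>.bb`). The script below is an added example, not code from this thread or from the Yocto/OpenEmbedded projects: it lists the recipe versions found under a layer directory and reports whether a recipe at or above a given fixed version (here dnsmasq 2.78) is present. The sample layer tree it builds is constructed inline; the `recipes-support/dnsmasq/` path is an assumption about the layout, and no real checkout is needed.

```shell
#!/bin/sh
# Added example (not from the thread): check which version of a recipe a layer
# checkout carries, using the <name>_<version>.bb file-name convention.

# Print the version of every "<name>_<version>.bb" recipe under $2, sorted.
recipe_versions() {
    name=$1; layer=$2
    find "$layer" -name "${name}_*.bb" \
        | sed -n "s|.*/${name}_\(.*\)\.bb$|\1|p" \
        | sort
}

# Return 0 if dotted numeric version $1 >= $2 (e.g. 2.78 >= 2.76, 2.10 >= 2.9).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        l = (n > m) ? n : m;
        for (i = 1; i <= l; i++) {
            xi = (i in x) ? x[i] + 0 : 0;
            yi = (i in y) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# Return 0 if some recipe named $1 under layer $3 is at version >= $2.
fix_present() {
    name=$1; fixed=$2; layer=$3
    for v in $(recipe_versions "$name" "$layer"); do
        if version_ge "$v" "$fixed"; then
            return 0
        fi
    done
    return 1
}

# Construct a throwaway layer tree (assumed layout) with a single 2.76 recipe
# and print the path; the caller removes it.
make_sample_layer() {
    t=$(mktemp -d)
    mkdir -p "$t/meta-networking/recipes-support/dnsmasq"
    : > "$t/meta-networking/recipes-support/dnsmasq/dnsmasq_2.76.bb"
    printf '%s\n' "$t"
}

# Demonstration against the constructed tree: before and after the upgrade.
demo() {
    layer=$(make_sample_layer)
    printf 'versions in checkout: %s\n' "$(recipe_versions dnsmasq "$layer" | tr '\n' ' ')"
    if fix_present dnsmasq 2.78 "$layer"; then
        echo "dnsmasq >= 2.78 present"
    else
        echo "dnsmasq still below 2.78 in this checkout"
    fi
    : > "$layer/meta-networking/recipes-support/dnsmasq/dnsmasq_2.78.bb"
    if fix_present dnsmasq 2.78 "$layer"; then
        echo "after upgrade: dnsmasq >= 2.78 present"
    fi
    rm -rf "$layer"
}

demo
```

Inside a configured build directory the authoritative check is `bitbake -e dnsmasq | grep '^PV='`, which prints the version BitBake would actually build once every layer and `.bbappend` has been applied; the file-name scan above is only a quick look at what a git checkout of the layer contains before any build environment is set up.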