<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <br>
    <div class="moz-cite-prefix">On 12/16/2015 03:21 AM, Burton, Ross
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJTo0LYO9ptJ4PDmR49N-Yw9TbTFGsuyCUBUc4zW2FLk2CNoWQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On 16 December 2015 at 09:03, Sona
            Sarmadi <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:sona.sarmadi@enea.com" target="_blank">sona.sarmadi@enea.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div id=":2ce" class="a3s" style="overflow:hidden">We are
                supposed to have reference to the CVE identifier both in
                the patch file/s<br>
                and the commit message (e.g. xxx- CVE-2013-6435.patch)
                according to the guidelines<br>
                for "Patch name convention and commit message" in the
                Yocto<br>
                Wiki <a moz-do-not-send="true"
                  href="https://wiki.yoctoproject.org/wiki/Security"
                  rel="noreferrer" target="_blank">https://wiki.yoctoproject.org/wiki/Security</a>.<br>
                <br>
                If a patch addresses multiple CVEs, perhaps we should name
                the patch:<br>
                Fix-for-multiple-CVEs.patch and list all CVEs in the
                patch file.<br>
                <br>
                Will this not solve the problem? Do you think there is
                still a need for a new tag "CVE"?</div>
            </blockquote>
          </div>
          <br>
          I'd say a new tag is essential if we want to automate tooling,
          to reduce the chance of false-positives from simply searching
          the patch for something that looks like a CVE reference.</div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra">Ross</div>
      </div>
    </blockquote>
    <br>
    The conclusion of this thread is to add the tag "CVE" to the
    metadata of submitted CVE patches. I will edit the wiki to show this
    requirement.<br>
    <br>
    <div class="moz-signature">Mariano<br>
    </div>
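    <br>
    Added example, not part of the original thread and not Yocto project code: a sketch of why a dedicated tag helps tooling, comparing CVE ids read from a header tag with ids found by searching the whole patch. The "CVE: CVE-YYYY-NNNN" tag syntax, the function names and the sample patch are assumptions made for this illustration.<br>
    <br>

```python
import re

# Assumption: the tag is a "CVE: CVE-YYYY-NNNN" line in the patch header,
# i.e. in the text before the "---" separator or the first diff line.
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
TAG_LINE = re.compile(r"^CVE:\s*(.+)$")

# Constructed sample patch; the CVE-0000-* ids are placeholders.
SAMPLE_PATCH = """\
From: Constructed Example
Subject: [PATCH] example: check signature before use

Unrelated to CVE-0000-0001, which touched the same function.

CVE: CVE-2013-6435
---
diff --git a/lib/example.c b/lib/example.c
--- a/lib/example.c
+++ b/lib/example.c
@@ -1,2 +1,3 @@
 /* regression test for CVE-0000-0002 lives in tests/ */
+    if (!sig_ok) return -1;
"""

def header_of(patch_text):
    """Lines of the patch that come before the diff body."""
    header = []
    for line in patch_text.splitlines():
        if line == "---" or line.startswith(("diff --git ", "--- ", "Index: ")):
            break
        header.append(line)
    return header

def tagged_cves(patch_text):
    """CVE ids declared through the CVE tag, in header order, deduplicated."""
    found = []
    for line in header_of(patch_text):
        match = TAG_LINE.match(line)
        if match:
            found += CVE_ID.findall(match.group(1))
    return list(dict.fromkeys(found))

def grepped_cves(patch_text):
    """Every CVE-looking string anywhere in the patch (the naive search)."""
    return sorted(set(CVE_ID.findall(patch_text)))

def untagged_mentions(patch_text):
    """Ids a plain search reports that the patch does not claim to fix."""
    return [c for c in grepped_cves(patch_text) if c not in tagged_cves(patch_text)]
```

    <br>
    On the sample, the tag yields only CVE-2013-6435, while the plain search also reports the two ids that are merely mentioned in the description and in a context line.<br>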
  </body>
</html>