openembedded/meta-openembedded

opensc: multiple security vulnerabilities require backports?

Opened this issue · 6 comments

citypw commented

There are multiple security vulnerabilities fixed in OpenSC v0.26-rc1:

https://github.com/OpenSC/OpenSC/releases/tag/0.26.0-rc1

kraj commented

@citypw I see that it's still in RC stage. Once 0.26 final is released, we need to upgrade the recipe.

citypw commented

@kraj do you have a plan to backport it to other branches like Kirkstone? There are some security backports still missing in Kirkstone:
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories#opensc-security-advisories

kraj commented

@kraj do you have a plan to backport it to other branches like Kirkstone? There are some security backports still missing in Kirkstone: https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories#opensc-security-advisories

Usual policy is no major version upgrades into release branches. It will surely be in master when it happens.

citypw commented

I understand the point. I saw some branches like Kirkstone did the security backports for OpenSC previously:
https://github.com/openembedded/meta-openembedded/blob/kirkstone/meta-oe/recipes-support/opensc/opensc_0.22.0.bb#L17C1-L25C43

It's still missing a couple of known vulnerabilities with CVE numbers. I'm curious what's the backport criteria. Will all CVEs backport to the branches or just some CVEs with higher impact?

kraj commented

It really depends upon contributors.

citypw commented

Okidoki, a PR with two backports: #876