[honister,2/2] util-linux: upgrade 2.37.3 -> 2.37.4

Message ID 20220307112127.21538-2-quentin.schulz@theobroma-systems.com
State Accepted, archived
Commit ff7d5af61066eee1fdcf9b8704d60a4dc3a9da14
Series [honister,1/2] util-linux: update 2.37.2 -> 2.37.3

Commit Message

Quentin Schulz March 7, 2022, 11:21 a.m. UTC
From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
 ...til-linux-libuuid_2.37.3.bb => util-linux-libuuid_2.37.4.bb} | 0
 meta/recipes-core/util-linux/util-linux.inc                     | 2 +-
 .../util-linux/{util-linux_2.37.3.bb => util-linux_2.37.4.bb}   | 0
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/util-linux/{util-linux-libuuid_2.37.3.bb => util-linux-libuuid_2.37.4.bb} (100%)
 rename meta/recipes-core/util-linux/{util-linux_2.37.3.bb => util-linux_2.37.4.bb} (100%)

Comments

Quentin Schulz March 7, 2022, 11:26 a.m. UTC | #1
Hi all,

On 3/7/22 12:21, Quentin Schulz wrote:
> From: Alexander Kanavin <alex.kanavin@gmail.com>
> 
> Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> ---

https://www.spinics.net/lists/util-linux-ng/msg17037.html 2.37.3 fixes 
two CVEs (not listed on nvdist database for some reason).

https://www.spinics.net/lists/util-linux-ng/msg17087.html 2.37.4 fixes 
one CVE (not listed on bvdist for some reason).

I think it might be useful for release maintainer(s) if we mention in 
the commit log or commit title if it's a security bump or not when 
sending patches for version bumps to master? What do you think? (FYI, 
Buildroot seems to do it regularly and it helps me with keeping my 
vendor tree somewhat up-to-date security wise).

Cheers,
Quentin
Richard Purdie March 7, 2022, 11:44 a.m. UTC | #2
On Mon, 2022-03-07 at 12:26 +0100, Quentin Schulz wrote:
> Hi all,
> 
> On 3/7/22 12:21, Quentin Schulz wrote:
> > From: Alexander Kanavin <alex.kanavin@gmail.com>
> > 
> > Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
> > Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> > ---
> 
> https://www.spinics.net/lists/util-linux-ng/msg17037.html 2.37.3 fixes 
> two CVEs (not listed on nvdist database for some reason).
> 
> https://www.spinics.net/lists/util-linux-ng/msg17087.html 2.37.4 fixes 
> one CVE (not listed on bvdist for some reason).
> 
> I think it might be useful for release maintainer(s) if we mention in 
> the commit log or commit title if it's a security bump or not when 
> sending patches for version bumps to master? What do you think? (FYI, 
> Buildroot seems to do it regularly and it helps me with keeping my 
> vendor tree somewhat up-to-date security wise).

I'm happy if people do mention it (I did for expat recently) but I'm not going
to block upgrades on the information being missing (how would I tell?).

We're struggling to get people to submit upgrades so I'm reluctant to make it
harder for them.

Cheers,

Richard
Quentin Schulz March 7, 2022, 11:51 a.m. UTC | #3
Hi Richard,

On 3/7/22 12:44, Richard Purdie wrote:
> On Mon, 2022-03-07 at 12:26 +0100, Quentin Schulz wrote:
>> Hi all,
>>
>> On 3/7/22 12:21, Quentin Schulz wrote:
>>> From: Alexander Kanavin <alex.kanavin@gmail.com>
>>>
>>> Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
>>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>>> (cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
>>> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
>>> ---
>>
>> https://www.spinics.net/lists/util-linux-ng/msg17037.html 2.37.3 fixes
>> two CVEs (not listed on nvdist database for some reason).
>>
>> https://www.spinics.net/lists/util-linux-ng/msg17087.html 2.37.4 fixes
>> one CVE (not listed on bvdist for some reason).
>>
>> I think it might be useful for release maintainer(s) if we mention in
>> the commit log or commit title if it's a security bump or not when
>> sending patches for version bumps to master? What do you think? (FYI,
>> Buildroot seems to do it regularly and it helps me with keeping my
>> vendor tree somewhat up-to-date security wise).
> 
> I'm happy if people do mention it (I did for expat recently) but I'm not going
> to block upgrades on the information being missing (how would I tell?).
> 
> We're struggling to get people to submit upgrades so I'm reluctant to make it
> harder for them.
> 

Impossible to enforce anyway, as you just mentioned. But making people 
aware that it's a nice thing to do should be doable, e.g. adding a few 
words in 
https://docs.yoctoproject.org/dev-manual/common-tasks.html#submitting-a-change-to-the-yocto-project 
and 
https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded ?

It was not my intention to suggest adding additional rules, sorry if it 
came across this way.

Cheers,
Quentin
Richard Purdie March 7, 2022, 11:53 a.m. UTC | #4
On Mon, 2022-03-07 at 12:51 +0100, Quentin Schulz wrote:
> Hi Richard,
> 
> On 3/7/22 12:44, Richard Purdie wrote:
> > On Mon, 2022-03-07 at 12:26 +0100, Quentin Schulz wrote:
> > > Hi all,
> > > 
> > > On 3/7/22 12:21, Quentin Schulz wrote:
> > > > From: Alexander Kanavin <alex.kanavin@gmail.com>
> > > > 
> > > > Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> > > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > > > (cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
> > > > Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> > > > ---
> > > 
> > > https://www.spinics.net/lists/util-linux-ng/msg17037.html 2.37.3 fixes
> > > two CVEs (not listed on nvdist database for some reason).
> > > 
> > > https://www.spinics.net/lists/util-linux-ng/msg17087.html 2.37.4 fixes
> > > one CVE (not listed on bvdist for some reason).
> > > 
> > > I think it might be useful for release maintainer(s) if we mention in
> > > the commit log or commit title if it's a security bump or not when
> > > sending patches for version bumps to master? What do you think? (FYI,
> > > Buildroot seems to do it regularly and it helps me with keeping my
> > > vendor tree somewhat up-to-date security wise).
> > 
> > I'm happy if people do mention it (I did for expat recently) but I'm not going
> > to block upgrades on the information being missing (how would I tell?).
> > 
> > We're struggling to get people to submit upgrades so I'm reluctant to make it
> > harder for them.
> > 
> 
> Impossible to enforce anyway, as you just mentioned. But making people 
> aware that it's a nice thing to do should be doable, e.g. adding a few 
> words in 
> https://docs.yoctoproject.org/dev-manual/common-tasks.html#submitting-a-change-to-the-yocto-project 
> and 
> https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded ?
> 
> It was not my intention to suggest adding additional rules, sorry if it 
> came across this way.

Highlighting in the docs sounds like a great idea :)

Cheers,

Richard

Patch

diff --git a/meta/recipes-core/util-linux/util-linux-libuuid_2.37.3.bb b/meta/recipes-core/util-linux/util-linux-libuuid_2.37.4.bb
similarity index 100%
rename from meta/recipes-core/util-linux/util-linux-libuuid_2.37.3.bb
rename to meta/recipes-core/util-linux/util-linux-libuuid_2.37.4.bb
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 0309332722..c48f9572f5 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -37,4 +37,4 @@  SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
            file://avoid_parallel_tests.patch \
            "
 
-SRC_URI[sha256sum] = "590c592e58cd6bf38519cb467af05ce6a1ab18040e3e3418f24bcfb2f55f9776"
+SRC_URI[sha256sum] = "634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83"
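Review bot: The commit message gives no reason for this bump even though the thread itself notes that 2.37.4 fixes a CVE, and the only content change in this hunk is the SRC_URI[sha256sum] line (590c592e... -> 634e6916...). Please state in the message that this is a security update and how the new checksum was verified (for example against the upstream release announcement linked in the discussion), so that reviewers of the honister stable branch can see it is a security bump rather than a routine version update and prioritise it accordingly.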
diff --git a/meta/recipes-core/util-linux/util-linux_2.37.3.bb b/meta/recipes-core/util-linux/util-linux_2.37.4.bb
similarity index 100%
rename from meta/recipes-core/util-linux/util-linux_2.37.3.bb
rename to meta/recipes-core/util-linux/util-linux_2.37.4.bb