-
Notifications
You must be signed in to change notification settings - Fork 6.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
backport the security patch of CVE-2024-1638 #77262
backport the security patch of CVE-2024-1638 #77262
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
3.5 was end of life'd on 31st July 2024, no further backports should be made, projects should be updated to 3.7
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this phrasing is subject to interpretation. I read it as "The Zephyr project doesn't backport fixes" not as "The Zephyr project will not accept fixes".
My opinion is that since this is a security issue, we can at least make the effort to accept it in the release branch, even if we don't make an official point release.
@Crispy-fried-chicken the first requirement would be to retain the original commit message. Also fix the formatting of the actual patch. The Compliance CI check is failing because of this. |
f332865
to
d21148f
Compare
@jhedberg Hi, I've already fixed commit format and code format, please continue to review it, thank you! |
…e connection (LESC) mask also require encryption, and some users have been using e.g. BT_GATT_PERM_READ_LESC without BT_GATT_PERM_READ_ENCRYPT, and then the encryption check in bt_gatt_check_perm was never properly applied. cherry-picked from commit d9ff7eb > Signed-off-by: Yiheng Cao([email protected])
7277e26
to
b531cec
Compare
@Crispy-fried-chicken thanks. We just discussed cases like this in the Zephyr project's release engineering meeting, and the consensus was that we will not start making exceptions to the official supported release policy: https://docs.zephyrproject.org/latest/releases/index.html#supported-releases So unfortunately it means that you'd need to either maintain this in your own downstream tree, or move to a supported Zephyr release version. |
Here is a vulnerability which is fixed in the https://github.com/zephyrproject-rtos/zephyr/tree/main and https://github.com/zephyrproject-rtos/zephyr/tree/v3.7-branch branch d9ff7eb, but is not fixed in the branch of v3.5-branch, maybe it should be backported?