Security patches for BSP3

gmi · September 7, 2021, 1:49pm

Hi all,

We are currently running Toradex BSP3 LTS on a Colibri iMX7 eMMC and recently found out that we needed to patch our linux kernel (4-.14.170) because of some CVEs impacting our security design (example: CVE-2021-3347).

Having seen the following [Toradex Embedded Linux Support Strategy | Toradex Developer Center], I’ve been digging the linux-toradex git repository but i was unable to find any security patches applicable to the kernel version of BSP3.

Did I miss/misunderstand something?

Thanks and regards
G.

jaski.tx · September 7, 2021, 7:08pm

Hi @gmi

Thanks for writing to the Toradex Community!

Could you share which security Patches are you missing?

Best regards,
Jaski

gmi · September 7, 2021, 7:13pm

Hi Jaski,

CVE-2021-3347, CVE-2021-33909 or CVE-2021-22555 for example among others, although I was able to patch the last two manually.

Regards
G.

jaski.tx · September 7, 2021, 7:25pm

Good, actually I would also have recommended you this.

Best regards,
Jaski

gmi · September 8, 2021, 5:29am

You recommend to patch manually?

Regards
G.

jaski.tx · September 8, 2021, 5:42am

Yes, since you will have your own custom image with all the patches needed for your application.

Best regards,
Jaski

gmi · September 8, 2021, 5:55am

Ok.
Where can I find the security patches to the off the shelf Toradex LTS BSPs?

Regards
G.

jaski.tx · September 8, 2021, 12:55pm

There are no security patches off the shelf. We only do a new LTS release if there are hardware changes.

Best regards,
Jaski

gmi · September 13, 2021, 8:08am

Ok.

By reading this https://developer.toradex.com/knowledge-base/toradex-embedded-linux-bsp-support-strategy#Maintenance_Releases_for_Long_Term_Embedded_Linux_Release_LTS, I really expected Toradex to deliver Kernel security patches to LTS BSP (as well as U-Boot and OE/Yocto).

You should change this description on your website, this is very confusing. I would have know that LTS releases for you BSP were not aligned Linux kernel/UBoot/Yocto mainlines as far as security is concerned, I would have chosen Quarterly Releases to get at latest security updates.

You should also move your “solve - post#3” on this topic to your latest message `There are no security patches off the shelf. We only do a new LTS release if there are hardware changes.

Best regards,
Jaski` .

This information may be very useful for your customers.

Thanks and regards
G.

jaski.tx · September 14, 2021, 6:12am

Hi @gmi

Thanks for your message. We will change the wording.
We apologize for any inconvenience.

Best regards,
Jaski