Detecting and Fixing CVE Security Issues in Yocto-Based Embedded Linux Distributions - Mikko Rapeli

Explore the process of detecting and fixing CVE security issues in Yocto-based embedded Linux distributions in this 36-minute conference talk by Mikko Rapeli. Learn how to utilize the Yocto CVE checker to identify security vulnerabilities in your product, apply fixes for detected issues, and navigate common challenges in this critical aspect of software development. Gain insights into best practices for maintaining high-quality software projects, including CVE scanning tooling, inputs and outputs, and the application of security fixes. Delve into topics such as poky reference distribution, layered architecture, differences between Debian/Ubuntu and Yocto, Bitbake recipes, CVE data fields, and CPE. Understand the limitations of CVE scanning and patching, addressing issues like name and version matching, embedded source code, and incomplete CVE data. Benefit from years of experience as you explore this essential aspect of embedded Linux security.