2024-03-19 03:03 PM
There are a bunch of CVEs for ThreadX, NetX, and USBX dealing with remote code execution in versions below 6.2.1 (with some pretty scary vulnerability scores) and fixed in 6.3.
The distribution in the STM32Cube system is 6.2.0 today, and I was wondering if the ThreadX support people have the latest distribution integration on their stack?
Thanks,
Andrei
2024-03-19 04:27 PM
@Andrei Chichak Imagine that they've updated to 6.3. The next day a new bunch of CVEs will arrive. Then what?
As soon as you get the project building, begin refactoring it to decouple ThreadX from the Cube package, so that ThreadX can be maintained independently. Change the source/include paths... Do the same for other 3rd-party libraries.
2024-03-21 11:24 AM - edited 2024-03-21 11:26 AM
Assume that there is a release coming up from the Eclipse Foundation rather than Microsoft; it's imminent, real soon now. I expect that the appropriate staff are waiting for that to drop, with the 6.3 changes, before they prepare the port.
But to answer your question: if a new bunch of CVEs drops the next day, Microsoft (now Eclipse) prepares the new release and sends out notifications to the appropriate governmental and industry interested parties; then Eclipse ThreadX board members (like ST) determine when to release those changes through their internal processes. It shouldn't matter if there will be more CVEs dropping tomorrow. In Microsoft's case with Windows, they decided to push daily and monthly updates, plus bundles. Other companies reach out and force updates. Others, like ATM manufacturers, just run Windows 95 and deal with the exposure. PVR and router manufacturers will just drop support for those models and move on. Others, like medical device makers, have rules governing updates of COTS: they may choose to do nothing, they might have to notify the FDA/Health Canada/??? and prepare a plan to overcome the vulnerability, they may ask their customers to take their devices off-line, or they may fly out techs to update the systems.
So, then what? It depends, there is not one answer.
2024-03-26 01:04 PM
A
2024-04-30 05:59 AM
I have some related questions for ST...
Will https://github.com/STMicroelectronics/x-cube-azrtos-f7 be updated or replaced to incorporate https://github.com/eclipse-threadx?
Will the STM32CubeIDE and MX tools be updated to pull in latest (or selected) versions from https://github.com/eclipse-threadx?
What's the plan in general? I can't find any info from ST on the move from Azure RTOS to Eclipse ThreadX.
thx