
List:       openembedded-core
Subject:    Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 29 Jan 2023 02:00:01 AM HST
From:       "Ross Burton" <ross.burton () arm ! com>
Date:       2023-01-30 16:41:31
Message-ID: E7BF6584-DB84-410C-9980-DC5B6F6AF25E () arm ! com

On 29 Jan 2023, at 12:03, Steve Sakoman via lists.yoctoproject.org <steve=sakoman.com@lists.yoctoproject.org> wrote:
> Full list:  Found 9 unpatched CVEs
> CVE-2022-23521 (CVSS3: 9.8 CRITICAL): git https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23521 *
> CVE-2022-41903 (CVSS3: 9.8 CRITICAL): git https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41903 *
> CVE-2022-41953 (CVSS3: 7.8 HIGH): git https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41953 *

Patches sent (upgrade and ignore).

> CVE-2022-3550 (CVSS3: 8.8 HIGH): xserver-xorg https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3550 *
> CVE-2022-3551 (CVSS3: 6.5 MEDIUM): xserver-xorg https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3551 *
> CVE-2022-46457 (CVSS3: 5.5 MEDIUM): nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46457 *

NIST haven't taken the CPE fixes I sent, re-sent.

> CVE-2022-3996 (CVSS3: 7.5 HIGH): openssl:openssl-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3996 *

This was fixed by a patch on the list that was incorrectly labelled as langdale, I've reposted it.

> CVE-2022-4055 (CVSS3: 7.4 HIGH): xdg-utils https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4055 *
> CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *

Both still open upstream.

Ross


