We've recently tagged a few patches fixing CVEs with signed git tags. We also in the past tagged patches fixing CVEs.
I've identified a list of CVEs (including commit hashes) that weren't tagged yet. The list below was first compiled using this "simple one liner": git log | grep -o 'CVE-[0-9]\+-[0-9]\+\|^commit [0-9a-z]\+' | grep -B 1 'CVE-' | grep -v '^--' | tr "\n" " " | sed 's/commit/\ncommit/g' | grep -v "$(git tag ' | sed -e 's/|$//' -e 's/|/\\|/g')" > cves (Basically looking for 'CVE-' strings in the commit log and cross-referencing it with the list of tags (badly for that matter I halfway realized that I pasted in the sub-command supposed to find CVEs wrong but was too far in to re-try)) And then manually going trhough the list. I've identified the following commits: (single commits) commit 8dfb12cb77996519901b8d52c754ab564ebd10e8 CVE-2024-8235 commit 8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1 CVE-2024-4418 commit 8a3f8d957507c1f8223fdcf25a3ff885b15557f2 CVE-2024-2494 commit c664015fe3a7bf59db26686e9ed69af011c6ebb8 CVE-2024-1441 commit 9a47442366fcf8a7b6d7422016d7bbb6764a1098 CVE-2023-3750 commit a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36 CVE-2022-0897 commit 15073504dbb624d3f6c911e85557019d3620fdb2 CVE-2021-3631 commit 22494556542c676d1b9e7f1c1f2ea13ac17e1e3e CVE-2020-14339 commit bf6c2830b6c338b1f5699b095df36f374777b291 CVE-2019-10168 commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26 CVE-2019-10167 commit db0b78457f183e4c7ac45bc94de86044a1e2056a CVE-2019-10166 commit aed6a032cead4386472afb24b16196579e239580 CVE-2019-10161 commit fbf31e1a4cd19d6f6e33e0937a009775cd7d9513 CVE-2018-1064 commit bc251ea91bcfddd2622fce6bce701a438b2e7276 CVE-2018-5748 commit 57023c0a3af4af1c547189c1f6712ed5edeb0c0b CVE-2014-8131 commit c567853089a2764c964002dd752e09e318524a38 CVE-2010-2242 commit 53611889ff93c442028828c70472151a7cf1bf4d CVE-2008-5086 (patchsets, where multiple patches bear CVE number, histrically we've tagged all of them with numbered tags) commit a63b48c5ecef077bf0f909a85f453a605600cf05 CVE-2020-25637 commit e4116eaa44cb366b59f7fe98f4b88d04c04970ad CVE-2020-25637 commit 50864dcda191eb35732dbd80fb6ca251a6bba923 CVE-2020-25637 commit 955029bd0ad7ef96000f529ac38204a8f4a96401 CVE-2020-25637 commit e37bd65f9948c1185456b2cdaa3bd6e875af680f CVE-2019-10132 commit f111e09468693909b1f067aa575efdafd9a262a1 CVE-2019-10132 commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7 CVE-2019-10132 commit ae076bb40e0e150aef41361b64001138d04d6c60 CVE-2019-3886 commit 2a07c990bd9143d7a0fe8d1b6b7c763c52185240 CVE-2019-3886 commit c2dc6698c88fb591639e542c8ecb0076c54f3dfb CVE-2018-6764 commit 759b4d1b0fe5f4d84d98b99153dfa7ac289dd167 CVE-2018-6764 commit b347c0c2a321ec5c20aae214927949832a288c5a CVE-2015-0236 commit 03c3c0c874c84dfa51ef17556062b095c6e1c0a3 CVE-2015-0236 commit 5fc590ad9f4071350a8df4d567ba88baacc8334d CVE-2013-6456 commit 1cadeafcaa422844a27ef622e2a7041d0235bcb3 CVE-2013-6456 commit 1754c7f0ab1407dcf7c89636a35711dd9b1febe1 CVE-2013-6456 commit 7fba01c15c1f886b4235825692b4c13e88dd9f7b CVE-2013-6456 commit 4dd3a7d5bc44980135a1b11810ba9aeab42a4a59 CVE-2013-6456 commit aebbcdd33c8c18891f0bdbbf8924599a28152c9c CVE-2013-6456 And finally few manually synthetized entries based on CVE references. commit 447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87 CVE-2021-3667 commit 68719c4bddb85fbcc931a5b7d99ac7c8a0af09b0 CVE-2010-2238 Thus if we want to keep tagging CVEs the above list ought to be tagged. I've also got a few work in progress patches/branches which will e.g. add a CI job to do (a more robust) cross-check of the CVE numbers with the commitlog and NEWS file, etc. In addition our commit log also references non-libvirt cves: CVE-2022-24765 - git permission issue when repo is shared between users CVE-2020-15708 - bug in Ubuntu's packaging of libvirt CVE-2013-0242 - memory corruption in gnulib's regex() CVE-2012-3386 - bug in automake's distcheck rules giving world-writable perms CVE-2011-4127 - qemu allowing SCSI/SG_IO command passthrough CPU vulnerabllities: CVE-2019-11135 - TSX Asynchronous Abort condition on some CPUs CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 - Microarchitectural Store Buffer Data Sampling (MSBDS) cpu vulnerabilities CVE-2018-3639 - Speculative Store Bypass (SSB), Variant 4. CVE-2017-5715 - speculative execution by utilizing branch target injection
