On Thu, Nov 12, 2020 at 6:49 AM Sakib Sajal <sakib.sa...@windriver.com> wrote:
> I've triaged the qemu CVEs mentioned below, summary as follows:
>
> CVE-2015-8345 - CVE-2017-5957 all have fixes that are in qemu 4.2 used
> by dunfell.
>
> CVE-2018-12617 onwards have fixes but are introduced in qemu 5.[0 | 1]

Good to hear! So a database update request for these CVEs would be the next step. I'll forward some sample update request emails off-list since you haven't done this before.

> CVEs with proposed fixes are as follows:
>
> https://nvd.nist.gov/vuln/detail/CVE-2018-18438
> v1: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02294.html
> v2: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-15859
> https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05304.html
> https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05341.html
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-25742
> https://nvd.nist.gov/vuln/detail/CVE-2020-25743
> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html
> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html

Thanks for tracking down these fixes. Do you plan to submit patches for them?

Thanks again for helping with CVE reduction! I really appreciate the help.

Steve

> I have never sent database update requests, some examples will
> definitely be helpful.
>
> Sakib
>
> >> CVE-2012-4564: tiff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4564 *
> >> CVE-2012-6094: cups https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6094 *
> >> CVE-2013-0800: cairo https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
> >> CVE-2013-4235: shadow-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4235 *
> >> CVE-2013-6629: ghostscript https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6629 *
> >> CVE-2013-7381: libnotify https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7381 *
> >> CVE-2014-9278: openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9278 *
> >> CVE-2015-7313: tiff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7313 *
> >> CVE-2015-8345: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8345 *
> >> CVE-2015-8619: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8619 *
> >> CVE-2016-4002: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4002 *
> >> CVE-2016-4614: libxml2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4614 *
> >> CVE-2016-6328: libexif https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6328 *
> >> CVE-2016-6489: nettle https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6489 *
> >> CVE-2016-9101: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9101 *
> >> CVE-2016-9596: libxml2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9596 *
> >> CVE-2016-9598: libxml2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9598 *
> >> CVE-2016-9907: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9907 *
> >> CVE-2016-9908: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9908 *
> >> CVE-2016-9911: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9911 *
> >> CVE-2016-9912: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9912 *
> >> CVE-2016-9921: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9921 *
> >> CVE-2016-9923: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9923 *
> >> CVE-2017-3139: bind https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3139 *
> >> CVE-2017-5957: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5957 *
> >> CVE-2018-1000041: librsvg https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000041 *
> >> CVE-2018-12433: libgcrypt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12433 *
> >> CVE-2018-12437: libgcrypt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12437 *
> >> CVE-2018-12438: libgcrypt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12438 *
> >> CVE-2018-12617: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12617 *
> >> CVE-2018-13410: zip https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13410 *
> >> CVE-2018-13684: zip https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13684 *
> >> CVE-2018-16517: nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16517 *
> >> CVE-2018-16868: gnutls https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16868 *
> >> CVE-2018-16869: nettle https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16869 *
> >> CVE-2018-18438: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18438 *
> >> CVE-2018-19665: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19665 *
> >> CVE-2018-21232: re2c https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-21232 *
> >> CVE-2018-6553: cups https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6553 *
> >> CVE-2019-1010022: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022 *
> >> CVE-2019-1010023: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023 *
> >> CVE-2019-1010024: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 *
> >> CVE-2019-1010025: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 *
> >> CVE-2019-14865: grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14865 *
> >> CVE-2019-20446: librsvg https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20446 *
> >> CVE-2019-20633: patch-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20633 *
> >> CVE-2019-6293: flex-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6293 *
> >> CVE-2020-10648: u-boot https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10648 *
> >> CVE-2020-11022: jquery https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022 *
> >> CVE-2020-11023: jquery https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023 *
> >> CVE-2020-12825: libcroco https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12825 *
> >> CVE-2020-12829: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12829 *
> >> CVE-2020-13253: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13253 *
> >> CVE-2020-13434: sqlite3-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13434 *
> >> CVE-2020-13435: sqlite3-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13435 *
> >> CVE-2020-13630: sqlite3-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13630 *
> >> CVE-2020-13631: sqlite3-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13631 *
> >> CVE-2020-13632: sqlite3-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13632 *
> >> CVE-2020-13645: glib-networking https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13645 *
> >> CVE-2020-13754: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13754 *
> >> CVE-2020-13791: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13791 *
> >> CVE-2020-14145: openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14145 *
> >> CVE-2020-14150: bison-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14150 *
> >> CVE-2020-14308: grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14308 *
> >> CVE-2020-14309: grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14309 *
> >> CVE-2020-14310: grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14310 *
> >> CVE-2020-14311: grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14311 *
> >> CVE-2020-15469: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15469 *
> >> CVE-2020-15523: python3-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15523 *
> >> CVE-2020-15704: ppp https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15704 *
> >> CVE-2020-15705: grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 *
> >> CVE-2020-15706: grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15706 *
> >> CVE-2020-15707: grub-efi-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15707 *
> >> CVE-2020-15778: openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15778 *
> >> CVE-2020-15859: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15859 *
> >> CVE-2020-15900: ghostscript-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15900 *
> >> CVE-2020-24352: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24352 *
> >> CVE-2020-24553: go-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24553 *
> >> CVE-2020-25613: ruby https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25613 *
> >> CVE-2020-25742: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25742 *
> >> CVE-2020-25743: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25743 *
> >> CVE-2020-26154: libproxy https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26154 *
> >> CVE-2020-27153: bluez5 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27153 *
> >> CVE-2020-27619: python3-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27619 *
> >> CVE-2020-3810: apt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3810 *
> >> CVE-2020-8432: u-boot https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8432 *