On Thu, Nov 12, 2020 at 6:49 AM Sakib Sajal <sakib.sa...@windriver.com> wrote:

> I've triaged the qemu CVEs mentioned below, summary as follows:
>
> CVE-2015-8345 - CVE-2017-5957 all have fixes that are in qemu 4.2 used
> by dunfell.
>
> CVE-2018-12617 onwards have fixes but are introduced in qemu 5.[0 | 1]

Good to hear!  So a database update request for these CVEs would be
the next step.

I'll forward some sample update request emails off-list since you
haven't done this before.

> CVEs with proposed fixes are as follows:
>
> https://nvd.nist.gov/vuln/detail/CVE-2018-18438
> v1: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02294.html
> v2: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-15859
> https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05304.html
> https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05341.html
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-25742
> https://nvd.nist.gov/vuln/detail/CVE-2020-25743
> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html
> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html

Thanks for tracking down these fixes.  Do you plan to submit patches for them?

Thanks again for helping with CVE reduction!  I really appreciate the help.

Steve

> I have never sent database update requests, some examples will
> definitely be helpful.
>
> Sakib
>
> >> CVE-2012-4564: tiff 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4564 *
> >> CVE-2012-6094: cups 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6094 *
> >> CVE-2013-0800: cairo 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
> >> CVE-2013-4235: shadow-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4235 *
> >> CVE-2013-6629: ghostscript 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6629 *
> >> CVE-2013-7381: libnotify 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7381 *
> >> CVE-2014-9278: openssh 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9278 *
> >> CVE-2015-7313: tiff 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7313 *
> >> CVE-2015-8345: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8345 *
> >> CVE-2015-8619: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8619 *
> >> CVE-2016-4002: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4002 *
> >> CVE-2016-4614: libxml2 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4614 *
> >> CVE-2016-6328: libexif 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6328 *
> >> CVE-2016-6489: nettle 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6489 *
> >> CVE-2016-9101: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9101 *
> >> CVE-2016-9596: libxml2 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9596 *
> >> CVE-2016-9598: libxml2 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9598 *
> >> CVE-2016-9907: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9907 *
> >> CVE-2016-9908: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9908 *
> >> CVE-2016-9911: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9911 *
> >> CVE-2016-9912: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9912 *
> >> CVE-2016-9921: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9921 *
> >> CVE-2016-9923: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9923 *
> >> CVE-2017-3139: bind 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3139 *
> >> CVE-2017-5957: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5957 *
> >> CVE-2018-1000041: librsvg 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000041 *
> >> CVE-2018-12433: libgcrypt 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12433 *
> >> CVE-2018-12437: libgcrypt 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12437 *
> >> CVE-2018-12438: libgcrypt 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12438 *
> >> CVE-2018-12617: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12617 *
> >> CVE-2018-13410: zip 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13410 *
> >> CVE-2018-13684: zip 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13684 *
> >> CVE-2018-16517: nasm-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16517 *
> >> CVE-2018-16868: gnutls 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16868 *
> >> CVE-2018-16869: nettle 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16869 *
> >> CVE-2018-18438: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18438 *
> >> CVE-2018-19665: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19665 *
> >> CVE-2018-21232: re2c 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-21232 *
> >> CVE-2018-6553: cups 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6553 *
> >> CVE-2019-1010022: glibc 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022 *
> >> CVE-2019-1010023: glibc 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023 *
> >> CVE-2019-1010024: glibc 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 *
> >> CVE-2019-1010025: glibc 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 *
> >> CVE-2019-14865: grub-efi-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14865 *
> >> CVE-2019-20446: librsvg 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20446 *
> >> CVE-2019-20633: patch-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20633 *
> >> CVE-2019-6293: flex-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6293 *
> >> CVE-2020-10648: u-boot 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10648 *
> >> CVE-2020-11022: jquery 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022 *
> >> CVE-2020-11023: jquery 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023 *
> >> CVE-2020-12825: libcroco 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12825 *
> >> CVE-2020-12829: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12829 *
> >> CVE-2020-13253: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13253 *
> >> CVE-2020-13434: sqlite3-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13434 *
> >> CVE-2020-13435: sqlite3-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13435 *
> >> CVE-2020-13630: sqlite3-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13630 *
> >> CVE-2020-13631: sqlite3-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13631 *
> >> CVE-2020-13632: sqlite3-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13632 *
> >> CVE-2020-13645: glib-networking 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13645 *
> >> CVE-2020-13754: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13754 *
> >> CVE-2020-13791: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13791 *
> >> CVE-2020-14145: openssh 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14145 *
> >> CVE-2020-14150: bison-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14150 *
> >> CVE-2020-14308: grub-efi-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14308 *
> >> CVE-2020-14309: grub-efi-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14309 *
> >> CVE-2020-14310: grub-efi-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14310 *
> >> CVE-2020-14311: grub-efi-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14311 *
> >> CVE-2020-15469: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15469 *
> >> CVE-2020-15523: python3-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15523 *
> >> CVE-2020-15704: ppp 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15704 *
> >> CVE-2020-15705: grub-efi-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 *
> >> CVE-2020-15706: grub-efi-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15706 *
> >> CVE-2020-15707: grub-efi-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15707 *
> >> CVE-2020-15778: openssh 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15778 *
> >> CVE-2020-15859: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15859 *
> >> CVE-2020-15900: ghostscript-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15900 *
> >> CVE-2020-24352: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24352 *
> >> CVE-2020-24553: go-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24553 *
> >> CVE-2020-25613: ruby 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25613 *
> >> CVE-2020-25742: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25742 *
> >> CVE-2020-25743: qemu 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25743 *
> >> CVE-2020-26154: libproxy 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26154 *
> >> CVE-2020-27153: bluez5 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27153 *
> >> CVE-2020-27619: python3-native 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27619 *
> >> CVE-2020-3810: apt 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3810 *
> >> CVE-2020-8432: u-boot 
> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8432 *

View/Reply Online (#144517):
https://lists.openembedded.org/g/openembedded-core/message/144517