I thought I'd update on a quick check through the status of the CVEs this is reporting for master/kirkstone.
On Sun, 2022-04-10 at 02:02 -1000, Steve Sakoman wrote: > Branch: master > > Full list: Found 12 unpatched CVEs > CVE-2019-1010238 (CVSS3: 9.8 CRITICAL): pango:pango-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010238 * Steve is questioning the version restrictions on this, we don't think it applies to us. > CVE-2019-12067 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 * No movement upstream, not a priority for qemu maintainers. > CVE-2020-18974 (CVSS3: 3.3 LOW): nasm:nasm-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 * > CVE-2021-20255 (CVSS3: 5.5 MEDIUM): qemu:qemu-native:qemu-system-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 * No movement upstream, not a priority for qemu maintainers. > CVE-2021-44647 (CVSS3: 5.5 MEDIUM): lua:lua-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44647 * I believe this is fixed in lua 5.4.4, have requested a version restriction on the CVE. > CVE-2022-0529 (CVSS3: 7.8 HIGH): unzip:unzip-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0529 * > CVE-2022-0530 (CVSS3: 7.8 HIGH): unzip:unzip-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0530 * RH bugs are restricted, no public patches to fix, not much we can do. > CVE-2022-1050 (CVSS3: 8.8 HIGH): qemu:qemu-native:qemu-system-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1050 * Have sent a patch for this. > CVE-2022-1056 (CVSS3: 5.5 MEDIUM): tiff > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1056 * Already fixed by patches we apply, have sent an update for our metadata. > CVE-2022-24975 (CVSS3: 7.5 HIGH): git > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24975 * This issue isn't particularly relevant to us, sent an ignore for it. > CVE-2022-26280 (CVSS3: 9.1 CRITICAL): libarchive:libarchive-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26280 * Have merged an upgrade for this containing the fix. > CVE-2022-27191 (CVSS3: 7.5 HIGH): go > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27191 * No patches for 1.17.X and upgrading to 1.18 not an option for kirkstone. Cheers, Richard
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#164263): https://lists.openembedded.org/g/openembedded-core/message/164263 Mute This Topic: https://lists.openembedded.org/mt/90415498/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
