On Tue, Apr 12, 2022 at 12:52 AM Richard Purdie
<[email protected]> wrote:
>
> I thought I'd update on a quick check through the status of the CVEs this is
> reporting for master/kirkstone.
>
> On Sun, 2022-04-10 at 02:02 -1000, Steve Sakoman wrote:
> > Branch: master
> >
> > Full list:  Found 12 unpatched CVEs
> > CVE-2019-1010238 (CVSS3: 9.8 CRITICAL): pango:pango-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010238 *
>
> Steve is questioning the version restrictions on this; we don't think it applies to us.

After a little back and forth it appears that they will be updating
the CVE's affected versions this week. So this CVE should no longer be
an issue for master and dunfell.

Steve

> > CVE-2019-12067 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 *
>
> No movement upstream, not a priority for qemu maintainers.
>
> > CVE-2020-18974 (CVSS3: 3.3 LOW): nasm:nasm-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 *
> > CVE-2021-20255 (CVSS3: 5.5 MEDIUM): qemu:qemu-native:qemu-system-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 *
>
> No movement upstream, not a priority for qemu maintainers.
>
> > CVE-2021-44647 (CVSS3: 5.5 MEDIUM): lua:lua-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44647 *
>
> I believe this is fixed in lua 5.4.4, have requested a version restriction on
> the CVE.
>
> > CVE-2022-0529 (CVSS3: 7.8 HIGH): unzip:unzip-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0529 *
> > CVE-2022-0530 (CVSS3: 7.8 HIGH): unzip:unzip-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0530 *
>
> RH bugs are restricted and there are no public patches to fix these, so there's not much we can do.
>
> > CVE-2022-1050 (CVSS3: 8.8 HIGH): qemu:qemu-native:qemu-system-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1050 *
>
> Have sent a patch for this.
>
> > CVE-2022-1056 (CVSS3: 5.5 MEDIUM): tiff 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1056 *
>
> Already fixed by patches we apply, have sent an update for our metadata.
>
> > CVE-2022-24975 (CVSS3: 7.5 HIGH): git 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24975 *
>
> This issue isn't particularly relevant to us, sent an ignore for it.
>
> > CVE-2022-26280 (CVSS3: 9.1 CRITICAL): libarchive:libarchive-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26280 *
>
> Have merged an upgrade for this containing the fix.
>
> > CVE-2022-27191 (CVSS3: 7.5 HIGH): go 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27191 *
>
> No patches for 1.17.X, and upgrading to 1.18 is not an option for kirkstone.
>
> Cheers,
>
> Richard
>
View/Reply Online (#164275): https://lists.openembedded.org/g/openembedded-core/message/164275