Re: [OE-core] OE-core CVE metrics for master on Sun 20 Aug 2023 01:00:01 AM HST

Steve Sakoman Sun, 20 Aug 2023 11:10:35 -0700

On Sun, Aug 20, 2023 at 7:30 AM Khem Raj <[email protected]> wrote:
>
> On Sun, Aug 20, 2023 at 4:19 AM Steve Sakoman <[email protected]> wrote:
> >
> > Branch: master
> >
> > New this week: 3 CVEs
> > CVE-2023-0687 (CVSS3: 9.8 CRITICAL): glibc 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 *
>
> We are at 2.38 release on master and this release contains
> https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc
> which fixes this problem. So I wonder why it appears in the scan here ?


Here is the note associated with this CVE:

"** DISPUTED ** A vulnerability was found in GNU C Library 2.38. It
has been declared as critical. This vulnerability affects the function
__monstartup of the file gmon.c of the component Call Graph Monitor.
The manipulation leads to buffer overflow. It is recommended to apply
a patch to fix this issue. VDB-220246 is the identifier assigned to
this vulnerability. NOTE: The real existence of this vulnerability is
still doubted at the moment. The inputs that induce this vulnerability
are basically addresses of the running application that is built with
gmon enabled. It's basically trusted input or input that needs an
actual security flaw to be compromised or controlled."

Steve
>
> > CVE-2023-4128 (CVSS3: 7.8 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4128 *
> > CVE-2023-4147 (CVSS3: 7.8 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4147 *
> >
> > Removed this week: 15 CVEs
> > CVE-2022-3533 (CVSS3: 5.7 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3533 *
> > CVE-2022-3606 (CVSS3: 5.5 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3606 *
> > CVE-2023-0160 (CVSS3: 5.5 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0160 *
> > CVE-2023-2176 (CVSS3: 7.8 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2176 *
> > CVE-2023-23039 (CVSS3: 5.7 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23039 *
> > CVE-2023-2430 (CVSS3: 5.5 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2430 *
> > CVE-2023-2975 (CVSS3: 5.3 MEDIUM): openssl:openssl-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2975 *
> > CVE-2023-3446 (CVSS3: 5.3 MEDIUM): openssl:openssl-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3446 *
> > CVE-2023-35827 (CVSS3: 7.0 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-35827 *
> > CVE-2023-3618 (CVSS3: 6.5 MEDIUM): tiff 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3618 *
> > CVE-2023-37453 (CVSS3: 4.6 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37453 *
> > CVE-2023-37454 (CVSS3: 5.5 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37454 *
> > CVE-2023-3817 (CVSS3: 5.3 MEDIUM): openssl:openssl-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3817 *
> > CVE-2023-4132 (CVSS3: 5.5 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4132 *
> > CVE-2023-4133 (CVSS3: 5.5 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4133 *
> >
> > Full list:  Found 29 unpatched CVEs
> > CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
> > CVE-2021-3714 (CVSS3: 7.5 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
> > CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
> > CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
> > CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
> > CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
> > CVE-2022-33065 (CVSS3: 7.8 HIGH): libsndfile1 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33065 *
> > CVE-2022-36402 (CVSS3: 5.5 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36402 *
> > CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
> > CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
> > CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
> > CVE-2023-0687 (CVSS3: 9.8 CRITICAL): glibc 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 *
> > CVE-2023-1206 (CVSS3: 5.7 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1206 *
> > CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *
> > CVE-2023-3019 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3019 *
> > CVE-2023-3180 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3180 *
> > CVE-2023-3354 (CVSS3: 7.5 HIGH): qemu:qemu-native:qemu-system-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 *
> > CVE-2023-3640 (CVSS3: 7.8 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 *
> > CVE-2023-36632 (CVSS3: 7.5 HIGH): python3:python3-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36632 *
> > CVE-2023-36664 (CVSS3: 7.8 HIGH): ghostscript 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36664 *
> > CVE-2023-3772 (CVSS3: 4.4 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3772 *
> > CVE-2023-3773 (CVSS3: 4.4 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3773 *
> > CVE-2023-37769 (CVSS3: 6.5 MEDIUM): pixman:pixman-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37769 *
> > CVE-2023-4004 (CVSS3: 7.8 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4004 *
> > CVE-2023-4010 (CVSS3: 4.6 MEDIUM): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 *
> > CVE-2023-4016 (CVSS3: 5.5 MEDIUM): procps 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4016 *
> > CVE-2023-4128 (CVSS3: 7.8 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4128 *
> > CVE-2023-4135 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4135 *
> > CVE-2023-4147 (CVSS3: 7.8 HIGH): linux-yocto 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4147 *
> >
> > For further information see: 
> > https://autobuilder.yocto.io/pub/non-release/patchmetrics/
> >
> > 
> >

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#186415): 
https://lists.openembedded.org/g/openembedded-core/message/186415
Mute This Topic: https://lists.openembedded.org/mt/100852965/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] OE-core CVE metrics for master on Sun 20 Aug 2023 01:00:01 AM HST

Reply via email to