On 21 Jan 2024, at 11:18, Steve Sakoman via lists.yoctoproject.org <[email protected]> wrote:

> New this week: 0 CVEs

Hurray!

> Full list: Found 39 unpatched CVEs

Ouch! I did a pass of triage on the non-kernel issues.

> CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
> CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
> CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *

These are still open upstream.

> CVE-2023-3019 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3019 *
> CVE-2023-38559 (CVSS3: 5.5 MEDIUM): ghostscript
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38559 *
> CVE-2023-5088 (CVSS3: 7.0 HIGH): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5088 *
> CVE-2023-46407 (CVSS3: 5.5 MEDIUM): ffmpeg
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46407 *

These have been fixed but the CPE is incorrect; updates mailed to NIST.

> CVE-2023-4039 (CVSS3: 4.8 MEDIUM):
> gcc:gcc-cross-x86_64:gcc-runtime:gcc-sanitizers:libgcc:libgcc-initial
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4039 *

We have a fix but the checker doesn't see it; Simone Weiß has a patch that needs a respin.

> CVE-2023-5574 (CVSS3: 7.0 HIGH): xserver-xorg
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5574 *

Not fixed upstream, but also specific to Xvfb. Xvfb is pretty ancient now, so I propose we disable this by default anyway.

> CVE-2023-6228 (CVSS3: 5.5 MEDIUM): tiff
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6228 *

Patch upstream but no release; sending a backport.

> CVE-2023-6693 (CVSS3: 5.3 MEDIUM): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6693 *

Patch at https://lore.kernel.org/qemu-devel/[email protected]/, not yet merged.

> CVE-2023-6992 (CVSS3: 5.5 MEDIUM): zlib:zlib-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6992 *

Specific to the Cloudflare fork; sending a patch to ignore it.

The rest are outstanding, and the kernel list will change (hopefully for the better) when master-next merges.

Ross
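As an added illustration of how triage outcomes like the ones above are recorded so that cve-check stops reporting them (this is not part of the thread and not the patches Ross mentions), the fragment below uses OE-core's CVE_STATUS recipe metadata. The status keywords (cpe-incorrect, backported-patch, not-applicable-config, vulnerable-investigating) are the ones defined in OE-core's cve-check-map.conf; the justification wording, the patch file name and the idea of grouping the qemu entries are assumptions for the example. Each line belongs in the recipe named in its comment rather than in one shared file.

```bitbake
# Added example, not the thread's own patches. CVE_STATUS entries have the form
# "<status>: <free-text justification>"; cve-check maps the status keyword to
# Patched / Ignored / Unpatched via CVE_CHECK_STATUSMAP in cve-check-map.conf,
# so the justification is kept next to the decision and shows up in the report.

# zlib recipe: the issue exists only in Cloudflare's fork, so the CPE match is wrong
CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: issue only applies to the Cloudflare fork of zlib"

# ffmpeg recipe: already fixed in the packaged version, NVD CPE data is wrong (update sent to NIST)
CVE_STATUS[CVE-2023-46407] = "cpe-incorrect: fixed in this version, NVD CPE range is wrong, update mailed to NIST"

# tiff recipe: upstream fix exists but no release yet, so it is carried as a backport
# (patch file name assumed for the example)
SRC_URI += "file://CVE-2023-6228.patch"
CVE_STATUS[CVE-2023-6228] = "backported-patch: upstream fix backported pending a release"

# xserver-xorg recipe: only Xvfb is affected and it is now off by default,
# so the CVE is recorded against a configuration that is not built
CVE_STATUS[CVE-2023-5574] = "not-applicable-config: affects Xvfb only, which is disabled by default"

# qemu recipe: several entries share one reasoning, so they can be grouped.
# CVE_STATUS_GROUPS lists variable names; each names its CVEs and carries a [status] flag.
CVE_STATUS_GROUPS += "CVE_STATUS_QEMU_CPE CVE_STATUS_QEMU_PENDING"
CVE_STATUS_QEMU_CPE = "CVE-2023-3019 CVE-2023-5088"
CVE_STATUS_QEMU_CPE[status] = "cpe-incorrect: fixed in this version, CPE update mailed to NIST"
CVE_STATUS_QEMU_PENDING = "CVE-2023-6693"
CVE_STATUS_QEMU_PENDING[status] = "vulnerable-investigating: fix posted to qemu-devel, not yet merged"
```

A "vulnerable-investigating" entry still counts as Unpatched in the report, which is the intended effect: the CVE keeps appearing until the fix lands, but the report now carries the reason and where the fix is.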
