And the rest of the CVEs:

On 21 Jan 2024, at 11:18, Steve Sakoman via lists.yoctoproject.org 
<steve=sakoman....@lists.yoctoproject.org> wrote:
> CVE-2023-25584 (CVSS3: 7.1 HIGH): 
> binutils:binutils-cross-testsuite:binutils-cross-x86_64:binutils-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25584 *

Part of 2.40, CPE fix sent to NIST.

> CVE-2023-42363 (CVSS3: 5.5 MEDIUM): busybox 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 *
> CVE-2023-42364 (CVSS3: 5.5 MEDIUM): busybox 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 *
> CVE-2023-42365 (CVSS3: 5.5 MEDIUM): busybox 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 *
> CVE-2023-42366 (CVSS3: 5.5 MEDIUM): busybox 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 *

Four memory usage bugs in awk, all unfixed upstream currently.

> CVE-2023-48795 (CVSS3: 5.9 MEDIUM): libssh2:libssh2-native:openssh 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-48795 *

Fixed upstream in
https://github.com/libssh2/libssh2/commit/d34d9258b8420b19ec3f97b4cc5bf7aa7d98e35a,
needs a backport.

> CVE-2023-51384 (CVSS3: 5.5 MEDIUM): openssh 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51384 *
> CVE-2023-51385 (CVSS3: 6.5 MEDIUM): openssh 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51385 *

These are part of openssh 9.6, which Tim sent a patch for already.

> CVE-2023-51767 (CVSS3: 7.0 HIGH): openssh 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 *

This is a RowHammer attack against OpenSSH, but 
https://bugzilla.mindrot.org/show_bug.cgi?id=3656 discusses it further and it’s 
incredibly difficult to exploit in the real world with an unmodified openssh.

Ross
View/Reply Online (#194187): 
https://lists.openembedded.org/g/openembedded-core/message/194187