Hi, 

This time we have some real new issues; mostly we need to upgrade some
recipes.
For wrong entries, NVD has now been pinged multiple times. I'll set the
CVE_STATUS now, but ping them again anyhow.

On Sun, 2024-02-18 at 01:18 -1000, Steve Sakoman wrote:
> Branch: master
> 
> New this week: 13 CVEs
=> Action for me: update wiki page
> CVE-2023-6240 (CVSS3: 6.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 *
> CVE-2023-6356 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 *
> CVE-2023-6535 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 *
> CVE-2023-6536 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 *
> CVE-2023-7216 (CVSS3: 8.8 HIGH): cpio
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 *
> CVE-2024-0684 (CVSS3: 5.5 MEDIUM): coreutils:coreutils-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0684 *
> CVE-2024-1048 (CVSS3: 3.3 LOW): grub:grub-efi:grub-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1048 *
> CVE-2024-22667 (CVSS3: 7.8 HIGH): vim
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22667 *
> CVE-2024-24575 (CVSS3: 7.5 HIGH): libgit2
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24575 *
> CVE-2024-24577 (CVSS3: 9.8 CRITICAL): libgit2
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24577 *
> CVE-2024-24806 (CVSS3: 9.8 CRITICAL): libuv
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24806 *
> CVE-2024-24860 (CVSS3: 5.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24860 *
> CVE-2024-25062 (CVSS3: 7.5 HIGH): libxml2:libxml2-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25062 *
> 
> Removed this week: 4 CVEs
=> Action for me: update wiki page
> CVE-2023-48795 (CVSS3: 5.9 MEDIUM): openssh
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-48795 *
> CVE-2023-51384 (CVSS3: 5.5 MEDIUM): openssh
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51384 *
> CVE-2023-51385 (CVSS3: 6.5 MEDIUM): openssh
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51385 *
> CVE-2024-23849 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23849 *
> 
> Full list:  Found 55 unpatched CVEs
> CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
> CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
> CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
> CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
> CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
> CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
Hypothetical DoS. A patch was proposed but hasn't been reviewed or merged.
> CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
> CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
> CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
Buffer overflow, still open upstream.
> CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *
Still open upstream.
> CVE-2023-25584 (CVSS3: 7.1 HIGH): binutils:binutils-cross-
> testsuite:binutils-cross-x86_64:binutils-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25584 *
Merged fix in
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44
Present in binutils >= 2.40. NVD pinged 06/02/2024. NVD pinged 12/02/2024.
=> I'll set the CVE status
> CVE-2023-3019 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3019 *
Fixed in 8.2.0 with 9050f976e447444ea6ee2ba12c9f77e4b0dc54bc. NVD pinged
06/02/2024. NVD pinged 12/02/2024.
=> I'll set the CVE status
> CVE-2023-3164 (CVSS3: 5.5 MEDIUM): tiff
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3164 *
Upstream issue https://gitlab.com/libtiff/libtiff/-/issues/542 closed as
"wontfix-unmaintained". Only affects the tiffcrop tool, which is not compiled
by default since 4.6.0 (OE-Core = 4.6.0). NVD pinged 06/02/2024. NVD pinged
12/02/2024.
=> I'll set the CVE status
> CVE-2023-3397 (CVSS3: 6.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3397 *
> CVE-2023-3640 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 *
> CVE-2023-38559 (CVSS3: 5.5 MEDIUM): ghostscript
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38559 *
Fix:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
Present in >= 10.02.0 (OE-Core ghostscript = 10.02.1). NVD pinged
06/02/2024. NVD pinged 12/02/2024.
=> I'll set the CVE status
> CVE-2023-4010 (CVSS3: 4.6 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 *
> CVE-2023-42363 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 *
> CVE-2023-42364 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 *
> CVE-2023-42365 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 *
> CVE-2023-42366 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 *
Busybox: all still open upstream.
> CVE-2023-4692 (CVSS3: 7.8 HIGH): grub:grub-efi:grub-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4692 *
> CVE-2023-4693 (CVSS3: 4.6 MEDIUM): grub:grub-efi:grub-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4693 *
Both (in NTFS support): fix merged in
e58b870ff926415e23fc386af41ff81b2f588763 + 6 parents, released in 2.12
(OE-Core grub = 2.12). NVD pinged 06/02/2024. NVD pinged 12/02/2024.
=> I'll set the CVE status
> CVE-2023-5088 (CVSS3: 7.0 HIGH): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5088 *
Fix merged:
https://github.com/qemu/qemu/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e
Present in >= 8.2.0 (OE-Core qemu = 8.2.1). NVD pinged 06/02/2024. NVD
pinged 12/02/2024.
=> I'll set the CVE status
> CVE-2023-51767 (CVSS3: 7.0 HIGH): openssh
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 *
"openssh: authentication bypass via row hammer attack". Upstream bug:
https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch).
Real-world impact seems quite low.
> CVE-2023-6238 (CVSS3: 6.7 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6238 *
> CVE-2023-6240 (CVSS3: 6.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 *
> CVE-2023-6270 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6270 *
> CVE-2023-6356 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 *
> CVE-2023-6535 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 *
> CVE-2023-6536 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 *
> CVE-2023-6683 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6683 *
v2 of the fix is still in review:
https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg03298.html
> CVE-2023-6693 (CVSS3: 5.3 MEDIUM): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6693 *
Backported upstream (939a09575fff7048446e36ce438fa7be6e251d41) in v8.2.1.
CPE change request sent to NVD 07/02/2024. NVD pinged 12/02/2024.
=> I'll set the CVE status
> CVE-2023-6780 (CVSS3: 5.3 MEDIUM): glibc
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6780 *
Fixed in 2.39 already; wrong CPE. NVD pinged 12/02/2024.
=> I'll ping again
> CVE-2023-7042 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7042 *
> CVE-2023-7216 (CVSS3: 8.8 HIGH): cpio
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 *
Path traversal in cpio, open upstream bug.
> CVE-2024-0684 (CVSS3: 5.5 MEDIUM): coreutils:coreutils-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0684 *
Fixed upstream in the coreutils master branch via
https://github.com/coreutils/coreutils/commit/c4c5ed8f4e9cd55a12966d4f520e3a13101637d9
but not in any release yet.
=> We need to update with the latest fixes
> CVE-2024-0841 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0841 *
> CVE-2024-1048 (CVSS3: 3.3 LOW): grub:grub-efi:grub-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1048 *
Appeared after the fix of CVE-2019-14865, which was RHEL-specific. This is
also RHEL-specific, as it affects the grub2-set-bootflag extension.
=> I set the CVE_STATUS and mark this as RHEL-specific; patch is on the list
> CVE-2024-21803 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 *
> CVE-2024-22667 (CVSS3: 7.8 HIGH): vim
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22667 *
Fixed in version 9.0.2142 of vim. We have vim 9.0.2130.
=> I will update vim's patchlevel; patch is out
> CVE-2024-23307 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23307 *
> CVE-2024-23848 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23848 *
> CVE-2024-23850 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23850 *
> CVE-2024-23851 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23851 *
> CVE-2024-24575 (CVSS3: 7.5 HIGH): libgit2
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24575 *
> CVE-2024-24577 (CVSS3: 9.8 CRITICAL): libgit2
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24577 *
Both are fixed in libgit2 1.7.2; we have 1.7.1.
=> I'll update libgit2; patch is on the list
> CVE-2024-24806 (CVSS3: 9.8 CRITICAL): libuv
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24806 *
Fixed in libuv 1.48.0; we have 1.47.0.
=> We need to update libuv
> CVE-2024-24857 (CVSS3: 6.8 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 *
> CVE-2024-24858 (CVSS3: 5.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 *
> CVE-2024-24859 (CVSS3: 4.8 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 *
> CVE-2024-24860 (CVSS3: 5.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24860 *
> CVE-2024-24861 (CVSS3: 6.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 *
> CVE-2024-24864 (CVSS3: 4.7 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 *
> CVE-2024-25062 (CVSS3: 7.5 HIGH): libxml2:libxml2-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25062 *
> 
We have libxml2 2.11.5; it is fixed in 2.12.5.
=> I'll update it

> Summary of CVE counts by recipe:
>   linux-yocto: 29
>   qemu:qemu-native:qemu-system-native: 5
>   busybox: 4
>   grub:grub-efi:grub-native: 3
>   libgit2: 2
>   binutils:binutils-cross-testsuite:binutils-cross-x86_64:binutils-
> native: 1
>   coreutils:coreutils-native: 1
>   cpio: 1
>   ghostscript: 1
>   glibc: 1
>   gnupg:gnupg-native: 1
>   libuv: 1
>   libxml2:libxml2-native: 1
>   nasm:nasm-native: 1
>   openssh: 1
>   tiff: 1
>   vim: 1
> 
> For further information see:
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/
> 
> 
> 

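As an added illustration (not code from the original message, and not the patches the reply says are on the list): this is what "set the CVE status" means in an OE-Core recipe. Each CVE_STATUS entry carries one of the status keywords defined in meta/conf/cve-check-map.conf followed by a free-text justification; cve-check maps the keyword to a report category, so fixed-version and cpe-stable-backport land under Patched while not-applicable-platform and upstream-wontfix land under Ignored, and the CVE drops out of the weekly "unpatched" list. The justifications below paraphrase the triage notes in this thread; the choice of keyword for each (for instance upstream-wontfix rather than not-applicable-config for the tiffcrop case) is my reading of those notes, not the maintainers' final wording, and the recipe-file names in the comments are assumptions.

```bitbake
# Added example: CVE_STATUS entries written from the triage notes in this thread.
# Value format is "<status keyword>: <justification>". The keyword must be one
# listed in meta/conf/cve-check-map.conf; the justification is free text that
# ends up in the cve-check report so a reviewer can see why it was excluded.
# Recipe file names in the comments are assumed, and the justification wording
# is mine rather than the text of the patches posted to the list.

# binutils recipe: NVD's CPE range is wrong, the fix is in the released version we ship
CVE_STATUS[CVE-2023-25584] = "fixed-version: Fixed in binutils 2.40 by commit 77c225bdeb410cf60da804879ad41622f5f1aa44; NVD CPE data not yet corrected"

# qemu.inc: fixed in a release we already ship, or backported into the stable release we ship
CVE_STATUS[CVE-2023-3019] = "fixed-version: Fixed in 8.2.0 with 9050f976e447444ea6ee2ba12c9f77e4b0dc54bc"
CVE_STATUS[CVE-2023-5088] = "fixed-version: Fixed in 8.2.0 with 7d7512019fc40c577e2bdd61f114f31a9eb84a8e"
CVE_STATUS[CVE-2023-6693] = "cpe-stable-backport: Backported upstream as 939a09575fff7048446e36ce438fa7be6e251d41 in v8.2.1"

# ghostscript recipe
CVE_STATUS[CVE-2023-38559] = "fixed-version: Fixed by d81b82c70bc1, present in >= 10.02.0"

# tiff recipe: the affected tool is not built by default and upstream closed the issue
CVE_STATUS[CVE-2023-3164] = "upstream-wontfix: Only affects tiffcrop, not built by default since 4.6.0; upstream issue 542 closed as wontfix-unmaintained"

# grub recipe: a vendor-only extension and a pair of CVEs fixed by the same series
CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: RHEL-specific, affects the grub2-set-bootflag extension"

# Several CVEs that share one justification can be grouped instead of repeated:
CVE_STATUS_GROUPS += "CVE_STATUS_NTFS"
CVE_STATUS_NTFS = "CVE-2023-4692 CVE-2023-4693"
CVE_STATUS_NTFS[status] = "fixed-version: NTFS fixes merged in e58b870ff926415e23fc386af41ff81b2f588763 and released in grub 2.12"
```

The entries that say fixed-version are the ones the reply has already reported to NVD: they are a local workaround for wrong CPE applicability data, so they should stay paired with the NVD ping and be dropped once NVD corrects the record, otherwise a future version bump to a genuinely affected range would keep the CVE silently excluded. Cases like libgit2, libuv, libxml2 and vim above get no CVE_STATUS at all; those are real gaps closed by a version upgrade, after which cve-check stops flagging them on its own.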