I already mentioned this last week. https://lists.openembedded.org/g/openembedded-core/message/196199
I think that partial NVD DB update is not working properly as things which were corrected by NVD are still showing up in patchmetrics but not in email reports. For example:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6779
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6780

kirkstone has glibc 2.35 and NVD recently fixed these to >= 2.37 and these are still in patchmetrics. Email reports maybe use different (not-broken yet) NVD DB cache or make full update instead of incremental?

Peter

-----Original Message-----
From: yocto-secur...@lists.yoctoproject.org <yocto-secur...@lists.yoctoproject.org> On Behalf Of Richard Purdie via lists.yoctoproject.org
Sent: Sunday, March 3, 2024 13:36
To: Simone Weiß <simone.p.we...@posteo.com>; Steve Sakoman <st...@sakoman.com>; openembedded-core@lists.openembedded.org; yocto-secur...@lists.yoctoproject.org
Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 03 Mar 2024 01:00:01 AM HST

> On Sun, 2024-03-03 at 11:49 +0000, Simone Weiß wrote:
> > quick check: No news for any old issue, except cpio, which is disputed
> > by the maintainer.
>
> Thanks, that is really useful to know!
>
> > Full list: Found 41 unpatched CVEs
>
> I'm a bit puzzled/worried that our patch metrics page says 50 rather than 41:
>
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-master.txt
>
> :/
>
> Does anyone know why?
>
> Cheers,
>
> Richard
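As an added illustration (not code from OE-core's cve-check and not part of this thread), the script below models how an NVD API 2.0 `cpeMatch` entry with version-range fields (`versionStartIncluding`, `versionStartExcluding`, `versionEndIncluding`, `versionEndExcluding`) decides whether a package version is affected. The two entries are constructed: `STALE` mimics an entry with no lower bound, as an un-refreshed copy of the database might still hold, and `CORRECTED` mimics one carrying the lower bound the thread says NVD added (glibc >= 2.37). The upper bound of 2.39, the simplified dotted-numeric version parser and the function names are assumptions, not NVD or OE-core data.

```python
"""
Added example (not OE-core / cve-check code): evaluate an NVD 2.0 cpeMatch
entry against a (vendor, product, version) triple, to show how a stale and a
corrected copy of the same entry disagree about glibc 2.35.
"""
import re


def parse_version(v):
    # Simplified comparison: keep the numeric dotted components only, so
    # "2.35" -> (2, 35) and "2.38.1" -> (2, 38, 1).  Real cve-check logic
    # handles more version shapes; this is an assumption for the example.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_in_range(version, match):
    """Apply the four optional NVD range fields to a version string."""
    v = parse_version(version)
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def cpe_fields(criteria):
    # cpe:2.3:part:vendor:product:version:update:...  (escaped colons in
    # component names are not handled here; constructed inputs have none)
    f = criteria.split(":")
    return {"vendor": f[3], "product": f[4], "version": f[5]}


def is_affected(vendor, product, version, cpe_match):
    """True if one cpeMatch entry flags vendor/product/version as vulnerable."""
    if not cpe_match.get("vulnerable", True):
        return False
    fields = cpe_fields(cpe_match["criteria"])
    if fields["vendor"] != vendor or fields["product"] != product:
        return False
    if fields["version"] != "*":
        # Explicit version in the CPE string: exact match, no range fields.
        return parse_version(fields["version"]) == parse_version(version)
    return version_in_range(version, cpe_match)


# Constructed records (not real NVD content).  STALE has no lower bound;
# CORRECTED carries the "glibc >= 2.37" lower bound the thread refers to.
STALE = {
    "criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*",
    "vulnerable": True,
    "versionEndExcluding": "2.39",
}
CORRECTED = {
    "criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*",
    "vulnerable": True,
    "versionStartIncluding": "2.37",
    "versionEndExcluding": "2.39",
}


def check_all(version, entries):
    """Evaluate one glibc version against every named entry."""
    return {name: is_affected("gnu", "glibc", version, m) for name, m in entries.items()}


if __name__ == "__main__":
    for v in ("2.35", "2.37", "2.38.1", "2.39"):
        print(v, check_all(v, {"stale": STALE, "corrected": CORRECTED}))
```

Run against glibc 2.35 (kirkstone), the stale entry still matches while the corrected one does not, which is the kind of split one would expect between a consumer whose database was rebuilt from scratch and one whose incremental update never picked up the changed range; checking which `PRODUCTS` row a given database actually holds for the CVE is the practical way to confirm Peter's hypothesis.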
View/Reply Online (#196562): https://lists.openembedded.org/g/openembedded-core/message/196562