Yes, of course. I've briefly checked all these CVE-2019-xxx links, they have all been fixed. I'll send out a patch.

Regards,
Qi

-----Original Message-----
From: Richard Purdie <richard.pur...@linuxfoundation.org>
Sent: Monday, April 8, 2024 7:57 PM
To: Steve Sakoman <st...@sakoman.com>; openembedded-core@lists.openembedded.org; yocto-secur...@lists.yoctoproject.org
Cc: Chen, Qi <qi.c...@windriver.com>
Subject: Re: [OE-core] OE-core CVE metrics for master on Sun 07 Apr 2024 01:00:01 AM HST

On Sun, 2024-04-07 at 01:19 -1000, Steve Sakoman wrote:
> Branch: master
>
> New this week: 21 CVEs
> CVE-2014-4859 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4859 *
> CVE-2014-4860 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4860 *

Qi sent a patch for this, thanks.

> CVE-2019-14553 (CVSS3: 4.9 MEDIUM): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14553 *
> CVE-2019-14559 (CVSS3: 7.5 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14559 *
> CVE-2019-14562 (CVSS3: 5.5 MEDIUM): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14562 *
> CVE-2019-14563 (CVSS3: 7.8 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14563 *
> CVE-2019-14575 (CVSS3: 7.8 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14575 *
> CVE-2019-14586 (CVSS3: 8.0 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14586 *
> CVE-2019-14587 (CVSS3: 6.5 MEDIUM): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14587 *

I think we will need a patch for these for now as the CPE entries are missing in NVD. Would you be able to help there please, Qi?

> CVE-2022-36763 (CVSS3: 7.8 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36763 *
> CVE-2022-36764 (CVSS3: 7.8 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36764 *
> CVE-2022-36765 (CVSS3: 7.8 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36765 *
> CVE-2023-45229 (CVSS3: 6.5 MEDIUM): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45229 *
> CVE-2023-45230 (CVSS3: 8.8 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45230 *
> CVE-2023-45231 (CVSS3: 6.5 MEDIUM): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45231 *
> CVE-2023-45232 (CVSS3: 7.5 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45232 *
> CVE-2023-45233 (CVSS3: 7.5 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45233 *
> CVE-2023-45234 (CVSS3: 8.8 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45234 *
> CVE-2023-45235 (CVSS3: 8.8 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45235 *
> CVE-2023-45236 (CVSS3: 7.5 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45236 *
> CVE-2023-45237 (CVSS3: 7.5 HIGH): ovmf:ovmf-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45237 *

These are genuine issues and I've merged an upgrade to address them.

Cheers,

Richard