Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
On Mar 28, 2024, at 12:58, Rich Persaud wrote:
>
>> On Mar 28, 2024, at 12:37, Alexander Kanavin wrote:
>>
>> On Thu, 28 Mar 2024 at 17:28, Marta Rybczynska wrote:
>>> I think you weren't there at the weekly meeting when we discussed
>>> that: it started around Feb 14th and I see that in my data
>>> (I have a daily report).
>>>
>>> To make the story short: NVD is close to 0 activity since mid-February
>>> and there is no communication for now on why, what are the reasons
>>> etc.
>>> The security community is concerned and there are multiple ideas:
>>> amending/replacing the database, there is an open letter in the works
>>> etc.
>>> From our practical view there's no automated solutions we can
>>> implement right now. I have some ideas and it would be good to discuss
>>> them,
>>> the next weekly meeting might be a good occasion.
>>
>> Probably alternatives to NVD will get increased attention too, which
>> is not a bad thing. This exposes NVD as the single point of failure,
>> and I can't see how they're going to restore trust.
>
> Funding has been an issue for years, e.g. many thousands of bug reports never
> processed into CVEs,
> https://www.platformsecuritysummit.com/2019/speaker/sherman/

May 24th update: https://therecord.media/nist-database-backlog-growing-vulncheck

> More than 90% of submissions to the government's National Vulnerabilities
> Database have not been analyzed or enriched since the agency announced
> cutbacks in February, new research shows.
>
> Researchers from VulnCheck analyzed the NVD’s activity since it announced
> cutbacks on February 12 and found that of the 12,720 new vulnerabilities
> added since then, 11,885 “have not been analyzed or enriched with critical
> data that help security professionals determine what software has been
> affected by a vulnerability.”
>
> VulnCheck has a list of vulnerabilities it classifies as exploited and said
> nearly half of those bugs have not been analyzed by NVD since the slowdown.
> Another 82% of bugs that have a public proof-of-concept exploit have also not
> been examined, according to the company...
>
> “We recently enriched 1,300 CVEs and continue to diligently work to ensure
> all submitted CVEs are enriched,” CISA said. “We ask all CVE Numbering
> Authorities (CNAs) to provide complete CVEs when making initial submission to
> CVE.org.”

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199948): https://lists.openembedded.org/g/openembedded-core/message/199948
Mute This Topic: https://lists.openembedded.org/mt/105119670/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
On Mar 28, 2024, at 12:37, Alexander Kanavin wrote:
>
> On Thu, 28 Mar 2024 at 17:28, Marta Rybczynska wrote:
>> I think you weren't there at the weekly meeting when we discussed
>> that: it started around Feb 14th and I see that in my data
>> (I have a daily report).
>>
>> To make the story short: NVD is close to 0 activity since mid-February
>> and there is no communication for now on why, what are the reasons
>> etc.
>> The security community is concerned and there are multiple ideas:
>> amending/replacing the database, there is an open letter in the works
>> etc.
>> From our practical view there's no automated solutions we can
>> implement right now. I have some ideas and it would be good to discuss
>> them,
>> the next weekly meeting might be a good occasion.
>
> Probably alternatives to NVD will get increased attention too, which
> is not a bad thing. This exposes NVD as the single point of failure,
> and I can't see how they're going to restore trust.

Funding has been an issue for years, e.g. many thousands of bug reports never
processed into CVEs,
https://www.platformsecuritysummit.com/2019/speaker/sherman/
Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
On Thu, 28 Mar 2024 at 17:28, Marta Rybczynska wrote:
> I think you weren't there at the weekly meeting when we discussed
> that: it started around Feb 14th and I see that in my data
> (I have a daily report).
>
> To make the story short: NVD is close to 0 activity since mid-February
> and there is no communication for now on why, what are the reasons
> etc.
> The security community is concerned and there are multiple ideas:
> amending/replacing the database, there is an open letter in the works
> etc.
> From our practical view there's no automated solutions we can
> implement right now. I have some ideas and it would be good to discuss
> them,
> the next weekly meeting might be a good occasion.

Probably alternatives to NVD will get increased attention too, which
is not a bad thing. This exposes NVD as the single point of failure,
and I can't see how they're going to restore trust.

Alex
Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
On Sun, Mar 24, 2024 at 3:11 PM Alexander Kanavin wrote:
>
> I’m getting slightly concerned, no new CVEs second week in a row? Did the
> checker break?
>

I think you weren't there at the weekly meeting when we discussed
that: it started around Feb 14th and I see that in my data
(I have a daily report).

To make the story short: NVD is close to 0 activity since mid-February
and there is no communication for now on why, what are the reasons
etc.
The security community is concerned and there are multiple ideas:
amending/replacing the database, there is an open letter in the works
etc.
From our practical view there's no automated solutions we can
implement right now. I have some ideas and it would be good to discuss
them,
the next weekly meeting might be a good occasion.

Regards,
Marta
Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
On Sun, Mar 24, 2024 at 3:25 PM Rich Persaud wrote:
>
> https://www.darkreading.com/cybersecurity-operations/nist-vuln-database-downshifts-prompting-questions-about-its-future
>
> > Next week, vulnerability researchers will gather for the VulnCon conference
> > in Raleigh, N.C., where an "NVD symposium" is on the agenda. Perhaps more
> > details will emerge then.

I'm following this closely.

Marta
Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
https://www.darkreading.com/cybersecurity-operations/nist-vuln-database-downshifts-prompting-questions-about-its-future

> Next week, vulnerability researchers will gather for the VulnCon conference
> in Raleigh, N.C., where an "NVD symposium" is on the agenda. Perhaps more
> details will emerge then.

On Mar 24, 2024, at 10:17, Steve Sakoman wrote:
> https://www.scmagazine.com/news/update-delays-to-nist-vulnerability-database-alarms-researchers
>
> On Sun, Mar 24, 2024, 4:11 AM Alexander Kanavin wrote:
>> I’m getting slightly concerned, no new CVEs second week in a row? Did the
>> checker break?
>>
>> Alex
Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
https://www.scmagazine.com/news/update-delays-to-nist-vulnerability-database-alarms-researchers

On Sun, Mar 24, 2024, 4:11 AM Alexander Kanavin wrote:
> I’m getting slightly concerned, no new CVEs second week in a row? Did the
> checker break?
>
> Alex
Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
I’m getting slightly concerned, no new CVEs second week in a row? Did the
checker break?

Alex

On Sun 24. Mar 2024 at 12.18, Steve Sakoman wrote:
> Branch: master
>
> New this week: 0 CVEs
>
> Removed this week: 0 CVEs
>
> Full list: Found 37 unpatched CVEs
> CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
> CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
> CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
> CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
> CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
> CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
> CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
> CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
> CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
> CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *
> CVE-2023-3397 (CVSS3: 6.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3397 *
> CVE-2023-3640 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 *
> CVE-2023-4010 (CVSS3: 4.6 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 *
> CVE-2023-42363 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 *
> CVE-2023-42364 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 *
> CVE-2023-42365 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 *
> CVE-2023-42366 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 *
> CVE-2023-51767 (CVSS3: 7.0 HIGH): openssh
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 *
> CVE-2023-6238 (CVSS3: 6.7 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6238 *
> CVE-2023-6240 (CVSS3: 6.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 *
> CVE-2023-6270 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6270 *
> CVE-2023-6356 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 *
> CVE-2023-6535 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 *
> CVE-2023-6536 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 *
> CVE-2023-7042 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7042 *
> CVE-2023-7216 (CVSS3: 5.3 MEDIUM): cpio
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 *
> CVE-2024-0841 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0841 *
> CVE-2024-21803 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 *
> CVE-2024-23307 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23307 *
> CVE-2024-23848 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23848 *
> CVE-2024-24857 (CVSS3: 6.8 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 *
> CVE-2024-24858 (CVSS3: 5.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 *
> CVE-2024-24859 (CVSS3: 4.8 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 *
> CVE-2024-24861 (CVSS3: 6.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 *
> CVE-2024-24864 (CVSS3: 4.7 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 *
> CVE-2024-25739 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 *
> CVE-2024-25740 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 *
>
> Summary of CVE counts by recipe:
> linux-yocto: 28
> busybox: 4
> cpio: 1
> gnupg:gnupg-native: 1
> nasm:nasm-native: 1
> openssh: 1
> qemu:qemu-native:qemu-system-native: 1
>
> For further information see:
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/