Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST

2024-05-27 Thread Rich Persaud
On Mar 28, 2024, at 12:58, Rich Persaud  wrote:
> 
>> On Mar 28, 2024, at 12:37, Alexander Kanavin  wrote:
>> 
>> On Thu, 28 Mar 2024 at 17:28, Marta Rybczynska  wrote:
>>> I think you weren't there at the weekly meeting when we discussed
>>> that: it started around Feb 14th and I see that in my data
>>> (I have a daily report).
>>> 
>>> To make the story short: NVD is close to 0 activity since mid-February
>>> and there is no communication for now on why, what are the reasons
>>> etc.
>>> The security community is concerned and there are multiple ideas:
>>> amending/replacing the database, there is an open letter in the works
>>> etc.
>>> From our practical view there's no automated solutions we can
>>> implement right now. I have some ideas and it would be good to discuss
>>> them,
>>> the next weekly meeting might be a good occasion.
>> 
>> Probably alternatives to NVD will get increased attention too, which
>> is not a bad thing. This exposes NVD as the single point of failure,
>> and I can't see how they're going to restore trust.
> 
> Funding has been an issue for years, e.g. many thousands of bug reports never 
> processed into CVEs, 
> https://www.platformsecuritysummit.com/2019/speaker/sherman/

May 24th update:
https://therecord.media/nist-database-backlog-growing-vulncheck

> More than 90% of submissions to the government's National Vulnerabilities 
> Database have not been analyzed or enriched since the agency announced 
> cutbacks in February, new research shows.
> 
> Researchers from VulnCheck analyzed the NVD’s activity since it announced 
> cutbacks on February 12 and found that of the 12,720 new vulnerabilities 
> added since then, 11,885 “have not been analyzed or enriched with critical 
> data that help security professionals determine what software has been 
> affected by a vulnerability.”
> 
> VulnCheck has a list of vulnerabilities it classifies as exploited and said 
> nearly half of those bugs have not been analyzed by NVD since the slowdown. 
> Another 82% of bugs that have a public proof-of-concept exploit have also not 
> been examined, according to the company...
> 
> “We recently enriched 1,300 CVEs and continue to diligently work to ensure 
> all submitted CVEs are enriched,” CISA said. “We ask all CVE Numbering 
> Authorities (CNAs) to provide complete CVEs when making initial submission to 
> CVE.org.”

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199948): 
https://lists.openembedded.org/g/openembedded-core/message/199948
Mute This Topic: https://lists.openembedded.org/mt/105119670/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST

2024-03-28 Thread Rich Persaud
On Mar 28, 2024, at 12:37, Alexander Kanavin  wrote:
> 
> On Thu, 28 Mar 2024 at 17:28, Marta Rybczynska  wrote:
>> I think you weren't there at the weekly meeting when we discussed
>> that: it started around Feb 14th and I see that in my data
>> (I have a daily report).
>> 
>> To make the story short: NVD is close to 0 activity since mid-February
>> and there is no communication for now on why, what are the reasons
>> etc.
>> The security community is concerned and there are multiple ideas:
>> amending/replacing the database, there is an open letter in the works
>> etc.
>> From our practical view there's no automated solutions we can
>> implement right now. I have some ideas and it would be good to discuss
>> them,
>> the next weekly meeting might be a good occasion.
> 
> Probably alternatives to NVD will get increased attention too, which
> is not a bad thing. This exposes NVD as the single point of failure,
> and I can't see how they're going to restore trust.

Funding has been an issue for years, e.g. many thousands of bug reports never 
processed into CVEs, 
https://www.platformsecuritysummit.com/2019/speaker/sherman/



Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST

2024-03-28 Thread Alexander Kanavin
On Thu, 28 Mar 2024 at 17:28, Marta Rybczynska  wrote:
> I think you weren't there at the weekly meeting when we discussed
> that: it started around Feb 14th and I see that in my data
> (I have a daily report).
>
> To make the story short: NVD is close to 0 activity since mid-February
> and there is no communication for now on why, what are the reasons
> etc.
> The security community is concerned and there are multiple ideas:
> amending/replacing the database, there is an open letter in the works
> etc.
> From our practical view there's no automated solutions we can
> implement right now. I have some ideas and it would be good to discuss
> them,
> the next weekly meeting might be a good occasion.

Probably alternatives to NVD will get increased attention too, which
is not a bad thing. This exposes NVD as the single point of failure,
and I can't see how they're going to restore trust.

Alex




Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST

2024-03-28 Thread Marta Rybczynska
On Sun, Mar 24, 2024 at 3:11 PM Alexander Kanavin wrote:
>
> I’m getting slightly concerned, no new CVEs second week in a row? Did the 
> checker break?
>

I think you weren't there at the weekly meeting when we discussed
that: it started around Feb 14th and I see that in my data
(I have a daily report).

To make the story short: NVD is close to 0 activity since mid-February
and there is no communication for now on why, what are the reasons
etc.
The security community is concerned and there are multiple ideas:
amending/replacing the database, there is an open letter in the works
etc.
From our practical view there's no automated solutions we can
implement right now. I have some ideas and it would be good to discuss
them,
the next weekly meeting might be a good occasion.

Regards,
Marta




Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST

2024-03-28 Thread Marta Rybczynska
On Sun, Mar 24, 2024 at 3:25 PM Rich Persaud  wrote:
>
> https://www.darkreading.com/cybersecurity-operations/nist-vuln-database-downshifts-prompting-questions-about-its-future
>
> > Next week, vulnerability researchers will gather for the VulnCon conference 
> > in Raleigh, N.C., where an "NVD symposium" is on the agenda. Perhaps more 
> > details will emerge then.

I'm following this closely.

Marta




Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST

2024-03-24 Thread Rich Persaud
https://www.darkreading.com/cybersecurity-operations/nist-vuln-database-downshifts-prompting-questions-about-its-future

> Next week, vulnerability researchers will gather for the VulnCon conference in Raleigh, N.C., where an "NVD symposium" is on the agenda. Perhaps more details will emerge then.

On Mar 24, 2024, at 10:17, Steve Sakoman wrote:

https://www.scmagazine.com/news/update-delays-to-nist-vulnerability-database-alarms-researchers

On Sun, Mar 24, 2024, 4:11 AM Alexander Kanavin wrote:

I’m getting slightly concerned, no new CVEs second week in a row? Did the checker break?

Alex

On Sun 24. Mar 2024 at 12.18, Steve Sakoman wrote:

Branch: master

New this week: 0 CVEs

Removed this week: 0 CVEs

Full list:  Found 37 unpatched CVEs
CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *
CVE-2023-3397 (CVSS3: 6.3 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3397 *
CVE-2023-3640 (CVSS3: 7.8 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 *
CVE-2023-4010 (CVSS3: 4.6 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 *
CVE-2023-42363 (CVSS3: 5.5 MEDIUM): busybox https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 *
CVE-2023-42364 (CVSS3: 5.5 MEDIUM): busybox https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 *
CVE-2023-42365 (CVSS3: 5.5 MEDIUM): busybox https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 *
CVE-2023-42366 (CVSS3: 5.5 MEDIUM): busybox https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 *
CVE-2023-51767 (CVSS3: 7.0 HIGH): openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 *
CVE-2023-6238 (CVSS3: 6.7 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6238 *
CVE-2023-6240 (CVSS3: 6.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 *
CVE-2023-6270 (CVSS3: 7.0 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6270 *
CVE-2023-6356 (CVSS3: 7.5 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 *
CVE-2023-6535 (CVSS3: 7.5 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 *
CVE-2023-6536 (CVSS3: 7.5 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 *
CVE-2023-7042 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7042 *
CVE-2023-7216 (CVSS3: 5.3 MEDIUM): cpio https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 *
CVE-2024-0841 (CVSS3: 7.8 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0841 *
CVE-2024-21803 (CVSS3: 7.8 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 *
CVE-2024-23307 (CVSS3: 7.8 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23307 *
CVE-2024-23848 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23848 *
CVE-2024-24857 (CVSS3: 6.8 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 *
CVE-2024-24858 (CVSS3: 5.3 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 *
CVE-2024-24859 (CVSS3: 4.8 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 *
CVE-2024-24861 (CVSS3: 6.3 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 *
CVE-2024-24864 (CVSS3: 4.7 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 *
CVE-2024-25739 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 *
CVE-2024-25740 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 *

Summary of CVE counts by recipe:
  linux-yocto: 28
  

Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST

2024-03-24 Thread Steve Sakoman
https://www.scmagazine.com/news/update-delays-to-nist-vulnerability-database-alarms-researchers

On Sun, Mar 24, 2024, 4:11 AM Alexander Kanavin wrote:

> I’m getting slightly concerned, no new CVEs second week in a row? Did the
> checker break?
>
> Alex
>
> On Sun 24. Mar 2024 at 12.18, Steve Sakoman  wrote:
>
>> Branch: master
>>
>> New this week: 0 CVEs
>>
>> Removed this week: 0 CVEs
>>
>> Full list:  Found 37 unpatched CVEs
>> CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
>> CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
>> CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
>> CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
>> CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
>> CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
>> CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
>> CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
>> CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
>> CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *
>> CVE-2023-3397 (CVSS3: 6.3 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3397 *
>> CVE-2023-3640 (CVSS3: 7.8 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 *
>> CVE-2023-4010 (CVSS3: 4.6 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 *
>> CVE-2023-42363 (CVSS3: 5.5 MEDIUM): busybox
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 *
>> CVE-2023-42364 (CVSS3: 5.5 MEDIUM): busybox
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 *
>> CVE-2023-42365 (CVSS3: 5.5 MEDIUM): busybox
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 *
>> CVE-2023-42366 (CVSS3: 5.5 MEDIUM): busybox
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 *
>> CVE-2023-51767 (CVSS3: 7.0 HIGH): openssh
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 *
>> CVE-2023-6238 (CVSS3: 6.7 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6238 *
>> CVE-2023-6240 (CVSS3: 6.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 *
>> CVE-2023-6270 (CVSS3: 7.0 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6270 *
>> CVE-2023-6356 (CVSS3: 7.5 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 *
>> CVE-2023-6535 (CVSS3: 7.5 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 *
>> CVE-2023-6536 (CVSS3: 7.5 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 *
>> CVE-2023-7042 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7042 *
>> CVE-2023-7216 (CVSS3: 5.3 MEDIUM): cpio
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 *
>> CVE-2024-0841 (CVSS3: 7.8 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0841 *
>> CVE-2024-21803 (CVSS3: 7.8 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 *
>> CVE-2024-23307 (CVSS3: 7.8 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23307 *
>> CVE-2024-23848 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23848 *
>> CVE-2024-24857 (CVSS3: 6.8 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 *
>> CVE-2024-24858 (CVSS3: 5.3 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 *
>> CVE-2024-24859 (CVSS3: 4.8 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 *
>> CVE-2024-24861 (CVSS3: 6.3 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 *
>> CVE-2024-24864 (CVSS3: 4.7 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 *
>> CVE-2024-25739 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 *
>> CVE-2024-25740 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 *
>>
>> Summary of CVE counts by recipe:
>>   linux-yocto: 28
>>   busybox: 4
>>   cpio: 1
>>   gnupg:gnupg-native: 1
>>   nasm:nasm-native: 1
>>   openssh: 1
>>   

Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST

2024-03-24 Thread Alexander Kanavin
I’m getting slightly concerned, no new CVEs second week in a row? Did the
checker break?

Alex

On Sun 24. Mar 2024 at 12.18, Steve Sakoman  wrote:

> Branch: master
>
> New this week: 0 CVEs
>
> Removed this week: 0 CVEs
>
> Full list:  Found 37 unpatched CVEs
> CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
> CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
> CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
> CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
> CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
> CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
> CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
> CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
> CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
> CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *
> CVE-2023-3397 (CVSS3: 6.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3397 *
> CVE-2023-3640 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 *
> CVE-2023-4010 (CVSS3: 4.6 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 *
> CVE-2023-42363 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 *
> CVE-2023-42364 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 *
> CVE-2023-42365 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 *
> CVE-2023-42366 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 *
> CVE-2023-51767 (CVSS3: 7.0 HIGH): openssh
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 *
> CVE-2023-6238 (CVSS3: 6.7 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6238 *
> CVE-2023-6240 (CVSS3: 6.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 *
> CVE-2023-6270 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6270 *
> CVE-2023-6356 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 *
> CVE-2023-6535 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 *
> CVE-2023-6536 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 *
> CVE-2023-7042 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7042 *
> CVE-2023-7216 (CVSS3: 5.3 MEDIUM): cpio
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 *
> CVE-2024-0841 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0841 *
> CVE-2024-21803 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 *
> CVE-2024-23307 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23307 *
> CVE-2024-23848 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23848 *
> CVE-2024-24857 (CVSS3: 6.8 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 *
> CVE-2024-24858 (CVSS3: 5.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 *
> CVE-2024-24859 (CVSS3: 4.8 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 *
> CVE-2024-24861 (CVSS3: 6.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 *
> CVE-2024-24864 (CVSS3: 4.7 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 *
> CVE-2024-25739 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 *
> CVE-2024-25740 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 *
>
> Summary of CVE counts by recipe:
>   linux-yocto: 28
>   busybox: 4
>   cpio: 1
>   gnupg:gnupg-native: 1
>   nasm:nasm-native: 1
>   openssh: 1
>   qemu:qemu-native:qemu-system-native: 1
>
> For further information see:
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/
>
> 
>
>
