Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST

From: "Richard Purdie" <richard.purdie@linuxfoundation.org>
To: "Lee, Chee Yang" <chee.yang.lee@intel.com>,
	Steve Sakoman <steve@sakoman.com>,
	"openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>,
	 "yocto-security@lists.yoctoproject.org"
	<yocto-security@lists.yoctoproject.org>
Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
Date: Mon, 25 Jan 2021 22:10:17 +0000	[thread overview]
Message-ID: <0d314728a5aceabe78e9d61bfe257d69396b23e3.camel@linuxfoundation.org> (raw)
In-Reply-To: <MWHPR11MB20005F089BE21737CFA246E7B9BD9@MWHPR11MB2000.namprd11.prod.outlook.com>

I'm not sure its working. For example:

https://nvd.nist.gov/vuln/detail/CVE-2019-1543

which says it applies to:

1.1.0 to 1.1.0j
and
1.1.1 to 1.1.1b

Master has 1.1.1i which is greater than 1.1.1b so we shouldn't be shown
as at risk yet the CVE is listed.

Cheers,

Richard

On Mon, 2021-01-25 at 02:39 +0000, Lee, Chee Yang wrote:
> The changes expose these, it ignored trailing character in this version compare ( "i" in this case for openssl_1.1.1i )
> (CVE-2019-1543, CVE-2019-1547, CVE-2019-1549, CVE-2019-1551, CVE-2019-1552, CVE-2019-1563, CVE-2020-1967, CVE-2020-1971)  
> behave this way because its difficult to define the trailing characters (like version 1.1b can be 1.1 beta or patched release 1.1b) 
> 
> 
> NVD just updated these recently 
> CVE-2013-0800, CVE-2020-14409, CVE-2020-14410
> 
> 
> 
> > -----Original Message-----
> > From: Richard Purdie <richard.purdie@linuxfoundation.org>
> > Sent: Monday, 25 January, 2021 7:21 AM
> > To: Steve Sakoman <steve@sakoman.com>; openembedded-
> > core@lists.openembedded.org; yocto-security@lists.yoctoproject.org
> > Cc: Lee, Chee Yang <chee.yang.lee@intel.com>
> > Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021
> > 07:15:01 AM HST
> > 
> > On Sun, 2021-01-24 at 07:18 -1000, Steve Sakoman wrote:
> > > Branch: master
> > > 
> > > New this week:
> > > CVE-2013-0800: pixman
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
> > > CVE-2019-1543: openssl
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1543 *
> > > CVE-2019-1547: openssl
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1547 *
> > > CVE-2019-1549: openssl
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1549 *
> > > CVE-2019-1551: openssl
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1551 *
> > > CVE-2019-1552: openssl
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1552 *
> > > CVE-2019-1563: openssl
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1563 *
> > > CVE-2020-14409: libsdl2
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14409 *
> > > CVE-2020-14410: libsdl2
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14410 *
> > > CVE-2020-1967: openssl
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1967 *
> > > CVE-2020-1971: openssl
> > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1971 *
> > 
> > Adding Chee Yang, did the recent cve-check change mean some version
> > comparisons regressed and exposed CVEs that shouldn't be in this list, or were we
> > making some we need to fix? Or did some other change expose these?
> > 
> > Cheers,
> > 
> > Richard
> > 
> > 
> 
> 