* OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
@ 2021-01-24 17:18 Steve Sakoman
From: Steve Sakoman @ 2021-01-24 17:18 UTC (permalink / raw)
  To: steve, openembedded-core, yocto-security

Branch: master

New this week:
CVE-2013-0800: pixman https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
CVE-2019-1543: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1543 *
CVE-2019-1547: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1547 *
CVE-2019-1549: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1549 *
CVE-2019-1551: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1551 *
CVE-2019-1552: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1552 *
CVE-2019-1563: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1563 *
CVE-2020-14409: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14409 *
CVE-2020-14410: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14410 *
CVE-2020-1967: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1967 *
CVE-2020-1971: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1971 *

Removed this week:
CVE-2013-0800: cairo https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
CVE-2020-1752: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1752 *
CVE-2020-29361: p11-kit https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29361 *
CVE-2020-29362: p11-kit https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29362 *
CVE-2020-29363: p11-kit https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29363 *
CVE-2021-23240: sudo https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23240 *

Full list:  Found 59 unpatched CVEs
CVE-2000-0006: strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 *
CVE-2000-0803: groff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803 *
CVE-2005-0238: epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238 *
CVE-2007-0998: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0998 *
CVE-2007-2379: jquery https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2379 *
CVE-2007-2768: openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2768 *
CVE-2007-4476: tar https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4476 *
CVE-2008-0888: unzip https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0888 *
CVE-2008-3188: libxcrypt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3188 *
CVE-2008-3844: openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3844 *
CVE-2008-4178: builder https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4178 *
CVE-2008-4539: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4539 *
CVE-2010-4226: cpio https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4226 *
CVE-2010-4756: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756 *
CVE-2011-1548: logrotate https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1548 *
CVE-2011-1549: logrotate https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1549 *
CVE-2011-1550: logrotate https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1550 *
CVE-2013-0221: coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0221 *
CVE-2013-0222: coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0222 *
CVE-2013-0223: coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0223 *
CVE-2013-0800: pixman https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
CVE-2013-4235: shadow-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4235 *
CVE-2013-4342: xinetd https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4342 *
CVE-2013-6629: ghostscript https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6629 *
CVE-2013-7381: libnotify https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7381 *
CVE-2015-7313: tiff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7313 *
CVE-2016-2781: coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2781 *
CVE-2016-6328: libexif https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6328 *
CVE-2017-3139: bind https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3139 *
CVE-2017-5957: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5957 *
CVE-2018-1000041: librsvg https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000041 *
CVE-2018-12433: libgcrypt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12433 *
CVE-2018-12437: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12437 *
CVE-2018-12438: libgcrypt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12438 *
CVE-2018-18438: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18438 *
CVE-2019-1010022: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022 *
CVE-2019-1010023: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023 *
CVE-2019-1010024: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 *
CVE-2019-1010025: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 *
CVE-2019-14865: grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14865 *
CVE-2019-1543: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1543 *
CVE-2019-1547: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1547 *
CVE-2019-1549: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1549 *
CVE-2019-1551: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1551 *
CVE-2019-1552: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1552 *
CVE-2019-1563: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1563 *
CVE-2019-6293: flex-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6293 *
CVE-2019-6470: bind https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6470 *
CVE-2020-12351: bluez5 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12351 *
CVE-2020-12352: bluez5 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12352 *
CVE-2020-12825: libcroco https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12825 *
CVE-2020-14409: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14409 *
CVE-2020-14410: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14410 *
CVE-2020-15705: grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 *
CVE-2020-1967: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1967 *
CVE-2020-1971: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1971 *
CVE-2020-29509: go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509 *
CVE-2020-29511: go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511 *
CVE-2020-3810: apt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3810 *


* Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
  2021-01-24 17:18 OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST Steve Sakoman
@ 2021-01-24 23:20 ` Richard Purdie
From: Richard Purdie @ 2021-01-24 23:20 UTC (permalink / raw)
  To: Steve Sakoman, openembedded-core, yocto-security; +Cc: Lee Chee Yang

On Sun, 2021-01-24 at 07:18 -1000, Steve Sakoman wrote:
> Branch: master
> 
> New this week:
> CVE-2013-0800: pixman https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
> CVE-2019-1543: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1543 *
> CVE-2019-1547: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1547 *
> CVE-2019-1549: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1549 *
> CVE-2019-1551: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1551 *
> CVE-2019-1552: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1552 *
> CVE-2019-1563: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1563 *
> CVE-2020-14409: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14409 *
> CVE-2020-14410: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14410 *
> CVE-2020-1967: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1967 *
> CVE-2020-1971: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1971 *

Adding Chee Yang, did the recent cve-check change mean some version
comparisons regressed and exposed CVEs that shouldn't be in this list,
or were we making some we need to fix? Or did some other change expose
these?

Cheers,

Richard





* Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
  2021-01-24 23:20 ` [yocto-security] " Richard Purdie
@ 2021-01-25  2:39   ` Lee Chee Yang
From: Lee Chee Yang @ 2021-01-25  2:39 UTC (permalink / raw)
  To: Richard Purdie, Steve Sakoman, openembedded-core, yocto-security

The changes expose these: it ignored the trailing character in this version compare ("i" in this case, for openssl_1.1.1i).
(CVE-2019-1543, CVE-2019-1547, CVE-2019-1549, CVE-2019-1551, CVE-2019-1552, CVE-2019-1563, CVE-2020-1967, CVE-2020-1971)
behave this way because it is difficult to define the trailing characters (for example, version 1.1b can be 1.1 beta or the patched release 1.1b).


NVD just updated these recently 
CVE-2013-0800, CVE-2020-14409, CVE-2020-14410




* Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
  2021-01-25  2:39   ` Lee Chee Yang
@ 2021-01-25 22:10     ` Richard Purdie
From: Richard Purdie @ 2021-01-25 22:10 UTC (permalink / raw)
  To: Lee, Chee Yang, Steve Sakoman, openembedded-core, yocto-security

I'm not sure it's working. For example:

https://nvd.nist.gov/vuln/detail/CVE-2019-1543

which says it applies to:

1.1.0 to 1.1.0j
and
1.1.1 to 1.1.1b

Master has 1.1.1i which is greater than 1.1.1b so we shouldn't be shown
as at risk yet the CVE is listed.

Cheers,

Richard

On Mon, 2021-01-25 at 02:39 +0000, Lee, Chee Yang wrote:
> The changes expose these: it ignored the trailing character in this version compare ("i" in this case, for openssl_1.1.1i).
> (CVE-2019-1543, CVE-2019-1547, CVE-2019-1549, CVE-2019-1551, CVE-2019-1552, CVE-2019-1563, CVE-2020-1967, CVE-2020-1971)
> behave this way because it is difficult to define the trailing characters (for example, version 1.1b can be 1.1 beta or the patched release 1.1b).

* Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
  2021-01-25 22:10     ` Richard Purdie
@ 2021-01-26  3:54       ` Lee Chee Yang
From: Lee Chee Yang @ 2021-01-26  3:54 UTC (permalink / raw)
  To: Richard Purdie, Steve Sakoman, openembedded-core, yocto-security

For this case the new changes only consider 1.1.1 from both 1.1.1i and 1.1.1b; they do not take the trailing "i" and "b" into account when comparing them, so these two versions are treated as the same version (1.1.1).

I expected this, knowing that comparing versions in this way can falsely report more CVEs, but it can capture some corner cases.

>-----Original Message-----
>From: Richard Purdie <richard.purdie@linuxfoundation.org>
>Sent: Tuesday, 26 January, 2021 6:10 AM
>To: Lee, Chee Yang <chee.yang.lee@intel.com>; Steve Sakoman
><steve@sakoman.com>; openembedded-core@lists.openembedded.org; yocto-
>security@lists.yoctoproject.org
>Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021
>07:15:01 AM HST
>
>I'm not sure its working. For example:
>
>https://nvd.nist.gov/vuln/detail/CVE-2019-1543
>
>which says it applies to:
>
>1.1.0 to 1.1.0j
>and
>1.1.1 to 1.1.1b
>
>Master has 1.1.1i which is greater than 1.1.1b so we shouldn't be shown as at risk
>yet the CVE is listed.
>
>Cheers,
>
>Richard
>

* Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
  2021-01-26  3:54       ` Lee Chee Yang
@ 2021-01-26  9:54         ` Ross Burton
From: Ross Burton @ 2021-01-26  9:54 UTC (permalink / raw)
  To: Lee Chee Yang
  Cc: Richard Purdie, Steve Sakoman, openembedded-core, yocto-security


Versions using a single character for patch level aren't rare, and OpenSSL
is high impact. Can we special case these in the parser?

Ross

On Tue, 26 Jan 2021 at 03:55, Lee Chee Yang <chee.yang.lee@intel.com> wrote:

> For this case the new changes only consider 1.1.1 from both 1.1.1i and
> 1.1.1b; they do not take the trailing "i" and "b" into account when comparing
> them, so these two versions are treated as the same version (1.1.1).
>
> I expected this, knowing that comparing versions in this way can falsely
> report more CVEs, but it can capture some corner cases.
>

* Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
  2021-01-26  9:54         ` [OE-core] " Ross Burton
@ 2021-01-26 16:19           ` Lee Chee Yang
From: Lee Chee Yang @ 2021-01-26 16:19 UTC (permalink / raw)
  To: Ross Burton
  Cc: Richard Purdie, Steve Sakoman, openembedded-core, yocto-security


A variable in the recipe to indicate the character as patch level?
Like CVE_VERSION_SUFFIX in "alphabetical", so the parser understands the last alphabetical character as a patched release.




From: Ross Burton <ross@burtonini.com>
Sent: Tuesday, 26 January, 2021 5:54 PM
To: Lee, Chee Yang <chee.yang.lee@intel.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>; Steve Sakoman <steve@sakoman.com>; openembedded-core@lists.openembedded.org; yocto-security@lists.yoctoproject.org
Subject: Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST

Versions using a single character for patch level aren't rare, and OpenSSL is high impact. Can we special case these in the parser?

Ross

On Tue, 26 Jan 2021 at 03:55, Lee Chee Yang <chee.yang.lee@intel.com<mailto:chee.yang.lee@intel.com>> wrote:
For this case the new changes only consider 1.1.1 from both 1.1.1i and 1.1.1b; they do not take the trailing "i" and "b" into account when comparing them, so these two versions are treated as the same version (1.1.1).

I expected this, knowing that comparing versions in this way can falsely report more CVEs, but it can capture some corner cases.


* Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
  2021-01-26 16:19           ` Lee Chee Yang
@ 2021-01-26 16:55             ` Richard Purdie
From: Richard Purdie @ 2021-01-26 16:55 UTC (permalink / raw)
  To: Lee, Chee Yang, Ross Burton
  Cc: Steve Sakoman, openembedded-core, yocto-security

On Tue, 2021-01-26 at 16:19 +0000, Lee, Chee Yang wrote:
> A variable in the recipe to indicate the character as patch level?
> Like CVE_VERSION_SUFFIX in "alphabetical", so the parser understands
> the last alphabetical character as a patched release.

Something like that could work. We really need to handle openssl
versioning in particular so we need to do something (or revert the
change if we can't fix it).

Cheers,

Richard
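The comparison the thread is arguing about, written out as an added example in Python (this is not code from the thread, from cve-check.bbclass or from NVD). It implements the two behaviours discussed: "ignore", where the trailing letters are dropped and 1.1.1i compares equal to 1.1.1b, which is what Chee Yang describes the new compare doing, and "alphabetical", where the trailing letters are a patch level, which is the CVE_VERSION_SUFFIX idea; the variable name and the value "alphabetical" are taken from the proposal above and are assumptions here, as is treating both ends of an NVD range as inclusive. The ranges are the two Richard quoted for CVE-2019-1543. Run as a script it prints, for each candidate version, what each mode would report.

```python
import re

# Affected ranges for CVE-2019-1543 as Richard quoted them from the NVD entry:
# 1.1.0 to 1.1.0j and 1.1.1 to 1.1.1b. Treating both ends as inclusive is an
# assumption made for this example.
CVE_2019_1543_RANGES = [("1.1.0", "1.1.0j"), ("1.1.1", "1.1.1b")]

# Dotted numeric version with an optional run of trailing lower-case letters,
# e.g. "1.1.1i" -> ("1.1.1", "i") and "1.1.1" -> ("1.1.1", "").
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def version_key(version, suffix_mode="ignore"):
    """Return a tuple that sorts the way the chosen suffix_mode says it should.

    suffix_mode == "ignore": trailing letters are dropped, the behaviour the
        thread attributes to the new cve-check compare (1.1.1i == 1.1.1b).
    suffix_mode == "alphabetical": trailing letters are a patch level, so
        1.1.1 < 1.1.1a < 1.1.1b < ... < 1.1.1i (the proposed CVE_VERSION_SUFFIX
        setting; the name and value are assumptions in this example).
    """
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"cannot parse version {version!r}")
    numeric = [int(part) for part in m.group(1).split(".")]
    # "1.1" and "1.1.0" name the same release: drop trailing zeros so they compare equal.
    while len(numeric) > 1 and numeric[-1] == 0:
        numeric.pop()
    suffix = m.group(2)
    if suffix_mode == "ignore":
        letters = ()
    elif suffix_mode == "alphabetical":
        # No suffix gives (), which sorts before ("a" -> 1), so 1.1.1 < 1.1.1a.
        letters = tuple(ord(c) - ord("a") + 1 for c in suffix)
    else:
        raise ValueError(f"unknown suffix_mode {suffix_mode!r}")
    return (tuple(numeric), letters)


def version_in_range(version, start, end, suffix_mode="ignore"):
    """True if start <= version <= end under the given suffix handling."""
    def key(v):
        return version_key(v, suffix_mode)
    return key(start) <= key(version) <= key(end)


def is_affected(version, ranges, suffix_mode="ignore"):
    """True if version falls inside any of the (start, end) ranges."""
    return any(version_in_range(version, s, e, suffix_mode) for s, e in ranges)


def compare_modes(version, ranges):
    """What each suffix handling reports for one recipe version (PV)."""
    return {mode: is_affected(version, ranges, mode) for mode in ("ignore", "alphabetical")}


if __name__ == "__main__":
    # Constructed candidate PVs: the two fixed releases named in the thread plus
    # neighbours on either side of each range boundary.
    for pv in ("1.1.1", "1.1.1b", "1.1.1c", "1.1.1i", "1.1.0j", "1.1.0k"):
        print(pv, compare_modes(pv, CVE_2019_1543_RANGES))
```

The "ignore" mode reproduces the false positive in the report: 1.1.1i collapses to 1.1.1, which is inside 1.1.1 to 1.1.1b. The "alphabetical" mode clears it, but only because the recipe has said that the suffix is a patch level; the same parser with "alphabetical" applied to a package whose 1.1b really is a beta would sort the beta after the 1.1 release, which is the ambiguity Chee Yang raised and why a per-recipe switch rather than a global parser rule is what the thread converges on.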

