OE-core CVE metrics for master on Sun 26 Mar 2023 02:00:01 AM HST

OE-core CVE metrics for master on Sun 26 Mar 2023 02:00:01 AM HST

[steve]

Branch: master

New this week: 1 CVEs
CVE-2023-28531 (CVSS3: 9.8 CRITICAL): openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28531 *

Removed this week: 0 CVEs

Full list:  Found 7 unpatched CVEs
CVE-2005-1796 (CVSS3: N/A): ncurses:ncurses-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1796 *
CVE-2022-3219 (CVSS3: 5.5 MEDIUM): gnupg:gnupg-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
CVE-2022-4055 (CVSS3: 7.4 HIGH): xdg-utils https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4055 *
CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
CVE-2023-0330 (CVSS3: 9.8 CRITICAL): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0330 *
CVE-2023-24532 (CVSS3: 5.3 MEDIUM): go:go-binary-native:go-cross-core2-64:go-runtime https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24532 *
CVE-2023-28531 (CVSS3: 9.8 CRITICAL): openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28531 *

For further information see: https://autobuilder.yocto.io/pub/non-release/patchmetrics/

Re: [OE-core] OE-core CVE metrics for master on Sun 26 Mar 2023 02:00:01 AM HST

[Ross Burton]

On 26 Mar 2023, at 13:03, Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> wrote:
> CVE-2005-1796 (CVSS3: N/A): ncurses:ncurses-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1796 *

Still waiting for NIST to update the CPE.

> CVE-2022-3219 (CVSS3: 5.5 MEDIUM): gnupg:gnupg-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *

Upstream don’t consider this an attack, just slow processing, and have marked it as low priority.

> CVE-2022-4055 (CVSS3: 7.4 HIGH): xdg-utils https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4055 *
> CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *

Both still open upstream.

> CVE-2023-0330 (CVSS3: 9.8 CRITICAL): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0330 *

Very niche from what I can tell, but the patch on the list is simple, testing now.

> CVE-2023-24532 (CVSS3: 5.3 MEDIUM): go:go-binary-native:go-cross-core2-64:go-runtime https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24532 *

Patch testing now.

> CVE-2023-28531 (CVSS3: 9.8 CRITICAL): openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28531 *

Upgrade patch already on the list.

Ross

Re: [yocto-security] [OE-core] OE-core CVE metrics for master on Sun 26 Mar 2023 02:00:01 AM HST

[Ross Burton]

>> CVE-2023-0330 (CVSS3: 9.8 CRITICAL): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0330 *
> 
> Very niche from what I can tell, but the patch on the list is simple, testing now.

Update: there’s an alternative patch series which is likely merged instead: https://lore.kernel.org/qemu-devel/20230324113725.xsnbqvzo6rszayjj@mozz.bu.edu/

I suspect none of our machines use this device so this isn’t an urgent fix.

Ross