* OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
@ 2024-03-24 11:18 steve
  2024-03-24 14:11 ` [yocto-security] " Alexander Kanavin
  0 siblings, 1 reply; 7+ messages in thread
From: steve @ 2024-03-24 11:18 UTC (permalink / raw)
  To: openembedded-core, yocto-security

Branch: master

New this week: 0 CVEs

Removed this week: 0 CVEs

Full list:  Found 37 unpatched CVEs
CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *
CVE-2023-3397 (CVSS3: 6.3 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3397 *
CVE-2023-3640 (CVSS3: 7.8 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 *
CVE-2023-4010 (CVSS3: 4.6 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 *
CVE-2023-42363 (CVSS3: 5.5 MEDIUM): busybox https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 *
CVE-2023-42364 (CVSS3: 5.5 MEDIUM): busybox https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 *
CVE-2023-42365 (CVSS3: 5.5 MEDIUM): busybox https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 *
CVE-2023-42366 (CVSS3: 5.5 MEDIUM): busybox https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 *
CVE-2023-51767 (CVSS3: 7.0 HIGH): openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 *
CVE-2023-6238 (CVSS3: 6.7 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6238 *
CVE-2023-6240 (CVSS3: 6.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 *
CVE-2023-6270 (CVSS3: 7.0 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6270 *
CVE-2023-6356 (CVSS3: 7.5 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 *
CVE-2023-6535 (CVSS3: 7.5 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 *
CVE-2023-6536 (CVSS3: 7.5 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 *
CVE-2023-7042 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7042 *
CVE-2023-7216 (CVSS3: 5.3 MEDIUM): cpio https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 *
CVE-2024-0841 (CVSS3: 7.8 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0841 *
CVE-2024-21803 (CVSS3: 7.8 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 *
CVE-2024-23307 (CVSS3: 7.8 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23307 *
CVE-2024-23848 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23848 *
CVE-2024-24857 (CVSS3: 6.8 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 *
CVE-2024-24858 (CVSS3: 5.3 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 *
CVE-2024-24859 (CVSS3: 4.8 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 *
CVE-2024-24861 (CVSS3: 6.3 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 *
CVE-2024-24864 (CVSS3: 4.7 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 *
CVE-2024-25739 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 *
CVE-2024-25740 (CVSS3: 5.5 MEDIUM): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 *

Summary of CVE counts by recipe:
  linux-yocto: 28
  busybox: 4
  cpio: 1
  gnupg:gnupg-native: 1
  nasm:nasm-native: 1
  openssh: 1
  qemu:qemu-native:qemu-system-native: 1

For further information see: https://autobuilder.yocto.io/pub/non-release/patchmetrics/



* Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
  2024-03-24 11:18 OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST steve
@ 2024-03-24 14:11 ` Alexander Kanavin
  2024-03-24 14:17   ` Steve Sakoman
  2024-03-28 16:28   ` Marta Rybczynska
  0 siblings, 2 replies; 7+ messages in thread
From: Alexander Kanavin @ 2024-03-24 14:11 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: openembedded-core, yocto-security


I’m getting slightly concerned, no new CVEs second week in a row? Did the
checker break?

Alex

On Sun 24. Mar 2024 at 12.18, Steve Sakoman <steve@sakoman.com> wrote:

> Branch: master
>
> New this week: 0 CVEs
>
> Removed this week: 0 CVEs
>
> Full list:  Found 37 unpatched CVEs
> CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
> CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
> CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
> CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
> CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
> CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
> CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
> CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
> CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
> CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *
> CVE-2023-3397 (CVSS3: 6.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3397 *
> CVE-2023-3640 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 *
> CVE-2023-4010 (CVSS3: 4.6 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 *
> CVE-2023-42363 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 *
> CVE-2023-42364 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 *
> CVE-2023-42365 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 *
> CVE-2023-42366 (CVSS3: 5.5 MEDIUM): busybox
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 *
> CVE-2023-51767 (CVSS3: 7.0 HIGH): openssh
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 *
> CVE-2023-6238 (CVSS3: 6.7 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6238 *
> CVE-2023-6240 (CVSS3: 6.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 *
> CVE-2023-6270 (CVSS3: 7.0 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6270 *
> CVE-2023-6356 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 *
> CVE-2023-6535 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 *
> CVE-2023-6536 (CVSS3: 7.5 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 *
> CVE-2023-7042 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7042 *
> CVE-2023-7216 (CVSS3: 5.3 MEDIUM): cpio
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 *
> CVE-2024-0841 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0841 *
> CVE-2024-21803 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 *
> CVE-2024-23307 (CVSS3: 7.8 HIGH): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23307 *
> CVE-2024-23848 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23848 *
> CVE-2024-24857 (CVSS3: 6.8 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 *
> CVE-2024-24858 (CVSS3: 5.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 *
> CVE-2024-24859 (CVSS3: 4.8 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 *
> CVE-2024-24861 (CVSS3: 6.3 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 *
> CVE-2024-24864 (CVSS3: 4.7 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 *
> CVE-2024-25739 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 *
> CVE-2024-25740 (CVSS3: 5.5 MEDIUM): linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 *
>
> Summary of CVE counts by recipe:
>   linux-yocto: 28
>   busybox: 4
>   cpio: 1
>   gnupg:gnupg-native: 1
>   nasm:nasm-native: 1
>   openssh: 1
>   qemu:qemu-native:qemu-system-native: 1
>
> For further information see:
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/
>



* Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
  2024-03-24 14:11 ` [yocto-security] " Alexander Kanavin
@ 2024-03-24 14:17   ` Steve Sakoman
       [not found]     ` <41DC1D74-16D9-4736-BDA6-A87CB6E0FF09@gmail.com>
  2024-03-28 16:28   ` Marta Rybczynska
  1 sibling, 1 reply; 7+ messages in thread
From: Steve Sakoman @ 2024-03-24 14:17 UTC (permalink / raw)
  To: Alexander Kanavin
  Cc: Patches and discussions about the oe-core layer, yocto-security


https://www.scmagazine.com/news/update-delays-to-nist-vulnerability-database-alarms-researchers

On Sun, Mar 24, 2024, 4:11 AM Alexander Kanavin <alex.kanavin@gmail.com>
wrote:

> I’m getting slightly concerned, no new CVEs second week in a row? Did the
> checker break?
>
> Alex
>
> On Sun 24. Mar 2024 at 12.18, Steve Sakoman <steve@sakoman.com> wrote:
>
>> Branch: master
>>
>> New this week: 0 CVEs
>>
>> Removed this week: 0 CVEs
>>
>> Full list:  Found 37 unpatched CVEs
>> CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
>> CVE-2021-3714 (CVSS3: 5.9 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
>> CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
>> CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
>> CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
>> CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
>> CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
>> CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
>> CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
>> CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *
>> CVE-2023-3397 (CVSS3: 6.3 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3397 *
>> CVE-2023-3640 (CVSS3: 7.8 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 *
>> CVE-2023-4010 (CVSS3: 4.6 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 *
>> CVE-2023-42363 (CVSS3: 5.5 MEDIUM): busybox
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 *
>> CVE-2023-42364 (CVSS3: 5.5 MEDIUM): busybox
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42364 *
>> CVE-2023-42365 (CVSS3: 5.5 MEDIUM): busybox
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42365 *
>> CVE-2023-42366 (CVSS3: 5.5 MEDIUM): busybox
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 *
>> CVE-2023-51767 (CVSS3: 7.0 HIGH): openssh
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 *
>> CVE-2023-6238 (CVSS3: 6.7 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6238 *
>> CVE-2023-6240 (CVSS3: 6.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 *
>> CVE-2023-6270 (CVSS3: 7.0 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6270 *
>> CVE-2023-6356 (CVSS3: 7.5 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 *
>> CVE-2023-6535 (CVSS3: 7.5 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 *
>> CVE-2023-6536 (CVSS3: 7.5 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 *
>> CVE-2023-7042 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7042 *
>> CVE-2023-7216 (CVSS3: 5.3 MEDIUM): cpio
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 *
>> CVE-2024-0841 (CVSS3: 7.8 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0841 *
>> CVE-2024-21803 (CVSS3: 7.8 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 *
>> CVE-2024-23307 (CVSS3: 7.8 HIGH): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23307 *
>> CVE-2024-23848 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23848 *
>> CVE-2024-24857 (CVSS3: 6.8 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 *
>> CVE-2024-24858 (CVSS3: 5.3 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 *
>> CVE-2024-24859 (CVSS3: 4.8 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 *
>> CVE-2024-24861 (CVSS3: 6.3 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 *
>> CVE-2024-24864 (CVSS3: 4.7 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 *
>> CVE-2024-25739 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 *
>> CVE-2024-25740 (CVSS3: 5.5 MEDIUM): linux-yocto
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 *
>>
>> Summary of CVE counts by recipe:
>>   linux-yocto: 28
>>   busybox: 4
>>   cpio: 1
>>   gnupg:gnupg-native: 1
>>   nasm:nasm-native: 1
>>   openssh: 1
>>   qemu:qemu-native:qemu-system-native: 1
>>
>> For further information see:
>> https://autobuilder.yocto.io/pub/non-release/patchmetrics/
>>



* Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
       [not found]     ` <41DC1D74-16D9-4736-BDA6-A87CB6E0FF09@gmail.com>
@ 2024-03-28 16:24       ` Marta Rybczynska
  0 siblings, 0 replies; 7+ messages in thread
From: Marta Rybczynska @ 2024-03-28 16:24 UTC (permalink / raw)
  To: Rich Persaud
  Cc: Steve Sakoman, Alexander Kanavin,
	Patches and discussions about the oe-core layer, yocto-security

On Sun, Mar 24, 2024 at 3:25 PM Rich Persaud <persaur@gmail.com> wrote:
>
> https://www.darkreading.com/cybersecurity-operations/nist-vuln-database-downshifts-prompting-questions-about-its-future
>
> > Next week, vulnerability researchers will gather for the VulnCon conference in Raleigh, N.C., where an "NVD symposium" is on the agenda. Perhaps more details will emerge then.

I'm following this closely.

Marta



* Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
  2024-03-24 14:11 ` [yocto-security] " Alexander Kanavin
  2024-03-24 14:17   ` Steve Sakoman
@ 2024-03-28 16:28   ` Marta Rybczynska
  2024-03-28 16:36     ` Alexander Kanavin
  1 sibling, 1 reply; 7+ messages in thread
From: Marta Rybczynska @ 2024-03-28 16:28 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: Steve Sakoman, openembedded-core, yocto-security

On Sun, Mar 24, 2024 at 3:11 PM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> I’m getting slightly concerned, no new CVEs second week in a row? Did the checker break?
>

I think you weren't there at the weekly meeting when we discussed
that: it started around Feb 14th and I see that in my data
(I have a daily report).

To make the story short: NVD has been close to 0 activity since mid-February
and there is no communication for now on why, what the reasons are,
etc.
The security community is concerned and there are multiple ideas:
amending/replacing the database, an open letter in the works,
etc.
From our practical view there are no automated solutions we can
implement right now. I have some ideas and it would be good to discuss
them; the next weekly meeting might be a good occasion.

Regards,
Marta
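The two possible readings of a "0 new CVEs" line, a broken checker or a stalled upstream feed, can be separated mechanically. The following added example (not code from the thread, from Yocto's cve-check, or from cve-update-nvd2-native) parses report lines in the format shown above into structured records, reproduces the per-recipe summary, and checks the age of the newest `lastModified` timestamp in an NVD API 2.0-style record set before treating a zero as evidence of a quiet week. The report excerpt, the feed records and their CVE IDs are constructed sample data; the field names `published` and `lastModified` are those of the NVD 2.0 API, and the seven-day threshold is an assumption matching the weekly cadence of the report.

```python
"""Parse the weekly OE-core CVE report format and sanity-check the NVD data
behind it. Added example, not part of the thread or of the Yocto tooling.
Assumes report lines follow the format seen in the thread and that the feed
uses the NVD API 2.0 field names `published` / `lastModified`."""
import re
from datetime import datetime, timedelta

# Constructed excerpt in the format of the weekly report (IDs taken from the
# report above; only three entries are kept to stay short).
REPORT = """Branch: master

New this week: 0 CVEs

Removed this week: 0 CVEs

Full list:  Found 3 unpatched CVEs
CVE-2019-14899 (CVSS3: 7.4 HIGH): linux-yocto https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 *
CVE-2023-42363 (CVSS3: 5.5 MEDIUM): busybox https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 *
CVE-2023-1386 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 *
"""

# One report entry: "CVE-id (CVSS3: score SEVERITY): recipe[:recipe...] url *"
ENTRY_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,}) \(CVSS3: (\d+(?:\.\d+)?) (LOW|MEDIUM|HIGH|CRITICAL)\): (\S+) (\S+)"
)
NEW_RE = re.compile(r"^New this week: (\d+) CVEs", re.M)


def parse_entries(report):
    """Turn the 'Full list' lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cve, score, severity, recipes, url = m.groups()
            entries.append({
                "cve": cve,
                "score": float(score),
                "severity": severity,
                "recipes": recipes.split(":"),  # e.g. qemu:qemu-native:qemu-system-native
                "url": url,
            })
    return entries


def count_by_recipe(entries):
    """Reproduce the 'Summary of CVE counts by recipe' section (one count per recipe group)."""
    counts = {}
    for e in entries:
        key = ":".join(e["recipes"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def new_this_week(report):
    """The 'New this week' count, or None if the header line is missing."""
    m = NEW_RE.search(report)
    return int(m.group(1)) if m else None


def newest_modification(feed):
    """Newest `lastModified` timestamp across NVD API 2.0 style records."""
    stamps = [datetime.strptime(v["cve"]["lastModified"], "%Y-%m-%dT%H:%M:%S.%f")
              for v in feed["vulnerabilities"]]
    return max(stamps)


def assess(report, feed, now_iso, max_age_days=7):
    """Classify a weekly report: a zero is only evidence of a quiet week when the
    upstream data has changed recently; otherwise the feed itself is suspect."""
    now = datetime.fromisoformat(now_iso)
    if now - newest_modification(feed) > timedelta(days=max_age_days):
        return "stale-feed"    # no upstream change within max_age_days: zero means nothing
    if new_this_week(report) == 0:
        return "quiet-week"
    return "new-cves"


# Constructed feed records with placeholder IDs (not real CVEs); the newest
# change is dated 13 Feb, the point at which activity stalled in the thread.
FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-2024-00001", "published": "2024-02-12T09:00:00.000",
             "lastModified": "2024-02-13T10:00:00.000"}},
    {"cve": {"id": "CVE-2024-00002", "published": "2024-02-01T09:00:00.000",
             "lastModified": "2024-02-10T10:00:00.000"}},
]}

if __name__ == "__main__":
    for recipe, n in sorted(count_by_recipe(parse_entries(REPORT)).items()):
        print(f"  {recipe}: {n}")
    print("newest upstream change:", newest_modification(FEED).isoformat())
    print("verdict on 2024-03-24:", assess(REPORT, FEED, "2024-03-24"))
```

Run against a real download of the NVD 2.0 data the checker consumes, `assess` returning `stale-feed` is the signal to treat the weekly zero as "unknown" rather than "nothing new", which is exactly the distinction the thread is drawing.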



* Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
  2024-03-28 16:28   ` Marta Rybczynska
@ 2024-03-28 16:36     ` Alexander Kanavin
  2024-03-28 16:58       ` Rich Persaud
  0 siblings, 1 reply; 7+ messages in thread
From: Alexander Kanavin @ 2024-03-28 16:36 UTC (permalink / raw)
  To: Marta Rybczynska; +Cc: Steve Sakoman, openembedded-core, yocto-security

On Thu, 28 Mar 2024 at 17:28, Marta Rybczynska <rybczynska@gmail.com> wrote:
> I think you weren't there at the weekly meeting when we discussed
> that: it started around Feb 14th and I see that in my data
> (I have a daily report).
>
> To make the story short: NVD is close to 0 activity since mid-February
> and there is no communication for now on why, what are the reasons
> etc.
> The security community is concerned and there are multiple ideas:
> amending/replacing the database, there is an open letter in the works
> etc.
> From our practical view there's no automated solutions we can
> implement right now. I have some ideas and it would be good to discuss
> them,
> the next weekly meeting might be a good occasion.

Probably alternatives to NVD will get increased attention too, which
is not a bad thing. This exposes NVD as the single point of failure,
and I can't see how they're going to restore trust.

Alex



* Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Mar 2024 01:00:01 AM HST
  2024-03-28 16:36     ` Alexander Kanavin
@ 2024-03-28 16:58       ` Rich Persaud
  0 siblings, 0 replies; 7+ messages in thread
From: Rich Persaud @ 2024-03-28 16:58 UTC (permalink / raw)
  To: Alexander Kanavin
  Cc: Marta Rybczynska, Steve Sakoman, openembedded-core, yocto-security


On Mar 28, 2024, at 12:37, Alexander Kanavin <alex.kanavin@gmail.com> wrote:
> 
> On Thu, 28 Mar 2024 at 17:28, Marta Rybczynska <rybczynska@gmail.com> wrote:
>> I think you weren't there at the weekly meeting when we discussed
>> that: it started around Feb 14th and I see that in my data
>> (I have a daily report).
>> 
>> To make the story short: NVD is close to 0 activity since mid-February
>> and there is no communication for now on why, what are the reasons
>> etc.
>> The security community is concerned and there are multiple ideas:
>> amending/replacing the database, there is an open letter in the works
>> etc.
>> From our practical view there's no automated solutions we can
>> implement right now. I have some ideas and it would be good to discuss
>> them,
>> the next weekly meeting might be a good occasion.
> 
> Probably alternatives to NVD will get increased attention too, which
> is not a bad thing. This exposes NVD as the single point of failure,
> and I can't see how they're going to restore trust.

Funding has been an issue for years, e.g. many thousands of bug reports never processed into CVEs, https://www.platformsecuritysummit.com/2019/speaker/sherman/

