* OE-core CVE metrics for kirkstone on Sun 12 Jun 2022 03:00:01 AM HST
@ 2022-06-12 13:02 steve
  2022-06-12 15:57 ` [OE-core] " Robert Joslyn
  0 siblings, 1 reply; 3+ messages in thread
From: steve @ 2022-06-12 13:02 UTC (permalink / raw)
  To: openembedded-core, yocto-security

Branch: kirkstone

New this week: 5 CVEs
CVE-2022-1664 (CVSS3: 9.8 CRITICAL): dpkg https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1664 *
CVE-2022-1927 (CVSS3: 9.8 CRITICAL): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1927 *
CVE-2022-1942 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1942 *
CVE-2022-26691 (CVSS3: 6.7 MEDIUM): cups https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26691 *
CVE-2022-27778 (CVSS3: 8.1 HIGH): curl:curl-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27778 *

Removed this week: 16 CVEs
CVE-2022-1210 (CVSS3: 6.5 MEDIUM): tiff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1210 *
CVE-2022-1587 (CVSS3: 9.1 CRITICAL): libpcre2:libpcre2-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1587 *
CVE-2022-1621 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1621 *
CVE-2022-1629 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1629 *
CVE-2022-1674 (CVSS3: 5.5 MEDIUM): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1674 *
CVE-2022-1733 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1733 *
CVE-2022-1735 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1735 *
CVE-2022-1769 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1769 *
CVE-2022-1771 (CVSS3: 5.5 MEDIUM): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1771 *
CVE-2022-1785 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1785 *
CVE-2022-1796 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1796 *
CVE-2022-1851 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1851 *
CVE-2022-1886 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1886 *
CVE-2022-1898 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1898 *
CVE-2022-29458 (CVSS3: 7.1 HIGH): ncurses:ncurses-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29458 *
CVE-2022-29824 (CVSS3: 6.5 MEDIUM): libxslt:libxslt-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29824 *

Full list:  Found 14 unpatched CVEs
CVE-2019-12067 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 *
CVE-2020-18974 (CVSS3: 3.3 LOW): nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 *
CVE-2021-20255 (CVSS3: 5.5 MEDIUM): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 *
CVE-2021-3611 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3611 *
CVE-2021-3750 (CVSS3: 8.2 HIGH): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3750 *
CVE-2022-0529 (CVSS3: 5.5 MEDIUM): unzip:unzip-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0529 *
CVE-2022-0530 (CVSS3: 5.5 MEDIUM): unzip:unzip-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0530 *
CVE-2022-1183 (CVSS3: 7.5 HIGH): bind https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1183 *
CVE-2022-1664 (CVSS3: 9.8 CRITICAL): dpkg https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1664 *
CVE-2022-1927 (CVSS3: 9.8 CRITICAL): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1927 *
CVE-2022-1942 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1942 *
CVE-2022-26691 (CVSS3: 6.7 MEDIUM): cups https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26691 *
CVE-2022-27778 (CVSS3: 8.1 HIGH): curl:curl-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27778 *
CVE-2022-30065 (CVSS3: 7.8 HIGH): busybox https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30065 *

* Re: [OE-core] OE-core CVE metrics for kirkstone on Sun 12 Jun 2022 03:00:01 AM HST
  2022-06-12 13:02 OE-core CVE metrics for kirkstone on Sun 12 Jun 2022 03:00:01 AM HST steve
@ 2022-06-12 15:57 ` Robert Joslyn
  2022-06-12 16:07   ` Steve Sakoman
  0 siblings, 1 reply; 3+ messages in thread
From: Robert Joslyn @ 2022-06-12 15:57 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: OE-core, yocto-security



> On Jun 12, 2022, at 6:02 AM, Steve Sakoman <steve@sakoman.com> wrote:
> 
> Branch: kirkstone
> 
> New this week: 5 CVEs
> CVE-2022-1664 (CVSS3: 9.8 CRITICAL): dpkg https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1664 *
> CVE-2022-1927 (CVSS3: 9.8 CRITICAL): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1927 *
> CVE-2022-1942 (CVSS3: 7.8 HIGH): vim https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1942 *
> CVE-2022-26691 (CVSS3: 6.7 MEDIUM): cups https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26691 *
> CVE-2022-27778 (CVSS3: 8.1 HIGH): curl:curl-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27778 *

CVE-2022-27778 doesn’t apply to the curl versions in kirkstone or dunfell (master already has the fixed version). It looks like the NVD doesn’t quite have the right version ranges based on what the curl developers have published. I’ve sent an email to hopefully get the NVD updated.

Thanks,
Robert


* Re: [OE-core] OE-core CVE metrics for kirkstone on Sun 12 Jun 2022 03:00:01 AM HST
  2022-06-12 15:57 ` [OE-core] " Robert Joslyn
@ 2022-06-12 16:07   ` Steve Sakoman
  0 siblings, 0 replies; 3+ messages in thread
From: Steve Sakoman @ 2022-06-12 16:07 UTC (permalink / raw)
  To: Robert Joslyn; +Cc: OE-core, yocto-security

On Sun, Jun 12, 2022, 5:57 AM Robert Joslyn <robert.joslyn@redrectangle.org>
wrote:

>
>
> > On Jun 12, 2022, at 6:02 AM, Steve Sakoman <steve@sakoman.com> wrote:
> >
> > Branch: kirkstone
> >
> > New this week: 5 CVEs
> > CVE-2022-1664 (CVSS3: 9.8 CRITICAL): dpkg
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1664 *
> > CVE-2022-1927 (CVSS3: 9.8 CRITICAL): vim
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1927 *
> > CVE-2022-1942 (CVSS3: 7.8 HIGH): vim
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1942 *
> > CVE-2022-26691 (CVSS3: 6.7 MEDIUM): cups
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26691 *
> > CVE-2022-27778 (CVSS3: 8.1 HIGH): curl:curl-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27778 *
>
> CVE-2022-27778 doesn’t apply to the curl versions in kirkstone or dunfell
> (master already has the fixed version). It looks like the NVD doesn’t quite
> have the right version ranges based on what the curl developers have
> published. I’ve sent an email to hopefully get the NVD updated.
>

Thanks Robert!

Steve

