From: Steve Sakoman <steve@sakoman.com>
To: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: openembedded-core@lists.openembedded.org,
	yocto-security@lists.yoctoproject.org
Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 10 Apr 2022 02:00:01 AM HST
Date: Tue, 12 Apr 2022 04:23:15 -1000
Message-ID: <CAOSpxdaP=67srs9_a2C_6o2ySZ8W9w4f8FXR1qdMkm3_0Z2oaQ@mail.gmail.com>
In-Reply-To: <e6b5684ec20a4c5c0cca18a5c443c28dfe15c69d.camel@linuxfoundation.org>

On Tue, Apr 12, 2022 at 12:52 AM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> I thought I'd update on a quick check through the status of the CVEs this is
> reporting for master/kirkstone.
>
> On Sun, 2022-04-10 at 02:02 -1000, Steve Sakoman wrote:
> > Branch: master
> >
> > Full list:  Found 12 unpatched CVEs
> > CVE-2019-1010238 (CVSS3: 9.8 CRITICAL): pango:pango-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010238 *
>
> Steve is questioning the version restrictions on this; we don't think it applies
> to us.

After a little back and forth it appears that they will be updating
the CVE affected versions this week.  So this CVE should no longer be
an issue for master and dunfell.

Steve

> > CVE-2019-12067 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 *
>
> No movement upstream, not a priority for qemu maintainers.
>
> > CVE-2020-18974 (CVSS3: 3.3 LOW): nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 *
> > CVE-2021-20255 (CVSS3: 5.5 MEDIUM): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 *
>
> No movement upstream, not a priority for qemu maintainers.
>
> > CVE-2021-44647 (CVSS3: 5.5 MEDIUM): lua:lua-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44647 *
>
> I believe this is fixed in lua 5.4.4, have requested a version restriction on
> the CVE.
>
> > CVE-2022-0529 (CVSS3: 7.8 HIGH): unzip:unzip-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0529 *
> > CVE-2022-0530 (CVSS3: 7.8 HIGH): unzip:unzip-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0530 *
>
> RH bugs are restricted, no public patches to fix, not much we can do.
>
> > CVE-2022-1050 (CVSS3: 8.8 HIGH): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1050 *
>
> Have sent a patch for this.
>
> > CVE-2022-1056 (CVSS3: 5.5 MEDIUM): tiff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1056 *
>
> Already fixed by patches we apply, have sent an update for our metadata.
>
> > CVE-2022-24975 (CVSS3: 7.5 HIGH): git https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24975 *
>
> This issue isn't particularly relevant to us, sent an ignore for it.
>
> > CVE-2022-26280 (CVSS3: 9.1 CRITICAL): libarchive:libarchive-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26280 *
>
> Have merged an upgrade for this containing the fix.
>
> > CVE-2022-27191 (CVSS3: 7.5 HIGH): go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27191 *
>
> No patches for 1.17.X and upgrading to 1.18 not an option for kirkstone.
>
> Cheers,
>
> Richard
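The thread above resolves cve-check "unpatched" entries in three ways: a backported patch whose header carries a `CVE:` tag (the tiff case), an ignore entry for a CVE that does not apply to the build (the git case), and a corrected affected-version range from NVD or a version upgrade (the pango and lua cases). The script below is an added example, not the cve-check class from OE-core and not code from either poster; it re-implements that triage in simplified form over the report lines quoted above. The recipe versions, patch headers and NVD version ranges it uses are constructed sample data, and the `CVE_CHECK_IGNORE` set mirrors the kirkstone-era variable of that name.

```python
"""Simplified triage of OE-core cve-check report lines (added example).

Not the OE-core cve-check class. It models three ways a reported CVE is
closed out in the thread:
  * a patch in the recipe whose header has a "CVE: CVE-YYYY-NNNN" tag
  * an entry in the recipe's CVE_CHECK_IGNORE set
  * the recipe version falling outside the NVD affected range
All recipe metadata and version ranges below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Report line format as quoted in the thread:
# CVE-2022-1056 (CVSS3: 5.5 MEDIUM): tiff https://web.nvd.nist.gov/... *
REPORT_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,})\s+\(CVSS3:\s*([\d.]+)\s+(\w+)\):\s+(\S+)\s+(\S+)")

# "CVE:" tag line in a patch header; several ids may share one line.
CVE_TAG_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,}(?:\s+CVE-\d{4}-\d{4,})*)", re.M)


@dataclass
class Recipe:
    pn: str
    pv: str
    patch_headers: list = field(default_factory=list)   # constructed header text
    cve_check_ignore: set = field(default_factory=set)  # like CVE_CHECK_IGNORE


def parse_report_line(line):
    """Return a dict for one report line, or None if it is not a CVE line."""
    m = REPORT_RE.match(line.strip())
    if not m:
        return None
    cve, score, severity, products, url = m.groups()
    # "qemu:qemu-native:qemu-system-native": the first component is the recipe.
    return {"cve": cve, "score": float(score), "severity": severity,
            "recipe": products.split(":")[0], "url": url}


def cves_from_patch_header(text):
    """Collect every CVE id named on 'CVE:' tag lines of a patch header."""
    found = set()
    for m in CVE_TAG_RE.finditer(text):
        found.update(m.group(1).split())
    return found


def vtuple(v):
    """Numeric version tuple, e.g. '1.50.0' -> (1, 50, 0)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_affected(pv, rng):
    """rng keys mirror NVD CPE match fields; a missing bound is unbounded."""
    v = vtuple(pv)
    if "versionStartIncluding" in rng and v < vtuple(rng["versionStartIncluding"]):
        return False
    if "versionEndExcluding" in rng and v >= vtuple(rng["versionEndExcluding"]):
        return False
    if "versionEndIncluding" in rng and v > vtuple(rng["versionEndIncluding"]):
        return False
    return True


def triage(report_lines, recipes, nvd_ranges):
    """Map each reported CVE to Patched / Ignored / Not affected / Unpatched."""
    results = {}
    for line in report_lines:
        entry = parse_report_line(line)
        if entry is None:
            continue
        cve, recipe = entry["cve"], recipes.get(entry["recipe"])
        status = "Unpatched"
        if recipe is not None:
            patched = set()
            for header in recipe.patch_headers:
                patched |= cves_from_patch_header(header)
            if cve in patched:
                status = "Patched"
            elif cve in recipe.cve_check_ignore:
                status = "Ignored"
            elif cve in nvd_ranges and not version_affected(recipe.pv, nvd_ranges[cve]):
                status = "Not affected (version)"
        results[cve] = status
    return results


# Report lines taken from the thread (trailing " *" included as printed).
REPORT = [
    "CVE-2019-1010238 (CVSS3: 9.8 CRITICAL): pango:pango-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010238 *",
    "CVE-2021-44647 (CVSS3: 5.5 MEDIUM): lua:lua-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44647 *",
    "CVE-2022-1050 (CVSS3: 8.8 HIGH): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1050 *",
    "CVE-2022-1056 (CVSS3: 5.5 MEDIUM): tiff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1056 *",
    "CVE-2022-24975 (CVSS3: 7.5 HIGH): git https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24975 *",
]

# Constructed recipe metadata: versions, patch header and ignore list are samples.
RECIPES = {
    "tiff": Recipe("tiff", "4.3.0", patch_headers=[
        "From: example <dev@example.invalid>\nCVE: CVE-2022-1056\nUpstream-Status: Backport\n"]),
    "git": Recipe("git", "2.35.1", cve_check_ignore={"CVE-2022-24975"}),
    "pango": Recipe("pango", "1.50.0"),
    "lua": Recipe("lua", "5.4.4"),
}

# Constructed ranges standing in for corrected NVD entries (bound is a sample).
NVD_RANGES = {
    "CVE-2019-1010238": {"versionEndExcluding": "1.44.1"},
    "CVE-2021-44647": {"versionEndExcluding": "5.4.4"},
}


def run_example():
    return triage(REPORT, RECIPES, NVD_RANGES)


if __name__ == "__main__":
    for cve, status in run_example().items():
        print(f"{cve}: {status}")
```

Only the qemu entry stays "Unpatched" in this sample run, matching the thread's state where a fix had been sent but not yet merged; the other four are closed by the metadata path each poster describes.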


Thread overview: 3+ messages
2022-04-10 12:02 OE-core CVE metrics for master on Sun 10 Apr 2022 02:00:01 AM HST steve
2022-04-12 10:52 ` [yocto-security] " Richard Purdie
2022-04-12 14:23   ` Steve Sakoman [this message]