Subject: OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
From: Steve Sakoman @ 2021-01-24 17:18 UTC
To: steve, openembedded-core, yocto-security

Branch: master

New this week:
CVE-2013-0800: pixman https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
CVE-2019-1543: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1543 *
CVE-2019-1547: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1547 *
CVE-2019-1549: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1549 *
CVE-2019-1551: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1551 *
CVE-2019-1552: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1552 *
CVE-2019-1563: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1563 *
CVE-2020-14409: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14409 *
CVE-2020-14410: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14410 *
CVE-2020-1967: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1967 *
CVE-2020-1971: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1971 *

Removed this week:
CVE-2013-0800: cairo https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
CVE-2020-1752: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1752 *
CVE-2020-29361: p11-kit https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29361 *
CVE-2020-29362: p11-kit https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29362 *
CVE-2020-29363: p11-kit https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29363 *
CVE-2021-23240: sudo https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23240 *

Full list: Found 59 unpatched CVEs
CVE-2000-0006: strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 *
CVE-2000-0803: groff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803 *
CVE-2005-0238: epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238 *
CVE-2007-0998: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0998 *
CVE-2007-2379: jquery https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2379 *
CVE-2007-2768: openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2768 *
CVE-2007-4476: tar https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4476 *
CVE-2008-0888: unzip https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0888 *
CVE-2008-3188: libxcrypt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3188 *
CVE-2008-3844: openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3844 *
CVE-2008-4178: builder https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4178 *
CVE-2008-4539: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4539 *
CVE-2010-4226: cpio https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4226 *
CVE-2010-4756: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756 *
CVE-2011-1548: logrotate https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1548 *
CVE-2011-1549: logrotate https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1549 *
CVE-2011-1550: logrotate https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1550 *
CVE-2013-0221: coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0221 *
CVE-2013-0222: coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0222 *
CVE-2013-0223: coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0223 *
CVE-2013-0800: pixman https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
CVE-2013-4235: shadow-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4235 *
CVE-2013-4342: xinetd https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4342 *
CVE-2013-6629: ghostscript https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6629 *
CVE-2013-7381: libnotify https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7381 *
CVE-2015-7313: tiff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7313 *
CVE-2016-2781: coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2781 *
CVE-2016-6328: libexif https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6328 *
CVE-2017-3139: bind https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3139 *
CVE-2017-5957: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5957 *
CVE-2018-1000041: librsvg https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000041 *
CVE-2018-12433: libgcrypt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12433 *
CVE-2018-12437: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12437 *
CVE-2018-12438: libgcrypt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12438 *
CVE-2018-18438: qemu https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18438 *
CVE-2019-1010022: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022 *
CVE-2019-1010023: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023 *
CVE-2019-1010024: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 *
CVE-2019-1010025: glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 *
CVE-2019-14865: grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14865 *
CVE-2019-1543: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1543 *
CVE-2019-1547: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1547 *
CVE-2019-1549: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1549 *
CVE-2019-1551: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1551 *
CVE-2019-1552: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1552 *
CVE-2019-1563: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1563 *
CVE-2019-6293: flex-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6293 *
CVE-2019-6470: bind https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6470 *
CVE-2020-12351: bluez5 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12351 *
CVE-2020-12352: bluez5 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12352 *
CVE-2020-12825: libcroco https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12825 *
CVE-2020-14409: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14409 *
CVE-2020-14410: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14410 *
CVE-2020-15705: grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 *
CVE-2020-1967: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1967 *
CVE-2020-1971: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1971 *
CVE-2020-29509: go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509 *
CVE-2020-29511: go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511 *
CVE-2020-3810: apt https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3810 *
Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
From: Richard Purdie @ 2021-01-24 23:20 UTC
To: Steve Sakoman, openembedded-core, yocto-security
Cc: Lee Chee Yang

On Sun, 2021-01-24 at 07:18 -1000, Steve Sakoman wrote:
> Branch: master
>
> New this week:
> CVE-2013-0800: pixman https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0800 *
> CVE-2019-1543: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1543 *
> CVE-2019-1547: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1547 *
> CVE-2019-1549: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1549 *
> CVE-2019-1551: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1551 *
> CVE-2019-1552: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1552 *
> CVE-2019-1563: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1563 *
> CVE-2020-14409: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14409 *
> CVE-2020-14410: libsdl2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14410 *
> CVE-2020-1967: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1967 *
> CVE-2020-1971: openssl https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1971 *

Adding Chee Yang, did the recent cve-check change mean some version
comparisons regressed and exposed CVEs that shouldn't be in this list, or
were we making some we need to fix? Or did some other change expose these?

Cheers,

Richard
Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
From: Lee Chee Yang @ 2021-01-25 2:39 UTC
To: Richard Purdie, Steve Sakoman, openembedded-core, yocto-security

The changes expose these; it ignored the trailing character in this version compare ("i" in this case for openssl_1.1.1i).
(CVE-2019-1543, CVE-2019-1547, CVE-2019-1549, CVE-2019-1551, CVE-2019-1552, CVE-2019-1563, CVE-2020-1967, CVE-2020-1971)
behave this way because it's difficult to define the trailing characters (like version 1.1b can be 1.1 beta or patched release 1.1b).

NVD just updated these recently:
CVE-2013-0800, CVE-2020-14409, CVE-2020-14410

>-----Original Message-----
>From: Richard Purdie <richard.purdie@linuxfoundation.org>
>Sent: Monday, 25 January, 2021 7:21 AM
>To: Steve Sakoman <steve@sakoman.com>; openembedded-core@lists.openembedded.org; yocto-security@lists.yoctoproject.org
>Cc: Lee, Chee Yang <chee.yang.lee@intel.com>
>Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
>
>Adding Chee Yang, did the recent cve-check change mean some version
>comparisons regressed and exposed CVEs that shouldn't be in this list, or were we
>making some we need to fix? Or did some other change expose these?
>
>Cheers,
>
>Richard
Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
From: Richard Purdie @ 2021-01-25 22:10 UTC
To: Lee, Chee Yang, Steve Sakoman, openembedded-core, yocto-security

I'm not sure it's working. For example:

https://nvd.nist.gov/vuln/detail/CVE-2019-1543

which says it applies to:

1.1.0 to 1.1.0j
and
1.1.1 to 1.1.1b

Master has 1.1.1i which is greater than 1.1.1b so we shouldn't be shown as at risk
yet the CVE is listed.

Cheers,

Richard

On Mon, 2021-01-25 at 02:39 +0000, Lee, Chee Yang wrote:
> The changes expose these; it ignored the trailing character in this version compare ("i" in this case for openssl_1.1.1i).
> (CVE-2019-1543, CVE-2019-1547, CVE-2019-1549, CVE-2019-1551, CVE-2019-1552, CVE-2019-1563, CVE-2020-1967, CVE-2020-1971)
> behave this way because it's difficult to define the trailing characters (like version 1.1b can be 1.1 beta or patched release 1.1b).
>
> NVD just updated these recently:
> CVE-2013-0800, CVE-2020-14409, CVE-2020-14410
Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
From: Lee Chee Yang @ 2021-01-26 3:54 UTC
To: Richard Purdie, Steve Sakoman, openembedded-core, yocto-security

For this case the new changes only consider 1.1.1 from both 1.1.1i and 1.1.1b, and do not take the trailing "i" and "b" when comparing them, so these 2 versions are treated as the same version (1.1.1) when comparing them.

I expected this, although knowing that comparing versions in this way can falsely report more CVEs, but this can capture some corner cases.

>-----Original Message-----
>From: Richard Purdie <richard.purdie@linuxfoundation.org>
>Sent: Tuesday, 26 January, 2021 6:10 AM
>To: Lee, Chee Yang <chee.yang.lee@intel.com>; Steve Sakoman <steve@sakoman.com>; openembedded-core@lists.openembedded.org; yocto-security@lists.yoctoproject.org
>Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
>
>I'm not sure it's working. For example:
>
>https://nvd.nist.gov/vuln/detail/CVE-2019-1543
>
>which says it applies to:
>
>1.1.0 to 1.1.0j
>and
>1.1.1 to 1.1.1b
>
>Master has 1.1.1i which is greater than 1.1.1b so we shouldn't be shown as at risk
>yet the CVE is listed.
>
>Cheers,
>
>Richard
Subject: Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
From: Ross Burton @ 2021-01-26 9:54 UTC
To: Lee Chee Yang
Cc: Richard Purdie, Steve Sakoman, openembedded-core, yocto-security

Versions using a single character for patch level aren't rare, and OpenSSL is high impact. Can we special case these in the parser?

Ross

On Tue, 26 Jan 2021 at 03:55, Lee Chee Yang <chee.yang.lee@intel.com> wrote:
> For this case the new changes only consider 1.1.1 from both 1.1.1i and
> 1.1.1b, and do not take the trailing "i" and "b" when comparing them, so
> these 2 versions are treated as the same version (1.1.1) when comparing them.
>
> I expected this, although knowing that comparing versions in this way can
> falsely report more CVEs, but this can capture some corner cases.
Subject: Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
From: Lee Chee Yang @ 2021-01-26 16:19 UTC
To: Ross Burton
Cc: Richard Purdie, Steve Sakoman, openembedded-core, yocto-security

A variable in the recipe to indicate the character as patch level? Like CVE_VERSION_SUFFIX in "alphabetical", so the parser understands the last alphabetical character as a patched release.

From: Ross Burton <ross@burtonini.com>
Sent: Tuesday, 26 January, 2021 5:54 PM
To: Lee, Chee Yang <chee.yang.lee@intel.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>; Steve Sakoman <steve@sakoman.com>; openembedded-core@lists.openembedded.org; yocto-security@lists.yoctoproject.org
Subject: Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST

Versions using a single character for patch level aren't rare, and OpenSSL is high impact. Can we special case these in the parser?

Ross
Subject: Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 24 Jan 2021 07:15:01 AM HST
From: Richard Purdie @ 2021-01-26 16:55 UTC
To: Lee, Chee Yang, Ross Burton
Cc: Steve Sakoman, openembedded-core, yocto-security

On Tue, 2021-01-26 at 16:19 +0000, Lee, Chee Yang wrote:
> A variable in the recipe to indicate the character as patch level?
> Like CVE_VERSION_SUFFIX in "alphabetical", so the parser understands
> the last alphabetical character as a patched release.

Something like that could work. We really need to handle openssl versioning in particular so we need to do something (or revert the change if we can't fix it).

Cheers,

Richard
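As an added illustration of the comparison problem discussed above (this is example code written for this page, not OE-core's cve-check implementation and not code from anyone in the thread): a small Python version comparison that reproduces the false positive Chee Yang describes, where trailing letters are dropped so 1.1.1i and 1.1.1b both collapse to 1.1.1, beside the "alphabetical" treatment proposed for CVE_VERSION_SUFFIX, under which the trailing letter is a patch level and 1.1.1i sorts above 1.1.1b. It also shows the opposite "beta" reading of 1.1b that Chee Yang gives as the reason a blanket rule is hard. The affected ranges for CVE-2019-1543 are the ones Richard quoted from NVD; the function names, the suffix_mode parameter and the "prerelease" mode are assumptions made for this example only.

```python
"""Version range checks with an explicit policy for trailing letters.

Example code for this thread, not OE-core's cve-check.  The CVE-2019-1543
ranges are the ones quoted from NVD in the thread (1.1.0 to 1.1.0j and
1.1.1 to 1.1.1b); the function names and the "prerelease" mode are assumed.
"""
import re
from typing import List, Optional, Tuple

# "1.1.1i" -> numeric part "1.1.1", letter suffix "i".  Multi-letter suffixes
# are accepted too; plain string comparison orders "z" < "za", which is how
# such suffixes are used in practice.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]+)?$")

VersionKey = Tuple[Tuple[int, ...], int, str]


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split a version string into numeric components and trailing letters."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2) or ""


def version_key(version: str, suffix_mode: Optional[str] = None) -> VersionKey:
    """Return a tuple that sorts versions according to suffix_mode.

    None           - trailing letters are dropped, so 1.1.1i == 1.1.1b == 1.1.1.
                     This is the behaviour the thread says produced the false positives.
    "alphabetical" - trailing letters are a patch level: 1.1.1 < 1.1.1a < ... < 1.1.1i
                     (the CVE_VERSION_SUFFIX value proposed in the thread).
    "prerelease"   - trailing letters mark a pre-release, so 1.1b < 1.1.  Assumed here
                     only to show why one rule cannot fit every project.
    Numeric parts of different length compare lexicographically (1.1 sorts just
    before 1.1.0), which is good enough for the inclusive range checks below.
    """
    numbers, letters = parse_version(version)
    if suffix_mode is None:
        return numbers, 0, ""
    if suffix_mode == "alphabetical":
        return numbers, (1 if letters else 0), letters
    if suffix_mode == "prerelease":
        return numbers, (0 if letters else 1), letters
    raise ValueError(f"unknown suffix mode: {suffix_mode!r}")


def in_range(version: str, start: str, end: str, suffix_mode: Optional[str] = None) -> bool:
    """True if start <= version <= end, both ends inclusive as NVD states them."""
    key = version_key(version, suffix_mode)
    return version_key(start, suffix_mode) <= key <= version_key(end, suffix_mode)


def cve_applies(version: str, ranges: List[Tuple[str, str]],
                suffix_mode: Optional[str] = None) -> bool:
    """True if the package version falls inside any affected range of the CVE."""
    return any(in_range(version, lo, hi, suffix_mode) for lo, hi in ranges)


# Affected ranges for CVE-2019-1543 as quoted from NVD in the thread.
CVE_2019_1543_RANGES = [("1.1.0", "1.1.0j"), ("1.1.1", "1.1.1b")]


def report(version: str = "1.1.1i") -> dict:
    """Classify the openssl version in master under each suffix policy."""
    return {
        (mode or "ignored"): cve_applies(version, CVE_2019_1543_RANGES, mode)
        for mode in (None, "alphabetical")
    }


if __name__ == "__main__":
    for mode, flagged in report().items():
        state = "reported" if flagged else "not reported"
        print(f"suffix {mode:12s}: CVE-2019-1543 {state} for openssl 1.1.1i")
    # The ambiguity Chee Yang describes: the same string, two legitimate readings.
    print("1.1b > 1.1 as a patch release:",
          version_key("1.1b", "alphabetical") > version_key("1.1", "alphabetical"))
    print("1.1b < 1.1 as a beta:         ",
          version_key("1.1b", "prerelease") < version_key("1.1", "prerelease"))
```

With the suffix ignored the check reports CVE-2019-1543 against 1.1.1i, which is the false positive in the metrics mail; with the alphabetical policy it does not, while 1.1.1, 1.1.1a and 1.1.1b still match. The trade-off the thread is weighing is visible in the two last lines: dropping the suffix errs toward false positives, which a reviewer can dismiss, whereas picking the wrong reading of the suffix for a project can hide a vulnerable version, which is why a per-recipe setting rather than a global rule is the safer design.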