OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST

All of lore.kernel.org
 help / color / mirror / Atom feed

* OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST
@ 2021-09-12 15:01 Steve Sakoman
  2021-09-12 15:57 ` [yocto-security] " Richard Purdie
  2021-09-15 16:58 ` [OE-core] " Anuj Mittal
  0 siblings, 2 replies; 10+ messages in thread
From: Steve Sakoman @ 2021-09-12 15:01 UTC (permalink / raw)
  To: openembedded-core, yocto-security

Branch: hardknott

New this week: 0 CVEs

Removed this week: 2 CVEs
CVE-2020-27748: xdg-utils https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 *
CVE-2021-38185: cpio https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38185 *

Full list:  Found 27 unpatched CVEs
CVE-2013-0340: expat:expat-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0340 *
CVE-2019-12067: qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 *
CVE-2019-6293: flex:flex-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6293 *
CVE-2019-6470: bind https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6470 *
CVE-2020-18974: nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 *
CVE-2020-29623: webkitgtk https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29623 *
CVE-2020-35503: qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35503 *
CVE-2021-0129: bluez5 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0129 *
CVE-2021-1765: webkitgtk https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1765 *
CVE-2021-1789: webkitgtk https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1789 *
CVE-2021-1799: webkitgtk https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1799 *
CVE-2021-1801: webkitgtk https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1801 *
CVE-2021-1870: webkitgtk https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1870 *
CVE-2021-20196: qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20196 *
CVE-2021-20255: qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 *
CVE-2021-22922: curl:curl-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22922 *
CVE-2021-22923: curl:curl-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22923 *
CVE-2021-29923: go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29923 *
CVE-2021-31810: ruby:ruby-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31810 *
CVE-2021-31879: wget https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879 *
CVE-2021-32066: ruby:ruby-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32066 *
CVE-2021-3445: libdnf https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3445 *
CVE-2021-3507: qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3507 *
CVE-2021-35331: tcl:tcl-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35331 *
CVE-2021-3682: qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3682 *
CVE-2021-36976: libarchive https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36976 *
CVE-2021-3713: qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3713 *

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [yocto-security] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST
  2021-09-12 15:01 OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST Steve Sakoman
@ 2021-09-12 15:57 ` Richard Purdie
  2021-09-12 16:04   ` Steve Sakoman
       [not found]   ` <16A41EB09718E439.21276@lists.openembedded.org>
  2021-09-15 16:58 ` [OE-core] " Anuj Mittal
  1 sibling, 2 replies; 10+ messages in thread
From: Richard Purdie @ 2021-09-12 15:57 UTC (permalink / raw)
  To: Steve Sakoman, openembedded-core, yocto-security

On Sun, 2021-09-12 at 05:01 -1000, Steve Sakoman wrote:
> Branch: hardknott
> 
> New this week: 0 CVEs
> 
> Removed this week: 2 CVEs
> CVE-2020-27748: xdg-utils https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 *
> CVE-2021-38185: cpio https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38185 *

I'm not sure I believe these numbers as tar CVEs which showed up for dunfell and
master don't show up here. Why? :/

Cheers,

Richard


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [yocto-security] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST
  2021-09-12 15:57 ` [yocto-security] " Richard Purdie
@ 2021-09-12 16:04   ` Steve Sakoman
       [not found]   ` <16A41EB09718E439.21276@lists.openembedded.org>
  1 sibling, 0 replies; 10+ messages in thread
From: Steve Sakoman @ 2021-09-12 16:04 UTC (permalink / raw)
  To: Richard Purdie
  Cc: Patches and discussions about the oe-core layer, yocto-security

[-- Attachment #1: Type: text/plain, Size: 656 bytes --]

On Sun, Sep 12, 2021, 5:57 AM Richard Purdie <
richard.purdie@linuxfoundation.org> wrote:

> On Sun, 2021-09-12 at 05:01 -1000, Steve Sakoman wrote:
> > Branch: hardknott
> >
> > New this week: 0 CVEs
> >
> > Removed this week: 2 CVEs
> > CVE-2020-27748: xdg-utils
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 *
> > CVE-2021-38185: cpio
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38185 *
>
> I'm not sure I believe these numbers as tar CVEs which showed up for
> dunfell and
> master don't show up here. Why? :/
>

Don't know! Will investigate tomorrow.

Steve


> Cheers,
>
> Richard
>
>

[-- Attachment #2: Type: text/html, Size: 1526 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

[parent not found: <16A41EB09718E439.21276@lists.openembedded.org>]

* Re: [OE-core] [yocto-security] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST
       [not found]   ` <16A41EB09718E439.21276@lists.openembedded.org>
@ 2021-09-13 15:19     ` Steve Sakoman
  2021-09-13 17:01       ` Richard Purdie
  0 siblings, 1 reply; 10+ messages in thread
From: Steve Sakoman @ 2021-09-13 15:19 UTC (permalink / raw)
  To: Steve Sakoman
  Cc: Richard Purdie, Patches and discussions about the oe-core layer,
	yocto-security

On Sun, Sep 12, 2021 at 6:05 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
>
>
> On Sun, Sep 12, 2021, 5:57 AM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>>
>> On Sun, 2021-09-12 at 05:01 -1000, Steve Sakoman wrote:
>> > Branch: hardknott
>> >
>> > New this week: 0 CVEs
>> >
>> > Removed this week: 2 CVEs
>> > CVE-2020-27748: xdg-utils https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 *
>> > CVE-2021-38185: cpio https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38185 *
>>
>> I'm not sure I believe these numbers as tar CVEs which showed up for dunfell and
>> master don't show up here. Why? :/
>
>
> Don't know! Will investigate tomorrow.

I re-ran the hardknott report this morning and it now includes the
missing tar cve's (as well as the libsolv, vim, and inetutils cve's we
saw in master/dunfell)

No idea why these weren't in yesterday's report since they were
obviously in the upstream database and appeared in the master and
dunfell runs (and hardknott runs last)

I've seen this kind of thing once or twice in the past and have never
been able to figure out what is going on since it is so intermittent.

Steve

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [OE-core] [yocto-security] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST
  2021-09-13 15:19     ` [OE-core] " Steve Sakoman
@ 2021-09-13 17:01       ` Richard Purdie
  2021-09-13 17:26         ` Steve Sakoman
  0 siblings, 1 reply; 10+ messages in thread
From: Richard Purdie @ 2021-09-13 17:01 UTC (permalink / raw)
  To: Steve Sakoman
  Cc: Patches and discussions about the oe-core layer, yocto-security

On Mon, 2021-09-13 at 05:19 -1000, Steve Sakoman wrote:
> On Sun, Sep 12, 2021 at 6:05 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> > 
> > 
> > 
> > On Sun, Sep 12, 2021, 5:57 AM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> > > 
> > > On Sun, 2021-09-12 at 05:01 -1000, Steve Sakoman wrote:
> > > > Branch: hardknott
> > > > 
> > > > New this week: 0 CVEs
> > > > 
> > > > Removed this week: 2 CVEs
> > > > CVE-2020-27748: xdg-utils https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 *
> > > > CVE-2021-38185: cpio https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38185 *
> > > 
> > > I'm not sure I believe these numbers as tar CVEs which showed up for dunfell and
> > > master don't show up here. Why? :/
> > 
> > 
> > Don't know! Will investigate tomorrow.
> 
> I re-ran the hardknott report this morning and it now includes the
> missing tar cve's (as well as the libsolv, vim, and inetutils cve's we
> saw in master/dunfell)
> 
> No idea why these weren't in yesterday's report since they were
> obviously in the upstream database and appeared in the master and
> dunfell runs (and hardknott runs last)
> 
> I've seen this kind of thing once or twice in the past and have never
> been able to figure out what is going on since it is so intermittent.

I'm not sure how we pull the database but is it possible that there are multiple
upstream servers of that data and we pull from different instances which may not
have all updated to the same data? Would there be any way to investigate/prove
that?

I'm a little worried about the inconsistencies. I'm guessing your builds don't
share a DL_DIR so they'd fetch different CVE databases?

Cheers,

Richard




^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [OE-core] [yocto-security] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST
  2021-09-13 17:01       ` Richard Purdie
@ 2021-09-13 17:26         ` Steve Sakoman
  2021-09-15 11:08           ` Ross Burton
  0 siblings, 1 reply; 10+ messages in thread
From: Steve Sakoman @ 2021-09-13 17:26 UTC (permalink / raw)
  To: Richard Purdie
  Cc: Patches and discussions about the oe-core layer, yocto-security,
	Ross Burton

On Mon, Sep 13, 2021 at 7:01 AM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Mon, 2021-09-13 at 05:19 -1000, Steve Sakoman wrote:
> > On Sun, Sep 12, 2021 at 6:05 AM Steve Sakoman via
> > lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> > wrote:
> > >
> > >
> > >
> > > On Sun, Sep 12, 2021, 5:57 AM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> > > >
> > > > On Sun, 2021-09-12 at 05:01 -1000, Steve Sakoman wrote:
> > > > > Branch: hardknott
> > > > >
> > > > > New this week: 0 CVEs
> > > > >
> > > > > Removed this week: 2 CVEs
> > > > > CVE-2020-27748: xdg-utils https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 *
> > > > > CVE-2021-38185: cpio https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38185 *
> > > >
> > > > I'm not sure I believe these numbers as tar CVEs which showed up for dunfell and
> > > > master don't show up here. Why? :/
> > >
> > >
> > > Don't know! Will investigate tomorrow.
> >
> > I re-ran the hardknott report this morning and it now includes the
> > missing tar cve's (as well as the libsolv, vim, and inetutils cve's we
> > saw in master/dunfell)
> >
> > No idea why these weren't in yesterday's report since they were
> > obviously in the upstream database and appeared in the master and
> > dunfell runs (and hardknott runs last)
> >
> > I've seen this kind of thing once or twice in the past and have never
> > been able to figure out what is going on since it is so intermittent.
>
> I'm not sure how we pull the database but is it possible that there are multiple
> upstream servers of that data and we pull from different instances which may not
> have all updated to the same data? Would there be any way to investigate/prove
> that?

Taking a quick look at the code in cve-update-db-native.bb I see that
database updates can fail with a warning message printed.  So it could
well be that the update failed for some reason, printed the warning,
and then used the old database for the scan. That would explain what
we are seeing.

Perhaps someone who knows the code better can comment (Ross? I see
you've mucked about in this section of the code!)

Unfortunately I didn't enable cron logging on the machine that does
the reports, but I will enable that now so that I can examine the cron
output if this happens in the future.

> I'm a little worried about the inconsistencies. I'm guessing your builds don't
> share a DL_DIR so they'd fetch different CVE databases?

Correct -- I use a separate DL_DIR for each branch.

Steve

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [OE-core] [yocto-security] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST
  2021-09-13 17:26         ` Steve Sakoman
@ 2021-09-15 11:08           ` Ross Burton
  2021-09-15 14:09             ` Steve Sakoman
  0 siblings, 1 reply; 10+ messages in thread
From: Ross Burton @ 2021-09-15 11:08 UTC (permalink / raw)
  To: Steve Sakoman
  Cc: Richard Purdie, Patches and discussions about the oe-core layer,
	yocto-security

On Mon, 13 Sept 2021 at 18:26, Steve Sakoman <steve@sakoman.com> wrote:

> Taking a quick look at the code in cve-update-db-native.bb I see that
> database updates can fail with a warning message printed.  So it could
> well be that the update failed for some reason, printed the warning,
> and then used the old database for the scan. That would explain what
> we are seeing.
>
> Perhaps someone who knows the code better can comment (Ross? I see
> you've mucked about in this section of the code!)
>
> Unfortunately I didn't enable cron logging on the machine that does
> the reports, but I will enable that now so that I can examine the cron
> output if this happens in the future.

That's indeed a good hypothesis, and having the log to hand would be
useful.  If you don't delete the tmpdir after the event then the
console logs will be available in there still.

A hunch is that if you have all three jobs running at once, they might
be rejecting some of your connections.  Maybe stagger the runs by ten
minutes?

Ross

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [OE-core] [yocto-security] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST
  2021-09-15 11:08           ` Ross Burton
@ 2021-09-15 14:09             ` Steve Sakoman
  0 siblings, 0 replies; 10+ messages in thread
From: Steve Sakoman @ 2021-09-15 14:09 UTC (permalink / raw)
  To: Ross Burton
  Cc: Richard Purdie, Patches and discussions about the oe-core layer,
	yocto-security

On Wed, Sep 15, 2021 at 1:08 AM Ross Burton <ross@burtonini.com> wrote:
>
> On Mon, 13 Sept 2021 at 18:26, Steve Sakoman <steve@sakoman.com> wrote:
>
> > Taking a quick look at the code in cve-update-db-native.bb I see that
> > database updates can fail with a warning message printed.  So it could
> > well be that the update failed for some reason, printed the warning,
> > and then used the old database for the scan. That would explain what
> > we are seeing.
> >
> > Perhaps someone who knows the code better can comment (Ross? I see
> > you've mucked about in this section of the code!)
> >
> > Unfortunately I didn't enable cron logging on the machine that does
> > the reports, but I will enable that now so that I can examine the cron
> > output if this happens in the future.
>
> That's indeed a good hypothesis, and having the log to hand would be
> useful.  If you don't delete the tmpdir after the event then the
> console logs will be available in there still.

You are my hero Ross :-)  I should have thought to look in tmpdir,
harknott was the last to run so the log was still there:

DEBUG: Executing python function do_fetch
DEBUG: Updating 2002
WARNING: Failed to fetch CVE data (Service Unavailable)
DEBUG: Python function do_fetch finished

So my hypothesis was indeed correct.

> A hunch is that if you have all three jobs running at once, they might
> be rejecting some of your connections.  Maybe stagger the runs by ten
> minutes?

 I stagger them by 30 minutes, so we should be good unless they are
really picky!

Steve

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [OE-core] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST
  2021-09-12 15:01 OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST Steve Sakoman
  2021-09-12 15:57 ` [yocto-security] " Richard Purdie
@ 2021-09-15 16:58 ` Anuj Mittal
  2021-09-15 17:03   ` Steve Sakoman
  1 sibling, 1 reply; 10+ messages in thread
From: Anuj Mittal @ 2021-09-15 16:58 UTC (permalink / raw)
  To: openembedded-core, steve, yocto-security

Can we also set commercial flag while generating this list so recipes
like ffmpeg are also picked up?

Thanks,

Anuj

On Sun, 2021-09-12 at 05:01 -1000, Steve Sakoman wrote:
> Branch: hardknott
> 
> New this week: 0 CVEs
> 
> Removed this week: 2 CVEs
> CVE-2020-27748: xdg-utils
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 *
> CVE-2021-38185: cpio
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38185 *
> 
> Full list:  Found 27 unpatched CVEs
> CVE-2013-0340: expat:expat-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0340 *
> CVE-2019-12067: qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 *
> CVE-2019-6293: flex:flex-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6293 *
> CVE-2019-6470: bind
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6470 *
> CVE-2020-18974: nasm:nasm-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 *
> CVE-2020-29623: webkitgtk
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29623 *
> CVE-2020-35503: qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35503 *
> CVE-2021-0129: bluez5
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0129 *
> CVE-2021-1765: webkitgtk
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1765 *
> CVE-2021-1789: webkitgtk
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1789 *
> CVE-2021-1799: webkitgtk
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1799 *
> CVE-2021-1801: webkitgtk
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1801 *
> CVE-2021-1870: webkitgtk
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1870 *
> CVE-2021-20196: qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20196 *
> CVE-2021-20255: qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 *
> CVE-2021-22922: curl:curl-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22922 *
> CVE-2021-22923: curl:curl-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22923 *
> CVE-2021-29923: go
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29923 *
> CVE-2021-31810: ruby:ruby-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31810 *
> CVE-2021-31879: wget
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879 *
> CVE-2021-32066: ruby:ruby-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32066 *
> CVE-2021-3445: libdnf
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3445 *
> CVE-2021-3507: qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3507 *
> CVE-2021-35331: tcl:tcl-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35331 *
> CVE-2021-3682: qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3682 *
> CVE-2021-36976: libarchive
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36976 *
> CVE-2021-3713: qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3713 *
> 
> 
> 


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [OE-core] OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST
  2021-09-15 16:58 ` [OE-core] " Anuj Mittal
@ 2021-09-15 17:03   ` Steve Sakoman
  0 siblings, 0 replies; 10+ messages in thread
From: Steve Sakoman @ 2021-09-15 17:03 UTC (permalink / raw)
  To: Anuj Mittal; +Cc: openembedded-core, yocto-security

On Wed, Sep 15, 2021 at 6:59 AM Anuj Mittal <anuj.mittal@intel.com> wrote:
>
> Can we also set commercial flag while generating this list so recipes
> like ffmpeg are also picked up?

Yes, I can do that.

Steve

>
> Thanks,
>
> Anuj
>
> On Sun, 2021-09-12 at 05:01 -1000, Steve Sakoman wrote:
> > Branch: hardknott
> >
> > New this week: 0 CVEs
> >
> > Removed this week: 2 CVEs
> > CVE-2020-27748: xdg-utils
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 *
> > CVE-2021-38185: cpio
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38185 *
> >
> > Full list:  Found 27 unpatched CVEs
> > CVE-2013-0340: expat:expat-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0340 *
> > CVE-2019-12067: qemu:qemu-native:qemu-system-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 *
> > CVE-2019-6293: flex:flex-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6293 *
> > CVE-2019-6470: bind
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6470 *
> > CVE-2020-18974: nasm:nasm-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974 *
> > CVE-2020-29623: webkitgtk
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29623 *
> > CVE-2020-35503: qemu:qemu-native:qemu-system-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35503 *
> > CVE-2021-0129: bluez5
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0129 *
> > CVE-2021-1765: webkitgtk
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1765 *
> > CVE-2021-1789: webkitgtk
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1789 *
> > CVE-2021-1799: webkitgtk
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1799 *
> > CVE-2021-1801: webkitgtk
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1801 *
> > CVE-2021-1870: webkitgtk
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1870 *
> > CVE-2021-20196: qemu:qemu-native:qemu-system-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20196 *
> > CVE-2021-20255: qemu:qemu-native:qemu-system-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 *
> > CVE-2021-22922: curl:curl-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22922 *
> > CVE-2021-22923: curl:curl-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22923 *
> > CVE-2021-29923: go
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29923 *
> > CVE-2021-31810: ruby:ruby-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31810 *
> > CVE-2021-31879: wget
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879 *
> > CVE-2021-32066: ruby:ruby-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32066 *
> > CVE-2021-3445: libdnf
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3445 *
> > CVE-2021-3507: qemu:qemu-native:qemu-system-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3507 *
> > CVE-2021-35331: tcl:tcl-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35331 *
> > CVE-2021-3682: qemu:qemu-native:qemu-system-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3682 *
> > CVE-2021-36976: libarchive
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36976 *
> > CVE-2021-3713: qemu:qemu-native:qemu-system-native
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3713 *
> >
> >
> >
>
>
> 
>

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2021-09-15 17:03 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-12 15:01 OE-core CVE metrics for hardknott on Sun 12 Sep 2021 05:00:01 AM HST Steve Sakoman
2021-09-12 15:57 ` [yocto-security] " Richard Purdie
2021-09-12 16:04   ` Steve Sakoman
     [not found]   ` <16A41EB09718E439.21276@lists.openembedded.org>
2021-09-13 15:19     ` [OE-core] " Steve Sakoman
2021-09-13 17:01       ` Richard Purdie
2021-09-13 17:26         ` Steve Sakoman
2021-09-15 11:08           ` Ross Burton
2021-09-15 14:09             ` Steve Sakoman
2021-09-15 16:58 ` [OE-core] " Anuj Mittal
2021-09-15 17:03   ` Steve Sakoman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.