User:RossBurton/CVE: Difference between revisions
RossBurton (talk | contribs) No edit summary |
Anuj Mittal (talk | contribs) No edit summary |
||
Line 67: | Line 67: | ||
CHA: Link to upstream patch in [https://bugzilla.redhat.com/show_bug.cgi?id=1511411#c0 Red Hat bug report]. This fixes [https://bugzilla.samba.org/show_bug.cgi?id=13112 upstream bug report] which doesn't have CVE number. | CHA: Link to upstream patch in [https://bugzilla.redhat.com/show_bug.cgi?id=1511411#c0 Red Hat bug report]. This fixes [https://bugzilla.samba.org/show_bug.cgi?id=13112 upstream bug report] which doesn't have CVE number. | ||
* subversion-1.12.0-r0 do_cve_check: Found unpatched CVE (CVE-2017-1000085 CVE-2018-1000111) | * subversion-1.12.0-r0 do_cve_check: Found unpatched CVE (<s>CVE-2017-1000085 CVE-2018-1000111</s>) | ||
These are for Jenkins subversion plugin. | |||
* tiff-4.0.10-r0 do_cve_check: Found unpatched CVE (<s>CVE-2019-6128 CVE-2019-7663</s>) | * tiff-4.0.10-r0 do_cve_check: Found unpatched CVE (<s>CVE-2019-6128 CVE-2019-7663</s>) | ||
Revision as of 00:46, 17 July 2019
- apt-1.2.31-r0 do_cve_check: Found unpatched CVE (CVE-2019-3462)
- binutils-2.32.0-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000876 CVE-2019-12972 CVE-2019-9070 CVE-2019-9071
CVE-2019-9072 CVE-2019-9073)
CVE-2019-9072 CVE-2019-9073 can be ignored as per bug comments. We have CVE-2018-1000876 in master/warrior - should probably be backported to thud. CVE-2019-9070 is gcc fix for which is in master. Patches for CVE-2019-9071 and CVE-2019-12972 on list.
- boost-1.69.0-r0 do_cve_check: Found unpatched CVE (
CVE-2009-3654)
3654 is a different Boost.
- curl-7.65.1-r0 do_cve_check: Found unpatched CVE (
CVE-2019-5443)
5443 is a Windows-specific issue.
- db-1_5.3.28-r1 do_cve_check: Found unpatched CVE (CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2017-3604 CVE-2017-3605 CVE-2017-3606 CVE-2017-3607 CVE-2017-3608 CVE-2017-3609 CVE-2017-3610 CVE-2017-3611 CVE-2017-3612 CVE-2017-3613 CVE-2017-3614 CVE-2017-3615 CVE-2017-3616 CVE-2017-3617)
I think for db we'll just have to watch Fedora/RHEL, as some of these are probably in db6 only, or the fix isn't backportable.
- ed-1.15-r0 do_cve_check: Found unpatched CVE (
CVE-2015-2987)
2987 isnt GNU ed.
- flex-2.6.0-r0 do_cve_check: Found unpatched CVE (
CVE-2015-1773)
1773 isn't GNU Flex. Need improvement to cve-check class to compare Vendor.
- git-2.22.0-r0 do_cve_check: Found unpatched CVE (
CVE-2018-1000110 CVE-2018-1000182 CVE-2019-1003010)
These are for Jenkins git plugin.
- glib-2.0-1_2.60.4-r0 do_cve_check: Found unpatched CVE (
CVE-2019-12450)
Bad CPE, was fixed in 2.60.4.
- glibc-2.29-r0 do_cve_check: Found unpatched CVE (CVE-2018-20796 CVE-2019-9192)
- gnupg-2.2.16-r0 do_cve_check: Found unpatched CVE (
CVE-2019-13050)
Fixed in master
- go-1.12.6-r0 do_cve_check: Found unpatched CVE (CVE-2018-17075 CVE-2018-17142 CVE-2018-17143 CVE-2018-17846 CVE-2018-17847 CVE-2018-17848)
- libgcrypt-1.8.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-12904)
- libid3tag-0.15.1b-r7 do_cve_check: Found unpatched CVE (CVE-2017-11550 CVE-2017-11551)
11550 is patched in mut, 11551 is the same as an existing patched CVE (fixed in mut).
- librsvg-2.40.20-r0 do_cve_check: Found unpatched CVE (
CVE-2018-1000041)
Windows-specific.
- libsndfile1-1.0.28-r0 do_cve_check: Found unpatched CVE (
CVE-2018-13419)
Just a memory leak that nobody else can replicate. Ignore.
- libtasn1-4.13-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000654)
Upstream merge request from suse
- libxslt-1.1.33-r0 do_cve_check: Found unpatched CVE (
CVE-2019-13117 CVE-2019-13118)
Fixed in master.
- mdadm-4.1-r0 do_cve_check: Found unpatched CVE (
CVE-2014-5220)
Bad CPE data. The CPE says 3.3.1 through to 5.14.1 but the Suse bug report demonstrates the fix and this is the corresponding fix upstream. Github tag annotations show it was fixed in 3.3.3 onwards. I've emailed cpe_dictionary@nist.gov with this evidence to get the data changed.
- nasm-2.14.02-r0 do_cve_check: Found unpatched CVE (CVE-2019-6290 CVE-2019-6291 CVE-2019-8343)
- openssl-1.1.1c-r0 do_cve_check: Found unpatched CVE (CVE-2016-7798 CVE-2018-16395 CVE-2019-0190)
CVE-2016-7798 CVE-2018-16395 are in openssl gem for ruby and fixed there. CVE-2019-0190 is for apache and affects only versions <= 2.4.37. master has 2.4.39.
- procps-3.3.15-r0 do_cve_check: Found unpatched CVE (
CVE-2018-1121)
1121 is disputed upstream: procps isn't a security tool.
- python-2.7.16-r0 do_cve_check: Found unpatched CVE (CVE-2010-3492 CVE-2013-7338 CVE-2015-5652 CVE-2017-17522 CVE-2017-18207 CVE-2019-9740 CVE-2019-9947)
- qemu-4.0.0-r0 do_cve_check: Found unpatched CVE (CVE-2019-12155
CVE-2019-12928 CVE-2019-12929)
CVE-2019-12928 CVE-2019-12929 are disputed.
- rsync-3.1.3-r0 do_cve_check: Found unpatched CVE (CVE-2017-16548)
CHA: Link to upstream patch in Red Hat bug report. This fixes upstream bug report which doesn't have CVE number.
- subversion-1.12.0-r0 do_cve_check: Found unpatched CVE (
CVE-2017-1000085 CVE-2018-1000111)
These are for Jenkins subversion plugin.
- tiff-4.0.10-r0 do_cve_check: Found unpatched CVE (
CVE-2019-6128 CVE-2019-7663)
Patches for master on the list.
- virglrenderer-0.7.0-r0 do_cve_check: Found unpatched CVE (
CVE-2017-5957)
CHA: Link to upstream patch in Red Hat bug report
Fixed in 0.6 onwards.
- zip-3.0-r2 do_cve_check: Found unpatched CVE (
CVE-2018-13410)
CHA: CVE is marked as disputed?