CVE Status: Difference between revisions
Yoann Congal (talk | contribs) m (→CVE-2023-42366 (busybox): syntax fix) |
|||
(32 intermediate revisions by 2 users not shown) | |||
Line 12: | Line 12: | ||
Issue with suid binaries and coredumps. Last known progress on mitigating was [https://lore.kernel.org/lkml/CAAq0SUmw3fGtwDifbBMrD7jgPBGQb7uC0K9hJetVTRQO7boPtA@mail.gmail.com/t/#u this thread]. | Issue with suid binaries and coredumps. Last known progress on mitigating was [https://lore.kernel.org/lkml/CAAq0SUmw3fGtwDifbBMrD7jgPBGQb7uC0K9hJetVTRQO7boPtA@mail.gmail.com/t/#u this thread]. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 CVE-2022-0400] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 CVE-2022-3219] (gnupg) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 CVE-2022-3219] (gnupg) === | ||
Line 28: | Line 30: | ||
aka EntryBleed. Vulnerable on x86-64 systems. | aka EntryBleed. Vulnerable on x86-64 systems. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 CVE-2022-38096] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 CVE-2022-38096] (linux-yocto) === | ||
Line 43: | Line 41: | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 CVE-2023-0687] (glibc) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 CVE-2023-0687] (glibc) === | ||
Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet. | Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 CVE-2023-1386] (qemu) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 CVE-2023-1386] (qemu) === | ||
Still [https://github.com/v9fs/linux/issues/29 open upstream]. | Still [https://github.com/v9fs/linux/issues/29 open upstream]. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 CVE-2023-3354] (qemu) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 CVE-2023-3354] (qemu) === | ||
Line 90: | Line 74: | ||
[https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf Fixed] in 8.1.0. | [https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf Fixed] in 8.1.0. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40360 CVE-2023-40360] (qemu) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40360 CVE-2023-40360] (qemu) === | ||
Line 106: | Line 86: | ||
Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347. | Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 CVE-2023-42363] (busybox) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 CVE-2023-42363] (busybox) === | ||
Line 132: | Line 101: | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 CVE-2023-42366] (busybox) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42366 CVE-2023-42366] (busybox) === | ||
Patch available (not merged yet) : [https://bugs.busybox.net/attachment.cgi?id=9697&action=edit Attachment 9697 Details for Bug 15874 – | Patch available (not merged yet) : [https://bugs.busybox.net/attachment.cgi?id=9697&action=edit Attachment 9697 Details for Bug 15874 – PATCH awk.c: fix CVE-2023-42366 (bug #15874)] | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51767 CVE-2023-51767] (openssh) === | |||
"openssh: authentication bypass via row hammer attack" | |||
Upstream bug : https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch) | |||
Real-world impacts seem quite low | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 CVE-2023-21803] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24857 CVE-2023-24857] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24858 CVE-2023-24858] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24859 CVE-2023-24859] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24861 CVE-2023-24861] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24864 CVE-2023-25864] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6240 CVE-2023-6240] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6356 CVE-2023-6356] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6535 CVE-2023-6535] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6536 CVE-2023-6536] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7216 CVE-2023-7216] (cpio) === | |||
Open upstream, disputed by maintainer see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25739 CVE-2024-25739] (linux-yocto) === | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25740 CVE-2024-25740] (linux-yocto) === | |||
Latest revision as of 11:29, 10 March 2024
This is a list of CVEs which are currently being reported as open, and the current state.
CVE-2019-14899 (linux-yocto)
Claims to be about breaking into VPN tunnels. OpenVPN dispute, Red Hat think it might actually have a larger scope but also the paper is misleading.
CVE-2021-3714 (linux-yocto)
Flaw in kernel memory de-duplication. Still an issue, albeit minor.
CVE-2021-3864 (linux-yocto)
Issue with suid binaries and coredumps. Last known progress on mitigating was this thread.
CVE-2022-0400 (linux-yocto)
CVE-2022-3219 (gnupg)
Hypothetical DoS. A patch was proposed but hasn't been reviewed or merged.
CVE-2022-0400 (linux-yocto)
Out-of-bounds read in the SMC stack. Details are still embargoed so can't tell what this actually impacts.
CVE-2022-1247 (linux-yocto)
Race in the X.25 AF_ROSE implementation, so only an issue if CONFIG_ROSE is enabled.
CVE-2022-4543 (linux-yocto)
aka EntryBleed. Vulnerable on x86-64 systems.
CVE-2022-38096 (linux-yocto)
Bug in vmwgfx driver, still open. Mitigated if CONFIG_DRM_VMWGFX is not enabled.
CVE-2022-46456 (nasm)
Buffer overflow, still open upstream.
CVE-2023-0687 (glibc)
Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet. NVD pinged 12/02/2024.
CVE-2023-1386 (qemu)
Still open upstream.
CVE-2023-3354 (qemu)
Fixed in 8.1.0.
CVE-2023-3640 (linux-yocto)
CPU-level address leak specific to x86, still an issue.
CVE-2023-3772 (linux-yocto)
Merged in 00374d9b6d9f932802b55181be9831aa948e5b7c, needs backport.
CVE-2023-3773 (linux-yocto)
Merged in 5e2424708da7207087934c5c75211e8584d553a0, needs backport.
CVE-2023-4010 (linux-yocto)
Hang in USB subsystem. No fix yet.
CVE-2023-4128 (linux-yocto)
Merged in 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81, needs backporting.
CVE-2023-4135 (qemu)
Fixed in 8.1.0.
CVE-2023-40360 (qemu)
Fixed in 8.1.0.
CVE-2023-4569 (linux-yocto)
Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/346.
CVE-2023-4611 (linux-yocto)
Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347.
CVE-2023-42363 (busybox)
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15865"
CVE-2023-42364 (busybox)
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15868"
CVE-2023-42365 (busybox)
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15871 "
CVE-2023-42366 (busybox)
Patch available (not merged yet) : Attachment 9697 Details for Bug 15874 – PATCH awk.c: fix CVE-2023-42366 (bug #15874)
CVE-2023-51767 (openssh)
"openssh: authentication bypass via row hammer attack" Upstream bug : https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch) Real-world impacts seem quite low
CVE-2023-21803 (linux-yocto)
CVE-2023-24857 (linux-yocto)
CVE-2023-24858 (linux-yocto)
CVE-2023-24859 (linux-yocto)
CVE-2023-24861 (linux-yocto)
CVE-2023-25864 (linux-yocto)
CVE-2023-6240 (linux-yocto)
CVE-2023-6356 (linux-yocto)
CVE-2023-6535 (linux-yocto)
CVE-2023-6536 (linux-yocto)
CVE-2023-7216 (cpio)
Open upstream, disputed by maintainer see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html