User:RossBurton/CVE: Difference between revisions

From Yocto Project
Jump to navigationJump to search
No edit summary
No edit summary
Line 46: Line 46:
* rsync-3.1.3-r0 do_cve_check: Found unpatched CVE (CVE-2017-16548)
* rsync-3.1.3-r0 do_cve_check: Found unpatched CVE (CVE-2017-16548)


Fixed but upstream bug report didn't highlight the CVE number, see [https://bugzilla.redhat.com/show_bug.cgi?id=1511411#c0 Red Hat bug report] instead
CHA: Fixed but upstream bug report didn't highlight the CVE number, see [https://bugzilla.redhat.com/show_bug.cgi?id=1511411#c0 Red Hat bug report] instead


* subversion-1.12.0-r0 do_cve_check: Found unpatched CVE (CVE-2017-1000085 CVE-2018-1000111)
* subversion-1.12.0-r0 do_cve_check: Found unpatched CVE (CVE-2017-1000085 CVE-2018-1000111)
* tiff-4.0.10-r0 do_cve_check: Found unpatched CVE (CVE-2019-6128 CVE-2019-7663)
* tiff-4.0.10-r0 do_cve_check: Found unpatched CVE (CVE-2019-6128 CVE-2019-7663)
6128 - https://gitlab.com/libtiff/libtiff/merge_requests/50
 
7663 - https://gitlab.com/libtiff/libtiff/merge_requests/60
CHA: 6128 - https://gitlab.com/libtiff/libtiff/merge_requests/50
CHA: 7663 - https://gitlab.com/libtiff/libtiff/merge_requests/60


* virglrenderer-0.7.0-r0 do_cve_check: Found unpatched CVE (CVE-2017-5957)
* virglrenderer-0.7.0-r0 do_cve_check: Found unpatched CVE (CVE-2017-5957)
Line 59: Line 60:
* zip-3.0-r2 do_cve_check: Found unpatched CVE (CVE-2018-13410)
* zip-3.0-r2 do_cve_check: Found unpatched CVE (CVE-2018-13410)


CVE is marked as disputed?
CHA: CVE is marked as disputed?

Revision as of 17:03, 9 July 2019

  • apt-1.2.31-r0 do_cve_check: Found unpatched CVE (CVE-2019-3462)
  • binutils-2.32.0-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000876 CVE-2019-12972 CVE-2019-9070 CVE-2019-9071 CVE-2019-9072 CVE-2019-9073)
  • boost-1.69.0-r0 do_cve_check: Found unpatched CVE (CVE-2009-3654)

3654 is a different Boost.

  • curl-7.65.1-r0 do_cve_check: Found unpatched CVE (CVE-2019-5443)

5443 is a Windows-specific issue.

  • db-1_5.3.28-r1 do_cve_check: Found unpatched CVE (CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2017-3604 CVE-2017-3605 CVE-2017-3606 CVE-2017-3607 CVE-2017-3608 CVE-2017-3609 CVE-2017-3610 CVE-2017-3611 CVE-2017-3612 CVE-2017-3613 CVE-2017-3614 CVE-2017-3615 CVE-2017-3616 CVE-2017-3617)

I think for db we'll just have to watch Fedora/RHEL, as some of these are probably in db6 only, or the fix isn't backportable.

  • ed-1.15-r0 do_cve_check: Found unpatched CVE (CVE-2015-2987)

2987 isnt GNU ed.

  • flex-2.6.0-r0 do_cve_check: Found unpatched CVE (CVE-2015-1773)

1773 isn't GNU Flex. Need improvement to cve-check class to compare Vendor.

  • git-2.22.0-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000110 CVE-2018-1000182 CVE-2019-1003010)
  • glib-2.0-1_2.60.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-12450)

Bad CPE, was fixed in 2.60.4.

  • glibc-2.29-r0 do_cve_check: Found unpatched CVE (CVE-2018-20796 CVE-2019-9192)
  • gnupg-2.2.16-r0 do_cve_check: Found unpatched CVE (CVE-2019-13050)
  • go-1.12.6-r0 do_cve_check: Found unpatched CVE (CVE-2018-17075 CVE-2018-17142 CVE-2018-17143 CVE-2018-17846 CVE-2018-17847 CVE-2018-17848)
  • libgcrypt-1.8.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-12904)
  • libid3tag-0.15.1b-r7 do_cve_check: Found unpatched CVE (CVE-2017-11550 CVE-2017-11551)
  • librsvg-2.40.20-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000041)
  • libsndfile1-1.0.28-r0 do_cve_check: Found unpatched CVE (CVE-2018-13419)
  • libtasn1-4.13-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000654)

Upstream merge request from suse

  • libxslt-1.1.33-r0 do_cve_check: Found unpatched CVE (CVE-2019-13117 CVE-2019-13118)
  • mdadm-4.1-r0 do_cve_check: Found unpatched CVE (CVE-2014-5220)

Bad CPE data. The CPE says 3.3.1 through to 5.14.1 but the Suse bug report demonstrates the fix and this is the corresponding fix upstream. Github tag annotations show it was fixed in 3.3.3 onwards. I've emailed cpe_dictionary@nist.gov with this evidence to get the data changed.

  • nasm-2.14.02-r0 do_cve_check: Found unpatched CVE (CVE-2019-6290 CVE-2019-6291 CVE-2019-8343)
  • openssl-1.1.1c-r0 do_cve_check: Found unpatched CVE (CVE-2016-7798 CVE-2018-16395 CVE-2019-0190)
  • procps-3.3.15-r0 do_cve_check: Found unpatched CVE (CVE-2018-1121)

1121 is disputed upstream: procps isn't a security tool.

  • python-2.7.16-r0 do_cve_check: Found unpatched CVE (CVE-2010-3492 CVE-2013-7338 CVE-2015-5652 CVE-2017-17522 CVE-2017-18207 CVE-2019-9740 CVE-2019-9947)
  • qemu-4.0.0-r0 do_cve_check: Found unpatched CVE (CVE-2019-12155 CVE-2019-12928 CVE-2019-12929)
  • rsync-3.1.3-r0 do_cve_check: Found unpatched CVE (CVE-2017-16548)

CHA: Fixed but upstream bug report didn't highlight the CVE number, see Red Hat bug report instead

  • subversion-1.12.0-r0 do_cve_check: Found unpatched CVE (CVE-2017-1000085 CVE-2018-1000111)
  • tiff-4.0.10-r0 do_cve_check: Found unpatched CVE (CVE-2019-6128 CVE-2019-7663)

CHA: 6128 - https://gitlab.com/libtiff/libtiff/merge_requests/50 CHA: 7663 - https://gitlab.com/libtiff/libtiff/merge_requests/60

  • virglrenderer-0.7.0-r0 do_cve_check: Found unpatched CVE (CVE-2017-5957)

Fixed in upstream

  • zip-3.0-r2 do_cve_check: Found unpatched CVE (CVE-2018-13410)

CHA: CVE is marked as disputed?