CVE Status: Difference between revisions
RossBurton (talk | contribs) mNo edit summary |
RossBurton (talk | contribs) No edit summary |
||
| Line 46: | Line 46: | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 CVE-2019-14899] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14899 CVE-2019-14899] (linux-yocto) === | ||
Claims to be about breaking into VPN tunnels. OpenVPN dispute, Red Hat think it might actually have a larger scope but also the paper is misleading. | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 CVE-2021-3714] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 CVE-2021-3714] (linux-yocto) === | ||
Flaw in kernel memory de-duplication. Still an issue, albeit minor. | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 CVE-2021-3864] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 CVE-2021-3864] (linux-yocto) === | ||
Issue with suid binaries and coredumps. Last known progress on mitigating was [https://lore.kernel.org/lkml/CAAq0SUmw3fGtwDifbBMrD7jgPBGQb7uC0K9hJetVTRQO7boPtA@mail.gmail.com/t/#u this thread]. | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 CVE-2022-0400] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 CVE-2022-0400] (linux-yocto) === | ||
Out-of-bounds read in the SMC stack. Details are still embargoed so can't tell what this actually impacts. | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 CVE-2022-1247] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 CVE-2022-1247] (linux-yocto) === | ||
Race in the X.25 AF_ROSE implementation, so only an issue if <tt>CONFIG_ROSE</tt> is enabled. | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 CVE-2022-4543] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 CVE-2022-4543] (linux-yocto) === | ||
aka EntryBleed. Vulnerable on x86-64 systems. | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36402 CVE-2022-36402] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36402 CVE-2022-36402] (linux-yocto) === | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 CVE-2022-38096] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 CVE-2022-38096] (linux-yocto) === | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 CVE-2023-3640] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3640 CVE-2023-3640] (linux-yocto) === | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3772 CVE-2023-3772] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3772 CVE-2023-3772] (linux-yocto) === | ||
Merged in 00374d9b6d9f932802b55181be9831aa948e5b7c, needs backport. | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3773 CVE-2023-3773] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3773 CVE-2023-3773] (linux-yocto) === | ||
Merged in 5e2424708da7207087934c5c75211e8584d553a0, needs backport. | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 CVE-2023-4010] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4010 CVE-2023-4010] (linux-yocto) === | ||
Hang in USB subsystem. No fix yet. | |||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4128 CVE-2023-4128] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4128 CVE-2023-4128] (linux-yocto) === | ||
Use-after-free. Fixed with [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 this commit], needs backporting. | |||
<!-- | <!-- | ||
Revision as of 12:18, 25 August 2023
This is a list of CVEs which are currently being reported as open, and the current state.
CVE-2022-3219 (gnupg)
Hypothetical DoS. A patch was proposed but hasn't been reviewed or merged.
CVE-2022-33065 (libsndfile1)
Integer overflow, still open upstream.
CVE-2022-46456 (nasm)
Buffer overflow, still open upstream.
CVE-2023-0687 (glibc)
Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet.
CVE-2023-37769 (pixman)
Appears to be a floating point exception in a test, should verify that the crash is in the test code and not the library. This ticket has the details.
CVE-2023-1386 (qemu)
Still open upstream.
CVE-2023-3019 (qemu)
Linked patches need rebasing and review.
CVE-2023-3180 (qemu)
Fixed in 8.1.0.
CVE-2023-3354 (qemu)
Fixed in 8.1.0.
CVE-2023-40360 (qemu)
Fixed in 8.1.0.
CVE-2023-4135 (qemu)
Fixed in 8.1.0.
CVE-2019-14899 (linux-yocto)
Claims to be about breaking into VPN tunnels. OpenVPN dispute, Red Hat think it might actually have a larger scope but also the paper is misleading.
CVE-2021-3714 (linux-yocto)
Flaw in kernel memory de-duplication. Still an issue, albeit minor.
CVE-2021-3864 (linux-yocto)
Issue with suid binaries and coredumps. Last known progress on mitigating was this thread.
CVE-2022-0400 (linux-yocto)
Out-of-bounds read in the SMC stack. Details are still embargoed so can't tell what this actually impacts.
CVE-2022-1247 (linux-yocto)
Race in the X.25 AF_ROSE implementation, so only an issue if CONFIG_ROSE is enabled.
CVE-2022-4543 (linux-yocto)
aka EntryBleed. Vulnerable on x86-64 systems.
CVE-2022-36402 (linux-yocto)
CVE-2022-38096 (linux-yocto)
CVE-2023-3640 (linux-yocto)
CVE-2023-3772 (linux-yocto)
Merged in 00374d9b6d9f932802b55181be9831aa948e5b7c, needs backport.
CVE-2023-3773 (linux-yocto)
Merged in 5e2424708da7207087934c5c75211e8584d553a0, needs backport.
CVE-2023-4010 (linux-yocto)
Hang in USB subsystem. No fix yet.
CVE-2023-4128 (linux-yocto)
Use-after-free. Fixed with this commit, needs backporting.
