CVE Status: Difference between revisions
(Update with new/removed CVEs cw 06/24) |
(mentioned when NVD was pinged 12/02/2024.) |
||
| Line 39: | Line 39: | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 CVE-2023-0687] (glibc) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687 CVE-2023-0687] (glibc) === | ||
Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet. | Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 CVE-2023-1386] (qemu) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1386 CVE-2023-1386] (qemu) === | ||
| Line 47: | Line 47: | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3019 CVE-2023-3019] (qemu) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3019 CVE-2023-3019] (qemu) === | ||
Fixed in 8.2.0 with 9050f976e447444ea6ee2ba12c9f77e4b0dc54bc. NVD pinged 06/02/2024. | Fixed in 8.2.0 with 9050f976e447444ea6ee2ba12c9f77e4b0dc54bc. NVD pinged 06/02/2024. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3164 CVE-2023-3164] (tiff) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3164 CVE-2023-3164] (tiff) === | ||
| Line 53: | Line 53: | ||
Upstream issue https://gitlab.com/libtiff/libtiff/-/issues/542 closed as "wontfix-unmaintained" | Upstream issue https://gitlab.com/libtiff/libtiff/-/issues/542 closed as "wontfix-unmaintained" | ||
Only affect the tiffcrop tool not compiled by default since 4.6.0 (OE-Core = 4.6.0). | Only affect the tiffcrop tool not compiled by default since 4.6.0 (OE-Core = 4.6.0). | ||
NVD pinged 06/02/2024. | NVD pinged 06/02/2024. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3180 CVE-2023-3180] (qemu) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3180 CVE-2023-3180] (qemu) === | ||
| Line 107: | Line 107: | ||
Fix merged https://github.com/qemu/qemu/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e | Fix merged https://github.com/qemu/qemu/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e | ||
Present in >=8.2.0 (OE-core qemu = 8.2.1) | Present in >=8.2.0 (OE-core qemu = 8.2.1) | ||
NVD pinged 06/02/2024 | NVD pinged 06/02/2024. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4692 CVE-2023-4692] (grub) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4692 CVE-2023-4692] (grub) === | ||
| Line 113: | Line 113: | ||
(in NTFS support) : Fix merged : e58b870ff926415e23fc386af41ff81b2f588763 + 6 parents , released in 2.12 | (in NTFS support) : Fix merged : e58b870ff926415e23fc386af41ff81b2f588763 + 6 parents , released in 2.12 | ||
OE-Core grub = 2.12 | OE-Core grub = 2.12 | ||
NVD pinged 06/02/2024 | NVD pinged 06/02/2024. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4693 CVE-2023-4693] (grub:grub-efi:grub-native) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4693 CVE-2023-4693] (grub:grub-efi:grub-native) === | ||
| Line 119: | Line 119: | ||
(in NTFS support) : Fix merged : e58b870ff926415e23fc386af41ff81b2f588763 + 6 parents , released in 2.12 | (in NTFS support) : Fix merged : e58b870ff926415e23fc386af41ff81b2f588763 + 6 parents , released in 2.12 | ||
OE-Core grub = 2.12 | OE-Core grub = 2.12 | ||
NVD pinged 06/02/2024 | NVD pinged 06/02/2024. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6683 CVE-2023-6683] (qemu) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6683 CVE-2023-6683] (qemu) === | ||
| Line 127: | Line 127: | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6693 CVE-2023-6693] (qemu) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6693 CVE-2023-6693] (qemu) === | ||
Backported upstream 939a09575fff7048446e36ce438fa7be6e251d41 in v8.2.1. CPE change request sent to NVD 07/02/2024 | Backported upstream 939a09575fff7048446e36ce438fa7be6e251d41 in v8.2.1. CPE change request sent to NVD 07/02/2024. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25584 CVE-2023-25584] (binutils) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25584 CVE-2023-25584] (binutils) === | ||
Merged fix in https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44. Present in binutils >=2.40 | Merged fix in https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44. Present in binutils >=2.40 | ||
NVD pinged 06/02/2024 | NVD pinged 06/02/2024. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38559 CVE-2023-38559] (ghostscript) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38559 CVE-2023-38559] (ghostscript) === | ||
| Line 138: | Line 138: | ||
Fix https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1 | Fix https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1 | ||
Present in >= 10.02.0 (OE-core ghostscript = 10.02.1) | Present in >= 10.02.0 (OE-core ghostscript = 10.02.1) | ||
NVD pinged 06/02/2024 | NVD pinged 06/02/2024. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 CVE-2023-42363] (busybox) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42363 CVE-2023-42363] (busybox) === | ||
| Line 175: | Line 175: | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6780 CVE-2023-6780] (glibc) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6780 CVE-2023-6780] (glibc) === | ||
Fixed in 2.39 already wrong cpe | Fixed in 2.39 already wrong cpe. NVD pinged 12/02/2024. | ||
=== [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 CVE-2023-21803] (linux-yocto) === | === [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21803 CVE-2023-21803] (linux-yocto) === | ||
Revision as of 17:45, 12 February 2024
This is a list of CVEs which are currently being reported as open, and the current state.
CVE-2019-14899 (linux-yocto)
Claims to be about breaking into VPN tunnels. OpenVPN dispute, Red Hat think it might actually have a larger scope but also the paper is misleading.
CVE-2021-3714 (linux-yocto)
Flaw in kernel memory de-duplication. Still an issue, albeit minor.
CVE-2021-3864 (linux-yocto)
Issue with suid binaries and coredumps. Last known progress on mitigating was this thread.
CVE-2022-3219 (gnupg)
Hypothetical DoS. A patch was proposed but hasn't been reviewed or merged.
CVE-2022-0400 (linux-yocto)
Out-of-bounds read in the SMC stack. Details are still embargoed so can't tell what this actually impacts.
CVE-2022-1247 (linux-yocto)
Race in the X.25 AF_ROSE implementation, so only an issue if CONFIG_ROSE is enabled.
CVE-2022-4543 (linux-yocto)
aka EntryBleed. Vulnerable on x86-64 systems.
CVE-2022-38096 (linux-yocto)
Bug in vmwgfx driver, still open. Mitigated if CONFIG_DRM_VMWGFX is not enabled.
CVE-2022-46456 (nasm)
Buffer overflow, still open upstream.
CVE-2023-0687 (glibc)
Bad CPE, should be marked as fixed in 2.38. Emailed NIST, data not updated yet. NVD pinged 12/02/2024.
CVE-2023-1386 (qemu)
Still open upstream.
CVE-2023-3019 (qemu)
Fixed in 8.2.0 with 9050f976e447444ea6ee2ba12c9f77e4b0dc54bc. NVD pinged 06/02/2024. NVD pinged 12/02/2024.
CVE-2023-3164 (tiff)
Upstream issue https://gitlab.com/libtiff/libtiff/-/issues/542 closed as "wontfix-unmaintained" Only affect the tiffcrop tool not compiled by default since 4.6.0 (OE-Core = 4.6.0). NVD pinged 06/02/2024. NVD pinged 12/02/2024.
CVE-2023-3180 (qemu)
Fixed in 8.1.0.
CVE-2023-3354 (qemu)
Fixed in 8.1.0.
CVE-2023-3640 (linux-yocto)
CPU-level address leak specific to x86, still an issue.
CVE-2023-3772 (linux-yocto)
Merged in 00374d9b6d9f932802b55181be9831aa948e5b7c, needs backport.
CVE-2023-3773 (linux-yocto)
Merged in 5e2424708da7207087934c5c75211e8584d553a0, needs backport.
CVE-2023-4010 (linux-yocto)
Hang in USB subsystem. No fix yet.
CVE-2023-4128 (linux-yocto)
Merged in 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81, needs backporting.
CVE-2023-4135 (qemu)
Fixed in 8.1.0.
CVE-2023-37769 (pixman)
Appears to be a floating point exception in a test, should verify that the crash is in the test code and not the library. This ticket has the details.
CVE-2023-40360 (qemu)
Fixed in 8.1.0.
CVE-2023-4569 (linux-yocto)
Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/346.
CVE-2023-4611 (linux-yocto)
Fixed upstream. LKC https://github.com/nluedtke/linux_kernel_cves/issues/347.
CVE-2023-5088 (qemu)
Fix merged https://github.com/qemu/qemu/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e Present in >=8.2.0 (OE-core qemu = 8.2.1) NVD pinged 06/02/2024. NVD pinged 12/02/2024.
CVE-2023-4692 (grub)
(in NTFS support) : Fix merged : e58b870ff926415e23fc386af41ff81b2f588763 + 6 parents , released in 2.12 OE-Core grub = 2.12 NVD pinged 06/02/2024. NVD pinged 12/02/2024.
CVE-2023-4693 (grub:grub-efi:grub-native)
(in NTFS support) : Fix merged : e58b870ff926415e23fc386af41ff81b2f588763 + 6 parents , released in 2.12 OE-Core grub = 2.12 NVD pinged 06/02/2024. NVD pinged 12/02/2024.
CVE-2023-6683 (qemu)
Patch posted : ui/clipboard: avoid crash upon request when clipboard peer is no not merged yet
CVE-2023-6693 (qemu)
Backported upstream 939a09575fff7048446e36ce438fa7be6e251d41 in v8.2.1. CPE change request sent to NVD 07/02/2024. NVD pinged 12/02/2024.
CVE-2023-25584 (binutils)
Merged fix in https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44. Present in binutils >=2.40 NVD pinged 06/02/2024. NVD pinged 12/02/2024.
CVE-2023-38559 (ghostscript)
Fix https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1 Present in >= 10.02.0 (OE-core ghostscript = 10.02.1) NVD pinged 06/02/2024. NVD pinged 12/02/2024.
CVE-2023-42363 (busybox)
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15865"
CVE-2023-42364 (busybox)
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15868"
CVE-2023-42365 (busybox)
Upstream bug still open https://bugs.busybox.net/show_bug.cgi?id=15871 "
CVE-2023-42366 (busybox)
Patch available (not merged yet) : Attachment 9697 Details for Bug 15874 – PATCH awk.c: fix CVE-2023-42366 (bug #15874)
CVE-2023-48795 (openssh)
Fix WIP : https://lists.openembedded.org/g/openembedded-core/topic/103546397#193372
CVE-2023-51384 (openssh)
Fix WIP : https://lists.openembedded.org/g/openembedded-core/topic/103546397#193372
CVE-2023-51385 (openssh)
Fix WIP : https://lists.openembedded.org/g/openembedded-core/topic/103546397#193372
CVE-2023-51767 (openssh)
"openssh: authentication bypass via row hammer attack" Upstream bug : https://bugzilla.mindrot.org/show_bug.cgi?id=3656 (still open, no patch) Real-world impacts seem quite low
CVE-2023-6780 (glibc)
Fixed in 2.39 already wrong cpe. NVD pinged 12/02/2024.
