User:RossBurton/CVE: Difference between revisions

From Yocto Project
Jump to navigationJump to search
No edit summary
No edit summary
Line 1: Line 1:
* apt-1.2.31-r0 do_cve_check: Found unpatched CVE (CVE-2019-3462)
* binutils-native-2.32.0-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000876)
* binutils-2.32.0-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000876 CVE-2019-12972 CVE-2019-9070 CVE-2019-9071 <s>CVE-2019-9072 CVE-2019-9073</s>)
* iptables-1.8.2-r0 do_cve_check: Found unpatched CVE (CVE-2019-11360)
CVE-2019-9072 CVE-2019-9073 can be ignored as per bug comments. We have CVE-2018-1000876 in master/warrior - should probably be backported to thud. CVE-2019-9070 is gcc fix for which is in master.
* libgcrypt-1.8.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-12904)
Patches for CVE-2019-9071 and CVE-2019-12972 on list.
* unzip-1_6.0-r5 do_cve_check: Found unpatched CVE (CVE-2019-13232)
 
* openssl-1.1.1c-r0 do_cve_check: Found unpatched CVE (CVE-2018-16395 CVE-2019-0190)
* boost-1.69.0-r0 do_cve_check: Found unpatched CVE (<s>CVE-2009-3654</s>)
* unzip-native-1_6.0-r5 do_cve_check: Found unpatched CVE (CVE-2019-13232)
3654 is a different Boost.
* curl-7.65.1-r0 do_cve_check: Found unpatched CVE (<s>CVE-2019-5443</s>)
5443 is a Windows-specific issue.
 
* db-1_5.3.28-r1 do_cve_check: Found unpatched CVE (CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2017-3604 CVE-2017-3605 CVE-2017-3606 CVE-2017-3607 CVE-2017-3608 CVE-2017-3609 CVE-2017-3610 CVE-2017-3611 CVE-2017-3612 CVE-2017-3613 CVE-2017-3614 CVE-2017-3615 CVE-2017-3616 CVE-2017-3617)
* db-1_5.3.28-r1 do_cve_check: Found unpatched CVE (CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2017-3604 CVE-2017-3605 CVE-2017-3606 CVE-2017-3607 CVE-2017-3608 CVE-2017-3609 CVE-2017-3610 CVE-2017-3611 CVE-2017-3612 CVE-2017-3613 CVE-2017-3614 CVE-2017-3615 CVE-2017-3616 CVE-2017-3617)
 
* nasm-native-2.14.02-r0 do_cve_check: Found unpatched CVE (CVE-2019-6290 CVE-2019-6291 CVE-2019-8343)
I think for db we'll just have to watch Fedora/RHEL, as some of these are probably in db6 only, or the fix isn't backportable.
* db-native-1_5.3.28-r1 do_cve_check: Found unpatched CVE (CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2017-3604 CVE-2017-3605 CVE-2017-3606 CVE-2017-3607 CVE-2017-3608 CVE-2017-3609 CVE-2017-3610 CVE-2017-3611 CVE-2017-3612 CVE-2017-3613 CVE-2017-3614 CVE-2017-3615 CVE-2017-3616 CVE-2017-3617)
 
* ed-1.15-r0 do_cve_check: Found unpatched CVE (<s>CVE-2015-2987</s>)
 
2987 isnt GNU ed.
 
* flex-2.6.0-r0 do_cve_check: Found unpatched CVE (<s>CVE-2015-1773</s>)
 
1773 isn't GNU Flex.  Need improvement to cve-check class to compare Vendor.
 
* git-2.22.0-r0 do_cve_check: Found unpatched CVE (<s>CVE-2018-1000110 CVE-2018-1000182 CVE-2019-1003010</s>)
These are for Jenkins git plugin.
 
* glib-2.0-1_2.60.4-r0 do_cve_check: Found unpatched CVE (<s>CVE-2019-12450</s>)
Bad CPE, was fixed in 2.60.4.
 
* glibc-2.29-r0 do_cve_check: Found unpatched CVE (CVE-2018-20796 CVE-2019-9192)
* glibc-2.29-r0 do_cve_check: Found unpatched CVE (CVE-2018-20796 CVE-2019-9192)
* gnupg-2.2.16-r0 do_cve_check: Found unpatched CVE (<s>CVE-2019-13050</s>)
* binutils-cross-x86_64-2.32.0-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000876)
Fixed in master
* squashfs-tools-native-4.3+gitrAUTOINC+f95864afe8-r0 do_cve_check: Found unpatched CVE (CVE-2015-4645 CVE-2015-4646)
 
* openssl-native-1.1.1c-r0 do_cve_check: Found unpatched CVE (CVE-2018-16395 CVE-2019-0190)
* go-1.12.6-r0 do_cve_check: Found unpatched CVE (CVE-2018-17075 CVE-2018-17142 CVE-2018-17143 CVE-2018-17846 CVE-2018-17847 CVE-2018-17848)
* linux-intel-4.19.55+gitAUTOINC+ad235db461_3347a3790f-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000026 CVE-2018-16880 CVE-2018-20784 CVE-2018-20836 CVE-2019-10125 CVE-2019-10638 CVE-2019-10639 CVE-2019-11191 CVE-2019-11486 CVE-2019-11487 CVE-2019-11599 CVE-2019-11810 CVE-2019-11811 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884 CVE-2019-12378 CVE-2019-12379 CVE-2019-12380 CVE-2019-12381 CVE-2019-12382 CVE-2019-12454 CVE-2019-12455 CVE-2019-12456 CVE-2019-12614 CVE-2019-12615 CVE-2019-12817 CVE-2019-12818 CVE-2019-12819 CVE-2019-12984 CVE-2019-13233 CVE-2019-3459 CVE-2019-3460 CVE-2019-3819 CVE-2019-3887 CVE-2019-3900 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-8912 CVE-2019-8956 CVE-2019-8980 CVE-2019-9003 CVE-2019-9857)
* libgcrypt-1.8.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-12904)
* qemu-system-native-4.0.0-r0 do_cve_check: Found unpatched CVE (CVE-2019-13164)
* libid3tag-0.15.1b-r7 do_cve_check: Found unpatched CVE (CVE-2017-11550 CVE-2017-11551)
* qemu-native-4.0.0-r0 do_cve_check: Found unpatched CVE (CVE-2019-13164)
11550 is patched in mut, 11551 is the same as an existing patched CVE (fixed in mut).
 
* librsvg-2.40.20-r0 do_cve_check: Found unpatched CVE (<s>CVE-2018-1000041</s>)
Windows-specific.
 
* libsndfile1-1.0.28-r0 do_cve_check: Found unpatched CVE (<s>CVE-2018-13419</s>)
Just a memory leak that nobody else can replicate. Ignore.
 
* libtasn1-4.13-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000654)
[https://gitlab.com/gnutls/libtasn1/merge_requests/8 Upstream merge request from suse]
 
* libxslt-1.1.33-r0 do_cve_check: Found unpatched CVE (<s>CVE-2019-13117 CVE-2019-13118</s>)
Fixed in master.
 
* mdadm-4.1-r0 do_cve_check: Found unpatched CVE (<s>CVE-2014-5220</s>)
Bad CPE data. The CPE says 3.3.1 through to 5.14.1 but the [https://bugzilla.novell.com/show_bug.cgi?id=910500#c10 Suse bug report demonstrates the fix] and [https://github.com/neilbrown/mdadm/commit/979b1feb093b1c2e0f8b58716329f2da092741d4 this is the corresponding fix upstream].  Github tag annotations show it was fixed in 3.3.3 onwards.  I've emailed
cpe_dictionary@nist.gov with this evidence to get the data changed.
 
* nasm-2.14.02-r0 do_cve_check: Found unpatched CVE (CVE-2019-6290 CVE-2019-6291 CVE-2019-8343)
* openssl-1.1.1c-r0 do_cve_check: Found unpatched CVE (CVE-2016-7798 CVE-2018-16395 CVE-2019-0190)
CVE-2016-7798 CVE-2018-16395 are in openssl gem for ruby and fixed there. CVE-2019-0190 is for apache and affects only versions <= 2.4.37. master has 2.4.39.
 
* procps-3.3.15-r0 do_cve_check: Found unpatched CVE (<s>CVE-2018-1121</s>)
1121 is disputed upstream: procps isn't a security tool.
 
* python-2.7.16-r0 do_cve_check: Found unpatched CVE (CVE-2010-3492 CVE-2013-7338 CVE-2015-5652 CVE-2017-17522 CVE-2017-18207 CVE-2019-9740 CVE-2019-9947)
* qemu-4.0.0-r0 do_cve_check: Found unpatched CVE (CVE-2019-12155 <s>CVE-2019-12928 CVE-2019-12929</s>)
CVE-2019-12928 CVE-2019-12929 are disputed.
 
* rsync-3.1.3-r0 do_cve_check: Found unpatched CVE (CVE-2017-16548)
 
CHA: Link to upstream patch in [https://bugzilla.redhat.com/show_bug.cgi?id=1511411#c0 Red Hat bug report]. This fixes [https://bugzilla.samba.org/show_bug.cgi?id=13112 upstream bug report] which doesn't have CVE number.
 
* subversion-1.12.0-r0 do_cve_check: Found unpatched CVE (<s>CVE-2017-1000085 CVE-2018-1000111</s>)
These are for Jenkins subversion plugin.
 
* tiff-4.0.10-r0 do_cve_check: Found unpatched CVE (<s>CVE-2019-6128 CVE-2019-7663</s>)
 
Patches for master on the list.
 
* virglrenderer-0.7.0-r0 do_cve_check: Found unpatched CVE (<s>CVE-2017-5957</s>)
 
CHA: Link to upstream patch in [https://bugzilla.redhat.com/show_bug.cgi?id=1421126 Red Hat bug report]
 
Fixed in [https://gitlab.freedesktop.org/virgl/virglrenderer/commit/926b9b3460a48f6454d8bbe9e44313d86a65447f 0.6 onwards].
 
* zip-3.0-r2 do_cve_check: Found unpatched CVE (<s>CVE-2018-13410</s>)
 
CHA: CVE is marked as disputed?

Revision as of 20:21, 18 July 2019

  • binutils-native-2.32.0-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000876)
  • iptables-1.8.2-r0 do_cve_check: Found unpatched CVE (CVE-2019-11360)
  • libgcrypt-1.8.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-12904)
  • unzip-1_6.0-r5 do_cve_check: Found unpatched CVE (CVE-2019-13232)
  • openssl-1.1.1c-r0 do_cve_check: Found unpatched CVE (CVE-2018-16395 CVE-2019-0190)
  • unzip-native-1_6.0-r5 do_cve_check: Found unpatched CVE (CVE-2019-13232)
  • db-1_5.3.28-r1 do_cve_check: Found unpatched CVE (CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2017-3604 CVE-2017-3605 CVE-2017-3606 CVE-2017-3607 CVE-2017-3608 CVE-2017-3609 CVE-2017-3610 CVE-2017-3611 CVE-2017-3612 CVE-2017-3613 CVE-2017-3614 CVE-2017-3615 CVE-2017-3616 CVE-2017-3617)
  • nasm-native-2.14.02-r0 do_cve_check: Found unpatched CVE (CVE-2019-6290 CVE-2019-6291 CVE-2019-8343)
  • db-native-1_5.3.28-r1 do_cve_check: Found unpatched CVE (CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2017-3604 CVE-2017-3605 CVE-2017-3606 CVE-2017-3607 CVE-2017-3608 CVE-2017-3609 CVE-2017-3610 CVE-2017-3611 CVE-2017-3612 CVE-2017-3613 CVE-2017-3614 CVE-2017-3615 CVE-2017-3616 CVE-2017-3617)
  • glibc-2.29-r0 do_cve_check: Found unpatched CVE (CVE-2018-20796 CVE-2019-9192)
  • binutils-cross-x86_64-2.32.0-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000876)
  • squashfs-tools-native-4.3+gitrAUTOINC+f95864afe8-r0 do_cve_check: Found unpatched CVE (CVE-2015-4645 CVE-2015-4646)
  • openssl-native-1.1.1c-r0 do_cve_check: Found unpatched CVE (CVE-2018-16395 CVE-2019-0190)
  • linux-intel-4.19.55+gitAUTOINC+ad235db461_3347a3790f-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000026 CVE-2018-16880 CVE-2018-20784 CVE-2018-20836 CVE-2019-10125 CVE-2019-10638 CVE-2019-10639 CVE-2019-11191 CVE-2019-11486 CVE-2019-11487 CVE-2019-11599 CVE-2019-11810 CVE-2019-11811 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884 CVE-2019-12378 CVE-2019-12379 CVE-2019-12380 CVE-2019-12381 CVE-2019-12382 CVE-2019-12454 CVE-2019-12455 CVE-2019-12456 CVE-2019-12614 CVE-2019-12615 CVE-2019-12817 CVE-2019-12818 CVE-2019-12819 CVE-2019-12984 CVE-2019-13233 CVE-2019-3459 CVE-2019-3460 CVE-2019-3819 CVE-2019-3887 CVE-2019-3900 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-8912 CVE-2019-8956 CVE-2019-8980 CVE-2019-9003 CVE-2019-9857)
  • qemu-system-native-4.0.0-r0 do_cve_check: Found unpatched CVE (CVE-2019-13164)
  • qemu-native-4.0.0-r0 do_cve_check: Found unpatched CVE (CVE-2019-13164)
Retrieved from "https://wiki.yoctoproject.org/wiki/index.php?title=User:RossBurton/CVE&oldid=56756"