From: Ross Burton <Ross.Burton@arm.com>
To: "steve@sakoman.com" <steve@sakoman.com>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
"yocto-security@lists.yoctoproject.org"
<yocto-security@lists.yoctoproject.org>
Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 28 Jan 2024 01:00:01 AM HST
Date: Mon, 29 Jan 2024 18:20:45 +0000 [thread overview]
Message-ID: <DA908433-CD5E-426B-9938-EFE244792C57@arm.com> (raw)
In-Reply-To: <20240128111816.A9A16106961@builder.sakoman.com>
On 28 Jan 2024, at 11:18, Steve Sakoman via lists.yoctoproject.org <steve=sakoman.com@lists.yoctoproject.org> wrote:
> CVE-2023-4001 (CVSS3: 6.8 MEDIUM): grub:grub-efi:grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4001 *
Red Hat specific, posting an ignore.
> CVE-2023-4692 (CVSS3: 7.8 HIGH): grub:grub-efi:grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4692 *
> CVE-2023-4693 (CVSS3: 4.6 MEDIUM): grub:grub-efi:grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4693 *
Fixed in 2.12, I’ve sent the mail to update the CPEs.
> CVE-2023-48795 (CVSS3: 5.9 MEDIUM): openssh https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-48795 *
Fixed in 9.6, an upgrade from Tim is already on the list.
> CVE-2023-6129 (CVSS3: 6.5 MEDIUM): openssl:openssl-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6129 *
I just posted the backport.
> CVE-2023-6683 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6683 *
Patches upstream, but not yet merged.
> CVE-2023-6816 (CVSS3: 9.8 CRITICAL): xwayland https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6816 *
Upgrade to 23.2.4 already on the list from Khem.
> CVE-2024-0553 (CVSS3: 7.5 HIGH): gnutls:gnutls-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0553 *
> CVE-2024-0567 (CVSS3: 7.5 HIGH): gnutls:gnutls-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0567 *
Fixed in 3.8.3, patch on the list from Simone.
I’ve queued these fixes in poky-contrib:ross/cve for anyone playing along at home.
Ross
prev parent reply other threads:[~2024-01-29 18:21 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-28 11:18 OE-core CVE metrics for master on Sun 28 Jan 2024 01:00:01 AM HST steve
2024-01-29 18:20 ` Ross Burton [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DA908433-CD5E-426B-9938-EFE244792C57@arm.com \
--to=ross.burton@arm.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=steve@sakoman.com \
--cc=yocto-security@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox