On 08/06/2018 09:56 AM, mikko.rap...@bmw.de wrote:

On Fri, Aug 03, 2018 at 10:37:05PM +0000, Grygorii Tertychnyi (gtertych) via Openembedded-core wrote:
cvert-kernel - generate CVE report for the Linux kernel.
   NVD entries for the Linux kernel are almost always outdated.
   For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065
   is shown as matched for "versions up to (including) 4.15.7",
   however the patch 57ebd808a97d has been back ported for 4.14.
   cvert-kernel script checks NVD Resource entries for the patch URLs
   and looks for the commits in the local git tree.

This is an interesting approach.

For the kernel I've been using information not from NVD but from
https://github.com/nluedtke/linux_kernel_cves/

As an example, all CVE fixed in 4.14 kernel series point releases AND all
non-fixed CVE are listed in:

https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt

I have not tried to automate this, but I do find the information there
much better than NVD.

Thanks for the links!
I did not know about these, I'll definitely try it.

-Mikko
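
An added illustration, not part of this thread and not the cvert-kernel script itself: a sketch of the check the quoted patch description outlines, pulling commit ids out of a CVE's reference URLs and looking for them in a local kernel tree, including stable backports that cite the upstream commit in their message. The function names, the sample URLs and the rule that every referenced commit must be present are assumptions made for the example.

```python
import re
import subprocess

# Commit ids appear as cgit "?id=<sha>" or as ".../commit/<sha>" in patch URLs.
COMMIT_RE = re.compile(r"(?:[?&;]id=|/commit/)([0-9a-f]{12,40})\b")

def commits_from_references(urls):
    """Return the unique commit ids found in a CVE's reference URLs, in order."""
    shas = []
    for url in urls:
        m = COMMIT_RE.search(url)
        if m and m.group(1) not in shas:
            shas.append(m.group(1))
    return shas

def git_has_fix(tree, sha, rev="HEAD"):
    """True if `sha` is an ancestor of `rev`, or a commit reachable from `rev`
    cites it (a stable backport has a new id but names the upstream commit)."""
    direct = subprocess.run(
        ["git", "-C", tree, "merge-base", "--is-ancestor", sha, rev],
        capture_output=True)
    if direct.returncode == 0:
        return True
    cited = subprocess.run(
        ["git", "-C", tree, "log", "-1", "--format=%H", "--grep=" + sha, rev],
        capture_output=True, text=True)
    return bool(cited.stdout.strip())

def classify(references, has_fix):
    """Map each CVE to 'patched', 'unpatched', or 'unknown' when no reference
    URL carries a commit id. Assumption: all referenced commits must be present."""
    report = {}
    for cve, urls in references.items():
        shas = commits_from_references(urls)
        if not shas:
            report[cve] = "unknown"
        else:
            report[cve] = "patched" if all(has_fix(s) for s in shas) else "unpatched"
    return report

# Constructed sample input: the URLs are illustrative, not copied from NVD.
# Only the commit id 57ebd808a97d comes from the thread; the rest are placeholders.
SAMPLE = {
    "CVE-2018-1065": ["https://git.kernel.org/pub/scm/linux/kernel/git/"
                      "torvalds/linux.git/commit/?id=57ebd808a97d"],
    "CVE-0000-0001": ["https://github.com/torvalds/linux/commit/0123456789ab"],
    "CVE-0000-0002": ["https://example.org/advisory/no-patch-link"],
}

if __name__ == "__main__":
    # "." is assumed to be a checkout of the kernel tree under review.
    print(classify(SAMPLE, lambda sha: git_has_fix(".", sha)))
```

A CVE reported as "unknown" has no patch URL to follow, so it still needs a manual check or another source such as the per-series lists linked above.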
