On Mon, 2022-09-12 at 18:45 -0700, Khem Raj wrote:
> On 9/11/22 7:02 AM, Steve Sakoman wrote:
> > Branch: master
> > 
> > New this week: 10 CVEs
> > CVE-2020-35538 (CVSS3: 5.5 MEDIUM): libjpeg-turbo:libjpeg-turbo-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35538 *
> > CVE-2022-1354 (CVSS3: 5.5 MEDIUM): tiff 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1354 *
> > CVE-2022-1355 (CVSS3: 6.1 MEDIUM): tiff 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1355 *
> > CVE-2022-3099 (CVSS3: 7.8 HIGH): vim 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3099 *
> > CVE-2022-3134 (CVSS3: 7.8 HIGH): vim 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3134 *
> > CVE-2022-38126 (CVSS3: 5.5 MEDIUM): 
> > binutils:binutils-cross-testsuite:binutils-cross-x86_64 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38126 *
> > CVE-2022-38127 (CVSS3: 5.5 MEDIUM): 
> > binutils:binutils-cross-testsuite:binutils-cross-x86_64 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38127 *
> > CVE-2022-38128 (CVSS3: 5.5 MEDIUM): 
> > binutils:binutils-cross-testsuite:binutils-cross-x86_64 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38128 *
> > CVE-2022-39028 (CVSS3: 7.5 HIGH): inetutils 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39028 *
> > CVE-2022-39046 (CVSS3: 5.3 MEDIUM): glibc 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39046 *
> > 
> > Removed this week: 4 CVEs
> > CVE-2021-3929 (CVSS3: 8.2 HIGH): qemu:qemu-native:qemu-system-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3929 *
> > CVE-2022-2953 (CVSS3: 5.5 MEDIUM): tiff 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2953 *
> > CVE-2022-32893 (CVSS3: 8.8 HIGH): webkitgtk 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32893 *
> > CVE-2022-38533 (CVSS3: 5.5 MEDIUM): 
> > binutils:binutils-cross-testsuite:binutils-cross-x86_64 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38533 *
> > 
> > Full list:  Found 15 unpatched CVEs
> > CVE-2020-35538 (CVSS3: 5.5 MEDIUM): libjpeg-turbo:libjpeg-turbo-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35538 *
> 
> We are at 2.1.4 in master and this was fixed in 2.0.6 via 
> https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9120a247436e84c0b4eea828cb11e8f665fcde30
>  
> so I wonder why it's being flagged.

The CVE entry says 2.0.5 onwards. I've emailed them to suggest it apply
to 2.0.5 only as 2.0.6 is fixed.

> > CVE-2021-3521 (CVSS3: 4.7 MEDIUM): rpm:rpm-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3521 *
> > CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35937 *
> > CVE-2021-35938 (CVSS3: 7.8 HIGH): rpm:rpm-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35938 *
> > CVE-2021-35939 (CVSS3: 7.8 HIGH): rpm:rpm-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35939 *
> > CVE-2021-4158 (CVSS3: 6.0 MEDIUM): qemu:qemu-native:qemu-system-native 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4158 *
> > CVE-2022-1354 (CVSS3: 5.5 MEDIUM): tiff 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1354 *
> > CVE-2022-1355 (CVSS3: 6.1 MEDIUM): tiff 
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1355 *
> 
> there is a patch on ml for this.

The version restrictions on those are also wrong. I've sent email to
correct them.

Cheers,

Richard
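The version-range problem discussed above, as an added illustration that is not the oe-core cve-check code: a small matcher with NVD-style start/end bounds, run against the CVE-2020-35538 range as published ("2.0.5 onwards", no upper bound) and against the correction suggested in the thread (fixed in 2.0.6, so only 2.0.5 affected). The bounds and versions come from the thread; the class and function names are my own.

```python
# Added illustration (not the oe-core cve-check code): why a CVE whose NVD
# entry gives "2.0.5 onwards" with no upper bound still matches 2.1.4,
# and how a corrected range stops matching. Ranges below are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into a comparable tuple ("2.0.6" -> (2, 0, 6))."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class VersionRange:
    """NVD-style bounds: each one is optional, and a missing end bound means 'no upper limit'."""
    start_including: Optional[str] = None
    start_excluding: Optional[str] = None
    end_including: Optional[str] = None
    end_excluding: Optional[str] = None

    def matches(self, version: str) -> bool:
        v = parse_version(version)
        if self.start_including and v < parse_version(self.start_including):
            return False
        if self.start_excluding and v <= parse_version(self.start_excluding):
            return False
        if self.end_including and v > parse_version(self.end_including):
            return False
        if self.end_excluding and v >= parse_version(self.end_excluding):
            return False
        return True


# Constructed ranges for CVE-2020-35538 as discussed in the thread:
# the entry as published ("2.0.5 onwards", i.e. no upper bound) ...
NVD_AS_PUBLISHED = VersionRange(start_including="2.0.5")
# ... and the suggested correction: fixed in 2.0.6, so only 2.0.5 is affected.
NVD_CORRECTED = VersionRange(start_including="2.0.5", end_excluding="2.0.6")


def flagged(range_: VersionRange, installed: str) -> bool:
    """True when a checker would report the CVE against the installed version."""
    return range_.matches(installed)


if __name__ == "__main__":
    # master carries 2.1.4; it is flagged only while the upper bound is missing.
    for label, rng in (("as published", NVD_AS_PUBLISHED), ("corrected", NVD_CORRECTED)):
        print(f"{label}: 2.1.4 flagged={flagged(rng, '2.1.4')}, 2.0.5 flagged={flagged(rng, '2.0.5')}")
```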