On Mon, Nov 13, 2023 at 5:55 AM Ross Burton <ross.bur...@arm.com> wrote:
>
> On 12 Nov 2023, at 11:17, Steve Sakoman via lists.openembedded.org
> <steve=sakoman....@lists.openembedded.org> wrote:
> > New this week: 8 CVEs
>
> Such fun!
>
> I did some research and have included my notes below. Do we have any
> volunteers for the avahi patchbomb?

I think we should bump avahi to use master branch like many other distros

>
> > CVE-2023-3397 (CVSS3: 6.3 MEDIUM): linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3397 *
>
> NIST link to a “patch” which was promptly rejected. I don’t believe we
> enable JFS so we could likely exclude this.
>
> > CVE-2023-38469 (CVSS3: 5.5 MEDIUM): avahi
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38469 *
>
> Issue lathiat/avahi#455, fixed with lathiat/avahi PR#500 a337a1.
>
> > CVE-2023-38470 (CVSS3: 5.5 MEDIUM): avahi
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38470 *
>
> Issue lathiat/avahi#454, fixed with lathiat/avahi - 94cb64.
>
> > CVE-2023-38471 (CVSS3: 5.5 MEDIUM): avahi
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38471 *
>
> Issue lathiat/avahi#453 fixed with lathiat/avahi PR#494 d486bc.
>
> > CVE-2023-38472 (CVSS3: 5.5 MEDIUM): avahi
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38472 *
>
> Issue lathiat/avahi#452 fixed with lathiat/avahi PR#490 d886dc.
>
> > CVE-2023-38473 (CVSS3: 5.5 MEDIUM): avahi
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38473 *
>
> Issue lathiat/avahi#451 fixed with lathiat/avahi PR#486 5edc17.
>
> > CVE-2023-46246 (CVSS3: 5.5 MEDIUM): vim
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46246 *
>
> Fix in vim/vim - 9198c1.
>
> > CVE-2023-46407 (CVSS3: 5.5 MEDIUM): ffmpeg
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46407 *
>
> Fix in FFmpeg/FFmpeg - bf8143. This is part of the 6.1 release so upgrading
> ffmpeg will make that go away.
>
> Ross
View/Reply Online (#190484): https://lists.openembedded.org/g/openembedded-core/message/190484