Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

On 08/06/2018 09:56 AM, mikko.rap...@bmw.de wrote: On Fri, Aug 03, 2018 at 10:37:05PM +, Grygorii Tertychnyi (gtertych) via Openembedded-core wrote: cvert-kernel - generate CVE report for the Linux kernel. NVD entries for the Linux kernel is almost always outdated. For example, https

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

On 08/05/2018 05:52 AM, Victor Kamensky wrote: On Sat, 4 Aug 2018, Alexander Kanavin wrote: How reliable is NVD database for such automated scans? Previously, we have repeatedly concluded that it should not be trusted, and proper patching of vulnerabilities must involve humans looking at vul

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

On 08/04/2018 05:16 PM, akuster808 wrote: On 08/03/2018 03:37 PM, Grygorii Tertychnyi (gtertych) via Openembedded-core wrote: cvert-kernel - generate CVE report for the Linux kernel. NVD entries for the Linux kernel is almost always outdated. For example, https://nvd.nist.gov/vuln/detail/

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

On Fri, Aug 03, 2018 at 10:37:05PM +, Grygorii Tertychnyi (gtertych) via Openembedded-core wrote: > cvert-kernel - generate CVE report for the Linux kernel. > NVD entries for the Linux kernel is almost always outdated. > For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065 > is sh

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

On Sat, 4 Aug 2018, Alexander Kanavin wrote: How reliable is NVD database for such automated scans? Previously, we have repeatedly concluded that it should not be trusted, and proper patching of vulnerabilities must involve humans looking at vulnerability reports and making appropriate decisi

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

On 08/03/2018 03:37 PM, Grygorii Tertychnyi (gtertych) via Openembedded-core wrote: > cvert-kernel - generate CVE report for the Linux kernel. > NVD entries for the Linux kernel is almost always outdated. > For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065 > is shown as matched f

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

How reliable is NVD database for such automated scans? Previously, we have repeatedly concluded that it should not be trusted, and proper patching of vulnerabilities must involve humans looking at vulnerability reports and making appropriate decisions - same as Debian is doing for example. Alex 2

[OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

cvert-kernel - generate CVE report for the Linux kernel. NVD entries for the Linux kernel is almost always outdated. For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065 is shown as matched for "versions up to (including) 4.15.7", however the patch 57ebd808a97d has been back ported f