On Sun, 2024-04-07 at 01:19 -1000, Steve Sakoman wrote:
> Branch: master
> 
> New this week: 21 CVEs
> CVE-2014-4859 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4859 *
> CVE-2014-4860 (CVSS3: 6.8 MEDIUM): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4860 *

Qi sent a patch for this, thanks.

> CVE-2019-14553 (CVSS3: 4.9 MEDIUM): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14553 *
> CVE-2019-14559 (CVSS3: 7.5 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14559 *
> CVE-2019-14562 (CVSS3: 5.5 MEDIUM): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14562 *
> CVE-2019-14563 (CVSS3: 7.8 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14563 *
> CVE-2019-14575 (CVSS3: 7.8 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14575 *
> CVE-2019-14586 (CVSS3: 8.0 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14586 *
> CVE-2019-14587 (CVSS3: 6.5 MEDIUM): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14587 *

I think we will need a patch for these for now as the CPE entries are
missing in NVD. Would you be able to help there please Qi?

> CVE-2022-36763 (CVSS3: 7.8 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36763 *
> CVE-2022-36764 (CVSS3: 7.8 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36764 *
> CVE-2022-36765 (CVSS3: 7.8 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36765 *
> CVE-2023-45229 (CVSS3: 6.5 MEDIUM): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45229 *
> CVE-2023-45230 (CVSS3: 8.8 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45230 *
> CVE-2023-45231 (CVSS3: 6.5 MEDIUM): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45231 *
> CVE-2023-45232 (CVSS3: 7.5 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45232 *
> CVE-2023-45233 (CVSS3: 7.5 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45233 *
> CVE-2023-45234 (CVSS3: 8.8 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45234 *
> CVE-2023-45235 (CVSS3: 8.8 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45235 *
> CVE-2023-45236 (CVSS3: 7.5 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45236 *
> CVE-2023-45237 (CVSS3: 7.5 HIGH): ovmf:ovmf-native 
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45237 *

These are genuine issues and I've merged an upgrade to address them.

Cheers,

Richard
View/Reply Online (#198009): 
https://lists.openembedded.org/g/openembedded-core/message/198009