On 7 December 2016 at 14:58, Mariano Lopez <mariano.lo...@linux.intel.com>
wrote:

> > We have more recipes which have CVE patches but they are not reported.
> > I have analyzed these; some of these CVEs are still marked as reserved
> > on Mitre and are not present in the nvd.xml files (although they are
> > public (e.g. Busybox:
> > https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147)).
>
> cve-check-tool will only check against the database that it got from the
> nvd.xml files, and these files won't have information for not yet fully
> disclosed CVEs, so that is why you will find these cases frequently in
> OE recipes (Armin does a great job with CVEs).
>

A lot of CVEs get reserved but never actually updated in MITRE.  This is
why the planned successor to cve-check-tool plans to download the Debian /
RHEL / etc security databases to fill in the gaps (I'm not sure what the
state of this rewrite is as we didn't write this tool).

Ross
-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
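The gap the thread describes, shown as an added example that is not code from the thread or from cve-check-tool: a recipe's patched CVE ids are checked against an NVD feed first and a distro security tracker second, so a CVE that MITRE still lists as reserved is reported as covered by the distro database rather than silently missed. The nvd.xml and Debian-tracker JSON fragments are constructed samples that imitate the real formats; apart from CVE-2016-2147 from the thread, the CVE ids are placeholders.

```python
# Added example, not part of the original thread or of cve-check-tool.
# The nvd.xml fragment and the Debian-tracker JSON below are constructed
# samples that imitate the real feed formats; the CVE-0000-* ids are
# placeholders, only CVE-2016-2147 comes from the thread.
import json
import xml.etree.ElementTree as ET

NVD_NS = "{http://scap.nist.gov/schema/feed/vulnerability/2.0}"

# Constructed nvd.xml: entries exist only for CVEs NVD has published.
NVD_XML = """<?xml version="1.0"?>
<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0">
  <entry id="CVE-0000-0001"/>
  <entry id="CVE-0000-0002"/>
</nvd>"""

# Constructed Debian security-tracker JSON: package -> CVE id -> details.
# The still-reserved Busybox CVE is tracked here even though NVD lacks it.
DEBIAN_JSON = json.dumps({
    "busybox": {
        "CVE-2016-2147": {"releases": {"stretch": {"status": "resolved"}}},
        "CVE-0000-0001": {"releases": {"stretch": {"status": "resolved"}}},
    }
})

def nvd_ids(xml_text):
    """Collect every CVE id the NVD feed has an entry for."""
    root = ET.fromstring(xml_text)
    return {e.get("id") for e in root.iter(NVD_NS + "entry")}

def distro_ids(json_text):
    """Collect every CVE id any package in the distro tracker mentions."""
    data = json.loads(json_text)
    return {cve for pkg in data.values() for cve in pkg}

def classify(patched, nvd, distro):
    """Sort a recipe's patched CVE ids by which database knows about them."""
    return {
        "nvd": sorted(c for c in patched if c in nvd),
        "distro_only": sorted(c for c in patched if c not in nvd and c in distro),
        "unknown": sorted(c for c in patched if c not in nvd and c not in distro),
    }

if __name__ == "__main__":
    # CVE ids as they would be read from a recipe's patch headers (constructed).
    patched = ["CVE-2016-2147", "CVE-0000-0001", "CVE-0000-0003"]
    print(classify(patched, nvd_ids(NVD_XML), distro_ids(DEBIAN_JSON)))
```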