Re: OE-core CVE metrics for master on Sun 29 Jan 2023 02:00:01 AM HST

Ross Burton

On 29 Jan 2023, at 12:03, Steve Sakoman via <> wrote:
> Full list: Found 9 unpatched CVEs
> CVE-2022-23521 (CVSS3: 9.8 CRITICAL): git *
> CVE-2022-41903 (CVSS3: 9.8 CRITICAL): git *
> CVE-2022-41953 (CVSS3: 7.8 HIGH): git *

Patches sent (upgrade and ignore).

> CVE-2022-3550 (CVSS3: 8.8 HIGH): xserver-xorg *
> CVE-2022-3551 (CVSS3: 6.5 MEDIUM): xserver-xorg *
> CVE-2022-46457 (CVSS3: 5.5 MEDIUM): nasm:nasm-native *

NIST haven’t taken the CPE fixes I sent, re-sent.

> CVE-2022-3996 (CVSS3: 7.5 HIGH): openssl:openssl-native *

This was fixed by a patch on the list that was incorrectly labelled as langdale, I’ve reposted it.

> CVE-2022-4055 (CVSS3: 7.4 HIGH): xdg-utils *
> CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native *

Both still open upstream.
