Thank you Marko for the feedback! For CVE-2024-34397 the reason is simple:
    "affected": [
        {
            "vendor": "n/a",
            "product": "n/a",
            "versions": [
                {
                    "version": "n/a",
                    "status": "affected"
                }
            ]
        }
    ],
I'm fixing this... Strange that this one was assigned by MITRE itself...
Regards,
Marta
On Thu, May 16, 2024 at 3:26 PM Marko, Peter <[email protected]>
wrote:
> Hello Marta,
>
>
>
> Glibc fixes are already staged in scarthgap-nut.
>
> It would be interesting to check why the prototype does not list glib-2.0
> CVE-2024-34397 which is staged there, too.
>
>
>
> Peter
>
>
>
> *From:* [email protected] <
> [email protected]> *On Behalf Of *Marta Rybczynska
> via lists.yoctoproject.org
> *Sent:* Thursday, May 16, 2024 15:21
> *To:* [email protected]; OE-core <
> [email protected]>
> *Cc:* Richard Purdie <[email protected]>; Steve Sakoman <
> [email protected]>; [email protected]; [email protected]; Khem
> Raj <[email protected]>
> *Subject:* [yocto-security] CVE status for scarthgap on 2024-05-16 and ask
> for help
>
>
>
> > Hello all,
>
> > The prototype CVE check via the MITRE database is giving the following
> for scarthgap today (adding maintainers of affected packages in copy):
>
> >
>
> > CVE-2024-32002.json: affected: git 2.44.0
> > CVE-2024-32004.json: affected: git 2.44.0
> > CVE-2024-32020.json: affected: git 2.44.0
> > CVE-2024-32021.json: affected: git 2.44.0
> > CVE-2024-3205.json: affected: libyaml 0.2.5
> > CVE-2024-32465.json: affected: git 2.44.0
> > CVE-2024-33599.json: affected glibc 2.39
> > CVE-2024-33600.json: affected: glibc 2.39
> > CVE-2024-33601.json: affected: glibc 2.39
> > CVE-2024-33602.json: affected: glibc 2.39
>
> >
>
> > I would also like to ask for volunteers to help with looking up the
> following CVEs and submitting fixes to
> https://github.com/mrybczyn/cvelistV5-overrides/tree/overrides if they
> are malformed:
>
> > go: CVE-2024-24788, CVE-2024-24787
>
> > aiohttp: CVE-2024-30251
>
> > x server: CVE-2024-31053, CVE-2024-31082
>
> > bluez: CVE-2023-27349, CVE-2023-50229, CVE-2023-50230
>
> > gstreamer: CVE-2023-50186, CVE-2023-44446
>
> > less: CVE-2024-32407
>
> > ncurses: CVE-2023-45988
>
> > ofono: CVE-2023-4234, CVE-2023-4233
>
> >
>
> > If you have any questions on how to do that, ask me.
>
> >
>
> > Kind regards,
>
> > Marta
>
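
Added example, not part of the thread and not the prototype checker's code: a small audit that flags CVE JSON 5 records whose "affected" list holds only placeholders like the fragment quoted at the top, which is why a product-name match never lists them. The function name, the placeholder set and the second sample record are assumptions made for this example.

```python
import json

# "n/a" is the placeholder shown in the thread; treating an empty or missing
# value the same way is an assumption of this example.
PLACEHOLDERS = {"n/a", ""}


def is_placeholder(value):
    return value is None or str(value).strip().lower() in PLACEHOLDERS


def audit_affected(record):
    """Return the reasons a name/version based check cannot match this record."""
    affected = record.get("containers", {}).get("cna", {}).get("affected") or []
    if not affected:
        return ["no affected entries"]
    problems = []
    for i, entry in enumerate(affected):
        for field in ("vendor", "product"):
            if is_placeholder(entry.get(field)):
                problems.append(f"affected[{i}].{field} is a placeholder")
        # A missing versions list is not flagged; only one made of placeholders.
        versions = entry.get("versions") or []
        if versions and all(is_placeholder(v.get("version")) for v in versions):
            problems.append(f"affected[{i}].versions has no real version")
    return problems


# Constructed minimal records. The first wraps the fragment quoted in the thread;
# the second uses a made-up id, vendor and product.
PLACEHOLDER_RECORD = json.loads("""
{"cveMetadata": {"cveId": "CVE-2024-34397"},
 "containers": {"cna": {"affected": [
   {"vendor": "n/a", "product": "n/a",
    "versions": [{"version": "n/a", "status": "affected"}]}]}}}
""")
USABLE_RECORD = json.loads("""
{"cveMetadata": {"cveId": "CVE-0000-0001"},
 "containers": {"cna": {"affected": [
   {"vendor": "example", "product": "exampled",
    "versions": [{"version": "0", "lessThan": "1.2.3", "status": "affected"}]}]}}}
""")

if __name__ == "__main__":
    for rec in (PLACEHOLDER_RECORD, USABLE_RECORD):
        print(rec["cveMetadata"]["cveId"], audit_affected(rec) or "ok")
```

Records that come back with a non-empty list are the ones that need a corrected "affected" entry before a product-name check can report them.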