CVE Triage
hulkoba edited this page Apr 17, 2024 · 3 revisions
This report contains the results of the triage of the first 40 CVEs as of 4/17/2024.
Note that the invalid CVEs are sent separately as email patches.
No. | CVE | Status | Affected versions | Version used in meta-openembedded | Solution |
---|---|---|---|---|---|
1 | CVE-2024-22211: freerdp | valid | Up to 2.11.5 (excl.); from 3.0.0 (incl.) to 3.2.0 (excl.) | 2.11.2 and 3.4.0 | The issue is addressed in versions 2.11.5 and 3.2.0. Update FreeRDP from version 2.11.2 to version 2.11.5 or higher. |
2 | CVE-2024-21485: dash | invalid | -- | -- | The recipe used in `meta-openembedded` is a different dash package from the one affected by the CVE. The package used in `meta-openembedded` is the shell (https://git.kernel.org/pub/scm/utils/dash/dash.git), whereas the package with the CVE issue is the Python framework (https://github.com/plotly/dash). No action required. Remove this issue from the CVE list. |
3 | CVE-2024-0962: libcoap | valid | 4.3.4 (including) | 4.3.4 | Issue is addressed in 4.3.4a. Update libcoap to the patch version 4.3.4a |
4 | CVE-2023-51713: proftpd | valid | 1.3.8a (excluding) | 1.3.7c | Update proftpd to version 1.3.8b |
5 | CVE-2023-48795: proftpd | valid | 1.3.8b (excluding) | 1.3.7c | Update proftpd to version 1.3.8b |
6 | CVE-2001-0027: proftpd | invalid | ProFTPD running the mod_sqlpw module | 1.3.7c | No action required. This is only for ProFTPD running the mod_sqlpw module. This module is not used by meta-openembedded. |
7 | CVE-2023-51257: jasper | valid | up to 4.1.1 (incl.) | 4.1.1 | Update jasper to at least 4.1.2, or preferably to the latest version 4.2.3. |
8 | CVE-2020-23026: dhrystone | gather evidence | 2.1 | 2.1 | The package is archived and not maintained. A solution would be to replace this package with another benchmark tool. |
9 | CVE-2009-1147: ace | invalid | VMware ACE 2.5.1 and earlier | -- | This issue is invalid as VMware ACE is no longer used. open-vm-tools is used instead which is part of the VMware ecosystem but not affected by this CVE. No action required. Remove this issue from the CVE list. |
10 | CVE-2019-3821: civetweb | invalid | 1.12 | 1.16 | None of the affected versions is used by meta-openembedded. No action required. Remove this issue from the CVE list. |
11 | CVE-2023-4256: tcpreplay | valid | 4.4.3 and 4.4.4 | 4.4.4 | Upgrade once a fix is released. The issue and a possible workaround are described here. |
12 | CVE-2023-50447: python3-pillow | valid | 10.1.0 (incl.) | 10.1.0 | Update python3-pillow to the latest version 10.3.0. This issue is resolved in 10.2.0, but we suggest upgrading to the latest version 10.3.0 since this version introduces other CVEs. |
13 | CVE-2023-48161: giflib:giflib-native | valid | 5.2.1 (incl.) | 5.2.1 | Issue is fixed. Update to version 5.2.2. |
14 | CVE-2023-39742: giflib:giflib-native | valid | 5.2.1 (incl.) | 5.2.1 | Issue is fixed. Update giflib to 5.2.2. |
15 | CVE-2022-28506: giflib:giflib-native | valid | 5.2.1 (excl.) | 5.2.1 | Issue is fixed. Update giflib to 5.2.2. |
16 | CVE-2023-46853: memcached | valid | 1.6.22 (excl.) | 1.6.17 | Update memcached to 1.6.22 or higher |
17 | CVE-2023-46852: memcached | valid | 1.6.22 (excl.) | 1.6.17 | Update memcached to 1.6.22 or higher |
18 | CVE-2022-26635: memcached | invalid | PHP-Memcached v2.2.0 and below | -- | Not a valid issue as we could not find php-memcached in meta-openembedded. |
19 | CVE-2023-46045: graphviz:graphviz-native | valid | From 2.36.0 (incl.) up to 10.0.0 (excl.) | 8.1.0 | Update graphviz to 10.0.1 |
20 | CVE-2014-9157: graphviz:graphviz-native | invalid | 8.0.* | 8.1.0 | No action required. Current version is not affected by the issue. |
21 | CVE-2017-15644: webmin | valid | Up to (incl.) 1.850 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.860, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
22 | CVE-2017-15645: webmin | valid | Up to (incl.) 1.850 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.860, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
23 | CVE-2017-15646: webmin | valid | Up to (incl.) 1.850 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.860, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
24 | CVE-2017-17089: webmin | valid | Up to (incl.) 1.860 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.870, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
25 | CVE-2019-12840: webmin | valid | Up to (incl.) 1.910 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.920, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
26 | CVE-2019-15107: webmin | valid | Up to (incl.) 1.920 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.930, but we suggest upgrading to the latest version 2.105 since 1.93 introduces other CVEs. |
27 | CVE-2019-15641: webmin | valid | Up to (incl.) 1.930 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.941, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
28 | CVE-2019-15642: webmin | valid | Up to (incl.) 1.920 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.860, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
29 | CVE-2020-12670: webmin | valid | Up to (incl.) 1.941 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.930, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
30 | CVE-2020-35606: webmin | valid | Up to (incl.) 1.962 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.970, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
31 | CVE-2020-8820: webmin | valid | Up to (incl.) 1.941 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.953, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
32 | CVE-2020-8821: webmin | valid | Up to (incl.) 1.941 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.953, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
33 | CVE-2022-0824: webmin | valid | Up to (excl.) 1.990 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.991, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
34 | CVE-2022-0829: webmin | valid | Up to (excl.) 1.990 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.991, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
35 | CVE-2022-30708: webmin | valid | Up to (excl.) 1.991 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.994, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
36 | CVE-2022-36446: webmin | valid | Up to (excl.) 1.997 | 1.850 | Update webmin to 2.105. This issue is resolved in 1.999, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
37 | CVE-2023-43309: webmin | valid | Up to (incl.) 2.002 | 1.850 | Update webmin to 2.105. This issue is resolved in 2.010, but we suggest upgrading to the latest version 2.105 since this version introduces other CVEs. |
38 | CVE-2023-52046: webmin | valid | Up to (incl.) 2.105 | 1.850 | There is no fix available yet; 2.105 is the newest version. |
39 | CVE-2023-44398: exiv2 | valid | v0.28.0 | 0.28.0 | This bug is fixed in version v0.28.1 |
40 | CVE-2007-6353: exiv2 | invalid | < 0.13-r1 | 0.28.0 | No action required. Current version is not affected by the issue. |
This review is done by the Neighbourhoodie team as part of the scope of work with STF and the Yocto team.