[oniro-dev] CVE status for 2.0

Dear all,
I have first results of CVE checks for the upcoming 2.0. For simplification, you have the details from the qemu x86-64 image (rootfs only, excluding SDK).

With the database of yesterday, we have 378 issues. Out of that:
4 at or above CVSSv3 9.0 (curl, libpam, 2x linux)
122 at or above CVSSv3 7.5 (including the openssl issue that made the news, expat, python, dropbear)

Apart from the Linux kernel, most should go away with a kirkstone update.

The question is whether we release like that or spend time fixing issues above a certain CVSS (like 9.0 or 8.0)?

Kind regards,
Marta

Attachment: qemu_x86-2022_11_23_image_sorted.ods
Description: application/vnd.oasis.opendocument.spreadsheet

