Re: [oniro-dev] CVE status for 2.0

Ok, reviewed the sheet.

My recommendation (which is also a question of feasibility / time) would be to try a kirkstone update and see where it takes us in terms of breaking builds / tests. If it takes us far with minimum damage, see how many are left to fix and focus on CVSS scores above 8.

If a kirkstone update breaks all things – then focus on selective resolution of CVEs with a CVSS score greater than 8.

My 2 cents.

Cheers

D

 

From: oniro-dev <oniro-dev-bounces@xxxxxxxxxxx> On Behalf Of Davide Ricci
Sent: Thursday 24 November 2022 15:16
To: onirocore developer discussions <oniro-dev@xxxxxxxxxxx>; Marta Rybczynska <marta.rybczynska@xxxxxxxxxx>
Subject: Re: [oniro-dev] CVE status for 2.0

Stupid me,

An Excel sheet was attached … I am reviewing it now.

D

From: oniro-dev <oniro-dev-bounces@xxxxxxxxxxx> On Behalf Of Davide Ricci
Sent: Thursday 24 November 2022 15:12
To: Marta Rybczynska <marta.rybczynska@xxxxxxxxxx>; onirocore developer discussions <oniro-dev@xxxxxxxxxxx>
Subject: Re: [oniro-dev] CVE status for 2.0

Since we are aware of the issues, we ought to try to fix the most severe ones – do we have the breakdown, i.e. do we know how many CVEs per CVSS severity class we have?

Thanks

D

From: Marta Rybczynska <marta.rybczynska@xxxxxxxxxx>
Sent: Thursday 24 November 2022 14:30
To: Davide Ricci <davide.ricci@xxxxxxxxxx>; onirocore developer discussions <oniro-dev@xxxxxxxxxxx>
Subject: CVE status for 2.0

Dear all,

I have the first results of the CVE checks for the upcoming 2.0. For simplification, you have the details from the qemu x86-64 image (rootfs only, excluding SDK).

With the database of yesterday, we have 378 issues. Out of that:

4 at or above CVSSv3 9.0 (curl, libpam, 2x linux)

122 at or above CVSSv3 7.5 (including the openssl issue that made the news, expat, python, dropbear)

Apart from the Linux kernel, most should go away with a kirkstone update.

The question is whether we release like that or spend time fixing issues above a certain CVSS score (like 9.0 or 8.0).

Kind regards,

Marta
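An added example, not part of this thread or of the Oniro project's tooling, that produces the kind of breakdown the thread asks for: it reads a cve-check style JSON report, keeps only issues still marked Unpatched, and counts them per CVSSv3 class and against the 9.0 / 7.5 thresholds used above, optionally excluding the kernel recipe (which the thread notes a kirkstone update would not fix). The report layout assumed here (a `package` list whose entries carry an `issue` list with `scorev3` and `status` fields) follows the Yocto cve-check JSON output; the embedded sample, its recipe versions and its placeholder CVE ids are constructed for the example.

```python
"""Classify unpatched CVEs from a cve-check style JSON report by CVSSv3 score."""
import json
from collections import Counter

# Constructed sample in the assumed cve-check JSON layout. CVE ids are
# placeholders (CVE-0000-*), versions and scores are made up for the example.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "curl", "version": "0.0.0", "issue": [
            {"id": "CVE-0000-0001", "scorev3": "9.8", "status": "Unpatched"},
            {"id": "CVE-0000-0002", "scorev3": "7.5", "status": "Unpatched"},
            {"id": "CVE-0000-0003", "scorev3": "5.3", "status": "Patched"},
        ]},
        {"name": "linux-yocto", "version": "0.0.0", "issue": [
            {"id": "CVE-0000-0004", "scorev3": "9.1", "status": "Unpatched"},
            {"id": "CVE-0000-0005", "scorev3": "7.8", "status": "Unpatched"},
        ]},
        {"name": "expat", "version": "0.0.0", "issue": [
            {"id": "CVE-0000-0006", "scorev3": "7.5", "status": "Unpatched"},
            {"id": "CVE-0000-0007", "scorev3": "0.0", "status": "Ignored"},
        ]},
    ],
})

# Standard CVSS v3 qualitative rating bands.
def severity_class(score):
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"

def load_unpatched(report_text, exclude_packages=()):
    """Return (package, cve_id, scorev3) for every issue still marked Unpatched.

    Patched and Ignored entries are dropped; a missing or malformed score is
    treated as 0.0 so it is counted but never lands in a high band.
    """
    data = json.loads(report_text)
    found = []
    for pkg in data.get("package", []):
        if pkg.get("name") in exclude_packages:
            continue
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched":
                continue
            try:
                score = float(issue.get("scorev3") or 0.0)
            except ValueError:
                score = 0.0
            found.append((pkg["name"], issue["id"], score))
    return found

def breakdown(report_text, exclude_packages=()):
    """Count unpatched issues per CVSSv3 class and above the thread's thresholds."""
    issues = load_unpatched(report_text, exclude_packages)
    classes = Counter(severity_class(score) for _, _, score in issues)
    return {
        "total": len(issues),
        "by_class": dict(classes),
        "at_or_above_9_0": sum(1 for _, _, s in issues if s >= 9.0),
        "at_or_above_7_5": sum(1 for _, _, s in issues if s >= 7.5),
    }

def packages_at_or_above(report_text, threshold, exclude_packages=()):
    """Sorted list of recipes that still carry an unpatched CVE at or above threshold."""
    issues = load_unpatched(report_text, exclude_packages)
    return sorted({pkg for pkg, _, score in issues if score >= threshold})

if __name__ == "__main__":
    print("all recipes:", breakdown(SAMPLE_REPORT))
    print("kernel excluded:", breakdown(SAMPLE_REPORT, exclude_packages=("linux-yocto",)))
    print("recipes >= 9.0:", packages_at_or_above(SAMPLE_REPORT, 9.0))
```

Pointing `load_unpatched` at the contents of a real `cve-check` JSON report (for example the per-image summary the class writes under the deploy directory) gives the per-class counts the thread asks for, and running `breakdown` twice, with and without the kernel excluded, separates the share a kirkstone update could absorb from the share that needs per-recipe work.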
