Yocto project - Milestone 1. Triage CVEs 1-40
This report contains the results of the triage of the first 40 CVEs, as of 18 April 2024.
Note that the invalid CVEs are sent separately as email patches.
Fields for each entry: No., CVE (recipe), Status, Version constraint exists, Affected versions, meta-openembedded version, Solution for Yocto.

1. CVE-2024-22211 (freerdp)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 2.11.5 (excl.); from 3.0.0 (incl.) to 3.2.0 (excl.)
   meta-openembedded version: 2.11.2 and 3.4.0
   Solution for Yocto: The issue is addressed in 2.11.5 and 3.2.0. Update the FreeRDP 2.11.2 recipe to 2.11.5 or higher; 3.4.0 is outside the affected range.

2. CVE-2024-21485 (dash)
   Status: invalid
   Version constraint exists: No need
   Affected versions: --
   meta-openembedded version: --
   Solution for Yocto: The dash recipe in meta-openembedded builds a different package from the one the CVE refers to (the shell, not the Python web framework of the same name).
   Package used in meta-openembedded: https://git.kernel.org/pub/scm/utils/dash/dash.git
   Package with the CVE: https://github.com/plotly/dash
   No action required. Remove this issue from the CVE list.

3. CVE-2024-0962 (libcoap)
   Status: valid
   Version constraint exists: No need
   Affected versions: 4.3.4
   meta-openembedded version: 4.3.4
   Solution for Yocto: The issue is addressed in 4.3.4a. Update libcoap to the patch release 4.3.4a.

4. CVE-2023-51713 (proftpd)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.3.8a (excl.)
   meta-openembedded version: 1.3.7c
   Solution for Yocto: Update proftpd to 1.3.8b (the fix is in 1.3.8a; 1.3.8b also covers item 5).

5. CVE-2023-48795 (proftpd)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.3.8b (excl.)
   meta-openembedded version: 1.3.7c
   Solution for Yocto: Update proftpd to 1.3.8b (the same upgrade as item 4).

6. CVE-2001-0027 (proftpd)
   Status: invalid
   Version constraint exists: No need
   Affected versions: ProFTPD running the mod_sqlpw module
   meta-openembedded version: 1.3.7c
   Solution for Yocto: No action required. The issue only affects ProFTPD with the mod_sqlpw module, which meta-openembedded does not build.

7. CVE-2023-51257 (jasper)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 4.1.1 (incl.)
   meta-openembedded version: 4.1.1
   Solution for Yocto: Update jasper to at least 4.1.2, preferably to the latest release 4.2.3.

8. CVE-2020-23026 (dhrystone)
   Status: gather evidence
   Version constraint exists: No need
   Affected versions: 2.1
   meta-openembedded version: 2.1
   Solution for Yocto: The package is archived and no longer maintained upstream, so no fix is expected. A solution would be to replace it with another benchmark tool.

9. CVE-2009-1147 (ace)
   Status: invalid
   Version constraint exists: No need
   Affected versions: VMware ACE 2.5.1 and earlier
   meta-openembedded version: --
   Solution for Yocto: The issue is invalid because VMware ACE is no longer used. open-vm-tools is used instead; it is part of the VMware ecosystem but is not affected by this CVE.
   No action required. Remove this issue from the CVE list.

10. CVE-2019-3821 (civetweb)
   Status: invalid
   Version constraint exists: email sent
   Affected versions: up to 1.11
   meta-openembedded version: 1.16
   Solution for Yocto: None of the affected versions is used by meta-openembedded.
   No action required. Remove this issue from the CVE list.

11. CVE-2023-4256 (tcpreplay)
   Status: valid
   Version constraint exists: No need
   Affected versions: 4.4.3 and 4.4.4
   meta-openembedded version: 4.4.4
   Solution for Yocto: No fixed release yet; upgrade once a fix is released. The upstream issue tracker describes the bug and a possible workaround.

12. CVE-2023-50447 (python3-pillow)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 10.1.0 (incl.)
   meta-openembedded version: 10.1.0
   Solution for Yocto: Update python3-pillow to the latest version 10.3.0. The issue is fixed in 10.2.0, but 10.2.0 is itself affected by other CVEs, so upgrade straight to 10.3.0.

13. CVE-2023-48161 (giflib:giflib-native)
   Status: valid
   Version constraint exists: No need
   Affected versions: 5.2.1
   meta-openembedded version: 5.2.1
   Solution for Yocto: Fixed upstream. Update giflib to 5.2.2.

14. CVE-2023-39742 (giflib:giflib-native)
   Status: valid
   Version constraint exists: No need
   Affected versions: 5.2.1
   meta-openembedded version: 5.2.1
   Solution for Yocto: Fixed upstream. Update giflib to 5.2.2.

15. CVE-2022-28506 (giflib:giflib-native)
   Status: valid
   Version constraint exists: No need
   Affected versions: 5.2.1
   meta-openembedded version: 5.2.1
   Solution for Yocto: Fixed upstream. Update giflib to 5.2.2.

16. CVE-2023-46853 (memcached)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.6.22 (excl.)
   meta-openembedded version: 1.6.17
   Solution for Yocto: Update memcached to 1.6.22 or higher.

17. CVE-2023-46852 (memcached)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.6.22 (excl.)
   meta-openembedded version: 1.6.17
   Solution for Yocto: Update memcached to 1.6.22 or higher.

18. CVE-2022-26635 (memcached)
   Status: invalid
   Version constraint exists: No need
   Affected versions: PHP-Memcached v2.2.0 and below
   meta-openembedded version: --
   Solution for Yocto: Not a valid issue. The CVE concerns the php-memcached client library, which does not exist in meta-openembedded.

19. CVE-2023-46045 (graphviz:graphviz-native)
   Status: valid
   Version constraint exists: No need
   Affected versions: from 2.36.0 (incl.) up to 10.0.0 (excl.)
   meta-openembedded version: 8.1.0
   Solution for Yocto: Update graphviz to 10.0.1.

20. CVE-2014-9157 (graphviz:graphviz-native)
   Status: invalid
   Version constraint exists: email sent
   Affected versions: 8.0.*; < 2.42.4
   meta-openembedded version: 8.1.0
   Solution for Yocto: No action required. The current version is not affected by the issue.

21. CVE-2017-15644 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.850 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.860, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

22. CVE-2017-15645 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.850 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.860, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

23. CVE-2017-15646 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.850 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.860, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

24. CVE-2017-17089 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.860 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.870, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

25. CVE-2019-12840 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.910 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.920, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

26. CVE-2019-15107 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.920 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.930, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

27. CVE-2019-15641 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.930 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.941, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

28. CVE-2019-15642 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.920 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.930, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

29. CVE-2020-12670 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.941 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed upstream in a release after 1.941; the intermediate releases are affected by other CVEs in this list, so update webmin to the latest release 2.105.

30. CVE-2020-35606 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.962 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.970, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

31. CVE-2020-8820 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.941 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.953, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

32. CVE-2020-8821 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.941 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.953, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

33. CVE-2022-0824 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.990 (excl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.991, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

34. CVE-2022-0829 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.990 (excl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.991, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

35. CVE-2022-30708 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.991 (excl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.994, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

36. CVE-2022-36446 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 1.997 (excl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 1.999, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

37. CVE-2023-43309 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 2.002 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: Fixed in 2.010, which is itself affected by other CVEs in this list; update webmin to the latest release 2.105.

38. CVE-2023-52046 (webmin)
   Status: valid
   Version constraint exists: No need
   Affected versions: up to 2.105 (incl.)
   meta-openembedded version: 1.850
   Solution for Yocto: No fix is available yet; 2.105 is the newest release as of this report, and it is still affected. Update to 2.105 for the other webmin issues and track upstream for a fix.

39. CVE-2023-44398 (exiv2)
   Status: valid
   Version constraint exists: No need
   Affected versions: 0.28.0
   meta-openembedded version: 0.28.0
   Solution for Yocto: Update exiv2 to the latest version 0.28.2.

40. CVE-2007-6353 (exiv2)
   Status: invalid
   Version constraint exists: email sent
   Affected versions: up to 0.16 (excl.)
   meta-openembedded version: 0.28.0
   Solution for Yocto: No action required. The current version is not affected by the issue.
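The decisions in the table come down to two mechanical checks: does the recipe version fall inside the affected range stated for the CVE (taking care with letter-suffixed releases such as proftpd 1.3.8a or libcoap 4.3.4a), and, for the entries marked invalid, how is that decision recorded so cve-check stops reporting it. The following Python is an added example written for this page; it is not part of the Neighbourhoodie report, not the patches that were sent by email, and not Yocto's own cve-check implementation. The TRIAGE data is constructed from rows 1, 3, 4, 7, 10 and 19 above, the "up to 1.11" bound for civetweb is taken as inclusive (an assumption), and the CVE_STATUS values are the ones accepted by the cve-check class.

```python
"""Triage helper for the version ranges in the table above.

Added example (Python), not part of the Neighbourhoodie report and not
Yocto's own cve-check tooling. A few rows of the table are re-encoded
here as constructed data; the helper decides whether each shipped recipe
version falls inside the NVD-style affected ranges (handling letter-suffixed
releases such as proftpd 1.3.8a and libcoap 4.3.4a) and builds the
CVE_STATUS line a recipe would carry for a CVE triaged as invalid.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_TOKEN = re.compile(r"\d+|[a-z]+")


def version_key(v: str) -> tuple:
    """Map '1.3.8a' to ((0, 1), (0, 3), (0, 8), (1, 'a')) for ordering.

    Numeric parts compare as integers (1.16 > 1.11, 10.0.0 > 8.1.0) and a
    letter suffix sorts after the bare number (1.3.8 < 1.3.8a < 1.3.8b),
    which is how proftpd and libcoap number their patch releases.
    Caveat: pre-release tags such as 'rc1' or 'beta' would wrongly sort
    after the final release under this scheme; none occur in the table.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in _TOKEN.findall(v.lower()))


@dataclass(frozen=True)
class Range:
    """One affected-version constraint: [low, high), or [low, high] when
    high_inclusive is set. None means 'no bound on that side'."""
    low: Optional[str] = None
    high: Optional[str] = None
    high_inclusive: bool = False

    def contains(self, v: str) -> bool:
        k = version_key(v)
        if self.low is not None and k < version_key(self.low):
            return False
        if self.high is not None:
            hk = version_key(self.high)
            return k <= hk if self.high_inclusive else k < hk
        return True


def is_affected(ranges: List[Range], version: str) -> bool:
    """True if the version lies in any of the affected ranges."""
    return any(r.contains(version) for r in ranges)


# Constructed from rows 1, 3, 4, 7, 10 and 19 of the table: affected ranges
# as given there and the recipe version(s) in the meta-openembedded column.
# The civetweb bound "up to 1.11" is taken as inclusive (assumption).
TRIAGE: Dict[str, Tuple[List[Range], List[str]]] = {
    "CVE-2024-22211 freerdp": ([Range(high="2.11.5"),
                                Range(low="3.0.0", high="3.2.0")], ["2.11.2", "3.4.0"]),
    "CVE-2024-0962 libcoap": ([Range(low="4.3.4", high="4.3.4", high_inclusive=True)], ["4.3.4"]),
    "CVE-2023-51713 proftpd": ([Range(high="1.3.8a")], ["1.3.7c"]),
    "CVE-2023-51257 jasper": ([Range(high="4.1.1", high_inclusive=True)], ["4.1.1"]),
    "CVE-2019-3821 civetweb": ([Range(high="1.11", high_inclusive=True)], ["1.16"]),
    "CVE-2023-46045 graphviz": ([Range(low="2.36.0", high="10.0.0")], ["8.1.0"]),
}


def triage(entry: str) -> Dict[str, bool]:
    """Per shipped recipe version: is it inside an affected range?"""
    ranges, versions = TRIAGE[entry]
    return {v: is_affected(ranges, v) for v in versions}


# Statuses accepted by Yocto's cve-check class; the first three match the
# kinds of 'invalid' rows in the table.
CVE_STATUSES = {
    "fixed-version",           # shipped version is outside the affected range (civetweb, exiv2)
    "cpe-incorrect",           # CVE is about a different product with the same name (dash)
    "not-applicable-config",   # affected component is not built (proftpd mod_sqlpw)
    "not-applicable-platform", "backported-patch", "cpe-stable-backport",
    "disputed", "upstream-wontfix",
}


def cve_status_line(cve: str, status: str, reason: str) -> str:
    """Build the CVE_STATUS assignment that records a triage decision in a recipe."""
    if status not in CVE_STATUSES:
        raise ValueError(f"unknown CVE_STATUS {status!r}")
    if not re.fullmatch(r"CVE-\d{4}-\d{4,}", cve):
        raise ValueError(f"malformed CVE id {cve!r}")
    return f'CVE_STATUS[{cve}] = "{status}: {reason}"'


if __name__ == "__main__":
    for entry in TRIAGE:
        print(entry, triage(entry))
    print(cve_status_line("CVE-2019-3821", "fixed-version",
                          "civetweb 1.16 is outside the affected range (up to 1.11)"))
```

The suffix ordering is the part worth checking by hand: 1.3.7c sorts below 1.3.8a because the third component differs (7 < 8) before any letter is compared, while 4.3.4a sorts above 4.3.4 because it is a strict extension of it, so an "up to 4.3.4 (incl.)" range catches the recipe version but not the patch release. The CVE_STATUS line goes into the recipe (or a bbappend) and is what turns a reviewed "invalid" row into a result that cve-check reports as Ignored or Patched rather than Unpatched on every build.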
This review was carried out by the Neighbourhoodie team as part of the scope of work with STF and the Yocto team.