Security status of the Gateway blueprint

Last status data: Nov 29th, 2021

Cross-checked with dunfell security report from OE-core CVE metrics for dunfell on Sun 28 Nov 2021 04:30:01 AM HST

Take-aways:

  • The kernel contains most of the issues:
    We have the 5.10 kernel now, but a few versions behind: 131 issues (128 issues last week, 125 previously)
  • 95 non-kernel issues (down from previous weeks: 115, 109, 130, 117), but 68 of them are in non-installed packages → 27 left
  • New CVEs this week: gcc (high impact, disputed), busybox (multiple issues and no LTS branch)
  • More than half of the packages have no CVE reports (possible name mismatches). No high-risk items visible immediately.

CVE status:
Packages: 357 (previous weeks: 357, 357, 359, 349)
CVEs available for: 168 packages (previously 169, 170, 173, 168)
No CVEs detected in: 189 (previously 188, 187, 186, 181)
Packages to check (full list available):

  • libmpc
  • libpciaccess
  • mpfr
  • libxshmfence
  • xrandr
  • python3* packages
  • libdrm
  • libusb1-native
  • musl-obstack
  • libusb-compat-native
  • libpthread-stubs
  • xcb-proto
  • libmodule-build-perl
  • liberror-perl
  • tzcode
  • libogg
  • cwautomacros-native
  • xorgproto
  • libmnl
  • xtrans
  • bjam
  • popt
  • argp-standalone
  • wayland*
  • libunistring
  • libgpg-error
  • libassuan
  • btrfs-tools
  • diffutils
  • pi-bluetooth
  • libsnl2
  • libcap-ng
  • libgudev
  • libcheck
  • libdeamon
  • intltool
  • meson
  • swig
  • obexftp
  • tayga
  • iw
  • libwebsockets
  • cmake
  • lzop

Stats file: gateway-2021-11-29.ods (25.9 KB)

About db:

After Oracle's change of the DB licence (Berkeley DB, Wikipedia), most distros dropped the package. If included, it is the older version from ~2013. Debian is somewhat maintaining it (https://metadata.ftp-master.debian.org/changelogs//main/d/db5.3/db5.3_5.3.28+dfsg1-0.8_changelog) but does not include the fixes for the CVEs. Patches from the advisories aren't directly available; one needs to create an account and enter a product name to access them (?).

Recommendation: track dependencies and remove this package if possible.

DB isn't installed in the image. In the future: move RPM to the sqlite backend and remove db from the compilation.
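The triage above (kernel vs. non-kernel, subtracting issues in non-installed packages, and spotting recipes with no CVE data at all) is easy to script on top of the cve-check text report. The following is an added example, not code from this thread or from the Yocto project: it assumes the dunfell-era cve-check text layout ("KEY: value" lines, one blank-line-separated record per CVE), a hand-maintained set of installed recipe names, and kernel recipe names of `linux-yocto`/`linux-raspberrypi`; the sample report, CVE ids, scores and package sets are constructed placeholders.

```python
"""Triage a Yocto/OE cve-check text report against the image's installed recipes.

Added example, not code from the thread or from the Yocto project. It assumes
the dunfell-era cve-check text format ("KEY: value" lines, one blank-line
separated record per CVE) and a hand-maintained set of installed recipe names;
the sample report, CVE ids and package sets below are constructed placeholders.
"""
import re

# Assumption: the kernel recipe names used in this build.
KERNEL_RECIPES = {"linux-yocto", "linux-raspberrypi"}

KEY_VALUE_RE = re.compile(r"^([A-Za-z0-9 ]+?):\s*(.*)$")


def parse_report(text):
    """Return one dict per CVE record; keys are the report's own field names."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                       # a blank line ends a record
            if "CVE" in current:
                records.append(current)
            current = {}
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if "CVE" in current:                   # flush the last record
        records.append(current)
    return records


def cvss3(record):
    """CVSS v3 base score as a float; 0.0 when the field is missing or empty."""
    try:
        return float(record.get("CVSS v3 BASE SCORE", "0"))
    except ValueError:
        return 0.0


def unpatched(records):
    return [r for r in records if r.get("CVE STATUS", "").startswith("Unpatched")]


def triage(records, installed):
    """Split unpatched CVEs into the three buckets the weekly status uses."""
    buckets = {"kernel": [], "non_kernel_installed": [], "non_kernel_not_installed": []}
    for r in unpatched(records):
        pkg = r["PACKAGE NAME"]
        if pkg in KERNEL_RECIPES:
            buckets["kernel"].append(r)
        elif pkg in installed:
            buckets["non_kernel_installed"].append(r)
        else:
            buckets["non_kernel_not_installed"].append(r)
    return buckets


def high_severity(records, installed, threshold=7.0):
    """(score, recipe, CVE) for unpatched CVEs that actually ship in the image
    (kernel or installed recipe) and meet the threshold. Issues in recipes that
    are built but not installed are left out, as the status report does."""
    b = triage(records, installed)
    shipped = b["kernel"] + b["non_kernel_installed"]
    hits = [(cvss3(r), r["PACKAGE NAME"], r["CVE"]) for r in shipped if cvss3(r) >= threshold]
    return sorted(hits, reverse=True)


def missing_cve_data(recipes, records):
    """Recipes that never appear in the report: candidates for a CPE name mismatch."""
    seen = {r["PACKAGE NAME"] for r in records}
    return sorted(set(recipes) - seen)


def _rec(pkg, ver, cve, status, score):
    # Constructed record in cve-check's text layout (the CVE id is a placeholder).
    return (f"LAYER: meta\nPACKAGE NAME: {pkg}\nPACKAGE VERSION: {ver}\nCVE: {cve}\n"
            f"CVE STATUS: {status}\nCVE SUMMARY: placeholder\nCVSS v2 BASE SCORE: 0.0\n"
            f"CVSS v3 BASE SCORE: {score}\nVECTOR: NETWORK\n"
            f"MORE INFORMATION: https://nvd.example.invalid/{cve}\n")


# Constructed sample report: two kernel issues, one patched and one unpatched
# busybox issue, and high-score issues in gcc and db, which are not installed.
SAMPLE_REPORT = "\n".join([
    _rec("linux-yocto", "5.10.0", "CVE-0000-1001", "Unpatched", "7.8"),
    _rec("linux-yocto", "5.10.0", "CVE-0000-1002", "Unpatched", "5.5"),
    _rec("busybox", "1.31.1", "CVE-0000-1003", "Unpatched", "5.5"),
    _rec("busybox", "1.31.1", "CVE-0000-1004", "Patched", "7.5"),
    _rec("gcc", "9.3.0", "CVE-0000-1005", "Unpatched", "9.8"),
    _rec("db", "5.3.28", "CVE-0000-1006", "Unpatched", "7.5"),
])
INSTALLED = {"busybox", "popt", "libwebsockets"}                  # constructed
BUILD_RECIPES = INSTALLED | {"linux-yocto", "gcc", "db", "libmpc"}  # constructed


def summarize(text=SAMPLE_REPORT, installed=INSTALLED, recipes=BUILD_RECIPES):
    """The numbers the weekly status quotes, computed from the report."""
    records = parse_report(text)
    b = triage(records, installed)
    return {
        "records": len(records),
        "kernel": len(b["kernel"]),
        "non_kernel": len(b["non_kernel_installed"]) + len(b["non_kernel_not_installed"]),
        "non_kernel_not_installed": len(b["non_kernel_not_installed"]),
        "non_kernel_left": len(b["non_kernel_installed"]),
        "high_severity": high_severity(records, installed),
        "no_cve_data": missing_cve_data(recipes, records),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On a real build, feed it the text report from `tmp/deploy/cve/` and derive the installed set from the image manifest; note that the manifest lists runtime package names, not recipe names, so that mapping is the step most likely to need care. The "no CVE data" list is only a hint: a recipe absent from the report may genuinely have no CVEs, or its CPE name may simply not match the NVD feed.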

Thanks for the update @marta.

Do we anticipate making any headway on the non-kernel updates before 15th Nov?

@idlethread yes, a few of them have fixes that we can grab. MRs will follow shortly.