💾 Archived View for gem.librehacker.com › gemlog › tech › 20210901-0.gmi captured on 2024-06-16 at 12:32:09. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-11-30)
-=-=-=-=-=-=-
Someone in #guix IRC gave me this helpful command for listing CVEs for your active Guix profile and system:
guix lint -c cve $(guix package -p ~/.guix-profile -p /run/current-system/profile -I | cut -f1)
Things were a little more complicated for me because I use inferiors, so some installed packages are not in the current guix pull. I had to add some grep calls to exclude those packages from the list:
christopher@theoden ~$ guix lint -c cve $(guix package -p ~/.guix-profile -p /run/current-system/profile -I | grep -v qucs | grep -v linphoneqt | cut -f1) gnu/packages/admin.scm:1932:2: wpa-supplicant@2.9: probably vulnerable to CVE-2019-16275 gnu/packages/avahi.scm:38:2: avahi@0.8: probably vulnerable to CVE-2021-26720, CVE-2021-3468 gnu/packages/base.scm:180:2: tar@1.32: probably vulnerable to CVE-2021-20193, CVE-2021-32803, CVE-2021-32804 gnu/packages/base.scm:238:2: patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-2018-6952 gnu/packages/admin.scm:803:2: shadow@4.8.1: probably vulnerable to CVE-2019-19882 gnu/packages/wget.scm:46:2: wget@1.20.3: probably vulnerable to CVE-2021-31879 gnu/packages/databases.scm:1289:2: recutils@1.8: probably vulnerable to CVE-2019-11637, CVE-2019-11638, CVE-2019-11639, CVE-2019-11640, CVE-2019-6455, CVE-2019-6456, CVE-2019-6457, CVE-2019-6458, CVE-2019-6459, CVE-2019-6460 gnu/packages/gnome.scm:10753:2: evolution@3.34.2: probably vulnerable to CVE-2021-3349 gnu/packages/dns.scm:318:2: bind@9.16.16: probably vulnerable to CVE-2019-6470 gnu/packages/compression.scm:1692:2: zip@3.0: probably vulnerable to CVE-2018-13410 gnu/packages/compression.scm:1796:2: unzip@6.0: probably vulnerable to CVE-2019-13232 gnu/packages/rsync.scm:73:2: rsync@3.2.3: probably vulnerable to CVE-2020-14387 gnu/packages/virtualization.scm:144:2: qemu@6.0.0: probably vulnerable to CVE-2021-20255, CVE-2021-3507, CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3682, CVE-2020-35503 gnu/packages/python.scm:108:2: python2@2.7.17: probably vulnerable to CVE-2021-23336, CVE-2021-3426, CVE-2020-8492, CVE-2019-18348, CVE-2019-20907, CVE-2019-9674 gnu/packages/python.scm:366:2: python@3.8.2: probably vulnerable to CVE-2021-23336, CVE-2021-29921, CVE-2021-3426, CVE-2020-14422, CVE-2020-27619, CVE-2019-18348 gnu/packages/tls.scm:495:2: openssl@1.1.1l: probably vulnerable to CVE-2018-16395
Most of these are Medium level CVEs. It looks like a lot of vulnerabilities, but things are not so clear when you start actually reading the CVEs. Many of them have notes similar to "this CVE has been modified and is awaiting re-analysis" or "it is highly unlikely that this vulnerability would ever be exposed in any real use of the application" or "third parties dispute the significance of this issue". The CVE shown attached to openssl, at a quick glance, appears to be more of a vulnerability in the Ruby module that uses openssl.
Alaskalinuxuser, 2021-09-02
Yes, I find one must carefully read the CVEs before blindly taking action when I work with Android kernels.