[oe] OpenEmbedded and known security issues

Holger Hans Peter Freyther holger+oe at freyther.de
Sun Feb 28 14:03:34 UTC 2010


On Sunday 28 February 2010 14:08:03 Holger Hans Peter Freyther wrote:

> It needs the output of "bitbake -s" (minus the first three lines), it needs
> the uncompressed/untared auditfiles.tbz and then it will list some
> stuff... It is not yet comparing the package versions...

Attached is the current script and the current output. I need to compare 
versions and bb.utils.vercmp doesn't like some of the BSD versions...

Here is a manual analysis and a list of vulnerable software:

gd needs to be upgraded to at least 2.0.35 + patch
unzip seems vulnerable
gnutls 2.4.42 needs to be upgraded to >2.6.6
dia 0.96.1 is vulnerable
fetchmail 6.3.8 is vulnerable
wireshark 1.0.2 is vulnerable
firefox 3.5.5 is vulnerable
vim 7.0 is vulnerable
wget 1.9.1 is vulnerable
perl 5.8.8 is vulnerable 
mt-daapd 0.2.4.2 is vulnerable
cyrus-sasl 2.1.19 is vulnerable
gpdf 2.10.0 is vulnerable
ruby 1.8.7-p248 is vulnerable
pango-native is vulnerable
cscope 15.5 is vulnerable
freeciv 2.0.8 is vulnerable
openssl 0.9.8j is vulnerable
tor 0.1.1.26 is vulnerable
libghttpd 1.4.18 is vulnerable
ipsec-tools 0.6.7 is vulnerable
cyrus-imapd 2.2.12 is vulnerable
gallery 1.5.5 is vulnerable
thunderbird 1.0.7 is vulnerable
findutils 4.2.29 is vulnerable
findutils-native 4.2.29 is vulnerable
streamripper 1.61.10 is vulnerable
id3lib 3.8.3 is vulnerable
vorbis-tools 1.1.1 is vulnerable
libvorbis 1.2.3 is vulnerable (without a patch)
gftp 2.0.18 is vulnerable
gnupg 1.4.2.2 is vulnerable
screen 4.0.3 is vulnerable
wv 1.2.0 is vulnerable
libxine 1.1.16.3 is vulnerable
libcdaudio 0.99.12p2 is vulnerable
imlib 1.9.15 is vulnerable
bogofilter 0.96.0 is vulnerable
gdk-pixbuf maybe too
maradns 10.41 is vulnerable
cdrtools-native 2.01 is vulnerable
squid 2.6.STABLE14 is vulnerable (http://portaudit.FreeBSD.org/6eb580d7-a29c-11dc-8919-001c2514716c.html)
pngcrush 1.6.4 is vulnerable
pngcrush-native 1.6.4 is vulnerable
gzip 1.3.5 is vulnerable
dnsmasq 2.47 is vulnerable
apr 1.3.3 is vulnerable
socat 1.3.2.1 is vulnerable
unrar 3.4.3 is vulnerable
unrar-native 3.4.3 is vulnerable
bitlbee 1.0.4 is vulnerable
ctorrent is vulnerable
postgresql 8.1.8 is vulnerable
libexif 0.6.17 is vulnerable
libwmf 0.2.8.4 might be vulnerable
libwmf-native same thing
git 1.6.0.4 is vulnerable
git-native 1.6.0.4 is vulnerable
netatalk 2.0.3 might be vulnerable
libspf2 1.0.4 is vulnerable
curl-sdk 7.18.2 is vulnerable
bzip2 might be vulnerable
gnome-screensaver 2.28.0 is vulnerable

love
	z.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oe_audit.py
Type: text/x-python
Size: 4151 bytes
Desc: not available
URL: <http://lists.openembedded.org/pipermail/openembedded-devel/attachments/20100228/a33a6e5b/attachment-0002.py>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: current_output.zip
Type: application/zip
Size: 4918 bytes
Desc: not available
URL: <http://lists.openembedded.org/pipermail/openembedded-devel/attachments/20100228/a33a6e5b/attachment-0004.zip>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not_in_oe.bugs.zip
Type: application/zip
Size: 5239 bytes
Desc: not available
URL: <http://lists.openembedded.org/pipermail/openembedded-devel/attachments/20100228/a33a6e5b/attachment-0005.zip>
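As an added example (not the attached oe_audit.py, which is not reproduced here), this is the version comparison the mail says is still missing: it reads the recipe/version pairs of a "bitbake -s" listing, matches them against portaudit-style range entries, and orders versions with a key that accepts the FreeBSD ",epoch" and "_portrevision" suffixes and mixed parts like "2.6.STABLE14" that bb.utils.vercmp refuses. The auditfile line format, the column layout and every package line below are assumed or constructed for illustration.

```python
import re

# Constructed "bitbake -s" sample, header lines already dropped as the mail
# describes (assumed layout: recipe name, then version).
BITBAKE_S = """\
gnutls        2.4.42
squid         2.6.STABLE14
libcdaudio    0.99.12p2
wget          1.12
"""

# Constructed portaudit-style entries (assumed format: name, one or more
# <op>version constraints, '|', advisory URL, '|', description).
AUDITFILE = """\
gnutls>=2.4<2.6.6|https://advisory.invalid/gnutls|gnutls -- multiple vulnerabilities
squid<2.6.STABLE15|https://advisory.invalid/squid|squid -- denial of service
libcdaudio<0.99.12p2_1|https://advisory.invalid/libcdaudio|libcdaudio -- heap overflow
wget<1.11.4|https://advisory.invalid/wget|wget -- buffer overflow
"""

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
CONSTRAINT = re.compile(r"(<=|>=|<|>|=)([^<>=|]+)")

def vkey(v):
    """Comparable key: honours FreeBSD ',epoch' and '_portrevision' suffixes and
    splits '2.6.STABLE14' / '0.99.12p2' into numbers (numeric) and words (lowercased)."""
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    parts = tuple((1, int(t)) if t.isdigit() else (0, t.lower())
                  for t in re.findall(r"\d+|[A-Za-z]+", v))
    return (int(epoch or 0), parts, int(rev or 0))

def parse_bitbake_s(text):
    """Map recipe name -> version from 'bitbake -s' lines."""
    return {f[0]: f[1] for f in (ln.split() for ln in text.splitlines()) if len(f) >= 2}

def parse_audit(text):
    """Yield (name, [(op, version), ...], url) for each auditfile entry."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            spec, url, _desc = line.split("|", 2)
            name = re.match(r"[^<>=]+", spec).group(0)
            yield name, CONSTRAINT.findall(spec[len(name):]), url

def affected(pkgs, audit_text):
    """List (name, version, url) for built versions inside a vulnerable range."""
    return [(n, pkgs[n], url) for n, cons, url in parse_audit(audit_text)
            if n in pkgs and all(OPS[op](vkey(pkgs[n]), vkey(b)) for op, b in cons)]
```

Calling affected(parse_bitbake_s(BITBAKE_S), AUDITFILE) on the constructed data flags gnutls, squid and libcdaudio and leaves wget 1.12 alone, since 1.12 sorts above the 1.11.4 bound.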

