package vulnerability

I ran this command: arch-audit -r
It shows:

Package ffmpeg is affected by CVE-2020-13904. It's required by audacious-plugins, chromaprint, chromium, ciano, ffmpegthumbnailer, firefox, gst-libav, libopenshot, mplayer, mpv, openshot, peek, qt5-webengine, shotcut, simplescreenrecorder, vlc. High risk!
Package imagemagick is affected by CVE-2020-13902. It's required by ciano, cups-filters, libopenshot, zbar. Medium risk!
Package inetutils is affected by CVE-2019-0053. It's required by profile-sync-daemon, xorg-xinit. High risk!
Package json-c is affected by CVE-2020-12762. It's required by bind-tools, bluez, cryptsetup, libmypaint, ndctl, psensor, tpm2-tss. High risk!
Package libexif is affected by CVE-2020-13114, CVE-2020-13113, CVE-2020-13112, CVE-2020-12767, CVE-2020-0093, CVE-2019-9278, CVE-2018-20030, CVE-2017-7544, CVE-2016-6328. It's required by gimp, libgphoto2, thunar. High risk!
Package libjcat is affected by CVE-2020-10759. It's required by fwupd. High risk!
Package libreoffice-still is affected by CVE-2020-12803, CVE-2020-12802. Medium risk!
Package libupnp is affected by CVE-2020-13848. It's required by vlc. Medium risk!
Package python-pip is affected by CVE-2018-20225. It's required by python-reportlab. High risk!
Package sqlite is affected by CVE-2020-13871. It's required by aria2, avidemux-cli, colord, elfutils, filezilla, gnupg, lib32-sqlite, libchamplain, libsoup, nss, python2, qt5-base, subversion, sunpinyin, tracker, vnstat, zeitgeist. High risk!
Package unzip is affected by CVE-2018-1000035. It's required by engrampa, file-roller. Low risk!

Some are old stuff like

Package python-pip is affected by CVE-2018-20225
Package unzip is affected by CVE-2018-1000035

Are there worries about these vulnerabilities?

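An added example (not from this thread and not part of arch-audit itself) that parses the "Package ... risk!" lines quoted above and does the triage the discussion is circling around: rank by risk, separate what already has a fix in the repos ("Update to X!") from what has been open for years with no fix. The sample lines are copied from the output posted in this thread; the two-year "stale" threshold is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "Package ... risk!" line as printed by arch-audit -r in this thread.
LINE_RE = re.compile(
    r"^Package (?P<pkg>\S+) is affected by (?P<cves>CVE-[^.]+)\."
    r"(?: It's required by (?P<deps>[^.]+)\.)?"
    r" (?P<risk>Low|Medium|High|Critical) risk!"
    r"(?: Update to (?P<fix>[^!]+)!)?$"
)
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Finding:
    pkg: str
    cves: List[str]
    deps: List[str]          # reverse dependencies reported via -r (may be empty)
    risk: str
    fix: Optional[str]       # "Update to X!" version when a fix is already in the repos

def parse_report(text: str) -> List[Finding]:
    """Parse arch-audit -r output; non-matching lines (chatter, blanks) are skipped."""
    split = lambda s: [x.strip() for x in s.split(",")] if s else []
    return [Finding(m["pkg"], split(m["cves"]), split(m["deps"]), m["risk"], m["fix"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(findings: List[Finding], year: int, stale_after: int = 2) -> dict:
    """Rank by risk, then list what is fixable now (fix in repos) and what has
    been open stale_after+ years with no fix (the thread's 'old stuff')."""
    ranked = sorted(findings, key=lambda f: (RISK_ORDER[f.risk], f.pkg))
    fixable = [f.pkg for f in ranked if f.fix]
    stale = [f.pkg for f in ranked if not f.fix
             and year - min(int(c.split("-")[1]) for c in f.cves) >= stale_after]
    return {"ranked": [f.pkg for f in ranked], "fixable": fixable, "stale": stale}

# Sample lines copied from the arch-audit output quoted in this thread.
SAMPLE = """\
Package ffmpeg is affected by CVE-2020-13904. It's required by chromaprint, vlc. High risk!
Package inetutils is affected by CVE-2019-0053. High risk!
Package python-pip is affected by CVE-2018-20225. It's required by python-reportlab. High risk!
Package dbus is affected by CVE-2020-12049. It's required by avahi, bluez. Low risk! Update to 1.12.18-1!
Package libexif is affected by CVE-2020-13114, CVE-2019-9278, CVE-2016-6328. It's required by gimp. High risk!
"""

if __name__ == "__main__":
    for k, v in triage(parse_report(SAMPLE), year=2020).items():
        print(f"{k:8s} {', '.join(v)}")
```

Feed it `arch-audit -r` output on stdin or a saved file in place of SAMPLE; "stale" is the list worth raising with the packager, "fixable" is just a pending update.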

What branch of Manjaro are you on, and how long ago has it been since you last updated your system?

It is unstable branch. I check updates many times every day. The system is fully updated.

Well, on the one hand, there's a reason as to why Manjaro labels it the Unstable branch, but on the other hand, some of those CVEs are high-risk vulnerabilities, and we wouldn't want those percolating into the Stable branch. :thinking:

Pinging @Manjaro-Team.


You are right. Unstable gets the latest of vulnerabilities as well. One high risk is from 2018, another from 2019.

Package python-pip is affected by CVE-2018-20225. It's required by python-reportlab. High risk!
Package inetutils is affected by CVE-2019-0053. It's required by profile-sync-daemon, xorg-xinit. High risk!

I thought to report. Thanks for your reply and pinging the developers.


Well, then these from the stable branch need to be addressed too:

Package ffmpeg is affected by CVE-2020-13904. It's required by chromaprint, chromium, ffmpegthumbnailer, gst-libav, qt5-webengine, vlc. High risk!
Package imagemagick is affected by CVE-2020-13902. It's required by cups-filters, zbar. Medium risk!
Package inetutils is affected by CVE-2019-0053. It's required by xorg-xinit. High risk!
Package json-c is affected by CVE-2020-12762. It's required by bluez, cryptsetup, ndctl. High risk!
Package libexif is affected by CVE-2020-13114, CVE-2020-13113, CVE-2020-13112, CVE-2020-12767, CVE-2020-0093, CVE-2019-9278, CVE-2018-20030, CVE-2017-7544, CVE-2016-6328. It's required by libgphoto2, tracker-miners. High risk!
Package libupnp is affected by CVE-2020-13848. It's required by vlc. Medium risk!
Package python-pip is affected by CVE-2018-20225. It's required by python-reportlab. High risk!
Package sqlite is affected by CVE-2020-13871. It's required by colord, elfutils, geary, gnupg, gom, libsoup, nss, python2, qt5-base, subversion, tracker. High risk!
Package unzip is affected by CVE-2018-1000035. It's required by file-roller. Low risk!

You could read what is said about them

The source website https://nvd.nist.gov/

The search page https://nvd.nist.gov/vuln/search


Just booted up a live ISO, latest stable, and after installing arch-audit I get this list:

Package dbus is affected by CVE-2020-12049. It's required by at-spi2-core, avahi, bluez, colord, cups, dbus-glib, dnsmasq, flatpak, fluidsynth, ghostscript, lib32-dbus, libpcap, libproxy, libpulse, libteam, manjaro-hotfixes, pipewire, python-dbus, rtkit, spice-vdagent, steam-manjaro, systemd, wpa_supplicant, xorg-server, zbar. Low risk! Update to 1.12.18-1!
Package ffmpeg is affected by CVE-2020-13904. It's required by chromaprint, ffmpegthumbs, firefox, gst-libav, kfilemetadata, mpd, qt5-webengine, transcode, vlc. High risk!
Package gnutls is affected by CVE-2020-13777. It's required by ffmpeg, glib-networking, gnupg, gnustep-base, libcups, libimobiledevice, libjcat, libmicrohttpd, libnice, libzip, nbd, openconnect, pamac-common, pkcs11-helper, qpdf, rtmpdump, samba, smbclient, vlc, vte3, wget, xmlsec. High risk! Update to 3.6.14-1!
Package imagemagick is affected by CVE-2020-13902. It's required by cups-filters, transcode, zbar. Medium risk!
Package inetutils is affected by CVE-2019-0053. It's required by xorg-xinit. High risk!
Package intel-ucode is affected by CVE-2020-0549, CVE-2020-0548, CVE-2020-0543. High risk! Update to 20200609-1!
Package json-c is affected by CVE-2020-12762. It's required by bluez, cryptsetup, ndctl, tpm2-tss. High risk!
Package libexif is affected by CVE-2020-13114, CVE-2020-13113, CVE-2020-13112, CVE-2020-12767, CVE-2020-0093, CVE-2019-9278, CVE-2018-20030, CVE-2017-7544, CVE-2016-6328. It's required by libgphoto2. High risk!
Package libjcat is affected by CVE-2020-10759. It's required by fwupd. High risk!
Package libupnp is affected by CVE-2020-13848. It's required by mpd, vlc. Medium risk!
Package python-pip is affected by CVE-2018-20225. It's required by python-reportlab. High risk!
Package sqlite is affected by CVE-2020-13871. It's required by colord, elfutils, gnupg, lib32-sqlite, libaccounts-glib, libsoup, mpd, nss, qt5-base, subversion, thunderbird. High risk!
Package thunderbird is affected by CVE-2020-12410, CVE-2020-12406, CVE-2020-12405, CVE-2020-12399, CVE-2020-12398. High risk! Update to 68.9.0-1!

I can read those links, but I know a few users who would get freaked out and not know where to look for explanations, so maybe we can avoid altogether an output like this for someone who just installs Manjaro ...


So never be anxious about the next day, for the next day will have its own anxieties. Each day has enough of its own troubles. - Mat 6:34


Well, if in Arch testing I get this:

Package ffmpeg is affected by CVE-2020-13904. It's required by firefox, firefox-developer-edition, kfilemetadata, opencv, qt5-webengine. High risk!
Package inetutils is affected by CVE-2019-0053. High risk!
Package json-c is affected by CVE-2020-12762. It's required by bluez, cryptsetup, libmypaint, ndctl. High risk!
Package nasm is affected by CVE-2019-8343. High risk!
Package sqlite is affected by CVE-2020-13871. It's required by colord, elfutils, gnupg, libaccounts-glib, libsoup, nss, python2, qt5-base, thunderbird. High risk!
Package unzip is affected by CVE-2018-1000035. Low risk!

I'm fine :smiley:


There will always be some time from the disclosure of a vulnerability until it actually gets fixed :slight_smile:

“I've had a lot of worries in my life, most of which never happened.” ― Mark Twain

Probably a rephrase of this one

"My life has been filled with terrible misfortune; most of which never happened." ― Michel de Montaigne


I hope they get fixed. These are old:

Package python-pip is affected by CVE-2018-20225. It's required by python-reportlab. High risk!
Package inetutils is affected by CVE-2019-0053. It's required by profile-sync-daemon, xorg-xinit. High risk

Thanks for the links in your post. I will read them.

Don't forget https://security.archlinux.org/ :wink:

