wennan.he
12/22/2022, 2:52 AM

Mike Myers
12/22/2022, 2:53 AM

wennan.he
12/22/2022, 2:54 AM

Mike Myers
12/22/2022, 2:54 AM

wennan.he
12/22/2022, 2:56 AM

Mike Myers
12/22/2022, 3:01 AM
closed when we have either provided an analysis on the issue and told our monitoring script to ignore it for now, or when we have updated the affected library.

Stefano Bonicatti
12/22/2022, 10:23 AM

seph
12/22/2022, 2:28 PM

wennan.he
12/22/2022, 6:01 PM

Mike Myers
12/23/2022, 5:17 AM

wennan.he
12/23/2022, 5:38 AM

Stefano Bonicatti
12/23/2022, 10:29 AM
cpe:2.3:a:file_project:file:5.40:*:*:*:*:*:*:*
When a CVE is created (by NIST, in their database) it is "linked" to a (single or series, depending on how many versions are affected) product CPE.

wennan.he
12/23/2022, 8:15 PM

Stefano Bonicatti
12/23/2022, 11:42 PM
libraries/cmake/source folder (+ openssl, which is in libraries/cmake/formula).

Mike Myers
12/24/2022, 5:47 PM
osquery/libraries in the source tree (that are git submodules, and populated during the 'configure' step of the build) are built into the compiled osquery. Because osquery only uses some of the functionality of each library, sometimes only part of the library's source code is built into osquery. This is one reason that static analysis can indicate a CVE in the libraries in the source tree, but it is not present in osquery. Another reason is that osquery doesn't use the library in a way that would ever be impacted by the vulnerability. For instance, a compression library like zlib might have a vulnerability in compression, but osquery only ever uses it to decompress and would not be affected. Or vice versa.

wennan.he
12/25/2022, 5:25 AM

Mike Myers
12/29/2022, 6:06 AM

wennan.he
12/29/2022, 6:44 PM