This must be a stupid question, since no-one else seems to be worried (the search for "arch-audit" doesn't show any postings), but I am starting to get a little bit worried. Since arch-audit became available for Arch Linux ARM, I am using it to check my installation for known vulnerabilities. During the last month, it always shows a number of high-risk vulnerabilities, even for very important packages like binutils. Do I need to worry, or are these vulnerabilities specific to Intel hardware, and harmless on an ARM device?
To be more precise, here is what I am getting today:
$this->bbcode_second_pass_code('', 'Package binutils is affected by ["CVE-2017-9044", "CVE-2017-9043", "CVE-2017-9042", "CVE-2017-9041", "CVE-2017-9040", "CVE-2017-9039", "CVE-2017-9038", "CVE-2017-7210", "CVE-2017-7209", "CVE-2017-6969", "CVE-2017-6966", "CVE-2017-6965"]. High risk!
Package libffi is affected by ["CVE-2017-1000376"]. High risk!
Package libtiff is affected by ["CVE-2016-10095", "CVE-2015-7554"]. Critical risk!
Package pcre is affected by ["CVE-2017-7246", "CVE-2017-7245", "CVE-2017-7244", "CVE-2017-7186"]. High risk!
Package systemd is affected by ["CVE-2017-9445"]. High risk! Update to 233-6 from testing repos!')
For the high-risk systemd vulnerability CVE-2017-9445, there is a simple workaround in stopping systemd-resolved.service - this will make systemd safe for the time being, but of course this doesn't apply to all the other CVEs I was not yet able to check in detail.
Thank you in advance,
Christian
arch-audit reporting high and critical risk vulnerabilities
2 posts
• Page 1 of 1
arch-audit reporting high and critical risk vulnerabilities
by Ente » Thu Jun 29, 2017 1:13 pm
- Ente
- Posts: 6
- Joined: Thu Jan 19, 2017 10:37 pm
Re: arch-audit reporting high and critical risk vulnerabilit
by WarheadsSE » Thu Jun 29, 2017 5:09 pm
Let me point a few things out in regards to that particular CVE: CVE-2017-9445
"High risk! Update to 233-6 from testing repos!" .. um no.
`systemctl status systemd-resolved` shows that `/usr/lib/systemd/system/systemd-resolved.service` is the file being used, and examining that file, I see the following points.
* It drops most capabilities off the bat (CapabilityBoundingSet)
* It is using as many lock-downs as possible (PrivateTmp, PrivateDevices, ProtectSystem, MemoryDenyWriteExecute ...)
This is highly locked down to that application itself, and then highly restricted with namespacing and capabilities bring stripped.
"High risk! Update to 233-6 from testing repos!" .. um no.
`systemctl status systemd-resolved` shows that `/usr/lib/systemd/system/systemd-resolved.service` is the file being used, and examining that file, I see the following points.
* It drops most capabilities off the bat (CapabilityBoundingSet)
* It is using as many lock-downs as possible (PrivateTmp, PrivateDevices, ProtectSystem, MemoryDenyWriteExecute ...)
This is highly locked down to that application itself, and then highly restricted with namespacing and capabilities bring stripped.
- WarheadsSE
- Developer
- Posts: 6807
- Joined: Mon Oct 18, 2010 2:12 pm
2 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 8 guests