Viewing CVEs For Your Active Guix Profile And System

Someone in #guix IRC gave me this helpful command for listing CVEs for your active Guix profile and system:

Things were a little more complicated for me because I use inferiors, so some installed packages are not in the current guix pull. I had to add some grep calls to exclude those packages from the list:

Most of these are Medium level CVEs. It looks like a lot of vulnerabilities, but things are not so clear when you start actually reading the CVEs. Many of them have notes similar to "this CVE has been modified and is awaiting re-analysis" or "it is highly unlikely that this vulnerability would ever be exposed in any real use of the application" or "third parties dispute the significance of this issue". The CVE shown attached to openssl, at a quick glance, appears to be more of a vulnerability in the Ruby module that uses openssl.

Comments

Alaskalinuxuser, 2021-09-02

Yes, I find one must carefully read the CVEs before blindly taking action when I work with Android kernels.

Proxied content from gemini://gem.librehacker.com/gemlog/tech/20210901-0.gmi

Gemini request details:

Original URL
gemini://gem.librehacker.com/gemlog/tech/20210901-0.gmi
Status code
Success
Meta
text/gemini
Proxied by
kineto

Be advised that no attempt was made to verify the remote SSL certificate.