How to list the CVEs fixed in a given rpm?

A quick tip to retrieve the CVEs fixed in a given version of an rpm: the package changelog names them, so a single rpm query and a grep is enough to confirm that a specific CVE is covered.


[fool@localhost:~]$ rpm -q --changelog openssl-libs-1.0.1e-51.el7_2.4.x86_64 | grep CVE-2014-3567
- fix CVE-2014-3567 - memory leak when handling session tickets

[fool@localhost:~]$ rpm -q --changelog openssl-libs-1.0.1e-51.el7_2.4.x86_64 | grep CVE-2014-8176
- fix CVE-2014-8176 - invalid free in DTLS buffering code

[fool@localhost:~]$ rpm -q --changelog openssl-libs-1.0.1e-51.el7_2.4.x86_64 | grep CVE-2015-0292
- fix CVE-2015-0292 - integer underflow in base64 decoder

Using grep and sed, the CVE identifiers in the changelog can be extracted one per line. Note that the pattern below only matches ids from CVE-2010 to CVE-2016 with four-digit sequence numbers.
For the php rpm package:

[fool@localhost:~]$ rpm -q --changelog php |grep 'CVE-201[0-6]-[0-9]\{4\}' |sed -e '1s/^.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/^-.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/^\s*.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/, #[0-9]\{7\}//' |sed -e 's/)//g'

For the openssl rpm package:

[fool@localhost:~]$ rpm -q --changelog openssl |grep 'CVE-201[0-6]-[0-9]\{4\}' |sed -e '1s/^.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/^-.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/^\s*.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/, #[0-9]\{7\}//' |sed -e 's/)//g' |sed -e 's/(#.*$//g' -e 's/(.*//g' -e 's/\s.*$//g'
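The same extraction, as an added example that is not part of the original post: a single grep -o with a wider pattern replaces the sed chain above, accepts any year and sequence numbers of four or more digits (which the CVE numbering scheme has allowed since 2014), and deduplicates ids that appear in several changelog entries. The functions read changelog text on stdin, so they run offline against the constructed sample below and, on a real system, against rpm -q --changelog output. The maintainer name, e-mail, bug number and CVE-2099-12345 in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: extract the unique CVE ids
# named in an rpm changelog with one grep instead of a chain of sed calls.

# Read changelog text on stdin, print one unique CVE id per line.
# Four or more sequence digits are accepted, so ids such as CVE-2014-12345
# (allowed since 2014) are not silently dropped.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Count the unique CVE ids in changelog text read on stdin.
count_cves() {
    extract_cves | wc -l | tr -d ' '
}

# Convenience wrapper for an installed package (assumes rpm is available;
# not executed below so that the sample run works offline).
rpm_cves() {
    rpm -q --changelog "$1" | extract_cves
}

# Constructed sample in the layout rpm -q --changelog prints. The three
# CVE-2014/2015 ids are the ones quoted in the post; the packager, the bug
# number and CVE-2099-12345 are placeholders. CVE-2014-3567 appears twice
# to show that duplicates collapse to a single line.
SAMPLE_CHANGELOG='* Mon Jan 01 2015 Example Packager <packager@example.com> - 1.0.1e-42.1
- fix CVE-2015-0292 - integer underflow in base64 decoder
- fix CVE-2014-3567 - memory leak when handling session tickets (#1234567)
- fix CVE-2014-8176 - invalid free in DTLS buffering code
* Mon Jan 01 2014 Example Packager <packager@example.com> - 1.0.1e-40
- fix CVE-2014-3567 (placeholder entry to show deduplication)
- fix CVE-2099-12345 (placeholder id with a five-digit sequence number)'

# Demo on the constructed sample: prints the four unique ids, one per line.
printf '%s\n' "$SAMPLE_CHANGELOG" | extract_cves
```

On a real host, `rpm_cves openssl-libs` lists every id the packager recorded; piping that list into a grep for the CVE you care about gives the same yes/no answer as the per-CVE queries above, and diffing two versions' lists shows what a given update actually fixed.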
