From a7da13d660b9fcab77db3e22aeb8a6fb169d602d Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Wed, 12 Jan 2022 16:53:59 +0100 Subject: [PATCH 1/2] changelog/README.md: specify current security fix section format The entries added in changelog/security/ do not follow our existing security section in the release notes: https://www.flatcar.org/releases/#release-3033.2.0 Document the structure and an example to use the right format that we need for release note generation. --- .../src/third_party/coreos-overlay/changelog/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/README.md b/sdk_container/src/third_party/coreos-overlay/changelog/README.md index 4a94640eed..cf4aaf46de 100644 --- a/sdk_container/src/third_party/coreos-overlay/changelog/README.md +++ b/sdk_container/src/third_party/coreos-overlay/changelog/README.md @@ -29,3 +29,11 @@ As `Updates` refer to the package updates, contents of the file should be of the following format: `- Package Name ([Version](link to changelog))`. Example: `- Linux ([5.10.77](https://lwn.net/Articles/874852/))`. Note the leading dash that will create a bullet list in the rendered markdown. + +The security section follows this format: + +``` +- Package Name ([CVE-NUMBER](NIST-LINK), [CVE-NUMBER](NIST-LINK), ...) +``` + +E.g., `Linux ([CVE-2021-4002](https://nvd.nist.gov/vuln/detail/CVE-2021-4002), [CVE-2020-27820](https://nvd.nist.gov/vuln/detail/CVE-2020-27820))`. From 59ad0cd262413925d12937d9af7dce1f9cdb0c87 Mon Sep 17 00:00:00 2001 
From: Kai Lueke Date: Wed, 12 Jan 2022 17:00:26 +0100 Subject: [PATCH 2/2] changelog/security: use right format for release notes --- .../2021-11-30-golang-text-ignition.md | 3 +-- .../changelog/security/2021-12-02-qemu-6.1.md | 19 +------------------ .../2021-12-03-mantle-golang-crypto-text.md | 4 +--- .../2021-12-03-torcx-golang-crypto-text.md | 3 +-- .../security/2021-12-09-golang-1.17.5.md | 3 +-- .../security/2021-12-09-openssh-8.8.md | 2 +- .../security/2022-01-07-containerd-1.5.9.md | 2 +- 7 files changed, 7 insertions(+), 29 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-11-30-golang-text-ignition.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-11-30-golang-text-ignition.md index e286ffc23c..a833c13b71 100644 --- a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-11-30-golang-text-ignition.md +++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-11-30-golang-text-ignition.md @@ -1,2 +1 @@ -- [CVE-2020-14040](https://nvd.nist.gov/vuln/detail/CVE-2020-14040) -- [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561) +- Ignition ([CVE-2020-14040](https://nvd.nist.gov/vuln/detail/CVE-2020-14040), [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561)) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-02-qemu-6.1.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-02-qemu-6.1.md index 58fc713603..ce82b3aacd 100644 --- a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-02-qemu-6.1.md +++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-02-qemu-6.1.md 
@@ -1,18 +1 @@ -- [CVE-2020-35504](https://nvd.nist.gov/vuln/detail/CVE-2020-35504) -- [CVE-2020-35505](https://nvd.nist.gov/vuln/detail/CVE-2020-35505) -- [CVE-2020-35506](https://nvd.nist.gov/vuln/detail/CVE-2020-35506) -- [CVE-2020-35517](https://nvd.nist.gov/vuln/detail/CVE-2020-35517) -- [CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203) -- [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255) -- [CVE-2021-20257](https://nvd.nist.gov/vuln/detail/CVE-2021-20257) -- [CVE-2021-20263](https://nvd.nist.gov/vuln/detail/CVE-2021-20263) -- [CVE-2021-3409](https://nvd.nist.gov/vuln/detail/CVE-2021-3409) -- [CVE-2021-3416](https://nvd.nist.gov/vuln/detail/CVE-2021-3416) -- [CVE-2021-3527](https://nvd.nist.gov/vuln/detail/CVE-2021-3527) -- [CVE-2021-3544](https://nvd.nist.gov/vuln/detail/CVE-2021-3544) -- [CVE-2021-3545](https://nvd.nist.gov/vuln/detail/CVE-2021-3545) -- [CVE-2021-3546](https://nvd.nist.gov/vuln/detail/CVE-2021-3546) -- [CVE-2021-3582](https://nvd.nist.gov/vuln/detail/CVE-2021-3582) -- [CVE-2021-3607](https://nvd.nist.gov/vuln/detail/CVE-2021-3607) -- [CVE-2021-3608](https://nvd.nist.gov/vuln/detail/CVE-2021-3608) -- [CVE-2021-3682](https://nvd.nist.gov/vuln/detail/CVE-2021-3682) +- QEMU ([CVE-2020-35504](https://nvd.nist.gov/vuln/detail/CVE-2020-35504), [CVE-2020-35505](https://nvd.nist.gov/vuln/detail/CVE-2020-35505), [CVE-2020-35506](https://nvd.nist.gov/vuln/detail/CVE-2020-35506), [CVE-2020-35517](https://nvd.nist.gov/vuln/detail/CVE-2020-35517), [CVE-2021-20203](https://nvd.nist.gov/vuln/detail/CVE-2021-20203), [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255), [CVE-2021-20257](https://nvd.nist.gov/vuln/detail/CVE-2021-20257), [CVE-2021-20263](https://nvd.nist.gov/vuln/detail/CVE-2021-20263), [CVE-2021-3409](https://nvd.nist.gov/vuln/detail/CVE-2021-3409), [CVE-2021-3416](https://nvd.nist.gov/vuln/detail/CVE-2021-3416), [CVE-2021-3527](https://nvd.nist.gov/vuln/detail/CVE-2021-3527), 
[CVE-2021-3544](https://nvd.nist.gov/vuln/detail/CVE-2021-3544), [CVE-2021-3545](https://nvd.nist.gov/vuln/detail/CVE-2021-3545), [CVE-2021-3546](https://nvd.nist.gov/vuln/detail/CVE-2021-3546), [CVE-2021-3582](https://nvd.nist.gov/vuln/detail/CVE-2021-3582), [CVE-2021-3607](https://nvd.nist.gov/vuln/detail/CVE-2021-3607), [CVE-2021-3608](https://nvd.nist.gov/vuln/detail/CVE-2021-3608), [CVE-2021-3682](https://nvd.nist.gov/vuln/detail/CVE-2021-3682)) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-03-mantle-golang-crypto-text.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-03-mantle-golang-crypto-text.md index 2157cf44be..aba9daefcd 100644 --- a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-03-mantle-golang-crypto-text.md +++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-03-mantle-golang-crypto-text.md @@ -1,3 +1 @@ -- [CVE-2021-3121](https://nvd.nist.gov/vuln/detail/CVE-2021-3121) -- [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561) -- [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565) +- SDK: mantle ([CVE-2021-3121](https://nvd.nist.gov/vuln/detail/CVE-2021-3121), [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561), [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565)) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-03-torcx-golang-crypto-text.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-03-torcx-golang-crypto-text.md index 2baea277fe..f96bef56c7 100644 --- a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-03-torcx-golang-crypto-text.md +++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-03-torcx-golang-crypto-text.md 
@@ -1,2 +1 @@ -- [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561) -- [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565) +- torcx ([CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561), [CVE-2021-43565](https://nvd.nist.gov/vuln/detail/CVE-2021-43565)) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-09-golang-1.17.5.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-09-golang-1.17.5.md index dbdcb40761..8e34f9a441 100644 --- a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-09-golang-1.17.5.md +++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-09-golang-1.17.5.md @@ -1,2 +1 @@ -- [CVE-2021-44716](https://nvd.nist.gov/vuln/detail/CVE-2021-44716) -- [CVE-2021-44717](https://nvd.nist.gov/vuln/detail/CVE-2021-44717) +- Go ([CVE-2021-44716](https://nvd.nist.gov/vuln/detail/CVE-2021-44716), [CVE-2021-44717](https://nvd.nist.gov/vuln/detail/CVE-2021-44717)) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-09-openssh-8.8.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-09-openssh-8.8.md index 4d2a415c61..b1a7178872 100644 --- a/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-09-openssh-8.8.md +++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2021-12-09-openssh-8.8.md @@ -1 +1 @@ -- [CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617) +- OpenSSH ([CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617)) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-07-containerd-1.5.9.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-07-containerd-1.5.9.md index f7b0a6b4bd..0fa563d5e1 100644 --- a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-07-containerd-1.5.9.md 
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-07-containerd-1.5.9.md @@ -1 +1 @@ -- [CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816) +- containerd ([CVE-2021-43816](https://nvd.nist.gov/vuln/detail/CVE-2021-43816))
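Review bot: in the changelog/README.md hunk (PATCH 1/2), the example line `Linux ([CVE-2021-4002](...), [CVE-2020-27820](...))` drops the leading dash that the format block directly above it shows (`- Package Name ([CVE-NUMBER](NIST-LINK), ...)`) and that the preceding paragraph explicitly asks for; suggest writing it as `- Linux ([CVE-2021-4002](https://nvd.nist.gov/vuln/detail/CVE-2021-4002), [CVE-2020-27820](https://nvd.nist.gov/vuln/detail/CVE-2020-27820))` so that copying the example yields a bullet in the rendered notes. The `NIST-LINK` placeholder could also be spelled out as `https://nvd.nist.gov/vuln/detail/CVE-NUMBER`, since every file touched by PATCH 2/2 uses exactly that URL shape, and a short sentence on ordering would help: the existing security files list CVE ids in ascending order (see the QEMU entry), while the README example lists a 2021 id before a 2020 one.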
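Review bot: in the 2021-12-03-mantle-golang-crypto-text.md hunk (PATCH 2/2) the entry is written as `- SDK: mantle (...)`, but the `SDK:` prefix is not part of the format the README hunk documents (`- Package Name (...)`), and no other file in this series uses it (Ignition, QEMU, torcx, Go, OpenSSH, containerd are all bare package names). Either document in changelog/README.md that SDK-only packages carry an `SDK:` prefix, or drop the prefix here, so that the release note generator sees one consistent shape across all security files.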