- Security-bulletin - lists.openatom.io

2024年7月安全公告
by 王晨 02 Jul '24

02 Jul '24

发布于2024.07.02 CVE漏洞描述漏洞影响严重程度受影响的版本受影响的仓库修复链接 CVE-2024-31071方舟eTS运行时类型混淆漏洞本地攻击者通过本漏洞造成app crash低危OpenHarmony-v4.0-Releasarkcompiler_ets_runtime4.0.x CVE-2024-37030方舟eTS运行时释放后使用漏洞远程攻击者通过本漏洞可在任意应用中执行代码高危OpenHarmony-v4.0-Releasarkcompiler_ets_frontend4.0.x CVE-2024-36243方舟eTS运行时跨界内存读漏洞远程攻击者通过本漏洞可在任意应用中执行代码高危OpenHarmony-v4.0-Releasarkcompiler_ets_runtime4.0.x CVE-2024-36278方舟eTS运行时类型混淆漏洞本地攻击者通过本漏洞造成app crash低危OpenHarmony-v4.0-Releasarkcompiler_ets_runtime4.0.x CVE-2024-36260方舟eTS运行时跨界内存写漏洞远程攻击者通过本漏洞可在任意应用中执行代码高危OpenHarmony-v4.0-Releasarkcompiler_ets_runtime4.0.x CVE-2024-37185方舟eTS运行时跨界内存写漏洞远程攻击者通过本漏洞可在任意应用中执行代码高危OpenHarmony-v4.0-Releasarkcompiler_ets_runtime4.0.x CVE-2024-37077方舟eTS运行时跨界内存写漏洞远程攻击者通过本漏洞可在任意应用中执行代码高危OpenHarmony-v4.0-Releasarkcompiler_ets_runtime4.0.x 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本 CVE严重程度CVSS 3.1 得分受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2021-47474高危8.0kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2021-47479高危7.1kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2021-47483高危7.1kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2021-47485高危8.0kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2021-47506高危7.1kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2021-47521高危8.0kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2022-48655高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2023-52467中危5.5kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2024-26602中危5.5kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2024-26852中危4.6kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-26862中危4.6kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2024-26883高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-26884高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-26885高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-26901中危5.5kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-26903中危5.5kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-26923低危2.6kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-27004中危4.8kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-27038低危2.7kernel_linux_5.10OpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-31755中危5.5third_party_cJSONOpenHarmony-v4.0-Release4.0.x 请在合入当月及之前全部已公开安全补丁之后，参考如下各维护版本的安全补丁标签更新方法，更新安全补丁标签至07月。对应维护版本安全补丁修改方式参考链接 4.1.xhttps://gitee.com/openharmony/startup_init/pulls/2895 4.0.xhttps://gitee.com/openharmony/startup_init/pulls/2894

1 0

2024年6月安全公告
by 王晨 04 Jun '24

04 Jun '24

发布于2024.06.04 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本 CVE严重程度CVSS 3.1 得分受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2024-39417低危3.5third_party_mbedtlsOpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x CVE-2024-2478中危4.9third_party_wpa_supplicantOpenHarmony-v4.0-Release4.0.x 4.1.x CVE-2024-2398高危7.5third_party_curlOpenHarmony-v4.1-Release4.1.x CVE-2024-2004中危5.3third_party_curlOpenHarmony-v4.1-Release4.1.x CVE-2024-0450中危6.2third_party_pythonOpenHarmony-v4.0-Release4.0.x CVE-2023-6597高危7.8third_party_pythonOpenHarmony-v4.0-Release4.0.x CVE-2023-52474高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-52160中危6.5third_party_wpa_supplicantOpenHarmony-v4.0-Release4.0.x CVE-2022-21499中危6.7kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2022-2078中危5.5kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2022-1012高危8.2kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2022-0854中危5.5kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2021-4001中危4.1kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2021-33655中危6.7kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2024-1059高危8.8web_webviewOpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-1283高危9.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-0810高危7.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-0808中危4.3web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-2625高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-1672中危6.1web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-0519高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-0224高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x 4.0.x CVE-2024-1676中危4.3web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-0223高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-1670高危8.6web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-0333中危5.3web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-1077高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-0518高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-0222高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-0807高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x 4.0.x CVE-2024-3157高危8.1web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-3839中危6.5web_webviewOpenHarmony-v4.0-Release OpenHarmony-v4.1-Release4.0.x 4.1.x CVE-2024-3516高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-3837高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2024-3159高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-5480中危6.1web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-6347高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-6703高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-6345高危9.6web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-6112高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-5482高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x 4.0.x 4.0.x CVE-2023-7024高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-6510高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-6508高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-5997高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-6705高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-6702高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x CVE-2023-5996高危8.8web_webviewOpenHarmony-v4.0-Release4.0.x 请在合入当月及之前全部已公开安全补丁之后，参考如下各维护版本的安全补丁标签更新方法，更新安全补丁标签至06月。对应维护版本安全补丁修改方式参考链接 4.1.xhttps://gitee.com/openharmony/startup_init/pulls/2809 4.0.xhttps://gitee.com/openharmony/startup_init/pulls/2808

1 0

2024年5月安全公告
by 王晨 07 May '24

07 May '24

发布于2024.05.07 备注：OpenHarmony 3.2-Release分支已停止维护，后续该分支的安全漏洞也不再维护，详情参见： OpenHarmony 3.2-Release分支停止维护公告 CVE漏洞描述漏洞影响严重程度受影响的版本受影响的仓库修复链接 CVE-2024-27217MSDP释放后使用漏洞本地攻击者通过本漏洞可在预装应用中执行任意代码中危OpenHarmony-v4.0-Releasemsdp_device_status4.0.x CVE-2024-23808Ark编译器前端越界读漏洞本地攻击者通过本漏洞可在预装应用中执行任意代码中危OpenHarmony-v4.0-Releasearkcompiler_ets_frontend4.0.x CVE-2024-31078蓝牙服务释放后使用漏洞本地攻击者通过本漏洞造成服务crash低危OpenHarmony-v4.0-Releasecommunication_bluetooth_service4.0.x CVE-2024-3757Ark运行时整数溢出漏洞本地攻击者通过本漏洞造成应用crash低危OpenHarmony-v4.0-Releasearkcompiler_ets_runtime4.0.x CVE-2024-3758Hmdfs堆溢出漏洞本地攻击者通过本漏洞可在TCB中执行任意代码中危OpenHarmony-v4.0-Releasekernel_linux_5.104.0.x CVE-2024-3759Hmdfs释放后使用漏洞本地攻击者通过本漏洞可在TCB中执行任意代码中危OpenHarmony-v4.0-Releasekernel_linux_5.104.0.x 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本 CVE严重程度CVSS 3.1 得分受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2024-26614中危5.3kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2024-26606低危3.5kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2024-26589高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-6176中危4.7kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-6121中危4.3kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-52492中危5.7kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-52486中危4.8kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-52444高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-52443中危5.5kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-52438高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-52435中危5.5kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-51779中危4.6kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2021-46945中危5.7kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2021-33631高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x 请在合入当月及之前全部已公开安全补丁之后，参考如下各维护版本的安全补丁标签更新方法，更新安全补丁标签至05月。对应维护版本安全补丁修改方式参考链接 4.0.xhttps://gitee.com/openharmony/startup_init/pulls/2728

1 0

2024年4月安全公告
by 王晨 02 Apr '24

02 Apr '24

发布于2024.04.02 CVE漏洞描述漏洞影响严重程度受影响的版本受影响的仓库修复链接 CVE-2024-21834Arkui类型混淆漏洞本地攻击者通过本漏洞造成app crash低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasearkui_ace_engine3.2.x CVE-2024-22177Audio权限管理不当漏洞本地攻击者通过本漏洞造成app crash低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasemultimedia_audio_framework3.2.x CVE-2024-22098AVSession释放后使用漏洞本地攻击者通过本漏洞可在任意应用中执行代码中危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasemultimedia_av_session3.2.x CVE-2024-22180Camera释放后使用漏洞本地攻击者通过本漏洞造成DOS低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasemultimedia_camera_framework3.2.x 4.0.x CVE-2024-29074Telephony入参检测不完善漏洞本地攻击者通过本漏洞可在任意应用中执行代码中危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasetelephony_cellular_call3.2.x 3.2.x CVE-2024-22092包管理权限管理不当漏洞远程攻击者通过本漏洞绕过管控安装应用, 但需要本地用户的交互高危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasebundlemanager_bundle_framework3.2.x CVE-2024-24581方舟eTS运行时越界写漏洞本地攻击者通过本漏洞可在任意应用中执行代码中危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasearkcompiler_ets_runtime3.2.x 4.0.x CVE-2024-28226文件系统入参检测不完善漏洞远程攻击者通过本漏洞造成DOS高危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasekernel_linux_5.103.2.x 4.0.x CVE-2024-28951方舟eTS运行时释放后使用漏洞本地攻击者通过本漏洞可在预装应用中执行代码中危OpenHarmony-v4.0-Releasearkcompiler_ets_runtime4.0.x CVE-2024-29086方舟eTS运行时栈溢出漏洞本地攻击者通过本漏洞造成DOS低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasearkcompiler_ets_runtime3.2.x 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本 CVE严重程度CVSS 3.1 得分受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2024-0641中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2022-48619中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-39197中危4.0kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0584中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-46343中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-23851中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-23850中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-23849中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0639中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0775高危7.1kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-51043高危7.0kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-52340高危7.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-46838高危7.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2022-2503中危6.7kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2014-0069高危8.4kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-1086高危7.8kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2015-5157高危8.4kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2021-46958高危7.8kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-25062高危7.5third_party_libxml2OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-24806致命9.8third_party_libuvOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-22195中危6.1third_party_jinja2OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0814中危6.5third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0810中危4.3third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-6040高危7.8kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x 请在合入当月及之前全部已公开安全补丁之后，参考如下各维护版本的安全补丁标签更新方法，更新安全补丁标签至04月。对应维护版本安全补丁修改方式参考链接 3.2.xhttps://gitee.com/openharmony/startup_init/pulls/2633 4.0.xhttps://gitee.com/openharmony/startup_init/pulls/2632

1 0

2024年3月安全公告
by 王晨 04 Mar '24

04 Mar '24

发布于2024.03.04 CVE漏洞描述漏洞影响CVSS3.1得分受影响的版本受影响的仓库修复链接 CVE-2023-25176剪切板越界读漏洞本地攻击者通过本漏洞造成信息泄露2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasedistributeddatamgr_pasteboard3.2.x CVE-2023-46708WLAN UAF漏洞本地攻击者通过本漏洞可在任意应用中执行代码4.3OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasecommunication_wifi3.2.x CVE-2023-49602Arkui 类型混淆漏洞本地攻击者通过本漏洞造成应用崩溃2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasearkui_ace_engine3.2.x 3.2.x CVE-2024-21816后台任务管理权限管理不当漏洞本地攻击者通过本漏洞绕过鉴权访问数据4.0OpenHarmony-v4.0-Releaseresourceschedule_background_task_mgr4.0.x CVE-2024-21826密钥管理敏感信息泄露漏洞近场攻击者通过本漏洞造成敏感信息泄露4.3OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasesecurity_huks3.2.x 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本 CVE严重程度CVSS 3.1 得分受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2024-0519高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0518高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0333中危5.3third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0224高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0223高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0222高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-7192中危4.4kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-7024高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-6531高危7.0kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-6112高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-5997高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-5996高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-5849高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-5717高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-5482高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-5480中危6.1third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-51782中危4.6kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-51781中危4.6kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-51780中危4.6kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-45897致命9.1third_party_exfatprogsOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release3.2.x CVE-2022-46908高危7.3third_party_sqliteOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release3.2.x CVE-2021-44879中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x 请在合入当月及之前全部已公开安全补丁之后，参考如下各维护版本的安全补丁标签更新方法，更新安全补丁标签至03月。对应维护版本安全补丁修改方式参考链接 3.2.xhttps://gitee.com/openharmony/startup_init/pulls/2550 4.0.xhttps://gitee.com/openharmony/startup_init/pulls/2549

1 0

2024年2月安全公告
by 王晨 02 Feb '24

02 Feb '24

发布于2024.02.02 CVE漏洞描述漏洞影响CVSS3.1得分受影响的版本受影响的仓库修复链接 CVE-2023-49118软总线越界读漏洞本地攻击者通过本漏洞造成信息泄露2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasecommunication_dsoftbus3.2.x CVE-2023-43756软总线越界读漏洞本地攻击者通过本漏洞造成信息泄露2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasecommunication_dsoftbus3.2.x CVE-2023-45734软总线越界写漏洞近场攻击者通过本漏洞执行代码4.2OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasecommunication_dsoftbus3.2.x CVE-2024-21860软总线释放后使用漏洞近场攻击者通过本漏洞在任意应用中执行代码8.2OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasecommunication_dsoftbus3.2.x 4.0.x CVE-2024-21845软总线整数溢出漏洞近场攻击者通过本漏洞造成堆溢出2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasecommunication_dsoftbus3.2.x 4.0.x CVE-2024-21851软总线整数溢出漏洞近场攻击者通过本漏洞造成堆溢出2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasecommunication_dsoftbus3.2.x 4.0.x CVE-2024-21863软总线数据校验不完善的漏洞近场攻击者通过本漏洞造成DOS4.7OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasecommunication_dsoftbus3.2.x 4.0.x CVE-2024-0285软总线未判断数据长度的漏洞近场攻击者通过本漏洞造成DOS4.7OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasecommunication_ipc3.2.x 4.0.x 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本 CVECVSS 3.1 得分严重程度受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2023-56785.3中危third_party_opensslOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release3.2.x CVE-2023-444298.8高危third_party_gstreamerOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release3.2.x CVE-2023-444468.8高危third_party_gstreamerOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release3.2.x CVE-2023-65108.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-63459.6致命third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-63478.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-65088.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-68177.8高危kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-69317.8高危kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-69327.0高危kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-350017.8高危kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-71047.3高危third_party_sqliteOpenHarmony-v4.0-Release4.0.x CVE-2023-67058.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-67028.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-67038.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x 请在合入当月及之前全部已公开安全补丁之后，参考如下各维护版本的安全补丁标签更新方法，更新安全补丁标签至02月。对应维护版本安全补丁修改方式参考链接 3.2.xhttps://gitee.com/openharmony/startup_init/pulls/2478 4.0.xhttps://gitee.com/openharmony/startup_init/pulls/2481

1 0

2024年1月安全公告
by 王晨 02 Jan '24

02 Jan '24

发布于2024.01.02 CVE漏洞描述漏洞影响CVSS3.1基础得分受影响的版本受影响的仓库修复链接 CVE-2023-47216Liteos-A 资源未释放的漏洞本地攻击者通过本漏洞造成DOS2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.2third_party_musl3.2.x CVE-2023-49142多媒体音频组件指针释放后使用的漏洞本地攻击者通过本漏洞造成音频组件崩溃4.0OpenHarmony-v3.2-Release到OpenHarmony-v3.2.2multimedia_audio_framework3.2.x CVE-2023-47857多媒体相机组件指针释放后使用的漏洞本地攻击者通过本漏洞造成相机组件崩溃4.0OpenHarmony-v3.2-Release到OpenHarmony-v3.2.2multimedia_camera_framework3.2.x CVE-2023-49135多媒体播放器组件指针释放后使用的漏洞本地攻击者通过本漏洞造成播放器组件崩溃4.0OpenHarmony-v3.2-Release到OpenHarmony-v3.2.2multimedia_player_framework3.2.x CVE-2023-48360多媒体播放器组件指针释放后使用的漏洞本地攻击者通过本漏洞造成播放器组件崩溃4.0OpenHarmony-v3.2-Release到OpenHarmony-v3.2.2multimedia_player_framework3.2.x 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本，详细信息请参考三方公告。 CVE严重程度CVSS 3.1得分受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2023-58498.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-54806.1中危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-54828.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-59968.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-61128.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-59978.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-57177.8高危kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-53637.5中危third_party_opensslOpenHarmony-v4.0-Release4.0.x CVE-2022-469087.3中危third_party_sqliteOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release3.2.x CVE-2023-404756.3中危third_party_gstreamerOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-404768.3高危third_party_gstreamerOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-54728.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-54846.5中危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x 如下是各维护版本的安全补丁标签，请在合入当月及之前全部对应安全补丁之后，更新安全补丁标签。安全补丁标签链接 2024年01月[4.0.x] [3.2.x]

1 0

2023年11月安全公告
by 王晨 07 Nov '23

07 Nov '23

1 0

[请阅] 补发10月提前披露安全公告
by 王晨 09 Oct '23

09 Oct '23

1 0

OpenHarmony2023年06月安全公告 Security Vulnerabilities in June 2023
by Zhangadong (zhangadong, OS) 09 Jun '23

09 Jun '23

2023年06月安全漏洞发布于2023.06.02 最后更新于2023.06.02 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本，详细信息请参考三方公告。 CVE 严重程度 CVSS 3.1得分受影响的OpenHarmony版本修复链接 CVE-2023-27533 高 8.8 OpenHarmony-v3.2-Release OpenHarmony-v3.1-Release到OpenHarmony-v3.1.7-Release OpenHarmony-v3.0到OpenHarmony-v3.0.8 3.2.x<https://gitee.com/openharmony/third_party_libxml2/pulls/44> 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/130> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/131> CVE-2023-27534 高 8.8 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.7-Release OpenHarmony-v3.0到OpenHarmony-v3.0.8 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/130> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/131> CVE-2023-27535 高 7.5 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.7-Release OpenHarmony-v3.0到OpenHarmony-v3.0.8 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/130> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/131> CVE-2023-27536 严重 9.8 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.7-Release OpenHarmony-v3.0到OpenHarmony-v3.0.8 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/130> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/131> CVE-2023-27538 中 5.5 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.7-Release OpenHarmony-v3.0到OpenHarmony-v3.0.8 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/130> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/131> CVE-2023-29469 中 5.9 OpenHarmony-v3.2-Release OpenHarmony-v3.1-Release到OpenHarmony-v3.1.7-Release OpenHarmony-v3.0到OpenHarmony-v3.0.8 3.2.x<https://gitee.com/openharmony/third_party_libxml2/pulls/44> 3.1.x<https://gitee.com/openharmony/third_party_libxml2/pulls/45> 3.0.x<https://gitee.com/openharmony/third_party_libxml2/pulls/46> CVE-2023-28484 中 5.9 OpenHarmony-v3.2-Release OpenHarmony-v3.1-Release到OpenHarmony-v3.1.7-Release OpenHarmony-v3.0到OpenHarmony-v3.0.8 3.2.x<https://gitee.com/openharmony/third_party_libxml2/pulls/44> 3.1.x<https://gitee.com/openharmony/third_party_libxml2/pulls/45> 3.0.x<https://gitee.com/openharmony/third_party_libxml2/pulls/46> 如下是各维护版本的安全补丁标签，请在合入对应安全补丁的同时，更新安全补丁标签。安全补丁标签链接 2023年6月 [3.2.x]<https://gitee.com/openharmony/startup_init/pulls/2020> [3.1.x]<https://gitee.com/openharmony/startup_syspara_lite/pulls/239> [3.1.x]<https://gitee.com/openharmony/startup_init/pulls/2007> [3.0.x]<https://gitee.com/openharmony/startup_syspara_lite/pulls/238> Security Vulnerabilities in June 2023 published June 2,2023 updated June 2,2023 The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third-parties. CVE severity CVSS 3.1 affected OpenHarmony versions fix links CVE-2023-27533 High 8.8 OpenHarmony-v3.2-Release OpenHarmony-v3.1-Release through OpenHarmony-v3.1.7-Release OpenHarmony-v3.0 through OpenHarmony-v3.0.8 3.2.x<https://gitee.com/openharmony/third_party_curl/pulls/128> 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/130> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/131> CVE-2023-27534 High 8.8 OpenHarmony-v3.1-Release through OpenHarmony-v3.1.7-Release OpenHarmony-v3.0 through OpenHarmony-v3.0.8 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/130> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/131> CVE-2023-27535 High 7.5 OpenHarmony-v3.1-Release through OpenHarmony-v3.1.7-Release OpenHarmony-v3.0 through OpenHarmony-v3.0.8 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/130> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/131> CVE-2023-27536 Critical 9.8 OpenHarmony-v3.1-Release through OpenHarmony-v3.1.7-Release OpenHarmony-v3.0 through OpenHarmony-v3.0.8 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/130> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/131> CVE-2023-27538 Medium 5.5 OpenHarmony-v3.1-Release through OpenHarmony-v3.1.7-Release OpenHarmony-v3.0 through OpenHarmony-v3.0.8 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/130> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/131> CVE-2023-29469 Medium 5.9 OpenHarmony-v3.2-Release OpenHarmony-v3.1-Release through OpenHarmony-v3.1.7-Release OpenHarmony-v3.0 through OpenHarmony-v3.0.8 3.2.x<https://gitee.com/openharmony/third_party_libxml2/pulls/44> 3.1.x<https://gitee.com/openharmony/third_party_libxml2/pulls/45> 3.0.x<https://gitee.com/openharmony/third_party_libxml2/pulls/46> CVE-2023-28484 Medium 5.9 OpenHarmony-v3.2-Release OpenHarmony-v3.1-Release through OpenHarmony-v3.1.7-Release OpenHarmony-v3.0 through OpenHarmony-v3.0.8 3.2.x<https://gitee.com/openharmony/third_party_libxml2/pulls/44> 3.1.x<https://gitee.com/openharmony/third_party_libxml2/pulls/45> 3.0.x<https://gitee.com/openharmony/third_party_libxml2/pulls/46> The following are the security patch labels for each maintenance version. Please update the security patch labels while incorporating the corresponding security patches. Security patch label fix links June 2023 [3.2.x]<https://gitee.com/openharmony/startup_init/pulls/2020> [3.1.x]<https://gitee.com/openharmony/startup_syspara_lite/pulls/239> [3.1.x]<https://gitee.com/openharmony/startup_init/pulls/2007> [3.0.x]<https://gitee.com/openharmony/startup_syspara_lite/pulls/238>

1 0