Arch-Audit Risks

I just installed Arch-Audit and I seem to have many issues. Is this all fixable or should I reinstall?

arch-audit

Package binutils is affected by CVE-2021-20197, CVE-2020-35448. Medium risk! Update to 2.36-1!
Package cairo is affected by CVE-2020-35492. Medium risk!
Package cups is affected by CVE-2020-10001. Medium risk! Update to 1:2.3.3op2-1!
Package dnsmasq is affected by CVE-2020-25687, CVE-2020-25686, CVE-2020-25685, CVE-2020-25684, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681. High risk! Update to 2.83-1!
Package ffmpeg is affected by CVE-2020-35965, CVE-2020-35964. Medium risk!
Package firefox is affected by CVE-2021-23965, CVE-2021-23964, CVE-2021-23963, CVE-2021-23962, CVE-2021-23961, CVE-2021-23960, CVE-2021-23958, CVE-2021-23956, CVE-2021-23955, CVE-2021-23954, CVE-2021-23953. High risk! Update to 85.0-1!
Package flac is affected by CVE-2020-0499. Medium risk!
Package glibc is affected by CVE-2021-3326, CVE-2020-29562, CVE-2020-27618, CVE-2019-25013. Low risk! Update to 2.33-1!
Package gnome-autoar is affected by CVE-2020-36241. Medium risk!
Package inetutils is affected by CVE-2020-10188, CVE-2019-0053. High risk!
Package lib32-cairo is affected by CVE-2020-35492. Medium risk!
Package lib32-glibc is affected by CVE-2021-3326, CVE-2020-29562, CVE-2020-27618, CVE-2019-25013. Low risk! Update to 2.33-1!
Package libgcrypt is affected by CVE-2021-3345. Critical risk! Update to 1.9.1-1!
Package libvirt is affected by CVE-2020-25637. Critical risk! Update to 1:7.0.0-1!
Package openjpeg2 is affected by CVE-2019-6988, CVE-2018-20846, CVE-2018-16376. Medium risk!
Package python is affected by CVE-2021-3177. Medium risk!
Package python-cryptography is affected by CVE-2020-36242. Medium risk!
Package python-yaml is affected by CVE-2020-14343. Medium risk!
Package qemu is affected by CVE-2021-3392, CVE-2021-20221, CVE-2021-20203, CVE-2021-20196, CVE-2021-20181, CVE-2020-35517, CVE-2020-35506, CVE-2020-35505, CVE-2020-35504, CVE-2020-35503, CVE-2020-29443, CVE-2020-27821, CVE-2020-15469, CVE-2020-14394. Medium risk!
Package spice is affected by CVE-2021-20201, CVE-2020-14355. Critical risk!
Package sqlite is affected by CVE-2021-20227. Medium risk! Update to 3.34.1-1!
Package sudo is affected by CVE-2021-3156, CVE-2021-23239. Critical risk! Update to 1.9.5.p2-1!
Package tar is affected by CVE-2021-20193. Low risk!
Package thunderbird is affected by CVE-2021-23964, CVE-2021-23960, CVE-2021-23954, CVE-2021-23953, CVE-2020-26976, CVE-2020-15685. High risk! Update to 78.7.0-1!
Package unzip is affected by CVE-2018-1000035. Low risk!
Package wpa_supplicant is affected by CVE-2021-0326. High risk!
Package xdg-utils is affected by CVE-2020-27748. Medium risk!

Is this all fixable …

it is - in time

or should I reinstall?

there is not much you can do
and none of this is your fault
if you change branch to testing or unstable - or run Arch - you’ll have fewer CVEs reported, but not none

Please read what the program does
GitHub - ilpianista/arch-audit: A utility like pkg-audit for Arch Linux. Based on Arch Security Team data.
pkg-audit(8)
https://security.archlinux.org/

After reading the CVEs you may decide not to use certain software until the issue is fixed.

1 Like

Some are upstream issues, some have already been fixed.

https://security.archlinux.org/

You can either switch to the stable staging, testing or unstable branch if you want the updates sooner. Otherwise they’ll be along in the next stable update.

Hey there, I was asking myself the same questions:
from the manual:

-u, --upgradable
           Show only packages that have already been fixed.

I think that’s important. This makes the following differences on my system (note that I run testing):

~ >>> arch-audit
Package binutils is affected by CVE-2021-20197. Medium risk!
Package cairo is affected by CVE-2020-35492. Medium risk!
Package ffmpeg is affected by CVE-2020-35965, CVE-2020-35964. Medium risk!
Package flac is affected by CVE-2020-0499. Medium risk!
Package gnome-autoar is affected by CVE-2020-36241. Medium risk!
Package inetutils is affected by CVE-2020-10188, CVE-2019-0053. High risk!
Package jasper is affected by CVE-2021-3272. Low risk!
Package lib32-cairo is affected by CVE-2020-35492. Medium risk!
Package openjpeg2 is affected by CVE-2019-6988, CVE-2018-20846, CVE-2018-16376. Medium risk!
Package python is affected by CVE-2021-3177. Medium risk!
Package python-cryptography is affected by CVE-2020-36242. Medium risk!
Package python-yaml is affected by CVE-2020-14343. Medium risk!
Package tar is affected by CVE-2021-20193. Low risk!
Package unzip is affected by CVE-2018-1000035. Low risk!
Package wpa_supplicant is affected by CVE-2021-0326. High risk!
Package xdg-utils is affected by CVE-2020-27748. Medium risk!

~ >>> arch-audit -u
Package wpa_supplicant is affected by CVE-2021-0326. High risk!

But also note that in this case the package wpa_supplicant can be updated, but this CVE is not yet fixed: wpa_supplicant - Arch Linux

As you see, there are many packages that have no update yet.

In this case - it’s not even a confirmed CVE yet - as far as I found out from a very short look around. Something was found via fuzzing four days ago and a mitigation via config option exists.
CVE-2021-0326 - wpa_supplicant - Arch Linux
oss-security - wpa_supplicant P2P group information processing vulnerability

I’m not sure whether I’d even be susceptible to this - with my network consisting of a home router running OpenWRT and my notebook and two phones connecting to it.
… I’m not worried - as of yet I see no reason to be

2 Likes
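Both reports above (the full `arch-audit` run in the first post and the `arch-audit` / `arch-audit -u` comparison in this one) have the same one-line-per-package shape, and the practical question in the thread is which findings you can act on today and which are waiting on a fixed package. The following script is an added example, not code from the thread or from the arch-audit project: it parses that output, splits findings into "a fixed build exists, update now" (lines ending in `Update to <version>!`) and "no fixed package yet", and orders each group by the risk level arch-audit printed. The sample lines are constructed from the output quoted in this thread, shortened to a handful of packages; the function and field names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the arch-audit lines quoted in this thread.
SAMPLE_OUTPUT = """\
Package binutils is affected by CVE-2021-20197, CVE-2020-35448. Medium risk! Update to 2.36-1!
Package cairo is affected by CVE-2020-35492. Medium risk!
Package dnsmasq is affected by CVE-2020-25687, CVE-2020-25686. High risk! Update to 2.83-1!
Package libgcrypt is affected by CVE-2021-3345. Critical risk! Update to 1.9.1-1!
Package sudo is affected by CVE-2021-3156, CVE-2021-23239. Critical risk! Update to 1.9.5.p2-1!
Package wpa_supplicant is affected by CVE-2021-0326. High risk!
"""

# One arch-audit report line; the trailing "Update to X!" part is optional.
LINE_RE = re.compile(
    r"^Package (?P<pkg>\S+) is affected by (?P<cves>.+?)\. "
    r"(?P<risk>Low|Medium|High|Critical) risk!"
    r"(?: Update to (?P<fix>\S+)!)?\s*$"
)

# Lower number = more urgent, used as the sort key below.
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_arch_audit(text):
    """Parse arch-audit's report into a list of dicts.

    Lines that do not match the expected shape (a shell prompt, a blank line
    pasted along with the report) are skipped rather than raising.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        findings.append({
            "package": m["pkg"],
            "cves": [c.strip() for c in m["cves"].split(",")],
            "risk": m["risk"],
            "fixed_in": m["fix"],  # None when no fixed build is in the repos yet
        })
    return findings


def triage(findings):
    """Split findings into (update now, waiting on a fix), each sorted by severity."""
    key = lambda f: (RISK_ORDER[f["risk"]], f["package"])
    fixable = sorted((f for f in findings if f["fixed_in"]), key=key)
    pending = sorted((f for f in findings if not f["fixed_in"]), key=key)
    return fixable, pending


def risk_summary(findings):
    """Count findings per risk level, e.g. {'Critical': 2, 'High': 2, ...}."""
    return dict(Counter(f["risk"] for f in findings))


if __name__ == "__main__":
    found = parse_arch_audit(SAMPLE_OUTPUT)
    fixable, pending = triage(found)
    print("Fixed build available, update now:")
    for f in fixable:
        print(f"  {f['risk']:<8} {f['package']:<16} -> {f['fixed_in']}  ({len(f['cves'])} CVE(s))")
    print("No fixed package yet (check https://security.archlinux.org/ for mitigations):")
    for f in pending:
        print(f"  {f['risk']:<8} {f['package']:<16} {', '.join(f['cves'])}")
    print("Summary:", risk_summary(found))
```

Pipe a real report in with `arch-audit | python3 triage.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`. Note the split only follows the `Update to` marker arch-audit prints; as the wpa_supplicant case above shows, a package can have a newer build available while the listed CVE is still open, so the "no fixed package yet" group is the one to look up on the Arch security tracker rather than assume it is safe.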

It is now:

2 Likes

Is this something I have to manually update or will it show automatically in Pamac?

Arch just updated it. It’ll come down the pipe and you’ll see it as an update in Pamac.

1 Like