
Managing vulnerabilities: Understanding patch notifications and fixing CVEs
The content of this blog has been updated to reflect features and functionality that have been added to Timesys’ Vigiles Vulnerability Monitoring and Management.
After CVE Notification: The Next Steps
In a previous blog, we covered how Timesys handles security monitoring and notification of open source software vulnerabilities, how to generate reports on demand for the current state of a Yocto, Buildroot or Factory build on the desktop, and how to view and generate reports on the web. If you missed it, now would be a good time to catch up before reading this post, because the next steps cover what to do with the information contained in those reports. Specifically, you may have the following questions:
- What should I fix?
- Where do I find the fixes?
- How do I apply fixes to my build?
We’ll start by explaining the meaning of the subcategories of “Unfixed” CVEs and the “Attack Vector” column in the reports, and then break down each of the above questions. Along the way, you’ll see how the Vigiles Vulnerability Management solution offered by Timesys can save you countless hours spent searching for patches, applying them to your build, and dealing with conflicts that arise when upgrading.