Vulnerability patch history as it relates to old OpenWrt versions

Just curious if there is any documentation that shows the history of vulnerabilities that have been patched on OpenWrt.

I'm thinking of this in terms of how we sometimes see users on really old versions who are unwilling to (or, for hardware reasons, unable to) upgrade to a currently supported version. We will often say "that version has many actively exploited vulnerabilities" but I'd love to be able to point to a list that basically allows them to see the entire history and how many exploits, the severity, and the type that we're talking about.

In my mind, this takes the form of a table:

Date Patched | Version(s) Patched | CVE # | CVE Description | Criticality

If a user is running 15.05.0, for example, they would see that everything patched 15.05.1 and later is not fixed for the version they are running. Obviously some CVEs would not apply (i.e. for technologies not developed/implemented until later versions), and it wouldn't really be necessary to catalog every version that a given CVE impacts. This would just be a quick way for us to say "look at this list... your current running version absolutely has some of these critical bugs, and may be vulnerable to any/all of the ones patched since then."

In recent times, the CVE ID usually gets added to the commit description, but don't rely on it being there every time (especially for older commits, but it might also be missed in contemporary ones for a number of reasons) - and neither will tell you about the severity.

Thanks. Yeah, I figured that the info would be generally available (although as you point out, it may not always be fully noted), but it sounds like it would probably require quite a bit of effort to aggregate it into a table.

I guess the followup question is: would there be sufficient value in a table like this to warrant anyone's time to build a script that would theoretically scrape this information from the release notes/commits and assemble it into an easily digested format? I'm not skilled in this arena, so I can't volunteer my own time/effort.

Are you talking about CVEs related to OpenWrt itself?
Or about all the CVEs related to all upstream packages?

There aren't that many CVEs related to core OpenWrt itself.

The latter would likely be huge (if complete) and mostly useless.
E.g. all Linux vulnerabilities patched there since 2015? We don't have that info here and individual CVEs have lately not been mentioned in kernel bumps. (They were mentioned more frequently a few years ago.)

The same goes for version bumps of general upstream packages.
Most version bumps do not contain the CVE references, but some do.
CVEs are typically mentioned if the upstream release is specifically done for fixing a CVE. Or when we have backported an upstream commit into OpenWrt for fixing a CVE before the upstream does the next proper release.

Quick search into commit messages shows the easily available info regarding the main repo.

For packages feed

And like slh said, the CVE count does not tell anything about severity or even about relevance in the typical router context.

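As an added illustration of the scraping idea raised in the follow-up question and of the "quick search into commit messages" approach in the last reply (example code written for this thread, not an OpenWrt project tool): the script below reads a `git log` dump of a release branch, picks out CVE identifiers from commit subjects, attributes each fix to the release tag that first shipped it, and prints the table layout proposed in the first post. It assumes the log was produced with `git log --date=short --format='%ad%x09%D%x09%s'` (tab-separated date, ref decorations, subject) and that release tags look like `v15.05.1`. The embedded log and its CVE numbers are constructed sample data, not real OpenWrt history. In line with what both replies point out, the commit log yields no severity, so the Criticality column is left empty for a later lookup against NVD or the advisory.

```python
"""Collect CVE references from commit messages into the thread's table layout.

Added example for this discussion, not OpenWrt project code. Assumes the input
comes from:  git log --date=short --format='%ad%x09%D%x09%s' <release-branch>
i.e. one commit per line, newest first, tab-separated: date, decorations
(e.g. "tag: v15.05.1"), subject.
"""
import re
from typing import Dict, List, Tuple

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
TAG_RE = re.compile(r"tag: v?(\d+\.\d+(?:\.\d+)?)")

# Constructed sample log, newest commit first, as git log prints it.
# Dates, subjects and CVE numbers are made up for illustration only.
SAMPLE_LOG = """\
2017-02-01\t\tkernel: bump to 4.4.47
2017-01-20\ttag: v15.05.2\tOpenWrt v15.05.2: adjust config defaults
2017-01-10\t\tcurl: update to 7.52.1 (CVE-2016-90010, CVE-2016-90011)
2016-04-01\t\tbase-files: fix typo in sysupgrade help text
2016-03-15\ttag: v15.05.1\tOpenWrt v15.05.1: adjust config defaults
2016-03-01\t\tdnsmasq: backport fix for cve-2015-90002
2015-09-10\ttag: v15.05.0\tOpenWrt v15.05.0: adjust config defaults
2015-08-20\t\topenssl: update to 1.0.2d (fixes CVE-2015-90001)
"""


def parse_version(tag: str) -> Tuple[int, ...]:
    """'15.05.1' -> (15, 5, 1); 'unreleased' sorts after every real tag."""
    if tag == "unreleased":
        return (10**6,)
    return tuple(int(part) for part in tag.split("."))


def collect_cves(log_text: str) -> List[Dict[str, str]]:
    """One row per CVE mention: date, release that first shipped the fix,
    CVE id, commit subject, and an empty criticality column."""
    rows: List[Dict[str, str]] = []
    current_tag = "unreleased"  # commits above the newest tag are not yet released
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, decorations, subject = line.split("\t", 2)
        match = TAG_RE.search(decorations)
        if match:
            # Walking newest-first: this commit and every older one belong to this tag.
            current_tag = match.group(1)
        for cve in CVE_RE.findall(subject):
            rows.append({
                "date": date,
                "version": current_tag,
                "cve": cve.upper(),
                "description": subject,
                "criticality": "",  # not derivable from the commit log
            })
    return rows


def unfixed_for(rows: List[Dict[str, str]], running_version: str) -> List[Dict[str, str]]:
    """CVEs whose fix shipped only in a release newer than running_version."""
    running = parse_version(running_version)
    return [r for r in rows if parse_version(r["version"]) > running]


def render_table(rows: List[Dict[str, str]]) -> str:
    """Render rows in the column layout proposed in the first post."""
    lines = ["Date Patched | Version(s) Patched | CVE # | CVE Description | Criticality"]
    for r in rows:
        lines.append(
            f"{r['date']} | {r['version']} | {r['cve']} | {r['description']} | "
            f"{r['criticality'] or 'n/a'}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Show a user on 15.05.0 what has been fixed in releases after theirs.
    table = collect_cves(SAMPLE_LOG)
    print(render_table(unfixed_for(table, "15.05.0")))
```

Running it against real history would mean piping `git log` from the release branch into `collect_cves`; version ordering is a plain tuple comparison, which holds for numeric OpenWrt tags but not for tags with suffixes such as release candidates, and the "unreleased" bucket is only meaningful on a linear release branch. Any row it produces still needs the severity filled in from an external source, which is exactly the gap the replies describe.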