* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-10-18
       [not found] <5f8d3b76.1c69fb81.a6c23.a6eeSMTPIN_ADDED_MISSING@mx.google.com>
@ 2020-10-20  6:46 ` Chris Packham
  2020-10-20 11:44   ` Matthew Weber
  0 siblings, 1 reply; 4+ messages in thread
From: Chris Packham @ 2020-10-20  6:46 UTC (permalink / raw)
  To: buildroot

On Mon, 19 Oct 2020, 8:08 PM Thomas Petazzoni, <thomas.petazzoni@bootlin.com>
wrote:

> Hello,
>
> Packages with CVEs
> ==================
>
> This is the list of packages for which a known CVE is affecting
> them, which means a security vulnerability exists for
> those packages.
>
>              name              |       CVE        |                             link
> -------------------------------+------------------+--------------------------------------------------------------
>                      syslog-ng | CVE-2008-5110    | https://security-tracker.debian.org/tracker/CVE-2008-5110
>

I think this is a false positive that's a pretty old CVE.


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-10-18
  2020-10-20  6:46 ` [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-10-18 Chris Packham
@ 2020-10-20 11:44   ` Matthew Weber
  2020-10-21  7:00     ` Chris Packham
From: Matthew Weber @ 2020-10-20 11:44 UTC (permalink / raw)
  To: buildroot

Chris,

On Tue, Oct 20, 2020 at 1:50 AM Chris Packham <judge.packham@gmail.com> wrote:
>
>
>
> On Mon, 19 Oct 2020, 8:08 PM Thomas Petazzoni, <thomas.petazzoni@bootlin.com> wrote:
>>
>> Hello,
>>
>> Packages with CVEs
>> ==================
>>
>> This is the list of packages for which a known CVE is affecting
>> them, which means a security vulnerability exists for
>> those packages.
>>
>>              name              |       CVE        |                             link
>> -------------------------------+------------------+--------------------------------------------------------------
>>                      syslog-ng | CVE-2008-5110    | https://security-tracker.debian.org/tracker/CVE-2008-5110
>
>
> I think this is a false positive that's a pretty old CVE.

Would you mind checking NVD
(https://nvd.nist.gov/vuln/detail/CVE-2008-5110) and making sure it
has been correctly allocated to the correct range of versions?  If it
doesn't look correct, I've captured some notes on how to update the
entry.
https://elinux.org/Buildroot:Security_Vulnerability_Management



Best Regards,
Matt


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-10-18
  2020-10-20 11:44   ` Matthew Weber
@ 2020-10-21  7:00     ` Chris Packham
  2020-10-21  7:36       ` Thomas Petazzoni
From: Chris Packham @ 2020-10-21  7:00 UTC (permalink / raw)
  To: buildroot

On Wed, 21 Oct 2020, 12:45 AM Matthew Weber, <matthew.weber@collins.com>
wrote:

> Chris,
>
> On Tue, Oct 20, 2020 at 1:50 AM Chris Packham <judge.packham@gmail.com>
> wrote:
> >
> >
> >
> > On Mon, 19 Oct 2020, 8:08 PM Thomas Petazzoni, <thomas.petazzoni@bootlin.com> wrote:
> >>
> >> Hello,
> >>
> >> Packages with CVEs
> >> ==================
> >>
> >> This is the list of packages for which a known CVE is affecting
> >> them, which means a security vulnerability exists for
> >> those packages.
> >>
> >>              name              |       CVE        |                             link
> >> -------------------------------+------------------+--------------------------------------------------------------
> >>                      syslog-ng | CVE-2008-5110    | https://security-tracker.debian.org/tracker/CVE-2008-5110
> >
> >
> > I think this is a false positive that's a pretty old CVE.
>
> Would you mind checking NVD
> (https://nvd.nist.gov/vuln/detail/CVE-2008-5110) and making sure it
> has been correctly allocated to the correct range of versions?  If it
> doesn't look correct, I've captured some notes on how to update the
> entry.
> https://elinux.org/Buildroot:Security_Vulnerability_Management
>
>
>
> Best Regards,
> Matt
>

The NVD entry looks weird; it doesn't list any version range. The Debian bug
report says the affected version is 2.0.9; Buildroot is using version
3.29.1. I think the NVD entry is just matching any syslog-ng version. We
should probably just add an ignore entry for it.


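The wildcard matching Chris describes, as an added illustration that is not part of this thread or of Buildroot's own CVE tooling: two constructed cpe_match records using NVD JSON 1.1 field names (versionStartIncluding and friends), one with a '*' version and no range bounds, one bounded to the Debian-reported 2.0.9. The vendor string in the CPE is a placeholder.

```python
import re

# Constructed cpe_match records (NVD JSON 1.1 shape, not copied from NVD).
# UNBOUNDED_MATCH has a '*' CPE version and no range field, so every
# syslog-ng release matches; BOUNDED_MATCH caps it at the Debian-reported 2.0.9.
UNBOUNDED_MATCH = {
    "vulnerable": True,
    "cpe23Uri": "cpe:2.3:a:example_vendor:syslog-ng:*:*:*:*:*:*:*:*",
}
BOUNDED_MATCH = dict(UNBOUNDED_MATCH, versionEndIncluding="2.0.9")

RANGE_FIELDS = ("versionStartIncluding", "versionStartExcluding",
                "versionEndIncluding", "versionEndExcluding")


def parse_version(text):
    """Compare versions by numeric components only: '3.29.1' -> (3, 29, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def cpe_matches(match, product, version):
    """True if this cpe_match record claims product/version is vulnerable."""
    if not match.get("vulnerable", True):
        return False
    fields = match["cpe23Uri"].split(":")
    cpe_product, cpe_version = fields[4], fields[5]
    if cpe_product != product:
        return False
    v = parse_version(version)
    # An explicit version in the CPE itself is an exact match, not a range.
    if cpe_version not in ("*", "-"):
        return parse_version(cpe_version) == v
    # Wildcard version: apply whatever bounds exist; with none, all match.
    lo_inc, lo_exc, hi_inc, hi_exc = (match.get(f) for f in RANGE_FIELDS)
    if lo_inc and v < parse_version(lo_inc):
        return False
    if lo_exc and v <= parse_version(lo_exc):
        return False
    if hi_inc and v > parse_version(hi_inc):
        return False
    if hi_exc and v >= parse_version(hi_exc):
        return False
    return True


def needs_nvd_report(match):
    """Triage hint: a '*' CPE version with no range field matches every
    release, which is the shape worth reporting upstream to NVD."""
    return (match["cpe23Uri"].split(":")[5] in ("*", "-")
            and not any(f in match for f in RANGE_FIELDS))
```
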
* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-10-18
  2020-10-21  7:00     ` Chris Packham
@ 2020-10-21  7:36       ` Thomas Petazzoni
From: Thomas Petazzoni @ 2020-10-21  7:36 UTC (permalink / raw)
  To: buildroot

On Wed, 21 Oct 2020 20:00:53 +1300
Chris Packham <judge.packham@gmail.com> wrote:

> > Would you mind checking NVD
> > (https://nvd.nist.gov/vuln/detail/CVE-2008-5110) and making sure it
> > has been correctly allocated to the correct range of versions?  If it
> > doesn't look correct, I've captured some notes on how to update the
> > entry.
> > https://elinux.org/Buildroot:Security_Vulnerability_Management
> 
> The NVD entry looks weird; it doesn't list any version range. The Debian bug
> report says the affected version is 2.0.9; Buildroot is using version
> 3.29.1. I think the NVD entry is just matching any syslog-ng version. We
> should probably just add an ignore entry for it.

No, what we've been trying to do is to get the NVD database entries
fixed instead of papering over the problem. The link given by Matt
provides some details on how to report such issues to the NVD
maintainers. We have already managed to get them to fix other CVE
entries.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
