* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
       [not found] <6073d64f.1c69fb81.9d11e.7f35SMTPIN_ADDED_MISSING@mx.google.com>
@ 2021-04-12  8:37 ` Chris Packham
  2021-04-25  7:10   ` Peter Korsgaard
  2021-06-10 15:37   ` Thomas Petazzoni
  0 siblings, 2 replies; 9+ messages in thread
From: Chris Packham @ 2021-04-12  8:37 UTC
  To: buildroot

On Mon, Apr 12, 2021 at 5:10 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> Packages having CVEs
> ====================
>
> This is the list of packages for which a known CVE is affecting them,
> which means a security vulnerability exists for those packages.
>
> CVEs for the 'master' branch
> ----------------------------
>
>              name              |       CVE        |                             link
> -------------------------------+------------------+--------------------------------------------------------------
>                      syslog-ng | CVE-2008-5110    | https://security-tracker.debian.org/tracker/CVE-2008-5110
>

I've managed to get the CVE updated to say "This flaw affects
syslog-ng versions prior to and including 2.0.9"[1] but I'm still
getting these notifications. Is there something else that needs to
happen now? Actually nist[2] seems to know it's been modified so it
may be a case of hurry up and wait.

[1] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110
[2] - https://nvd.nist.gov/vuln/detail/CVE-2008-5110


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
  2021-04-12  8:37 ` [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11 Chris Packham
@ 2021-04-25  7:10   ` Peter Korsgaard
  2021-06-10 15:37   ` Thomas Petazzoni
  1 sibling, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2021-04-25  7:10 UTC
  To: buildroot

>>>>> "Chris" == Chris Packham <judge.packham@gmail.com> writes:

 > On Mon, Apr 12, 2021 at 5:10 PM Thomas Petazzoni
 > <thomas.petazzoni@bootlin.com> wrote:
 >> 
 >> Hello,
 >> 
 >> Packages having CVEs
 >> ====================
 >> 
 >> This is the list of packages for which a known CVE is affecting them,
 >> which means a security vulnerability exists for those packages.
 >> 
 >> CVEs for the 'master' branch
 >> ----------------------------
 >> 
 >>              name              |       CVE        |                             link
 >> -------------------------------+------------------+--------------------------------------------------------------
 >>                      syslog-ng | CVE-2008-5110    | https://security-tracker.debian.org/tracker/CVE-2008-5110
 >> 

 > I've managed to get the CVE updated to say "This flaw affects
 > syslog-ng versions prior to and including 2.0.9"[1] but I'm still
 > getting these notifications. Is there something else that needs to
 > happen now? Actually nist[2] seems to know it's been modified so it
 > may be a case of hurry up and wait.

 > [1] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110
 > [2] - https://nvd.nist.gov/vuln/detail/CVE-2008-5110

Sorry for the slow response. I still don't see any update of this in the
CVE database, e.g. it still lists all syslog-ng versions
(cpe:2.3:a:oneidentity:syslog-ng:-:*:*:*:*:*:*:*). Looking at the changes
(https://nvd.nist.gov/vuln/detail/CVE-2008-5110#VulnChangeHistorySection),
it seems that only the textual description got updated, not the matching
data?

-- 
Bye, Peter Korsgaard
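
As an added illustration (not part of the thread and not Buildroot's own code), the sketch below shows why a description-only change leaves a version-matching tool reporting the CVE: such tools read the CPE match data, not the text. The two entries, the package version 3.30.1 and the rule that a version field of `-` or `*` with no range keys matches every version are assumptions made for the example.

```python
import re

# Constructed entries in the shape of cpe_match items in the NVD JSON 1.1 feed.
BEFORE = {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:oneidentity:syslog-ng:-:*:*:*:*:*:*:*"}
# Constructed: a range-limited entry modelled on the updated description text.
AFTER = {"vulnerable": True,
         "cpe23Uri": "cpe:2.3:a:oneidentity:syslog-ng:*:*:*:*:*:*:*:*",
         "versionEndIncluding": "2.0.9"}
PKG_VERSION = "3.30.1"  # constructed package version, for illustration only

def cpe_field(cpe23, index):
    """Return one colon-separated field of a CPE 2.3 string (no escaped colons)."""
    return cpe23.split(":")[index]

def vkey(version):
    """Turn '2.0.9' into (2, 0, 9) for ordering; non-numeric parts are dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def affects(match, pkg_product, pkg_version):
    """Decide whether one cpe_match entry covers pkg_product at pkg_version."""
    cpe = match["cpe23Uri"]
    if cpe_field(cpe, 4) != pkg_product:       # field 4 is the product name
        return False
    v = vkey(pkg_version)
    cpe_version = cpe_field(cpe, 5)            # field 5 is the version
    # Assumption: '*' and '-' put no constraint on the version by themselves.
    if cpe_version not in ("*", "-"):
        return vkey(cpe_version) == v
    checks = {
        "versionStartIncluding": lambda bound: v >= bound,
        "versionStartExcluding": lambda bound: v > bound,
        "versionEndIncluding": lambda bound: v <= bound,
        "versionEndExcluding": lambda bound: v < bound,
    }
    # With no range keys present nothing is checked, so every version matches.
    return all(ok(vkey(match[k])) for k, ok in checks.items() if k in match)

def report(version=PKG_VERSION):
    """Compare the verdict for the same package against both entries."""
    return {"before": affects(BEFORE, "syslog-ng", version),
            "after": affects(AFTER, "syslog-ng", version)}

if __name__ == "__main__":
    print(report())
```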


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
  2021-04-12  8:37 ` [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11 Chris Packham
  2021-04-25  7:10   ` Peter Korsgaard
@ 2021-06-10 15:37   ` Thomas Petazzoni
  2021-06-14  7:58     ` Chris Packham
  2021-06-23  7:58     ` Chris Packham
  1 sibling, 2 replies; 9+ messages in thread
From: Thomas Petazzoni @ 2021-06-10 15:37 UTC
  To: buildroot

Hello Chris,

On Mon, 12 Apr 2021 20:37:46 +1200
Chris Packham <judge.packham@gmail.com> wrote:

> I've managed to get the CVE updated to say "This flaw affects
> syslog-ng versions prior to and including 2.0.9"[1] but I'm still
> getting these notifications. Is there something else that needs to
> happen now? Actually nist[2] seems to know it's been modified so it
> may be a case of hurry up and wait.

If I look up at https://nvd.nist.gov/vuln/detail/CVE-2008-5110, the
list of known affected software configurations is still
cpe:2.3:a:oneidentity:syslog-ng:-:*:*:*:*:*:*:*, which means "all known
versions".

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
  2021-06-10 15:37   ` Thomas Petazzoni
@ 2021-06-14  7:58     ` Chris Packham
  2021-06-14  8:45       ` Thomas Petazzoni
  2021-06-23  7:58     ` Chris Packham
  1 sibling, 1 reply; 9+ messages in thread
From: Chris Packham @ 2021-06-14  7:58 UTC
  To: buildroot

On Fri, Jun 11, 2021 at 3:37 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Chris,
>
> On Mon, 12 Apr 2021 20:37:46 +1200
> Chris Packham <judge.packham@gmail.com> wrote:
>
> > I've managed to get the CVE updated to say "This flaw affects
> > syslog-ng versions prior to and including 2.0.9"[1] but I'm still
> > getting these notifications. Is there something else that needs to
> > happen now? Actually nist[2] seems to know it's been modified so it
> > may be a case of hurry up and wait.
>
> If I look up at https://nvd.nist.gov/vuln/detail/CVE-2008-5110, the
> list of known affected software configurations is still
> cpe:2.3:a:oneidentity:syslog-ng:-:*:*:*:*:*:*:*, which means "all known
> versions".

After some effort the description was updated to say "This flaw
affects syslog-ng versions prior to and including 2.0.9.". But the cpe
entry hasn't been updated (if I understand correctly the reporter
controls the description but nist controls the configurations). The
CVE entry does now say that it has been modified since it was last
analyzed so I'm not sure how/when that will happen.

>
> Thomas
> --
> Thomas Petazzoni, co-owner and CEO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
  2021-06-14  7:58     ` Chris Packham
@ 2021-06-14  8:45       ` Thomas Petazzoni
  2021-06-14 10:00         ` Chris Packham
  0 siblings, 1 reply; 9+ messages in thread
From: Thomas Petazzoni @ 2021-06-14  8:45 UTC
  To: buildroot

Hello Chris,

On Mon, 14 Jun 2021 19:58:12 +1200
Chris Packham <judge.packham@gmail.com> wrote:

> After some effort the description was updated to say "This flaw
> affects syslog-ng versions prior to and including 2.0.9.". But the cpe
> entry hasn't been updated (if I understand correctly the reporter
> controls the description but nist controls the configurations). The
> CVE entry does now say that it has been modified since it was last
> analyzed so I'm not sure how/when that will happen.

How did you contact the NVD maintainers? Because I contacted them a few
weeks ago about some CVE details, and they fixed up like a few days
later.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
  2021-06-14  8:45       ` Thomas Petazzoni
@ 2021-06-14 10:00         ` Chris Packham
  2021-06-14 12:01           ` Thomas Petazzoni
  0 siblings, 1 reply; 9+ messages in thread
From: Chris Packham @ 2021-06-14 10:00 UTC
  To: buildroot

On Mon, Jun 14, 2021 at 8:45 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Chris,
>
> On Mon, 14 Jun 2021 19:58:12 +1200
> Chris Packham <judge.packham@gmail.com> wrote:
>
> > After some effort the description was updated to say "This flaw
> > affects syslog-ng versions prior to and including 2.0.9.". But the cpe
> > entry hasn't been updated (if I understand correctly the reporter
> > controls the description but nist controls the configurations). The
> > CVE entry does now say that it has been modified since it was last
> > analyzed so I'm not sure how/when that will happen.
>
> How did you contact the NVD maintainers? Because I contacted them a few
> weeks ago about some CVE details, and they fixed up like a few days
> later.
>

Via the contact form. Then got bumped onto redhat who updated the
description. I guess I could try again.

> Thomas
> --
> Thomas Petazzoni, co-owner and CEO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
  2021-06-14 10:00         ` Chris Packham
@ 2021-06-14 12:01           ` Thomas Petazzoni
  0 siblings, 0 replies; 9+ messages in thread
From: Thomas Petazzoni @ 2021-06-14 12:01 UTC
  To: buildroot

On Mon, 14 Jun 2021 22:00:22 +1200
Chris Packham <judge.packham@gmail.com> wrote:

> Via the contact form. Then got bumped onto redhat who updated the
> description. I guess I could try again.

I contacted them over e-mail, got an answer the next day pretty much in
the entire discussion.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
  2021-06-10 15:37   ` Thomas Petazzoni
  2021-06-14  7:58     ` Chris Packham
@ 2021-06-23  7:58     ` Chris Packham
  2021-06-23 12:33       ` Thomas Petazzoni
  1 sibling, 1 reply; 9+ messages in thread
From: Chris Packham @ 2021-06-23  7:58 UTC
  To: buildroot

On Fri, 11 Jun 2021, 3:37 AM Thomas Petazzoni, <thomas.petazzoni@bootlin.com>
wrote:

> Hello Chris,
>
> On Mon, 12 Apr 2021 20:37:46 +1200
> Chris Packham <judge.packham@gmail.com> wrote:
>
> > I've managed to get the CVE updated to say "This flaw affects
> > syslog-ng versions prior to and including 2.0.9"[1] but I'm still
> > getting these notifications. Is there something else that needs to
> > happen now? Actually nist[2] seems to know it's been modified so it
> > may be a case of hurry up and wait.
>
> If I look up at https://nvd.nist.gov/vuln/detail/CVE-2008-5110, the
> list of known affected software configurations is still
> cpe:2.3:a:oneidentity:syslog-ng:-:*:*:*:*:*:*:*, which means "all known
> versions".
>

I've been in touch with the nvd maintainers and it looks like the nvd entry
has been updated.

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
  2021-06-23  7:58     ` Chris Packham
@ 2021-06-23 12:33       ` Thomas Petazzoni
  0 siblings, 0 replies; 9+ messages in thread
From: Thomas Petazzoni @ 2021-06-23 12:33 UTC
  To: buildroot

On Wed, 23 Jun 2021 19:58:14 +1200
Chris Packham <judge.packham@gmail.com> wrote:

> I've been in touch with the nvd maintainers and it looks like the nvd entry
> has been updated.

Yes, it seems like it has been updated! I see we're still listing that
CVE as affecting syslog-ng in Buildroot though, in
http://autobuild.buildroot.net/stats/master.html. We'll have to have a
look at why this is the case.

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
