* [Buildroot] [PATCH 1/2] package/lightning: add LIGHTNING_CPE_ID_VENDOR
@ 2021-10-18 21:40 Matthew Weber via buildroot
  2021-10-18 21:40 ` [Buildroot] [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747 Matthew Weber via buildroot
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Matthew Weber via buildroot @ 2021-10-18 21:40 UTC (permalink / raw)
  To: buildroot; +Cc: Matthew Weber

cpe:2.3:a:gnu:lightning:*:*:*:*:*:*:*:* is a valid CPE for this pkg

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Alightning

Signed-off-by: Matthew Weber <matthew.weber@collins.com>
---
 package/lightning/lightning.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
index 38b132e082..c0036e5cd1 100644
--- a/package/lightning/lightning.mk
+++ b/package/lightning/lightning.mk
@@ -9,6 +9,7 @@ LIGHTNING_SITE = $(BR2_GNU_MIRROR)/lightning
 LIGHTNING_LICENSE = LGPL-3.0+
 LIGHTNING_LICENSE_FILES = COPYING.LESSER
 LIGHTNING_INSTALL_STAGING = YES
+LIGHTNING_CPE_ID_VENDOR = gnu
 # We're patching include/Makefile.am
 LIGHTNING_AUTORECONF = YES
 
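Review bot: the added LIGHTNING_CPE_ID_VENDOR = gnu line sets only the vendor field, while the commit message cites the full identifier cpe:2.3:a:gnu:lightning. The product field is not set anywhere in this hunk, so it comes from whatever the package infrastructure defaults to. Please say in the commit message that the default product is what is wanted here, so a reader can check both fields against the NVD entry from the patch alone.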
-- 
2.17.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* [Buildroot] [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747
  2021-10-18 21:40 [Buildroot] [PATCH 1/2] package/lightning: add LIGHTNING_CPE_ID_VENDOR Matthew Weber via buildroot
@ 2021-10-18 21:40 ` Matthew Weber via buildroot
  2021-10-19 19:37   ` Yann E. MORIN
  2021-10-25  9:06   ` Paul Cercueil
  2021-10-19 19:36 ` [Buildroot] [PATCH 1/2] package/lightning: add LIGHTNING_CPE_ID_VENDOR Yann E. MORIN
  2021-10-25 12:13 ` Peter Korsgaard
  2 siblings, 2 replies; 9+ messages in thread
From: Matthew Weber via buildroot @ 2021-10-18 21:40 UTC (permalink / raw)
  To: buildroot; +Cc: Paul Cercueil, Matthew Weber, Yann E . MORIN

This reverts commit 613953f8217bf5b27489e0a939147ef7c74c3f7a.

A new CPE ID was assigned by NIST and this whitelist can be
dropped as the package is set up to use the correct CPE (not
to be confused with the other lightning-* packages which show
up when a free text search is used to find the CVE).

Cc: Paul Cercueil <paul@crapouillou.net>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Matthew Weber <matthew.weber@collins.com>
---
 package/lightning/lightning.mk | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
index c0036e5cd1..da8c07e61f 100644
--- a/package/lightning/lightning.mk
+++ b/package/lightning/lightning.mk
@@ -13,10 +13,6 @@ LIGHTNING_CPE_ID_VENDOR = gnu
 # We're patching include/Makefile.am
 LIGHTNING_AUTORECONF = YES
 
-# CVE-2020-7747 is for the Javascript lightning-server project, and not for
-# GNU Lightning.
-LIGHTNING_IGNORE_CVES = CVE-2020-7747
-
 ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
 LIGHTNING_DEPENDENCIES += binutils zlib
 LIGHTNING_CONF_OPTS += --enable-disassembler
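Review bot: dropping LIGHTNING_IGNORE_CVES = CVE-2020-7747 is only correct where LIGHTNING_CPE_ID_VENDOR = gnu (the context shown in this hunk's @@ header, added by 1/2) is already present, so the two patches have to be applied and backported together; the commit message should state that dependency. The removed comment also recorded why the CVE does not apply (it is for the JavaScript lightning-server project). Please carry that reason into the commit message and state that the CVE's CPE data does not match gnu:lightning, since "a new CPE ID was assigned" on its own does not show that the CVE stops being reported.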
-- 
2.17.1
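
The distinction drawn in the commit message above, between a free-text search and a match on the CPE vendor and product, shown as an added example (not code from Buildroot or from this thread). The feed records, their IDs, the example_vendor name and the 0.0.0 version are constructed, and the matcher is a simplified form of CPE 2.3 name matching that treats '*' as ANY.

```python
import re

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its 11 attributes."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    # Split on ':' but not on an escaped colon (backslash + ':').
    values = re.split(r"(?<!\\):", cpe[len("cpe:2.3:"):])
    if len(values) != len(FIELDS):
        raise ValueError("expected %d attributes, got %d" % (len(FIELDS), len(values)))
    return dict(zip(FIELDS, values))

def cpe_matches(record_cpe, package_cpe):
    """Simplified matching: '*' (ANY) on either side matches, else exact compare."""
    rec, pkg = parse_cpe(record_cpe), parse_cpe(package_cpe)
    return all(rec[f] == "*" or pkg[f] == "*" or rec[f].lower() == pkg[f].lower()
               for f in FIELDS)

# CPE from the commit message, with a constructed version filled in.
PACKAGE_CPE = "cpe:2.3:a:gnu:lightning:0.0.0:*:*:*:*:*:*:*"

# Constructed vulnerability records (IDs, vendor and text are placeholders).
FEED = [
    {"id": "EXAMPLE-0001",
     "description": "Constructed record for a lightning-server web package",
     "cpes": ["cpe:2.3:a:example_vendor:lightning-server:*:*:*:*:*:*:*:*"]},
    {"id": "EXAMPLE-0002",
     "description": "Constructed record bound to the GNU lightning CPE",
     "cpes": ["cpe:2.3:a:gnu:lightning:*:*:*:*:*:*:*:*"]},
]

def keyword_hits(feed, keyword):
    """Free-text search: any record whose description mentions the keyword."""
    return [r["id"] for r in feed if keyword.lower() in r["description"].lower()]

def cpe_hits(feed, package_cpe):
    """Structured search: only records whose CPE list matches the package CPE."""
    return [r["id"] for r in feed
            if any(cpe_matches(c, package_cpe) for c in r["cpes"])]

if __name__ == "__main__":
    print("keyword:", keyword_hits(FEED, "lightning"))
    print("cpe:    ", cpe_hits(FEED, PACKAGE_CPE))
```

The keyword search returns both records, while the CPE match returns only the one bound to gnu:lightning.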


* Re: [Buildroot] [PATCH 1/2] package/lightning: add LIGHTNING_CPE_ID_VENDOR
  2021-10-18 21:40 [Buildroot] [PATCH 1/2] package/lightning: add LIGHTNING_CPE_ID_VENDOR Matthew Weber via buildroot
  2021-10-18 21:40 ` [Buildroot] [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747 Matthew Weber via buildroot
@ 2021-10-19 19:36 ` Yann E. MORIN
  2021-10-25 12:13 ` Peter Korsgaard
  2 siblings, 0 replies; 9+ messages in thread
From: Yann E. MORIN @ 2021-10-19 19:36 UTC (permalink / raw)
  To: Matthew Weber; +Cc: buildroot

Matthew, All,

On 2021-10-18 16:40 -0500, Matthew Weber via buildroot spake thusly:
> cpe:2.3:a:gnu:lightning:*:*:*:*:*:*:*:* is a valid CPE for this pkg
> 
> https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Alightning
> 
> Signed-off-by: Matthew Weber <matthew.weber@collins.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/lightning/lightning.mk | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
> index 38b132e082..c0036e5cd1 100644
> --- a/package/lightning/lightning.mk
> +++ b/package/lightning/lightning.mk
> @@ -9,6 +9,7 @@ LIGHTNING_SITE = $(BR2_GNU_MIRROR)/lightning
>  LIGHTNING_LICENSE = LGPL-3.0+
>  LIGHTNING_LICENSE_FILES = COPYING.LESSER
>  LIGHTNING_INSTALL_STAGING = YES
> +LIGHTNING_CPE_ID_VENDOR = gnu
>  # We're patching include/Makefile.am
>  LIGHTNING_AUTORECONF = YES
>  
> -- 
> 2.17.1
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747
  2021-10-18 21:40 ` [Buildroot] [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747 Matthew Weber via buildroot
@ 2021-10-19 19:37   ` Yann E. MORIN
  2021-10-25  9:06   ` Paul Cercueil
  1 sibling, 0 replies; 9+ messages in thread
From: Yann E. MORIN @ 2021-10-19 19:37 UTC (permalink / raw)
  To: Matthew Weber; +Cc: Paul Cercueil, buildroot

Matthew, All,

On 2021-10-18 16:40 -0500, Matthew Weber via buildroot spake thusly:
> This reverts commit 613953f8217bf5b27489e0a939147ef7c74c3f7a.
> 
> A new CPE ID was assigned by NIST and this whitelist can be
> dropped as the package is set up to use the correct CPE (not
> to be confused with the other lightning-* packages which show
> up when a free text search is used to find the CVE).
> 
> Cc: Paul Cercueil <paul@crapouillou.net>
> Cc: Yann E. MORIN <yann.morin.1998@free.fr>
> Signed-off-by: Matthew Weber <matthew.weber@collins.com>

With a slight reword in the title, applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/lightning/lightning.mk | 4 ----
>  1 file changed, 4 deletions(-)
> 
> diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
> index c0036e5cd1..da8c07e61f 100644
> --- a/package/lightning/lightning.mk
> +++ b/package/lightning/lightning.mk
> @@ -13,10 +13,6 @@ LIGHTNING_CPE_ID_VENDOR = gnu
>  # We're patching include/Makefile.am
>  LIGHTNING_AUTORECONF = YES
>  
> -# CVE-2020-7747 is for the Javascript lightning-server project, and not for
> -# GNU Lightning.
> -LIGHTNING_IGNORE_CVES = CVE-2020-7747
> -
>  ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
>  LIGHTNING_DEPENDENCIES += binutils zlib
>  LIGHTNING_CONF_OPTS += --enable-disassembler
> -- 
> 2.17.1
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747
  2021-10-18 21:40 ` [Buildroot] [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747 Matthew Weber via buildroot
  2021-10-19 19:37   ` Yann E. MORIN
@ 2021-10-25  9:06   ` Paul Cercueil
  2021-10-25 13:09     ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
  1 sibling, 1 reply; 9+ messages in thread
From: Paul Cercueil @ 2021-10-25  9:06 UTC (permalink / raw)
  To: Matthew Weber; +Cc: Yann E . MORIN, buildroot

Hi Matthew, all,

I still get the emails about CVEs in Lightning though :(
I just got one a few hours ago.

-Paul


On Mon, Oct 18 2021 at 16:40:14 -0500, Matthew Weber 
<matthew.weber@collins.com> wrote:
> This reverts commit 613953f8217bf5b27489e0a939147ef7c74c3f7a.
> 
> A new CPE ID was assigned by NIST and this whitelist can be
> dropped as the package is set up to use the correct CPE (not
> to be confused with the other lightning-* packages which show
> up when a free text search is used to find the CVE).
> 
> Cc: Paul Cercueil <paul@crapouillou.net>
> Cc: Yann E. MORIN <yann.morin.1998@free.fr>
> Signed-off-by: Matthew Weber <matthew.weber@collins.com>
> ---
>  package/lightning/lightning.mk | 4 ----
>  1 file changed, 4 deletions(-)
> 
> diff --git a/package/lightning/lightning.mk 
> b/package/lightning/lightning.mk
> index c0036e5cd1..da8c07e61f 100644
> --- a/package/lightning/lightning.mk
> +++ b/package/lightning/lightning.mk
> @@ -13,10 +13,6 @@ LIGHTNING_CPE_ID_VENDOR = gnu
>  # We're patching include/Makefile.am
>  LIGHTNING_AUTORECONF = YES
> 
> -# CVE-2020-7747 is for the Javascript lightning-server project, and 
> not for
> -# GNU Lightning.
> -LIGHTNING_IGNORE_CVES = CVE-2020-7747
> -
>  ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
>  LIGHTNING_DEPENDENCIES += binutils zlib
>  LIGHTNING_CONF_OPTS += --enable-disassembler
> --
> 2.17.1
> 



* Re: [Buildroot] [PATCH 1/2] package/lightning: add LIGHTNING_CPE_ID_VENDOR
  2021-10-18 21:40 [Buildroot] [PATCH 1/2] package/lightning: add LIGHTNING_CPE_ID_VENDOR Matthew Weber via buildroot
  2021-10-18 21:40 ` [Buildroot] [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747 Matthew Weber via buildroot
  2021-10-19 19:36 ` [Buildroot] [PATCH 1/2] package/lightning: add LIGHTNING_CPE_ID_VENDOR Yann E. MORIN
@ 2021-10-25 12:13 ` Peter Korsgaard
  2 siblings, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2021-10-25 12:13 UTC (permalink / raw)
  To: Matthew Weber via buildroot; +Cc: Matthew Weber

>>>>> "Matthew" == Matthew Weber via buildroot <buildroot@buildroot.org> writes:

 > cpe:2.3:a:gnu:lightning:*:*:*:*:*:*:*:* is a valid CPE for this pkg
 > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Alightning

 > Signed-off-by: Matthew Weber <matthew.weber@collins.com>

Committed to 2021.02.x and 2021.08.x, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [External] Re: [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747
  2021-10-25  9:06   ` Paul Cercueil
@ 2021-10-25 13:09     ` Weber, Matthew L Collins via buildroot
  2021-10-25 13:10       ` Paul Cercueil
  0 siblings, 1 reply; 9+ messages in thread
From: Weber, Matthew L Collins via buildroot @ 2021-10-25 13:09 UTC (permalink / raw)
  To: Paul Cercueil; +Cc: Yann E . MORIN, buildroot

Paul,


> From: Paul Cercueil <paul@crapouillou.net>
> Sent: Monday, October 25, 2021 4:06 AM
> To: Weber, Matthew L Collins <Matthew.Weber@collins.com>
> Cc: buildroot@buildroot.org <buildroot@buildroot.org>; Yann E . MORIN <yann.morin.1998@free.fr>
> Subject: [External] Re: [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747 
>  
> Hi Matthew, all,
> 
> I still get the emails about CVEs in Lightning though :(
> I just got one a few hours ago.

The changes to resolve that were merged on master last week and I noticed today that Peter applied them to the long term support branch (probably after you received that email). Which branch did the email list the CVE against?

Regards,
Matt

* Re: [Buildroot] [External] Re: [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747
  2021-10-25 13:09     ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
@ 2021-10-25 13:10       ` Paul Cercueil
  2021-10-26 12:27         ` Peter Korsgaard
  0 siblings, 1 reply; 9+ messages in thread
From: Paul Cercueil @ 2021-10-25 13:10 UTC (permalink / raw)
  To: Weber, Matthew L Collins; +Cc: Yann E . MORIN, buildroot

Hi Matthew,

On Mon, Oct 25 2021 at 13:09:25 +0000, "Weber, Matthew L Collins" 
<Matthew.Weber@collins.com> wrote:
> Paul,
> 
> 
>>  From: Paul Cercueil <paul@crapouillou.net>
>>  Sent: Monday, October 25, 2021 4:06 AM
>>  To: Weber, Matthew L Collins <Matthew.Weber@collins.com>
>>  Cc: buildroot@buildroot.org <buildroot@buildroot.org>; Yann E . 
>> MORIN <yann.morin.1998@free.fr>
>>  Subject: [External] Re: [PATCH 2/2] package/lightning: 
>> [revert]ignore not applicable CVE-2020-7747
>> 
>>  Hi Matthew, all,
>> 
>>  I still get the emails about CVEs in Lightning though :(
>>  I just got one a few hours ago.
> 
> The changes to resolve that were merged on master last week and I 
> noticed today that Peter applied them to the long term support branch 
> (probably after you received that email).  Which branch did the email 
> list the CVE against?
> 
> Regards,
> Matt

I get those emails for the 2021.02.x and 2021.08.x branches.

Cheers,
-Paul



* Re: [Buildroot] [External] Re: [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747
  2021-10-25 13:10       ` Paul Cercueil
@ 2021-10-26 12:27         ` Peter Korsgaard
  0 siblings, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2021-10-26 12:27 UTC (permalink / raw)
  To: Paul Cercueil; +Cc: buildroot, Weber, Matthew L Collins, Yann E . MORIN

>>>>> "Paul" == Paul Cercueil <paul@crapouillou.net> writes:

Hi,

 >>> I still get the emails about CVEs in Lightning though :(
 >>> I just got one a few hours ago.
 >> 
 >> The changes to resolve that were merged on master last week and I
 >> noticed today that Peter applied them to the long term support
 >> branch (probably after you received that email).  Which branch did
 >> the email list the CVE against?

 > I get those emails for the 2021.02.x and 2021.08.x branches.

You shouldn't get them any more. Please let me know if you do.

-- 
Bye, Peter Korsgaard