* Re: [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-08-15
@ 2021-08-17 10:35 Peter Korsgaard
  2021-08-17 10:56 ` Thomas Petazzoni
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2021-08-17 10:35 UTC (permalink / raw)
  To: Thomas Petazzoni, buildroot

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

Hi,

 > Packages having CVEs
 > ====================

 > This is the list of packages for which a known CVE is affecting them,
 > which means a security vulnerability exists for those packages.

 > CVEs for the 'master' branch
 > ----------------------------

 >              name              |       CVE        |                             link                            
 > -------------------------------+------------------+--------------------------------------------------------------
 >                      mosquitto | CVE-2021-34432   | https://security-tracker.debian.org/tracker/CVE-2021-34432  


 > CVEs for the '2021.02.x' branch
 > -------------------------------

 >              name              |       CVE        |                             link                            
 > -------------------------------+------------------+--------------------------------------------------------------
 >                      mosquitto | CVE-2021-34432   | https://security-tracker.debian.org/tracker/CVE-2021-34432  


 > CVEs for the '2021.05.x' branch
 > -------------------------------

 >              name              |       CVE        |                             link                            
 > -------------------------------+------------------+--------------------------------------------------------------
 >                      mosquitto | CVE-2021-34432   | https://security-tracker.debian.org/tracker/CVE-2021-34432  


 > CVEs for the 'next' branch
 > --------------------------

 >              name              |       CVE        |                             link                            
 > -------------------------------+------------------+--------------------------------------------------------------
 >                      mosquitto | CVE-2021-34432   | https://security-tracker.debian.org/tracker/CVE-2021-34432  

Hmm, looks like we have a bug in the version comparison logic. We have
2.0.11 and the CPE data states <= 2.0.7:

https://nvd.nist.gov/vuln/detail/CVE-2021-34432

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot


* Re: [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-08-15
  2021-08-17 10:35 [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-08-15 Peter Korsgaard
@ 2021-08-17 10:56 ` Thomas Petazzoni
  2021-08-17 11:10   ` Peter Korsgaard
  0 siblings, 1 reply; 6+ messages in thread
From: Thomas Petazzoni @ 2021-08-17 10:56 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: buildroot

On Tue, 17 Aug 2021 12:35:20 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:

>  >              name              |       CVE        |                             link                            
>  > -------------------------------+------------------+--------------------------------------------------------------
>  >                      mosquitto | CVE-2021-34432   | https://security-tracker.debian.org/tracker/CVE-2021-34432    
> 
> Hmm, looks like we have a bug in the version comparison logic. We have
> 2.0.11 and the CPE data states <= 2.0.7:

No, the CPE data states: "Up to (including) 2.07". Notice how 2.07 is
different than 2.0.7?

2.07 is indeed "newer" than 2.0.11, so our comparison logic works fine.
You can look at
https://nvd.nist.gov/vuln/detail/CVE-2021-34432/cpes?expandCpeRanges=true
which shows the full list of CPE IDs that are considered vulnerable,
and 2.0.11 is among the ones considered vulnerable, based on the
(probably incorrect) 2.07 information.

If you have some evidence that shows that the fix only affects versions
up to 2.0.7, then we can contact the NVD maintainers and get the issue
fixed.

Best regards,

Thomas Petazzoni
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
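To make the point above concrete, here is an added example (not Buildroot's own cve.py, and the function names are my own) that compares a package version against an NVD "up to (including)" bound component by component, and shows why a bound published as "2.07" covers 2.0.11 while "2.0.7" does not. It also adds a cheap sanity check a defender can run: a bound whose component count differs from the package's own version scheme deserves a manual look before the CVE is reported as affecting the package.

```python
"""Component-wise version comparison against a CPE 'up to (including)' bound.

Added example, not Buildroot's cve.py. Reproduces the mosquitto case from
the thread: the bound was published as "2.07" instead of "2.0.7", so a
numerically correct comparison reports 2.0.11 as vulnerable.
"""
import re
from typing import Dict, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into an int tuple ('2.0.11' -> (2, 0, 11))."""
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"no numeric components in version {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(pkg_version: str, end_including: str) -> bool:
    """True when pkg_version <= end_including under component-wise ordering.

    Tuples compare lexicographically, so (2, 0, 11) <= (2, 7) because
    0 < 7 in the second component: exactly why "2.07" covers 2.0.11.
    """
    return parse_version(pkg_version) <= parse_version(end_including)


def suspicious_bound(pkg_version: str, end_including: str) -> bool:
    """Heuristic (my own, not NVD's): a bound with a different number of
    components than the package's own version ('2.07' vs '2.0.11') is a
    likely typo in the CPE data and should be reviewed by a human."""
    return len(parse_version(end_including)) != len(parse_version(pkg_version))


def check(pkg_version: str, end_including: str) -> Dict[str, bool]:
    """Combine the match result with the sanity check for one package."""
    return {
        "affected": is_affected(pkg_version, end_including),
        "suspicious_bound": suspicious_bound(pkg_version, end_including),
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: Buildroot ships mosquitto 2.0.11.
    for bound in ("2.07", "2.0.7"):
        print(f"2.0.11 vs 'up to (including) {bound}':", check("2.0.11", bound))
```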

* Re: [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-08-15
  2021-08-17 10:56 ` Thomas Petazzoni
@ 2021-08-17 11:10   ` Peter Korsgaard
  2021-08-17 11:12     ` Thomas Petazzoni
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2021-08-17 11:10 UTC (permalink / raw)
  To: Thomas Petazzoni; +Cc: buildroot

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > On Tue, 17 Aug 2021 12:35:20 +0200
 > Peter Korsgaard <peter@korsgaard.com> wrote:

 >> >              name              |       CVE        |                             link                            
 >> > -------------------------------+------------------+--------------------------------------------------------------
 >> >                      mosquitto | CVE-2021-34432   | https://security-tracker.debian.org/tracker/CVE-2021-34432    
 >> 
 >> Hmm, looks like we have a bug in the version comparison logic. We have
 >> 2.0.11 and the CPE data states <= 2.0.7:

 > No, the CPE data states: "Up to (including) 2.07". Notice how 2.07 is
 > different than 2.0.7 ?

 > 2.07 is indeed "newer" than 2.0.11, so our comparison logic works fine.
 > You can look at
 > https://nvd.nist.gov/vuln/detail/CVE-2021-34432/cpes?expandCpeRanges=true
 > which shows the full list of CPE IDs that are considered vulnerable,
 > and 2.0.11 is among the ones considered vulnerable, based on the
 > (probably incorrect) 2.07 information.

Ahh, indeed!


 > If you have some evidence that shows that the fix only affects versions
 > up to 2.0.7, then we can contact the NVD maintainers and get the issue
 > fixed.

Yes, it was (silently) fixed in 2.0.8 as mentioned in the linked
bugtracker issue:

https://github.com/eclipse/mosquitto/commit/9b08faf0bdaf5a4f2e6e3dd1ea7e8c57f70418d6

What was the process for reporting issues in the CPE data again?

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-08-15
  2021-08-17 11:10   ` Peter Korsgaard
@ 2021-08-17 11:12     ` Thomas Petazzoni
  2021-08-17 15:42       ` Peter Korsgaard
  0 siblings, 1 reply; 6+ messages in thread
From: Thomas Petazzoni @ 2021-08-17 11:12 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: buildroot

On Tue, 17 Aug 2021 13:10:03 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:

>  > If you have some evidence that shows that the fix only affects versions
>  > up to 2.0.7, then we can contact the NVD maintainers and get the issue
>  > fixed.  
> 
> Yes, it was (silently) fixed in 2.0.8 as mentioned in the linked
> bugtracker issue:
> 
> https://github.com/eclipse/mosquitto/commit/9b08faf0bdaf5a4f2e6e3dd1ea7e8c57f70418d6
> 
> What was the process for reporting issues in the CPE data again?

E-mail to: nvd <nvd@nist.gov>

Make sure to give enough details about the issue; the last time I
interacted with them, they really wanted a good explanation and evidence
before changing/adjusting the NVD data.

Cheers,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* Re: [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-08-15
  2021-08-17 11:12     ` Thomas Petazzoni
@ 2021-08-17 15:42       ` Peter Korsgaard
  2021-08-18 10:17         ` Thomas Petazzoni
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2021-08-17 15:42 UTC (permalink / raw)
  To: Thomas Petazzoni; +Cc: buildroot

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

Hi,

 >> What was the process for reporting issues in the CPE data again?

 > E-mail to: nvd <nvd@nist.gov>

 > Make sure to give enough details about the issue, the last time I
 > interacted with them, they really wanted good explanation and evidence
 > before changing/adjusting the NVD data.

Thanks, it should be fixed now:

Thank you for bringing this to our attention. We appreciate community
input in order to provide the most accurate and up-to-date information
as possible. After reviewing the information provided, we have made the
appropriate modifications to reflect that the affected versions of
Mosquitto are up to (including) 2.0.7. Please allow up to 24 hours for
the changes to be reflected on the website and in the data feeds.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-08-15
  2021-08-17 15:42       ` Peter Korsgaard
@ 2021-08-18 10:17         ` Thomas Petazzoni
  0 siblings, 0 replies; 6+ messages in thread
From: Thomas Petazzoni @ 2021-08-18 10:17 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: buildroot

On Tue, 17 Aug 2021 17:42:05 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:

> Thank you for bringing this to our attention. We appreciate community
> input in order to provide the most accurate and up-to-date information
> as possible. After reviewing the information provided, we have made the
> appropriate modifications to reflect that the affected versions of
> Mosquitto are up to (including) 2.0.7. Please allow up to 24 hours for
> the changes to be reflected on the website and in the data feeds.

Great. In my experience they were really responsive, and it seems that
once again they were responsive, which is good.

Best regards,

Thomas Petazzoni
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com