* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
From: Chris Packham @ 2021-04-12 8:37 UTC
To: buildroot

On Mon, Apr 12, 2021 at 5:10 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> Packages having CVEs
> ====================
>
> This is the list of packages for which a known CVE is affecting them,
> which means a security vulnerability exists for those packages.
>
> CVEs for the 'master' branch
> ----------------------------
>
> name                           | CVE              | link
> -------------------------------+------------------+--------------------------------------------------------------
> syslog-ng                      | CVE-2008-5110    | https://security-tracker.debian.org/tracker/CVE-2008-5110
>

I've managed to get the CVE updated to say "This flaw affects
syslog-ng versions prior to and including 2.0.9"[1] but I'm still
getting these notifications. Is there something else that needs to
happen now? Actually nist[2] seems to know it's been modified so it
may be a case of hurry up and wait.

[1] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110
[2] - https://nvd.nist.gov/vuln/detail/CVE-2008-5110

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
From: Peter Korsgaard @ 2021-04-25 7:10 UTC
To: buildroot

>>>>> "Chris" == Chris Packham <judge.packham@gmail.com> writes:

 > On Mon, Apr 12, 2021 at 5:10 PM Thomas Petazzoni
 > <thomas.petazzoni@bootlin.com> wrote:
 >>
 >> Hello,
 >>
 >> Packages having CVEs
 >> ====================
 >>
 >> This is the list of packages for which a known CVE is affecting them,
 >> which means a security vulnerability exists for those packages.
 >>
 >> CVEs for the 'master' branch
 >> ----------------------------
 >>
 >> name                           | CVE              | link
 >> -------------------------------+------------------+--------------------------------------------------------------
 >> syslog-ng                      | CVE-2008-5110    | https://security-tracker.debian.org/tracker/CVE-2008-5110
 >>

 > I've managed to get the CVE updated to say "This flaw affects
 > syslog-ng versions prior to and including 2.0.9"[1] but I'm still
 > getting these notifications. Is there something else that needs to
 > happen now? Actually nist[2] seems to know it's been modified so it
 > may be a case of hurry up and wait.

 > [1] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110
 > [2] - https://nvd.nist.gov/vuln/detail/CVE-2008-5110

Sorry for the slow response. I still don't see any update of this in the
CVE database, e.g. it still lists all syslog-ng versions
(cpe:2.3:a:oneidentity:syslog-ng:-:*:*:*:*:*:*:*).

Looking at the changes
(https://nvd.nist.gov/vuln/detail/CVE-2008-5110#VulnChangeHistorySection),
it seems that only the textual description got updated, not the matching
data?

--
Bye, Peter Korsgaard

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
From: Thomas Petazzoni @ 2021-06-10 15:37 UTC
To: buildroot

Hello Chris,

On Mon, 12 Apr 2021 20:37:46 +1200
Chris Packham <judge.packham@gmail.com> wrote:

> I've managed to get the CVE updated to say "This flaw affects
> syslog-ng versions prior to and including 2.0.9"[1] but I'm still
> getting these notifications. Is there something else that needs to
> happen now? Actually nist[2] seems to know it's been modified so it
> may be a case of hurry up and wait.

If I look up at https://nvd.nist.gov/vuln/detail/CVE-2008-5110, the
list of known affected software configurations is still
cpe:2.3:a:oneidentity:syslog-ng:-:*:*:*:*:*:*:*, which means "all known
versions".

Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
From: Chris Packham @ 2021-06-14 7:58 UTC
To: buildroot

On Fri, Jun 11, 2021 at 3:37 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Chris,
>
> On Mon, 12 Apr 2021 20:37:46 +1200
> Chris Packham <judge.packham@gmail.com> wrote:
>
> > I've managed to get the CVE updated to say "This flaw affects
> > syslog-ng versions prior to and including 2.0.9"[1] but I'm still
> > getting these notifications. Is there something else that needs to
> > happen now? Actually nist[2] seems to know it's been modified so it
> > may be a case of hurry up and wait.
>
> If I look up at https://nvd.nist.gov/vuln/detail/CVE-2008-5110, the
> list of known affected software configurations is still
> cpe:2.3:a:oneidentity:syslog-ng:-:*:*:*:*:*:*:*, which means "all known
> versions".

After some effort the description was updated to say "This flaw
affects syslog-ng versions prior to and including 2.0.9.". But the cpe
entry hasn't been updated (if I understand correctly the reporter
controls the description but nist controls the configurations). The
CVE entry does now say that it has been modified since it was last
analyzed so I'm not sure how/when that will happen.

>
> Thomas
> --
> Thomas Petazzoni, co-owner and CEO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
From: Thomas Petazzoni @ 2021-06-14 8:45 UTC
To: buildroot

Hello Chris,

On Mon, 14 Jun 2021 19:58:12 +1200
Chris Packham <judge.packham@gmail.com> wrote:

> After some effort the description was updated to say "This flaw
> affects syslog-ng versions prior to and including 2.0.9.". But the cpe
> entry hasn't been updated (if I understand correctly the reporter
> controls the description but nist controls the configurations). The
> CVE entry does now say that it has been modified since it was last
> analyzed so I'm not sure how/when that will happen.

How did you contact the NVD maintainers? Because I contacted them a few
weeks ago about some CVE details, and they fixed up like a few days
later.

Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
From: Chris Packham @ 2021-06-14 10:00 UTC
To: buildroot

On Mon, Jun 14, 2021 at 8:45 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Chris,
>
> On Mon, 14 Jun 2021 19:58:12 +1200
> Chris Packham <judge.packham@gmail.com> wrote:
>
> > After some effort the description was updated to say "This flaw
> > affects syslog-ng versions prior to and including 2.0.9.". But the cpe
> > entry hasn't been updated (if I understand correctly the reporter
> > controls the description but nist controls the configurations). The
> > CVE entry does now say that it has been modified since it was last
> > analyzed so I'm not sure how/when that will happen.
>
> How did you contact the NVD maintainers? Because I contacted them a few
> weeks ago about some CVE details, and they fixed up like a few days
> later.
>

Via the contact form. Then got bumped onto redhat who updated the
description. I guess I could try again.

> Thomas
> --
> Thomas Petazzoni, co-owner and CEO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
From: Thomas Petazzoni @ 2021-06-14 12:01 UTC
To: buildroot

On Mon, 14 Jun 2021 22:00:22 +1200
Chris Packham <judge.packham@gmail.com> wrote:

> Via the contact form. Then got bumped onto redhat who updated the
> description. I guess I could try again.

I contacted them over e-mail, got an answer the next day pretty much in
the entire discussion.

Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
From: Chris Packham @ 2021-06-23 7:58 UTC
To: buildroot

On Fri, 11 Jun 2021, 3:37 AM Thomas Petazzoni, <thomas.petazzoni@bootlin.com>
wrote:

> Hello Chris,
>
> On Mon, 12 Apr 2021 20:37:46 +1200
> Chris Packham <judge.packham@gmail.com> wrote:
>
> > I've managed to get the CVE updated to say "This flaw affects
> > syslog-ng versions prior to and including 2.0.9"[1] but I'm still
> > getting these notifications. Is there something else that needs to
> > happen now? Actually nist[2] seems to know it's been modified so it
> > may be a case of hurry up and wait.
>
> If I look up at https://nvd.nist.gov/vuln/detail/CVE-2008-5110, the
> list of known affected software configurations is still
> cpe:2.3:a:oneidentity:syslog-ng:-:*:*:*:*:*:*:*, which means "all known
> versions".
>

I've been in touch with the nvd maintainers and it looks like the nvd entry
has been updated.

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-04-11
From: Thomas Petazzoni @ 2021-06-23 12:33 UTC
To: buildroot

On Wed, 23 Jun 2021 19:58:14 +1200
Chris Packham <judge.packham@gmail.com> wrote:

> I've been in touch with the nvd maintainers and it looks like the nvd entry
> has been updated.

Yes, it seems like it has been updated!

I see we're still listing that CVE as affecting syslog-ng in Buildroot
though, in http://autobuild.buildroot.net/stats/master.html. We'll have
to have a look at why this is the case.

Best regards,

Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

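The thread's distinction between a CVE's free-text description and its machine-readable match data, as an added example that is not from the thread or from Buildroot's own scripts. It assumes records shaped like NVD JSON-feed `cpe_match` entries; `affects`, `vkey` and both sample records are hypothetical names and constructed data.

```python
import operator
import re

# Range fields as named in NVD's JSON feed "cpe_match" entries.
BOUNDS = {
    "versionStartIncluding": operator.ge,
    "versionStartExcluding": operator.gt,
    "versionEndIncluding": operator.le,
    "versionEndExcluding": operator.lt,
}

DESCRIPTION = "This flaw affects syslog-ng versions prior to and including 2.0.9."

# Constructed records. UNBOUNDED uses the CPE string quoted in the thread;
# BOUNDED is an assumed shape for a version-limited entry, not copied from NVD.
UNBOUNDED = {"description": DESCRIPTION, "cpe_match": [
    {"vulnerable": True,
     "cpe23Uri": "cpe:2.3:a:oneidentity:syslog-ng:-:*:*:*:*:*:*:*"}]}
BOUNDED = {"description": DESCRIPTION, "cpe_match": [
    {"vulnerable": True,
     "cpe23Uri": "cpe:2.3:a:oneidentity:syslog-ng:*:*:*:*:*:*:*:*",
     "versionEndIncluding": "2.0.9"}]}


def vkey(version):
    """Numeric-aware sort key, so that 2.0.10 compares greater than 2.0.9."""
    parts = re.split(r"[.\-_+~]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def affects(record, product, version):
    """True if the record's match data covers product at version.

    The free-text description is never consulted. A CPE version field of
    '-' or '*' with no range bounds is treated as "every version", the
    reading given in the thread (an assumption of this example).
    """
    for match in record["cpe_match"]:
        fields = match["cpe23Uri"].split(":")  # sample has no escaped colons
        if not match.get("vulnerable", True) or fields[4] != product:
            continue
        if fields[5] not in ("*", "-"):
            if vkey(fields[5]) == vkey(version):
                return True
            continue
        if all(op(vkey(version), vkey(match[name]))
               for name, op in BOUNDS.items() if name in match):
            return True
    return False
```

Both records carry the same description, yet a constructed package version such as 3.31.2 is flagged by `UNBOUNDED` and cleared by `BOUNDED`, because only the match data is evaluated.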