From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Paul Cercueil <paul@crapouillou.net>
Cc: "Weber, Matthew L Collins" <Matthew.Weber@collins.com>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/lightning: stop spam!
Date: Sat, 16 Oct 2021 10:02:38 +0200
Message-ID: <20211016080238.GD4165837@scaer>
In-Reply-To: <20211015215003.181073-1-paul@crapouillou.net>
Paul, All,
+Matthew
On 2021-10-15 22:50 +0100, Paul Cercueil spake thusly:
> Every week I receive an automated email that tells me about the
> CVE-2020-7747 vulnerability in Lightning. This vulnerability however
> applies to the Javascript lightning-server project, and not to the
> GNU Lightning project.
>
> Ignore this CVE in the Lightning package to reduce my stress levels.
>
> Signed-off-by: Paul Cercueil <paul@crapouillou.net>
The goal of sending those automated emails is explicitly to have people
registered on DEVELOPERS, to take action on those CVE reports. Such
actions can be bumping the package to a non-affected version,
backporting an upstream patch, or, as you did, marking them to be ignored.
Bonus point if the NIST CPE DB is updated to avoid the mismatch, like
adding an entry for GNU lightning, and thus setting the correct CPE_ID
in Buildroot.
Matt: is there a process to update the NIST CPE DB? Can we add that in the
manual, even just as a URL?
Anyway: applied to master, after rewording the commit log to avoid the
personal-tone message, thanks.
Regards,
Yann E. MORIN.
> ---
> package/lightning/lightning.mk | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
> index 3bd17bef56..38b132e082 100644
> --- a/package/lightning/lightning.mk
> +++ b/package/lightning/lightning.mk
> @@ -12,6 +12,10 @@ LIGHTNING_INSTALL_STAGING = YES
> # We're patching include/Makefile.am
> LIGHTNING_AUTORECONF = YES
>
> +# CVE-2020-7747 is for the Javascript lightning-server project, and not for
> +# GNU Lightning.
> +LIGHTNING_IGNORE_CVES = CVE-2020-7747
> +
> ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
> LIGHTNING_DEPENDENCIES += binutils zlib
> LIGHTNING_CONF_OPTS += --enable-disassembler
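Review bot: the added `LIGHTNING_IGNORE_CVES = CVE-2020-7747` line suppresses this one report but leaves the name collision with lightning-server in place, so a later CVE filed against that project may be attributed to this package again. The two-line comment above it could state that the entry is a false positive from name matching and can be dropped once the package carries a correct CPE ID, as raised in the reply. Using `+=` instead of `=` would also keep the assignment safe to extend if further entries are added later.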
> --
> 2.33.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'