* [Buildroot] [PATCH] package/lightning: stop spam! @ 2021-10-15 21:50 Paul Cercueil 2021-10-16 8:02 ` Yann E. MORIN 0 siblings, 1 reply; 5+ messages in thread From: Paul Cercueil @ 2021-10-15 21:50 UTC (permalink / raw) To: buildroot; +Cc: Paul Cercueil Every week I receive an automated email that tells me about the CVE-2020-7747 vulnerability in Lightning. This vulnerability however applies to the Javascript lightning-server project, and not to the GNU Lightning project. Ignore this CVE in the Lightning package to reduce my stress levels. Signed-off-by: Paul Cercueil <paul@crapouillou.net> --- package/lightning/lightning.mk | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk index 3bd17bef56..38b132e082 100644 --- a/package/lightning/lightning.mk +++ b/package/lightning/lightning.mk @@ -12,6 +12,10 @@ LIGHTNING_INSTALL_STAGING = YES # We're patching include/Makefile.am LIGHTNING_AUTORECONF = YES +# CVE-2020-7747 is for the Javascript lightning-server project, and not for +# GNU Lightning. +LIGHTNING_IGNORE_CVES = CVE-2020-7747 + ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y) LIGHTNING_DEPENDENCIES += binutils zlib LIGHTNING_CONF_OPTS += --enable-disassembler -- 2.33.0 _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply related [flat|nested] 5+ messages in thread
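Review bot: LIGHTNING_IGNORE_CVES = CVE-2020-7747 silences the report but leaves the root cause in place: the matcher pairs GNU Lightning with the JavaScript lightning-server CVE because it keys on the bare package name, so any future CVE filed against that unrelated project will hit this package again and need another ignore entry. The durable fix is a CPE for GNU Lightning plus LIGHTNING_CPE_ID_VENDOR = gnu in this .mk so matching is done on vendor/product; the comment above the ignore line should say it is a name-match false positive, so the next maintainer knows the entry can be dropped once the CPE id is set.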
* Re: [Buildroot] [PATCH] package/lightning: stop spam!
  2021-10-15 21:50 [Buildroot] [PATCH] package/lightning: stop spam! Paul Cercueil
@ 2021-10-16  8:02 ` Yann E. MORIN
  2021-10-18 13:21   ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
  0 siblings, 1 reply; 5+ messages in thread
From: Yann E. MORIN @ 2021-10-16  8:02 UTC (permalink / raw)
  To: Paul Cercueil; +Cc: Weber, Matthew L Collins, buildroot

Paul, All,

+Matthew

On 2021-10-15 22:50 +0100, Paul Cercueil spake thusly:
> Every week I receive an automated email that tells me about the
> CVE-2020-7747 vulnerability in Lightning. This vulnerability however
> applies to the Javascript lightning-server project, and not to the
> GNU Lightning project.
>
> Ignore this CVE in the Lightning package to reduce my stress levels.
>
> Signed-off-by: Paul Cercueil <paul@crapouillou.net>

The goal of sending those automated emails is explicitly to have people
registered in DEVELOPERS take action on those CVE reports. Such
actions can be bumping the package to a non-affected version,
backporting an upstream patch, or, as you did, marking them to be ignored.

Bonus point if the NIST CPE DB is updated to avoid the mismatch, like
adding an entry for GNU lightning, and thus setting the correct CPE_ID
in Buildroot.

Matt: is there a process to update the NIST CPE DB? Can we add that in the
manual, even just as a URL?

Anyway: applied to master, after rewording the commit log to avoid the
personal-tone message, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/lightning/lightning.mk | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
> index 3bd17bef56..38b132e082 100644
> --- a/package/lightning/lightning.mk
> +++ b/package/lightning/lightning.mk
> @@ -12,6 +12,10 @@ LIGHTNING_INSTALL_STAGING = YES > # We're patching include/Makefile.am > LIGHTNING_AUTORECONF = YES > > +# CVE-2020-7747 is for the Javascript lightning-server project, and not for > +# GNU Lightning. > +LIGHTNING_IGNORE_CVES = CVE-2020-7747 > + > ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y) > LIGHTNING_DEPENDENCIES += binutils zlib > LIGHTNING_CONF_OPTS += --enable-disassembler > -- > 2.33.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 5+ messages in thread
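Review bot: Style point on the new assignment: `LIGHTNING_IGNORE_CVES = CVE-2020-7747` uses a plain `=`, while the Buildroot manual's form for this variable is `LIGHTNING_IGNORE_CVES += CVE-2020-7747`. Using `+=` means a later entry, including one added under a conditional block such as the BR2_PACKAGE_LIGHTNING_DISASSEMBLER one just below, appends instead of silently replacing this id.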
* Re: [Buildroot] [External] Re: [PATCH] package/lightning: stop spam!
  2021-10-16  8:02 ` Yann E. MORIN
@ 2021-10-18 13:21   ` Weber, Matthew L Collins via buildroot
  2021-10-18 15:33     ` Yann E. MORIN
  0 siblings, 1 reply; 5+ messages in thread
From: Weber, Matthew L Collins via buildroot @ 2021-10-18 13:21 UTC (permalink / raw)
  To: Yann E. MORIN, Paul Cercueil; +Cc: buildroot@buildroot.org

Yann,

> From: Yann E. MORIN <yann.morin.1998@free.fr>
> Sent: Saturday, October 16, 2021 3:02 AM
> To: Paul Cercueil <paul@crapouillou.net>
> Cc: buildroot@buildroot.org <buildroot@buildroot.org>; Weber, Matthew L Collins <Matthew.Weber@collins.com>
> Subject: [External] Re: [Buildroot] [PATCH] package/lightning: stop spam!
>
> Paul, All,
>
> +Matthew
>
> On 2021-10-15 22:50 +0100, Paul Cercueil spake thusly:
> > Every week I receive an automated email that tells me about the
> > CVE-2020-7747 vulnerability in Lightning. This vulnerability however
> > applies to the Javascript lightning-server project, and not to the
> > GNU Lightning project.
> >
> > Ignore this CVE in the Lightning package to reduce my stress levels.
> >
> > Signed-off-by: Paul Cercueil <paul@crapouillou.net>
>
> The goal of sending those automated emails is explicitly to have people
> registered in DEVELOPERS take action on those CVE reports. Such
> actions can be bumping the package to a non-affected version,
> backporting an upstream patch, or, as you did, marking them to be ignored.
>
> Bonus point if the NIST CPE DB is updated to avoid the mismatch, like
> adding an entry for GNU lightning, and thus setting the correct CPE_ID
> in Buildroot.
>
> Matt: is there a process to update the NIST CPE DB? Can we add that in the
> manual, even just as a URL?

Thomas and I had started this elinux page covering adding/updating a CVE or CPE.
https://www.elinux.org/Buildroot:Security_Vulnerability_Management

So in this case, I think we need to submit an entry for the GNU lightning
package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as there isn't a CPE.
Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR = gnu" so
the CVE filter is clear for this package (right now it is free text based
and that's why you've picked up the server CVE).

I've emailed the XML [1] to NIST to make this update.

Regards,
Matt

[1]
<?xml version="1.0" encoding="utf-8"?>
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
  <cpe-item name="cpe:/a:gnu:lightning:2.1.3">
    <title xml:lang="en-US">GNU Lightning Project 2.1.3</title>
    <references>
      <reference href="http://git.savannah.gnu.org/cgit/lightning.git">VERSION</reference>
      <reference href="https://www.gnu.org/software/lightning/">PRODUCT</reference>
    </references>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"/>
  </cpe-item>
</cpe-list>
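The name-based versus CPE-based matching Matt describes above, as an added example that is not Buildroot's pkg-stats/cve.py code and not anything posted in this thread: a small Python model in which CVE records carry CPE match nodes, a package is matched either by its bare name or by a parsed CPE, and an ignore list drops ids the way LIGHTNING_IGNORE_CVES does. Only the id CVE-2020-7747 and the CPE cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:* come from the thread; the record summaries, the lightning-server vendor/product strings, the CVE-0000-0000 placeholder record and the matching rules themselves are constructed assumptions for the example.

```python
"""Name-only vs CPE-based CVE matching, modelled on the Buildroot thread.

Added example, not Buildroot's own pkg-stats/cve.py code. Only CVE-2020-7747
and cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:* come from the thread; the
records below (summaries, vendor strings, the CVE-0000-0000 placeholder) are
constructed, and the matching rules are a simplified model.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    part: str      # "a" (application), "o" (OS) or "h" (hardware)
    vendor: str
    product: str
    version: str   # "*" in a match node means "any version"


def parse_cpe23(name: str) -> Cpe:
    """Parse part/vendor/product/version out of a CPE 2.3 formatted string.

    Components are separated by unescaped ':'; a backslash-escaped ':' inside
    a value is kept literally, so "foo\\:bar" stays one product name.
    """
    prefix = "cpe:2.3:"
    if not name.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    fields, cur, i = [], "", len(prefix)
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped char: keep both
            cur += name[i:i + 2]
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    if len(fields) != 11:                      # part .. other = 11 components
        raise ValueError(f"expected 11 components, got {len(fields)}: {name!r}")
    return Cpe(*fields[:4])


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    summary: str
    affected: tuple[Cpe, ...]   # CPE match nodes of the record's configuration


# Constructed records: the lightning-server vendor/product strings and the
# CVE-0000-0000 entry are assumptions for this example, not NVD data.
RECORDS = (
    CveRecord(
        "CVE-2020-7747",
        "constructed summary: issue in the JavaScript lightning-server package",
        (parse_cpe23("cpe:2.3:a:lightning-server_project:lightning-server:*:*:*:*:*:node.js:*:*"),),
    ),
    CveRecord(
        "CVE-0000-0000",
        "constructed placeholder: unrelated product whose name contains 'lightning'",
        (parse_cpe23("cpe:2.3:a:example_vendor:lightning_widget:1.0:*:*:*:*:*:*:*"),),
    ),
)

GNU_LIGHTNING = parse_cpe23("cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*")


def matches_by_name(record: CveRecord, pkg_name: str) -> bool:
    """Loose, text-based match: the package name occurs in an affected product."""
    return any(pkg_name in cpe.product for cpe in record.affected)


def matches_by_cpe(record: CveRecord, pkg: Cpe) -> bool:
    """CPE match: part, vendor and product identical; version '*' or equal."""
    return any(
        cpe.part == pkg.part and cpe.vendor == pkg.vendor
        and cpe.product == pkg.product and cpe.version in ("*", pkg.version)
        for cpe in record.affected
    )


def report(records, pkg_name: str, pkg_cpe: Cpe | None = None,
           ignore: frozenset[str] = frozenset()) -> list[str]:
    """CVE ids reported for a package. A CPE id (LIGHTNING_CPE_ID_VENDOR)
    switches to CPE matching; the ignore set (LIGHTNING_IGNORE_CVES) drops ids."""
    hits = []
    for rec in records:
        if rec.cve_id in ignore:
            continue
        matched = (matches_by_cpe(rec, pkg_cpe) if pkg_cpe is not None
                   else matches_by_name(rec, pkg_name))
        if matched:
            hits.append(rec.cve_id)
    return hits


if __name__ == "__main__":
    print("name match:  ", report(RECORDS, "lightning"))
    print("+ignore list:", report(RECORDS, "lightning", ignore=frozenset({"CVE-2020-7747"})))
    print("CPE match:   ", report(RECORDS, "lightning", pkg_cpe=GNU_LIGHTNING))
```

Run as a script it prints the three result lists. The point is the difference in scope: the ignore entry hides one known false positive, while the CPE id removes the whole class of name collisions, which is why the thread treats the NIST CPE submission as the real fix. Buildroot's actual matcher also evaluates version ranges (versionStartIncluding and related fields in the NVD feed), which this model leaves out.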
* Re: [Buildroot] [External] Re: [PATCH] package/lightning: stop spam!
  2021-10-18 13:21   ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
@ 2021-10-18 15:33     ` Yann E. MORIN
  2021-10-18 18:13       ` Weber, Matthew L Collins via buildroot
  0 siblings, 1 reply; 5+ messages in thread
From: Yann E. MORIN @ 2021-10-18 15:33 UTC (permalink / raw)
  To: Weber, Matthew L Collins
  Cc: Paul Cercueil, buildroot@buildroot.org

Matthew, All,

On 2021-10-18 13:21 +0000, Weber, Matthew L Collins spake thusly:
> > From: Yann E. MORIN <yann.morin.1998@free.fr>
> > Matt: is there a process to update the NIST CPE DB? Can we add that in the
> > manual, even just as a URL?
> Thomas and I had started this elinux page covering adding/updating a CVE or CPE.
> https://www.elinux.org/Buildroot:Security_Vulnerability_Management

Ah, great! :-)

> So in this case, I think we need to submit an entry for the GNU
> lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as
> there isn't a CPE. [...] I've emailed the XML [1] to NIST to make
> this update.

So if I follow correctly, GNU lightning did not exist in the NIST CPE.
I tried to look for it yesterday, and it turned up nothing.

But now, in addition to the one version you submitted (as per your XML,
below), there are a bunch of results, from version 1.0 up to and
including 2.1.3:

    https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3:a:gnu:lightning

They were all added on 2021-10-18, so am I wrong in understanding that
your submission triggered some (automated/manual) scanning of the
upstream repo to generate all those entries?

> Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR =
> gnu" so the CVE filter is clear for this package (right now it is
> free text based and that's why you've picked up the server CVE).

Patch pending to be sent; pkg-stats still reports "CPE version unknown
in CPE database", although the website does include 2.1.3...

Thanks! :-)

Regards,
Yann E. MORIN.
> Regards,
> Matt
>
> [1]
> <?xml version="1.0" encoding="utf-8"?>
> <cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
>   <cpe-item name="cpe:/a:gnu:lightning:2.1.3">
>     <title xml:lang="en-US">GNU Lightning Project 2.1.3</title>
>     <references>
>       <reference href="http://git.savannah.gnu.org/cgit/lightning.git">VERSION</reference>
>       <reference href="https://www.gnu.org/software/lightning/">PRODUCT</reference>
>     </references>
>     <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"/>
>   </cpe-item>
> </cpe-list>

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
* Re: [Buildroot] [External] Re: [PATCH] package/lightning: stop spam!
  2021-10-18 15:33     ` Yann E. MORIN
@ 2021-10-18 18:13       ` Weber, Matthew L Collins via buildroot
  0 siblings, 0 replies; 5+ messages in thread
From: Weber, Matthew L Collins via buildroot @ 2021-10-18 18:13 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: Paul Cercueil, buildroot@buildroot.org

Yann,

> From: Yann E. MORIN <yann.morin.1998@free.fr>
> Sent: Monday, October 18, 2021 10:33 AM
> To: Weber, Matthew L Collins <Matthew.Weber@collins.com>
> Cc: Paul Cercueil <paul@crapouillou.net>; buildroot@buildroot.org <buildroot@buildroot.org>
> Subject: Re: [External] Re: [Buildroot] [PATCH] package/lightning: stop spam!
>
> Matthew, All,
>
> On 2021-10-18 13:21 +0000, Weber, Matthew L Collins spake thusly:
[snip]
> > So in this case, I think we need to submit an entry for the GNU
> > lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as
> > there isn't a CPE. [...] I've emailed the XML [1] to NIST to make
> > this update.
>
> So if I follow correctly, GNU lightning did not exist in the NIST CPE.
> I tried to look for it yesterday, and it turned up nothing.
>
> But now, in addition to the one version you submitted (as per your XML,
> below), there are a bunch of results, from version 1.0 up to and
> including 2.1.3:

Correct, they add all entries so that the package can now be tagged with
CVEs when they come up. They needed the latest example XML and then
created the rest.

> > Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR =
> > gnu" so the CVE filter is clear for this package (right now it is
> > free text based and that's why you've picked up the server CVE).
>
> Patch pending to be sent; pkg-stats still reports "CPE version unknown
> in CPE database", although the website does include 2.1.3...

The CPE isn't yet set as valid in Buildroot so it can't find it.
(guessing that script has some delay as well for updates?)
Regards,
Matt