* [Buildroot] [PATCH 1/1] package/apache: ignore various CVEs
@ 2022-07-31 11:12 Bernd Kuhls
2022-08-01 17:56 ` Arnout Vandecappelle
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Bernd Kuhls @ 2022-07-31 11:12 UTC (permalink / raw)
To: buildroot
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
package/apache/apache.mk | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/package/apache/apache.mk b/package/apache/apache.mk
index 315282baac..e199194e84 100644
--- a/package/apache/apache.mk
+++ b/package/apache/apache.mk
@@ -11,6 +11,33 @@ APACHE_LICENSE = Apache-2.0
APACHE_LICENSE_FILES = LICENSE
APACHE_CPE_ID_VENDOR = apache
APACHE_CPE_ID_PRODUCT = http_server
+# only Windows affected
+APACHE_IGNORE_CVES += CVE-1999-0289
+# only Debian affected
+APACHE_IGNORE_CVES += CVE-1999-0678
+# unrelated to Linux
+APACHE_IGNORE_CVES += CVE-1999-1412
+# disputed CVE
+APACHE_IGNORE_CVES += CVE-2007-0086
+# unrelated to Apache
+APACHE_IGNORE_CVES += CVE-2007-0450
+# fixed in version 2.2.5
+APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168
+# fixed in version 2.2.7
+APACHE_IGNORE_CVES += CVE-2007-5000 CVE-2007-6420 CVE-2007-6420 \
+ CVE-2007-6421 CVE-2007-6422 CVE-2007-6423 CVE-2008-0455
+# fixed in version 2.2.10
+APACHE_IGNORE_CVES += CVE-2008-2939
+# fixed in version 2.2.12
+APACHE_IGNORE_CVES += CVE-2009-1195 CVE-2009-1890 CVE-2009-1891
+# fixed in version 2.2.14
+APACHE_IGNORE_CVES += CVE-2009-2699
+# fixed in version 2.2.15
+APACHE_IGNORE_CVES += CVE-2010-0408 CVE-2010-0425 CVE-2010-0434
+# fixed in version 2.2.16
+APACHE_IGNORE_CVES += CVE-2010-1452
+# fixed in version 2.4.10
+APACHE_IGNORE_CVES += CVE-2014-0231
APACHE_SELINUX_MODULES = apache
# Needed for mod_php
APACHE_INSTALL_STAGING = YES
--
2.30.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [Buildroot] [PATCH 1/1] package/apache: ignore various CVEs
2022-07-31 11:12 [Buildroot] [PATCH 1/1] package/apache: ignore various CVEs Bernd Kuhls
@ 2022-08-01 17:56 ` Arnout Vandecappelle
[not found] ` <31fb8cf8-02e4-8bc6-a7b9-c6f9cd0845bc__49535.9333044448$1659376652$gmane$org@mind.be>
[not found] ` <eb4cf15f-6e4d-43ca-f34d-a391044f430e@t-online.de>
2 siblings, 0 replies; 6+ messages in thread
From: Arnout Vandecappelle @ 2022-08-01 17:56 UTC (permalink / raw)
To: Bernd Kuhls, buildroot
On 31/07/2022 13:12, Bernd Kuhls wrote:
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
> package/apache/apache.mk | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/package/apache/apache.mk b/package/apache/apache.mk
> index 315282baac..e199194e84 100644
> --- a/package/apache/apache.mk
> +++ b/package/apache/apache.mk
> @@ -11,6 +11,33 @@ APACHE_LICENSE = Apache-2.0
> APACHE_LICENSE_FILES = LICENSE
> APACHE_CPE_ID_VENDOR = apache
> APACHE_CPE_ID_PRODUCT = http_server
> +# only Windows affected
> +APACHE_IGNORE_CVES += CVE-1999-0289
> +# only Debian affected
> +APACHE_IGNORE_CVES += CVE-1999-0678
> +# unrelated to Linux
> +APACHE_IGNORE_CVES += CVE-1999-1412
> +# disputed CVE
That's a bit a weak reason, but OK.
> +APACHE_IGNORE_CVES += CVE-2007-0086
> +# unrelated to Apache
> +APACHE_IGNORE_CVES += CVE-2007-0450
> +# fixed in version 2.2.5
Then why do we need to exclude it? Is there something wrong with the CVE's CPE
information? Or with our own CPE information? Or with our cpedb script?
There should be no need to have exclusions for CVEs that are fixed in a
version <= the current one - unless it re-surfaced in a newer version.
Regards,
Arnout
> +APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168
> +# fixed in version 2.2.7
> +APACHE_IGNORE_CVES += CVE-2007-5000 CVE-2007-6420 CVE-2007-6420 \
> + CVE-2007-6421 CVE-2007-6422 CVE-2007-6423 CVE-2008-0455
> +# fixed in version 2.2.10
> +APACHE_IGNORE_CVES += CVE-2008-2939
> +# fixed in version 2.2.12
> +APACHE_IGNORE_CVES += CVE-2009-1195 CVE-2009-1890 CVE-2009-1891
> +# fixed in version 2.2.14
> +APACHE_IGNORE_CVES += CVE-2009-2699
> +# fixed in version 2.2.15
> +APACHE_IGNORE_CVES += CVE-2010-0408 CVE-2010-0425 CVE-2010-0434
> +# fixed in version 2.2.16
> +APACHE_IGNORE_CVES += CVE-2010-1452
> +# fixed in version 2.4.10
> +APACHE_IGNORE_CVES += CVE-2014-0231
> APACHE_SELINUX_MODULES = apache
> # Needed for mod_php
> APACHE_INSTALL_STAGING = YES
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread[parent not found: <31fb8cf8-02e4-8bc6-a7b9-c6f9cd0845bc__49535.9333044448$1659376652$gmane$org@mind.be>]
* Re: [Buildroot] [PATCH 1/1] package/apache: ignore various CVEs
[not found] ` <31fb8cf8-02e4-8bc6-a7b9-c6f9cd0845bc__49535.9333044448$1659376652$gmane$org@mind.be>
@ 2022-08-01 18:05 ` Bernd Kuhls
2022-08-01 18:16 ` Arnout Vandecappelle
0 siblings, 1 reply; 6+ messages in thread
From: Bernd Kuhls @ 2022-08-01 18:05 UTC (permalink / raw)
To: buildroot
Hi Arnout,
Am Mon, 1 Aug 2022 19:56:53 +0200 schrieb Arnout Vandecappelle:
>> +# fixed in version 2.2.5
>> +APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168
> Then why do we need to exclude it? Is there something wrong with the
CVE's CPE
> information? Or with our own CPE information? Or with our cpedb script?
my understanding of the CVE/CPE stuff is rather limited but I guess these
CPEs show up for us because the database entry does not contain any
version number:
cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
What about ignoring such version-less entries in buildroot?
Thomas suggested to get the NIST database fixed:
https://lists.buildroot.org/pipermail/buildroot/2022-August/648210.html
but these entries can show up again and again... And providing proof that
a disputed entry from 2007 should be removed from their database is
beyond my capabilities...
Regards, Bernd
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Buildroot] [PATCH 1/1] package/apache: ignore various CVEs
2022-08-01 18:05 ` Bernd Kuhls
@ 2022-08-01 18:16 ` Arnout Vandecappelle
0 siblings, 0 replies; 6+ messages in thread
From: Arnout Vandecappelle @ 2022-08-01 18:16 UTC (permalink / raw)
To: Bernd Kuhls, buildroot
On 01/08/2022 20:05, Bernd Kuhls wrote:
> Hi Arnout,
>
> Am Mon, 1 Aug 2022 19:56:53 +0200 schrieb Arnout Vandecappelle:
>
>>> +# fixed in version 2.2.5
>>> +APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168
>
>> Then why do we need to exclude it? Is there something wrong with the
> CVE's CPE
>> information? Or with our own CPE information? Or with our cpedb script?
>
> my understanding of the CVE/CPE stuff is rather limited but I guess these
> CPEs show up for us because the database entry does not contain any
> version number:
>
> cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
>
> What about ignoring such version-less entries in buildroot?
>
> Thomas suggested to get the NIST database fixed:
> https://lists.buildroot.org/pipermail/buildroot/2022-August/648210.html
>
> but these entries can show up again and again... And providing proof that
> a disputed entry from 2007 should be removed from their database is
> beyond my capabilities...
The disputed entry is OK(ish). It's the ones where the version information in
NVD is wrong that we don't want the exception.
Regards,
Arnout
>
> Regards, Bernd
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <eb4cf15f-6e4d-43ca-f34d-a391044f430e@t-online.de>]
* Re: [Buildroot] [PATCH 1/1] package/apache: ignore various CVEs
[not found] ` <eb4cf15f-6e4d-43ca-f34d-a391044f430e@t-online.de>
@ 2022-08-01 18:55 ` Thomas Petazzoni via buildroot
2022-08-01 18:57 ` Thomas Petazzoni via buildroot
1 sibling, 0 replies; 6+ messages in thread
From: Thomas Petazzoni via buildroot @ 2022-08-01 18:55 UTC (permalink / raw)
To: Bernd Kuhls; +Cc: buildroot@buildroot.org
Hello Bernd,
On Mon, 1 Aug 2022 20:05:23 +0200
Bernd Kuhls <bernd.kuhls@t-online.de> wrote:
> my understanding of the CVE/CPE stuff is rather limited but I guess
> these CPEs show up for us because the database entry does not contain
> any version number:
>
> cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
>
> What about ignoring such version-less entries in buildroot?
>
> Thomas suggested to get the NIST database fixed:
> https://lists.buildroot.org/pipermail/buildroot/2022-August/648210.html
>
> but these entries can show up again and again... And providing proof
> that a disputed entry from 2007 should be removed from their database is
> beyond my capabilities...
Not really, you just have to e-mail nvd@nist.gov, and provide some
evidence that the issue has been fixed in commit XYZ, which was merged
in release ABC.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Buildroot] [PATCH 1/1] package/apache: ignore various CVEs
[not found] ` <eb4cf15f-6e4d-43ca-f34d-a391044f430e@t-online.de>
2022-08-01 18:55 ` Thomas Petazzoni via buildroot
@ 2022-08-01 18:57 ` Thomas Petazzoni via buildroot
1 sibling, 0 replies; 6+ messages in thread
From: Thomas Petazzoni via buildroot @ 2022-08-01 18:57 UTC (permalink / raw)
To: Bernd Kuhls; +Cc: buildroot@buildroot.org
Hello,
On Mon, 1 Aug 2022 20:05:23 +0200
Bernd Kuhls <bernd.kuhls@t-online.de> wrote:
> my understanding of the CVE/CPE stuff is rather limited but I guess
> these CPEs show up for us because the database entry does not contain
> any version number:
>
> cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
>
> What about ignoring such version-less entries in buildroot?
No, this cannot work: at the time a CVE is added, it is sometimes not
known in which version the issue is fixed... because the fix may not
yet be in a stable release. So it is probably quite common to see a CPE
ID with "*" as the version, until the issue is fixed in an official
release of the project.
So ignoring version-less entries is really not a good idea, as we could
really miss a lot of real security problems.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-08-01 18:57 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-31 11:12 [Buildroot] [PATCH 1/1] package/apache: ignore various CVEs Bernd Kuhls
2022-08-01 17:56 ` Arnout Vandecappelle
[not found] ` <31fb8cf8-02e4-8bc6-a7b9-c6f9cd0845bc__49535.9333044448$1659376652$gmane$org@mind.be>
2022-08-01 18:05 ` Bernd Kuhls
2022-08-01 18:16 ` Arnout Vandecappelle
[not found] ` <eb4cf15f-6e4d-43ca-f34d-a391044f430e@t-online.de>
2022-08-01 18:55 ` Thomas Petazzoni via buildroot
2022-08-01 18:57 ` Thomas Petazzoni via buildroot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox