[Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES

[Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES

[Daniel Lang]

As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL.

Signed-off-by: Daniel Lang <dalang@gmx.at>
---
v1 -> v2:
add Signed-off-by
---
 package/bind/bind.mk | 2 --
 1 file changed, 2 deletions(-)

diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index b934ab3190..618b5b9278 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -14,8 +14,6 @@ BIND_LICENSE = MPL-2.0
 BIND_LICENSE_FILES = COPYRIGHT
 BIND_CPE_ID_VENDOR = isc
 BIND_SELINUX_MODULES = bind
-# Only applies to RHEL6.x with DNSSEC validation on
-BIND_IGNORE_CVES = CVE-2017-3139
 # Library CVE and not used by bind but used by ISC DHCP
 BIND_IGNORE_CVES += CVE-2019-6470
 BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
-- 
2.42.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES

[Thomas Petazzoni via buildroot]

Hello Daniel,

On Wed, 20 Sep 2023 06:31:12 +0200
Daniel Lang <dalang@gmx.at> wrote:

> As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL.
> 
> Signed-off-by: Daniel Lang <dalang@gmx.at>

This makes me think that the pkg-stats script should detect this: if a
package has CVE-2023-12345 in its ignore list, but CVE-2023-12345 is
not known to affect the package (in its current version) according to
the NVD database, we should flag this.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES

[Yann E. MORIN]

Thomas, Daniel, All,

On 2023-09-20 09:12 +0200, Thomas Petazzoni via buildroot spake thusly:
> On Wed, 20 Sep 2023 06:31:12 +0200
> Daniel Lang <dalang@gmx.at> wrote:
> > As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL.
> > Signed-off-by: Daniel Lang <dalang@gmx.at>
> This makes me think that the pkg-stats script should detect this: if a
> package has CVE-2023-12345 in its ignore list, but CVE-2023-12345 is
> not known to affect the package (in its current version) according to
> the NVD database, we should flag this.

Ideally, we would also like that it be done in check-package, but this
is going to be a bit more involved...

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES

[Yann E. MORIN]

Daniel, All,

On 2023-09-20 06:31 +0200, Daniel Lang spake thusly:
> As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL.
> 
> Signed-off-by: Daniel Lang <dalang@gmx.at>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
> v1 -> v2:
> add Signed-off-by
> ---
>  package/bind/bind.mk | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/package/bind/bind.mk b/package/bind/bind.mk
> index b934ab3190..618b5b9278 100644
> --- a/package/bind/bind.mk
> +++ b/package/bind/bind.mk
> @@ -14,8 +14,6 @@ BIND_LICENSE = MPL-2.0
>  BIND_LICENSE_FILES = COPYRIGHT
>  BIND_CPE_ID_VENDOR = isc
>  BIND_SELINUX_MODULES = bind
> -# Only applies to RHEL6.x with DNSSEC validation on
> -BIND_IGNORE_CVES = CVE-2017-3139
>  # Library CVE and not used by bind but used by ISC DHCP
>  BIND_IGNORE_CVES += CVE-2019-6470
>  BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
> -- 
> 2.42.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES

[Daniel Lang]

Hey Yann, Thomas,

On 20.09.23 19:34, Yann E. MORIN wrote:
> Thomas, Daniel, All,
>
> On 2023-09-20 09:12 +0200, Thomas Petazzoni via buildroot spake thusly:
>> On Wed, 20 Sep 2023 06:31:12 +0200
>> Daniel Lang <dalang@gmx.at> wrote:
>>> As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL.
>>> Signed-off-by: Daniel Lang <dalang@gmx.at>
>> This makes me think that the pkg-stats script should detect this: if a
>> package has CVE-2023-12345 in its ignore list, but CVE-2023-12345 is
>> not known to affect the package (in its current version) according to
>> the NVD database, we should flag this.

Not sure pkg-stats would be the right place as, at least in my uses of it,
I simply expect it to collect information and present it to me.
Just like it doesn't flag outdated packages, I wouldn't expect it to flag
mismatched CVEs or outdated CPEs for that matter.

>
> Ideally, we would also like that it be done in check-package, but this
> is going to be a bit more involved...

I haven't looked at check-package closely, but the actual checking should
be doable.
The problem that I see is NVD's new API, because the initial download of
all CVEs now takes ~30 minutes or so. Seeing as check-package is run on
Gitlab CI for every push, the database needs to somehow be kept between
runs to avoid re-downloading everything.

I will see if I can come up with a solution.

>
> Regards,
> Yann E. MORIN.
>

Regards
Daniel
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES

[Thomas Petazzoni via buildroot]

On Thu, 21 Sep 2023 06:09:38 +0200
Daniel Lang <dalang@gmx.at> wrote:

> Not sure pkg-stats would be the right place as, at least in my uses of it,
> I simply expect it to collect information and present it to me.
> Just like it doesn't flag outdated packages, I wouldn't expect it to flag
> mismatched CVEs or outdated CPEs for that matter.

I'm not sure to follow you here. pkg-stats is a general tool to help
with package maintenance. It provides things like the number of
check-package warnings, the number of patches, the list of CVEs
affecting the package, so it's a perfect fit to also list the CVEs
ignored but not affecting the package.

> I haven't looked at check-package closely, but the actual checking should
> be doable.
> The problem that I see is NVD's new API, because the initial download of
> all CVEs now takes ~30 minutes or so. Seeing as check-package is run on
> Gitlab CI for every push, the database needs to somehow be kept between
> runs to avoid re-downloading everything.

I don't think putting this logic in check-package is reasonable. There
is nothing CVE related in check-package right, and like you point out,
the fact that it needs the CVE database is a big change that is going
to be annoying.

I maintain my position that this should be done in pkg-stats, where we
already do all the CVE matching dance, as it's a simple addition to
pkg-stats.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot