* [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES @ 2023-09-20 4:31 Daniel Lang 2023-09-20 7:12 ` Thomas Petazzoni via buildroot 2023-09-20 17:37 ` Yann E. MORIN 0 siblings, 2 replies; 6+ messages in thread From: Daniel Lang @ 2023-09-20 4:31 UTC (permalink / raw) To: buildroot As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL. Signed-off-by: Daniel Lang <dalang@gmx.at> --- v1 -> v2: add Signed-off-by --- package/bind/bind.mk | 2 -- 1 file changed, 2 deletions(-) diff --git a/package/bind/bind.mk b/package/bind/bind.mk index b934ab3190..618b5b9278 100644 --- a/package/bind/bind.mk +++ b/package/bind/bind.mk @@ -14,8 +14,6 @@ BIND_LICENSE = MPL-2.0 BIND_LICENSE_FILES = COPYRIGHT BIND_CPE_ID_VENDOR = isc BIND_SELINUX_MODULES = bind -# Only applies to RHEL6.x with DNSSEC validation on -BIND_IGNORE_CVES = CVE-2017-3139 # Library CVE and not used by bind but used by ISC DHCP BIND_IGNORE_CVES += CVE-2019-6470 BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage -- 2.42.0 _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply related [flat|nested] 6+ messages in thread
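Review bot: with the `BIND_IGNORE_CVES = CVE-2017-3139` line removed, the variable's first and only assignment left in this hunk is `BIND_IGNORE_CVES += CVE-2019-6470`. GNU make treats `+=` on a variable that has not been defined as a plain `=`, so the result is correct, but a first assignment written as `+=` reads as if an earlier definition had gone missing; consider turning it into `BIND_IGNORE_CVES = CVE-2019-6470` in the same patch. The commit message's justification ("no longer listed as affecting bind, only RHEL") would also be easier to re-check later if it named what changed, since the NVD CPE configuration for the entry is what the ignore list is meant to override; dropping the entry rather than keeping it is the right call, because an ignore entry for a CVE that NVD no longer attributes to bind would silently suppress the report if a bind CPE were ever added back to it.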
* Re: [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES
From: Thomas Petazzoni via buildroot @ 2023-09-20 7:12 UTC
To: Daniel Lang; +Cc: buildroot

Hello Daniel,

On Wed, 20 Sep 2023 06:31:12 +0200
Daniel Lang <dalang@gmx.at> wrote:

> As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL.
>
> Signed-off-by: Daniel Lang <dalang@gmx.at>

This makes me think that the pkg-stats script should detect this: if a
package has CVE-2023-12345 in its ignore list, but CVE-2023-12345 is
not known to affect the package (in its current version) according to
the NVD database, we should flag this.

Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES
From: Yann E. MORIN @ 2023-09-20 17:34 UTC
To: Thomas Petazzoni; +Cc: Daniel Lang, buildroot

Thomas, Daniel, All,

On 2023-09-20 09:12 +0200, Thomas Petazzoni via buildroot spake thusly:
> On Wed, 20 Sep 2023 06:31:12 +0200
> Daniel Lang <dalang@gmx.at> wrote:
> > As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL.
> > Signed-off-by: Daniel Lang <dalang@gmx.at>
> This makes me think that the pkg-stats script should detect this: if a
> package has CVE-2023-12345 in its ignore list, but CVE-2023-12345 is
> not known to affect the package (in its current version) according to
> the NVD database, we should flag this.

Ideally, we would also like that it be done in check-package, but this
is going to be a bit more involved...

Regards,
Yann E. MORIN.

--
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ /  CAMPAIGN    |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
* Re: [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES
From: Daniel Lang @ 2023-09-21 4:09 UTC
To: Yann E. MORIN, Thomas Petazzoni; +Cc: buildroot

Hey Yann, Thomas,

On 20.09.23 19:34, Yann E. MORIN wrote:
> Thomas, Daniel, All,
>
> On 2023-09-20 09:12 +0200, Thomas Petazzoni via buildroot spake thusly:
>> On Wed, 20 Sep 2023 06:31:12 +0200
>> Daniel Lang <dalang@gmx.at> wrote:
>>> As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL.
>>> Signed-off-by: Daniel Lang <dalang@gmx.at>
>> This makes me think that the pkg-stats script should detect this: if a
>> package has CVE-2023-12345 in its ignore list, but CVE-2023-12345 is
>> not known to affect the package (in its current version) according to
>> the NVD database, we should flag this.

Not sure pkg-stats would be the right place as, at least in my uses of it,
I simply expect it to collect information and present it to me.
Just like it doesn't flag outdated packages, I wouldn't expect it to flag
mismatched CVEs or outdated CPEs for that matter.

>
> Ideally, we would also like that it be done in check-package, but this
> is going to be a bit more involved...

I haven't looked at check-package closely, but the actual checking should
be doable.
The problem that I see is NVD's new API, because the initial download of
all CVEs now takes ~30 minutes or so. Seeing as check-package is run on
Gitlab CI for every push, the database needs to somehow be kept between
runs to avoid re-downloading everything.
I will see if I can come up with a solution.

>
> Regards,
> Yann E. MORIN.
>

Regards
Daniel
* Re: [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES
From: Thomas Petazzoni via buildroot @ 2023-09-21 6:44 UTC
To: Daniel Lang; +Cc: Yann E. MORIN, buildroot

On Thu, 21 Sep 2023 06:09:38 +0200
Daniel Lang <dalang@gmx.at> wrote:

> Not sure pkg-stats would be the right place as, at least in my uses of it,
> I simply expect it to collect information and present it to me.
> Just like it doesn't flag outdated packages, I wouldn't expect it to flag
> mismatched CVEs or outdated CPEs for that matter.

I'm not sure I follow you here. pkg-stats is a general tool to help with
package maintenance. It provides things like the number of check-package
warnings, the number of patches, the list of CVEs affecting the package,
so it's a perfect fit to also list the CVEs ignored but not affecting the
package.

> I haven't looked at check-package closely, but the actual checking should
> be doable.
> The problem that I see is NVD's new API, because the initial download of
> all CVEs now takes ~30 minutes or so. Seeing as check-package is run on
> Gitlab CI for every push, the database needs to somehow be kept between
> runs to avoid re-downloading everything.

I don't think putting this logic in check-package is reasonable. There is
nothing CVE-related in check-package right now, and like you point out,
the fact that it needs the CVE database is a big change that is going to
be annoying.

I maintain my position that this should be done in pkg-stats, where we
already do all the CVE matching dance, as it's a simple addition to
pkg-stats.

Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
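The check discussed in the messages above (flag an IGNORE_CVES entry that NVD does not map to the package's CPE at its current version), written out as an added Python example. This is not Buildroot's pkg-stats or cve.py code: it parses CPE 2.3 strings, matches the package version against NVD-style cpeMatch ranges, and reports ignored CVEs that do not apply. The NVD records are constructed and trimmed for the example (CVE-2017-3139 carrying only a RHEL CPE mirrors the commit message, CVE-2019-6470 is made to match bind so it is correctly left alone), the bind version 9.18.19 is assumed, CVE-2023-12345 is the placeholder ID from the thread, and the version comparison is a simplified numeric one.

```python
"""Flag IGNORE_CVES entries that NVD does not map to the package's CPE.

Added illustration for the thread, not Buildroot's pkg-stats or cve.py.
"""
import re

# Constructed, trimmed-down NVD data. Real NVD 2.0 records carry the same
# fields under cve.configurations[].nodes[].cpeMatch[]; only what the
# matcher below reads is kept here.
SAMPLE_NVD = {
    # Constructed to mirror the commit message: only a RHEL CPE, no isc:bind.
    "CVE-2017-3139": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*"},
    ],
    # Constructed: NVD maps it to isc:bind, so ignoring it is a deliberate
    # decision (the bind.mk comment explains why) and must not be flagged.
    "CVE-2019-6470": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "9.0.0",
         "versionEndExcluding": "9.99.0"},
    ],
    # Hypothetical ID taken from the thread: affects bind, but only below
    # 9.11.0, so it is stale for a package at a newer version.
    "CVE-2023-12345": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "9.11.0"},
    ],
}


def parse_cpe(cpe):
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return fields[2], fields[3], fields[4], fields[5]


def version_key(version):
    """Simplified numeric-aware key: 9.18.19 sorts after 9.9.0, which a plain
    string comparison gets wrong. Non-numeric parts ('P1', 'rc1') sort low."""
    return tuple(int(p) if p.isdigit() else -1
                 for p in re.split(r"[.\-]", version))


def cpe_match_applies(match, part, vendor, product, version):
    """True if one NVD cpeMatch entry covers this product at this version."""
    if not match.get("vulnerable", True):
        return False
    m_part, m_vendor, m_product, m_version = parse_cpe(match["criteria"])
    if (m_part, m_vendor, m_product) != (part, vendor, product):
        return False
    if m_version != "*":
        return m_version == version  # entry names one exact version
    v = version_key(version)
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    return True


def cve_affects(cve_id, cpe_id, nvd=SAMPLE_NVD):
    """True if any NVD cpeMatch for cve_id covers the package CPE."""
    part, vendor, product, version = parse_cpe(cpe_id)
    return any(cpe_match_applies(m, part, vendor, product, version)
               for m in nvd.get(cve_id, []))


def stale_ignored_cves(cpe_id, ignore_cves, nvd=SAMPLE_NVD):
    """IGNORE_CVES entries that NVD does not attribute to this CPE at this
    version; an ID NVD has no record of at all is reported as well."""
    return sorted(c for c in ignore_cves if not cve_affects(c, cpe_id, nvd))


if __name__ == "__main__":
    # bind version assumed for the example; the pre-patch ignore list plus
    # the thread's placeholder ID.
    bind_cpe = "cpe:2.3:a:isc:bind:9.18.19:*:*:*:*:*:*:*"
    ignored = ["CVE-2017-3139", "CVE-2019-6470", "CVE-2023-12345"]
    for cve in stale_ignored_cves(bind_cpe, ignored):
        print(f"{cve}: in IGNORE_CVES but NVD does not list it against {bind_cpe}")
```

Run against the constructed data, the script reports CVE-2017-3139 and CVE-2023-12345 and stays quiet about CVE-2019-6470. A real implementation would feed it the package's `<PKG>_CPE_ID_*` fields and the NVD feed that pkg-stats already downloads; the stale-entry report is a by-product of the same matching, which is why the thread argues it belongs next to the existing CVE check rather than in a tool that has no CVE data.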
* Re: [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES 2023-09-20 4:31 [Buildroot] [PATCH v2] package/bind: drop CVE-2017-3139 from IGNORE_CVES Daniel Lang 2023-09-20 7:12 ` Thomas Petazzoni via buildroot @ 2023-09-20 17:37 ` Yann E. MORIN 1 sibling, 0 replies; 6+ messages in thread From: Yann E. MORIN @ 2023-09-20 17:37 UTC (permalink / raw) To: Daniel Lang; +Cc: buildroot Daniel, All, On 2023-09-20 06:31 +0200, Daniel Lang spake thusly: > As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL. > > Signed-off-by: Daniel Lang <dalang@gmx.at> Applied to master, thanks. Regards, Yann E. MORIN. > --- > v1 -> v2: > add Signed-off-by > --- > package/bind/bind.mk | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/package/bind/bind.mk b/package/bind/bind.mk > index b934ab3190..618b5b9278 100644 > --- a/package/bind/bind.mk > +++ b/package/bind/bind.mk 
> @@ -14,8 +14,6 @@ BIND_LICENSE = MPL-2.0 > BIND_LICENSE_FILES = COPYRIGHT > BIND_CPE_ID_VENDOR = isc > BIND_SELINUX_MODULES = bind > -# Only applies to RHEL6.x with DNSSEC validation on > -BIND_IGNORE_CVES = CVE-2017-3139 > # Library CVE and not used by bind but used by ISC DHCP > BIND_IGNORE_CVES += CVE-2019-6470 > BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage > -- > 2.42.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 6+ messages in thread