* [Buildroot] [PATCH 1/1] package/freeradius-server: ignore CVE-2002-0318 and CVE-2011-4966
From: Raphaël Mélotte via buildroot @ 2025-04-14 10:46 UTC
To: buildroot; +Cc: Raphaël Mélotte, David GOUARIN
CVE-2002-0318 has been mitigated by adding a new config option in
freeradius-server commit f0f762d1439336fff9c8b90291364ddff583f698,
which is part of release_0_5_0 onwards.
See also the original report ([1]).
The NVD database's CPE configuration doesn't have an associated
version number, which is why our CVE check still reports it.

For CVE-2011-4966, the CVE description (see [2]) mentions the issue is
fixed in version 2.2.0 onwards, but the CPE again doesn't use a
version number.

To reduce the noise in the list of CVEs that pkg-stats reports, ignore
them.

FWIW, yocto/oe also ignores them (see [3]).

[1]: https://marc.info/?l=bugtraq&m=101440113410083&w=2#2
[2]: https://nvd.nist.gov/vuln/detail/CVE-2011-4966
[3]: https://patchwork.yoctoproject.org/project/oe/patch/20220715133515.14298-1-davide.gardenal@huawei.com/
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
---
package/freeradius-server/freeradius-server.mk | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/package/freeradius-server/freeradius-server.mk b/package/freeradius-server/freeradius-server.mk
index 94c9331b3d..25eda0cd63 100644
--- a/package/freeradius-server/freeradius-server.mk
+++ b/package/freeradius-server/freeradius-server.mk
@@ -15,6 +15,12 @@ FREERADIUS_SERVER_CPE_ID_PRODUCT = freeradius
FREERADIUS_SERVER_DEPENDENCIES = libtalloc
FREERADIUS_SERVER_AUTORECONF = YES
+# The NVD database doesn't have a version number configured for the
+# following CVEs
+FREERADIUS_SERVER_IGNORE_CVES += \
+ CVE-2002-0318 \
+ CVE-2011-4966
+
# We're patching src/modules/rlm_krb5/configure.ac
define FREERADIUS_SERVER_RUN_KRB5_AUTORECONF
cd $(@D)/src/modules/rlm_krb5; $(AUTORECONF) -I$(@D)/m4
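Review bot: the comment above the new FREERADIUS_SERVER_IGNORE_CVES lines only says that NVD has no version number for these CVEs; it does not record why each one does not apply to the packaged version, which is what a later reader needs to re-check the exclusion without going through the git history. The commit message already has that information (CVE-2002-0318 mitigated by a config option since release_0_5_0, CVE-2011-4966 fixed in 2.2.0), so carry it into the .mk with one `FREERADIUS_SERVER_IGNORE_CVES += CVE-...` line per CVE and a comment above each stating the fixed-in version and that the NVD entry is out of date. "Configured" is also imprecise here: nothing is configured in NVD, the CPE match entry simply carries no version bounds.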
--
2.49.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
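To show why an NVD entry without version bounds keeps turning up in a CVE check, and what the ignore list in the patch does about it, here is an added Python example. It is not Buildroot's pkg-stats code and is not taken from the thread; it is a simplified matcher in the same spirit. Field names follow the NVD API 2.0 "cpeMatch" objects; the CVE records, the vendor string "freeradius", the package version 3.0.26 and the hypothetical CVE-XXXX-YYYY entry are all constructed for the illustration and are not copies of the real NVD data.

```python
"""Toy model of a CPE-based CVE check (added illustration, not Buildroot code).

An NVD cpeMatch object with no version bounds matches every version of the
product that ever existed, so a version-aware scanner cannot clear it on its
own; the only local remedy is an explicit, documented ignore list.
"""

# Constructed sample records (field names as in NVD API 2.0 cpeMatch objects).
# Vendor/product "freeradius:freeradius" is assumed; the bounds are invented.
SAMPLE_CVES = [
    {
        "id": "CVE-2002-0318",
        "cpe_match": [
            # No version bounds at all: matches every release.
            {"criteria": "cpe:2.3:a:freeradius:freeradius:*:*:*:*:*:*:*:*",
             "vulnerable": True},
        ],
    },
    {
        "id": "CVE-2011-4966",
        "cpe_match": [
            # Description says fixed in 2.2.0, but the CPE entry carries no bound.
            {"criteria": "cpe:2.3:a:freeradius:freeradius:*:*:*:*:*:*:*:*",
             "vulnerable": True},
        ],
    },
    {
        "id": "CVE-XXXX-YYYY",  # hypothetical, well-formed entry for contrast
        "cpe_match": [
            {"criteria": "cpe:2.3:a:freeradius:freeradius:*:*:*:*:*:*:*:*",
             "vulnerable": True,
             "versionEndExcluding": "3.0.22"},
        ],
    },
]

# Mirrors what the .mk hunk does with FREERADIUS_SERVER_IGNORE_CVES.
IGNORE_CVES = {"CVE-2002-0318", "CVE-2011-4966"}


def parse_version(v):
    """Turn '3.0.26' into (3, 0, 26) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def cpe_product(criteria):
    """Extract (vendor, product) from a CPE 2.3 formatted string."""
    parts = criteria.split(":")
    return parts[3], parts[4]


def match_entry(entry, vendor, product, version):
    """True when this cpeMatch object covers `version` of vendor:product."""
    if not entry.get("vulnerable", False):
        return False
    if cpe_product(entry["criteria"]) != (vendor, product):
        return False
    v = parse_version(version)
    # Each missing bound means "unbounded" on that side; an entry with no
    # bounds therefore matches every version.
    if "versionStartIncluding" in entry and v < parse_version(entry["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in entry and v <= parse_version(entry["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in entry and v > parse_version(entry["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in entry and v >= parse_version(entry["versionEndExcluding"]):
        return False
    return True


def affected_cves(cves, vendor, product, version, ignore=frozenset()):
    """Sorted CVE ids that match the package version and are not ignored."""
    hits = []
    for cve in cves:
        if cve["id"] in ignore:
            continue
        if any(match_entry(e, vendor, product, version) for e in cve["cpe_match"]):
            hits.append(cve["id"])
    return sorted(hits)


if __name__ == "__main__":
    ver = "3.0.26"  # assumed package version, not taken from the thread
    print("without ignore list:", affected_cves(SAMPLE_CVES, "freeradius", "freeradius", ver))
    print("with ignore list:   ", affected_cves(SAMPLE_CVES, "freeradius", "freeradius", ver, IGNORE_CVES))
```

The bounded hypothetical entry drops out once the version reaches 3.0.22, while the two unbounded entries are reported for any version until the ignore list removes them; that is exactly the situation the patch addresses, and it is why each ignored CVE should carry a comment stating the fixed-in version so the exclusion can be rechecked later.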
* Re: [Buildroot] [PATCH 1/1] package/freeradius-server: ignore CVE-2002-0318 and CVE-2011-4966
From: Thomas Petazzoni via buildroot @ 2025-04-19 14:07 UTC
To: Raphaël Mélotte via buildroot
Cc: David GOUARIN, Raphaël Mélotte
Hello Raphaël,
On Mon, 14 Apr 2025 12:46:12 +0200
Raphaël Mélotte via buildroot <buildroot@buildroot.org> wrote:
> CVE-2002-0318 has been mitigated by adding a new config option in
> freeradius-server commit f0f762d1439336fff9c8b90291364ddff583f698,
> which is part of release_0_5_0 onwards.
> See also the original report ([1]).
> The NVD database's CPE configuration doesn't have an associated
> version number, which is why our CVE check still reports it.
>
> For CVE-2011-4966, the CVE description (see [2]) mentions the issue is
> fixed in version 2.2.0 onwards, but the CPE again doesn't use a
> version number.
>
> To reduce the noise in the list of CVEs that pkg-stats reports, ignore
> them.
Did you report these to upstream NVD, to get the database updated/fixed?
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH 1/1] package/freeradius-server: ignore CVE-2002-0318 and CVE-2011-4966
From: Raphaël Mélotte via buildroot @ 2025-04-23 15:37 UTC
To: Thomas Petazzoni, Raphaël Mélotte via buildroot; +Cc: David GOUARIN
Hi Thomas,
On 4/19/25 16:07, Thomas Petazzoni wrote:
> [...]
> Did you report these to upstream NVD, to get the database updated/fixed?
Yes I did, but I haven't received any feedback yet.
Kind regards,
Raphaël
* Re: [Buildroot] [PATCH 1/1] package/freeradius-server: ignore CVE-2002-0318 and CVE-2011-4966
From: Thomas Petazzoni via buildroot @ 2025-05-18 12:18 UTC
To: Raphaël Mélotte via buildroot
Cc: Raphaël Mélotte, David GOUARIN
Hello Raphaël,
On Mon, 14 Apr 2025 12:46:12 +0200
Raphaël Mélotte via buildroot <buildroot@buildroot.org> wrote:
> CVE-2002-0318 has been mitigated by adding a new config option in
> freeradius-server commit f0f762d1439336fff9c8b90291364ddff583f698,
> which is part of release_0_5_0 onwards.
> See also the original report ([1]).
> The NVD database's CPE configuration doesn't have an associated
> version number, which is why our CVE check still reports it.
>
> For CVE-2011-4966, the CVE description (see [2]) mentions the issue is
> fixed in version 2.2.0 onwards, but the CPE again doesn't use a
> version number.
>
> To reduce the noise in the list of CVEs that pkg-stats reports, ignore
> them.
>
> FWIW, yocto/oe also ignores them (see [3]).
>
> [1]: https://marc.info/?l=bugtraq&m=101440113410083&w=2#2
> [2]: https://nvd.nist.gov/vuln/detail/CVE-2011-4966
> [3] https://patchwork.yoctoproject.org/project/oe/patch/20220715133515.14298-1-davide.gardenal@huawei.com/
>
> Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Thanks Raphaël, I applied your patch, but after changing it a bit, see
below.
> +# The NVD database doesn't have a version number configured for the
> +# following CVEs
The NVD database doesn't really "configure" anything, so the word
"configure" here is a bit misleading.
And actually, we try to have a little bit more information attached to
each ignored CVE, so I've changed your patch to:
+# Mitigated upstream since version 0.5.0, NVD database entry not
+# up-to-date
+FREERADIUS_SERVER_IGNORE_CVES += CVE-2002-0318
+
+# Fixed in 2.2.0, NVD database entry not up-to-date
+FREERADIUS_SERVER_IGNORE_CVES += CVE-2011-4966
which I believe is slightly more descriptive.
Thanks a lot!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH 1/1] package/freeradius-server: ignore CVE-2002-0318 and CVE-2011-4966
From: Arnout Vandecappelle via buildroot @ 2025-06-04 18:19 UTC
To: Raphaël Mélotte, buildroot; +Cc: David GOUARIN
On 14/04/2025 12:46, Raphaël Mélotte via buildroot wrote:
> CVE-2002-0318 has been mitigated by adding a new config option in
> freeradius-server commit f0f762d1439336fff9c8b90291364ddff583f698,
> which is part of release_0_5_0 onwards.
> See also the original report ([1]).
> The NVD database's CPE configuration doesn't have an associated
> version number, which is why our CVE check still reports it.
>
> For CVE-2011-4966, the CVE description (see [2]) mentions the issue is
> fixed in version 2.2.0 onwards, but the CPE again doesn't use a
> version number.
>
> To reduce the noise in the list of CVEs that pkg-stats reports, ignore
> them.
>
> FWIW, yocto/oe also ignores them (see [3]).
>
> [1]: https://marc.info/?l=bugtraq&m=101440113410083&w=2#2
> [2]: https://nvd.nist.gov/vuln/detail/CVE-2011-4966
> [3] https://patchwork.yoctoproject.org/project/oe/patch/20220715133515.14298-1-davide.gardenal@huawei.com/
>
> Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Applied to 2025.02.x, thanks.
Regards,
Arnout
> ---
> package/freeradius-server/freeradius-server.mk | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/package/freeradius-server/freeradius-server.mk b/package/freeradius-server/freeradius-server.mk
> index 94c9331b3d..25eda0cd63 100644
> --- a/package/freeradius-server/freeradius-server.mk
> +++ b/package/freeradius-server/freeradius-server.mk
> @@ -15,6 +15,12 @@ FREERADIUS_SERVER_CPE_ID_PRODUCT = freeradius
> FREERADIUS_SERVER_DEPENDENCIES = libtalloc
> FREERADIUS_SERVER_AUTORECONF = YES
>
> +# The NVD database doesn't have a version number configured for the
> +# following CVEs
> +FREERADIUS_SERVER_IGNORE_CVES += \
> + CVE-2002-0318 \
> + CVE-2011-4966
> +
> # We're patching src/modules/rlm_krb5/configure.ac
> define FREERADIUS_SERVER_RUN_KRB5_AUTORECONF
> cd $(@D)/src/modules/rlm_krb5; $(AUTORECONF) -I$(@D)/m4