From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: nvd <nvd@nist.gov>
Cc: "buildroot@buildroot.org" <buildroot@buildroot.org>
Subject: Re: [Buildroot] CVE-2022-30550 version range fix
Date: Sat, 24 May 2025 14:22:55 +0200
Message-ID: <20250524142255.36be5c43@windsurf>
In-Reply-To: <BY3PR09MB875642446D6D15414F985131ED98A@BY3PR09MB8756.namprd09.prod.outlook.com>

Hello Benjamin,

Thanks for the feedback, much appreciated, and thanks for taking into
account the feedback. At the end of your e-mail, you said "For CPE
related inquiries we request that you send them to
cpe_dictionary@nist.gov", does that mean that some of my requests
should have been sent to cpe_dictionary@nist.gov instead, and if so
which ones?

Perhaps you are referring to my request:

Subject: Numerous issues in CVEs for the "sox" project

?

Could you clarify, so that I can make sure I send my requests to the
right contact?

Thanks a lot for this effort on maintaining the NVD!

Best regards,

Thomas

On Fri, 23 May 2025 16:53:39 +0000
nvd <nvd@nist.gov> wrote:
> Good Afternoon,
>
> Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information possible. After reviewing publicly available information we have made the appropriate modifications to the configuration to list version 2.4.0 as the fixed version. Please allow up to 24 hours for the changes to be reflected on the website and in the data feeds.
>
> For CPE related inquiries we request that you send them to cpe_dictionary@nist.gov.
>
> V/r,
> Benjamin Wells
> National Vulnerability Database Team
> National Institute of Standards and Technology (NIST)
> nvd@nist.gov
>
> -----Original Message-----
> From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> Sent: Saturday, May 17, 2025 12:18 PM
> To: nvd <nvd@nist.gov>
> Cc: buildroot@buildroot.org
> Subject: CVE-2022-30550 version range fix
>
> Hello,
>
> CVE-2022-30550 is documented in your database as affecting versions of dovecot up to 2.3.20.
>
> However, according to
> https://dovecot.org/pipermail/dovecot-news/2022-July/000477.html, the fix for this issue is:
>
> https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch
>
> And this commit is only in Dovecot 2.4.0, which means that versions 2.3.21, 2.3.21.1 are affected.
>
> Here is some additional evidence based on the Git repository of Dovecot:
>
> $ git log --format=oneline 2.3.21 | grep "auth: Fix handling passdbs with identical driver/args but"
> $
>
> So 2.3.21 doesn't have the fix.
>
> $ git log --format=oneline 2.3.21.1 | grep "auth: Fix handling passdbs with identical driver/args but"
> $
>
> So 2.3.21.1 doesn't have the fix.
>
> $ git log --format=oneline 2.4.0 | grep "auth: Fix handling passdbs with identical driver/args but"
> 7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 auth: Fix handling passdbs with identical driver/args but different mechanisms/username_filter
>
> Which means that 2.4.0 has the fix.
>
> Therefore, your entry for CVE-2022-30550 should be fixed to indicate that versions up to (excluding) 2.4.0 are affected.
>
> Thanks for your great work on maintaining this database! It would be great to have a public issue tracker to report issues.
>
> Thomas
> --
> Thomas Petazzoni, co-owner and CEO, Bootlin Embedded Linux and Kernel engineering and training
> https://bootlin.com/
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
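
The per-tag check from the quoted report, written as a reusable script. This is an added example, not part of the original messages or of Dovecot's or Buildroot's tooling; the function names and the demo repository are hypothetical and constructed so the script runs offline, and it assumes `git` is installed.

```shell
#!/bin/sh
# Added example. Function names and the demo repository are hypothetical.
# Subject of the fix commit, as quoted in the message above.
FIX_SUBJECT='auth: Fix handling passdbs with identical driver/args but different mechanisms/username_filter'

# fix_status REPO SUBJECT TAG...
# Prints "TAG fixed|affected|unknown" for each tag. A tag is "fixed" when a
# commit reachable from it has exactly SUBJECT as its subject line. Matching on
# the subject rather than the hash also finds cherry-picked backports.
fix_status() {
    repo=$1; subject=$2; shift 2
    for tag in "$@"; do
        # A missing tag must not be reported as "affected": check it first.
        if ! git -C "$repo" rev-parse -q --verify "${tag}^{commit}" >/dev/null 2>&1; then
            echo "$tag unknown"
        elif git -C "$repo" log --format=%s "$tag" -- | grep -Fx -- "$subject" >/dev/null; then
            echo "$tag fixed"
        else
            echo "$tag affected"
        fi
    done
}

# Constructed history (not Dovecot's): only the commit tagged 2.4.0 carries the fix.
make_demo_repo() {
    demo=$(mktemp -d) || return 1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git -C "$demo" init -q >/dev/null
    git -C "$demo" commit -q --allow-empty -m 'initial import'
    git -C "$demo" tag 2.3.21
    git -C "$demo" commit -q --allow-empty -m 'unrelated stable change'
    git -C "$demo" tag 2.3.21.1
    git -C "$demo" commit -q --allow-empty -m "$FIX_SUBJECT"
    git -C "$demo" tag 2.4.0
    echo "$demo"
}

demo_repo=$(make_demo_repo)
fix_status "$demo_repo" "$FIX_SUBJECT" 2.3.21 2.3.21.1 2.4.0 9.9.9
rm -rf "$demo_repo"
```

Against a real clone, call `fix_status` with the path to the Dovecot checkout and the release tags to audit; a tag reported as `unknown` usually means the tags have not been fetched.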