* [Buildroot] CVE-2022-30550 version range fix
From: Thomas Petazzoni via buildroot @ 2025-05-17 16:18 UTC
To: nvd; +Cc: buildroot@buildroot.org
Hello,
CVE-2022-30550 is documented in your database as affecting versions of
dovecot up to 2.3.20.
However, according to
https://dovecot.org/pipermail/dovecot-news/2022-July/000477.html, the
fix for this issue is:
https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch
And this commit is only in Dovecot 2.4.0, which means that versions
2.3.21 and 2.3.21.1 are affected.
Here is some additional evidence based on the Git repository of Dovecot:
$ git log --format=oneline 2.3.21 | grep "auth: Fix handling passdbs with identical driver/args but"
$
So 2.3.21 doesn't have the fix.
$ git log --format=oneline 2.3.21.1 | grep "auth: Fix handling passdbs with identical driver/args but"
$
So 2.3.21.1 doesn't have the fix.
$ git log --format=oneline 2.4.0 | grep "auth: Fix handling passdbs with identical driver/args but"
7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 auth: Fix handling passdbs with identical driver/args but different mechanisms/username_filter
Which means that 2.4.0 has the fix.
Therefore, your entry for CVE-2022-30550 should be fixed to indicate
that versions up to (excluding) 2.4.0 are affected.
Thanks for your great work on maintaining this database! It would be
great to have a public issue tracker to report issues.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
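As an added example (not code from the thread), here is a shell version of the check run above that decides by commit ancestry (git merge-base --is-ancestor) instead of grepping commit subjects, which can miss a backport whose subject line was edited; the repository, tags and commit it builds are constructed stand-ins for dovecot/core and 7bad6a24, so point the functions at a real clone to use them for real.

```shell
#!/bin/sh
# Added example: which release tags contain a fix commit, by ancestry.
# The repo, tags and SHA built here are constructed stand-ins, not dovecot/core.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com

# tag_has_fix REPO COMMIT TAG -> prints yes if COMMIT is reachable from TAG
tag_has_fix() {
    if git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# first_fixed_tag REPO COMMIT TAG... -> first tag (in the order given) that
# contains COMMIT, i.e. the "up to (excluding)" bound; exit 1 if none does.
first_fixed_tag() {
    repo=$1; commit=$2; shift 2
    for tag in "$@"; do
        if [ "$(tag_has_fix "$repo" "$commit" "$tag")" = yes ]; then
            echo "$tag"; return 0
        fi
    done
    return 1
}

# make_demo_repo DIR -> constructed history, prints the fix SHA: v2.3.20, then
# a release-2.3 branch with v2.3.21 and v2.3.21.1, while the fix lands on main
# only and is first released in v2.4.0 (mirrors the situation in the thread).
make_demo_repo() {
    repo=$1
    rm -rf "$repo"; mkdir -p "$repo"
    git -C "$repo" init -q
    git -C "$repo" symbolic-ref HEAD refs/heads/main
    git -C "$repo" commit -q --allow-empty -m "base release"
    git -C "$repo" tag v2.3.20
    git -C "$repo" checkout -q -b release-2.3
    git -C "$repo" commit -q --allow-empty -m "2.3.21 changes"
    git -C "$repo" tag v2.3.21
    git -C "$repo" commit -q --allow-empty -m "2.3.21.1 changes"
    git -C "$repo" tag v2.3.21.1
    git -C "$repo" checkout -q main
    git -C "$repo" commit -q --allow-empty -m "auth: fix passdb handling (stand-in)"
    fix=$(git -C "$repo" rev-parse HEAD)
    git -C "$repo" commit -q --allow-empty -m "more 2.4 work"
    git -C "$repo" tag v2.4.0
    echo "$fix"
}
```

A cherry-picked backport carries a different SHA, so a "no" from the ancestry check should be confirmed with git log --grep on the release branch or by inspecting the patched code before reporting a version range.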
* Re: [Buildroot] CVE-2022-30550 version range fix
From: Thomas Petazzoni via buildroot @ 2025-05-24 12:22 UTC
To: nvd; +Cc: buildroot@buildroot.org
Hello Benjamin,
Thanks for the feedback, much appreciated, and thanks for taking into
account the feedback. At the end of your e-mail, you said "For CPE
related inquiries we request that you send them to
cpe_dictionary@nist.gov", does that mean that some of my requests
should have been sent to cpe_dictionary@nist.gov instead, and if so
which ones?
Perhaps you are referring to my request:
Subject: Numerous issues in CVEs for the "sox" project
?
Could you clarify, so that I can make sure I send my requests to the
right contact?
Thanks a lot for this effort on maintaining the NVD!
Best regards,
Thomas
On Fri, 23 May 2025 16:53:39 +0000
nvd <nvd@nist.gov> wrote:
> Good Afternoon,
>
> Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. After reviewing publicly available information we have made the appropriate modifications to the configuration to list version 2.4.0 as the fixed version. Please allow up to 24 hours for the changes to be reflected on the website and in the data feeds.
>
> For CPE related inquiries we request that you send them to cpe_dictionary@nist.gov.
>
> V/r,
> Benjamin Wells
> National Vulnerability Database Team
> National Institute of Standards and Technology (NIST)
> nvd@nist.gov
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] CVE-2022-30550 version range fix
From: Thomas Petazzoni via buildroot @ 2025-06-11 8:33 UTC
To: nvd; +Cc: buildroot@buildroot.org
Hello,
I'm still not clear on what CVE inquiries vs. CPE inquiries are. My
inquiry here was regarding a CVE, so to me it made sense to report it
to you, as the way to fix the issue was to fix a CVE report.
Could you clarify so that I can address any future report to the
correct entity?
Thanks a lot for your support!
Thomas
On Tue, 10 Jun 2025 20:01:10 +0000
nvd <nvd@nist.gov> wrote:
> Good Afternoon,
>
> We have requested that you kindly direct your CPE inquiries to cpe_dictionary@nist.gov in the future. Thank you for your previous email inquiries. We would like to confirm that we have received the same and will be addressing them as time and resources allow.
>
> V/r,
> Benjamin Wells
> National Vulnerability Database Team
> National Institute of Standards and Technology (NIST)
> nvd@nist.gov
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com