* [Buildroot] CVE-2022-30550 version range fix
@ 2025-05-17 16:18 Thomas Petazzoni via buildroot
[not found] ` <BY3PR09MB875642446D6D15414F985131ED98A@BY3PR09MB8756.namprd09.prod.outlook.com>
0 siblings, 1 reply; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-17 16:18 UTC (permalink / raw)
To: nvd; +Cc: buildroot@buildroot.org
Hello,
CVE-2022-30550 is documented in your database as affecting versions of
dovecot up to 2.3.20.
However, according to
https://dovecot.org/pipermail/dovecot-news/2022-July/000477.html, the
fix for this issue is:
https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch
And this commit is only in Dovecot 2.4.0, which means that versions
2.3.21, 2.3.21.1 are affected.
Here is some additional evidence based on the Git repository of Dovecot:
$ git log --format=oneline 2.3.21 | grep "auth: Fix handling passdbs with identical driver/args but"
$
So 2.3.21 doesn't have the fix.
$ git log --format=oneline 2.3.21.1 | grep "auth: Fix handling passdbs with identical driver/args but"
$
So 2.3.21.1 doesn't have the fix.
$ git log --format=oneline 2.4.0 | grep "auth: Fix handling passdbs with identical driver/args but"
7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 auth: Fix handling passdbs with identical driver/args but different mechanisms/username_filter
Which means that 2.4.0 has the fix.
Therefore, your entry for CVE-2022-30550 should be fixed to indicate
that versions up to (excluding) 2.4.0 are affected.
Thanks for your great work on maintaining this database! It would be
create to have a public issue tracker to report issues.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread[parent not found: <BY3PR09MB875642446D6D15414F985131ED98A@BY3PR09MB8756.namprd09.prod.outlook.com>]
* Re: [Buildroot] CVE-2022-30550 version range fix [not found] ` <BY3PR09MB875642446D6D15414F985131ED98A@BY3PR09MB8756.namprd09.prod.outlook.com> @ 2025-05-24 12:22 ` Thomas Petazzoni via buildroot [not found] ` <PH0PR09MB8763C94ABBA656291F0FD84DED6AA@PH0PR09MB8763.namprd09.prod.outlook.com> 0 siblings, 1 reply; 3+ messages in thread From: Thomas Petazzoni via buildroot @ 2025-05-24 12:22 UTC (permalink / raw) To: nvd; +Cc: buildroot@buildroot.org Hello Benjamin, Thanks for the feedback, much appreciated, and thanks for taking into account the feedback. At the end of your e-mail, you said "For CPE related inquiries we request that you send them to cpe_dictionary@nist.gov", does that mean that some of my requests should have been sent to cpe_dictionary@nist.gov instead, and if so which ones? Perhaps you are referring to my request: Subject: Numerous issues in CVEs for the "sox" project ? Could you clarify, so that I can make sure I send my requests to the right contact? Thanks a lot this effort on maintaining the NVD! Best regards, Thomas On Fri, 23 May 2025 16:53:39 +0000 nvd <nvd@nist.gov> wrote: > Good Afternoon, > > Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. After reviewing publicly available information we have made the appropriate modifications to the configuration to list version 2.4.0 as the fixed version. Please allow up to 24 hours for the changes to be reflected on the website and in the data feeds. > > For CPE related inquiries we request that you send them to cpe_dictionary@nist.gov. > > V/r, > Benjamin Wells > National Vulnerability Database Team > National Institute of Standards and Technology (NIST) > nvd@nist.gov > > -----Original Message----- > From: Thomas Petazzoni <thomas.petazzoni@bootlin.com> > Sent: Saturday, May 17, 2025 12:18 PM > To: nvd <nvd@nist.gov> > Cc: buildroot@buildroot.org > Subject: CVE-2022-30550 version range fix > > Hello, > > CVE-2022-30550 is documented in your database as affecting versions of dovecot up to 2.3.20. > > However, according to > https://dovecot.org/pipermail/dovecot-news/2022-July/000477.html, the fix for this issue is: > > https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch > > And this commit is only in Dovecot 2.4.0, which means that versions 2.3.21, 2.3.21.1 are affected. > > Here is some additional evidence based on the Git repository of Dovecot: > > $ git log --format=oneline 2.3.21 | grep "auth: Fix handling passdbs with identical driver/args but" > $ > > So 2.3.21 doesn't have the fix. > > $ git log --format=oneline 2.3.21.1 | grep "auth: Fix handling passdbs with identical driver/args but" > $ > > So 2.3.21.1 doesn't have the fix. > > $ git log --format=oneline 2.4.0 | grep "auth: Fix handling passdbs with identical driver/args but" > 7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 auth: Fix handling passdbs with identical driver/args but different mechanisms/username_filter > > Which means that 2.4.0 has the fix. > > Therefore, your entry for CVE-2022-30550 should be fixed to indicate that versions up to (excluding) 2.4.0 are affected. > > Thanks for your great work on maintaining this database! It would be create to have a public issue tracker to report issues. > > Thomas > -- > Thomas Petazzoni, co-owner and CEO, Bootlin Embedded Linux and Kernel engineering and training > https://bootlin.com/ -- Thomas Petazzoni, co-owner and CEO, Bootlin Embedded Linux and Kernel engineering and training https://bootlin.com _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 3+ messages in thread
[parent not found: <PH0PR09MB8763C94ABBA656291F0FD84DED6AA@PH0PR09MB8763.namprd09.prod.outlook.com>]
* Re: [Buildroot] CVE-2022-30550 version range fix [not found] ` <PH0PR09MB8763C94ABBA656291F0FD84DED6AA@PH0PR09MB8763.namprd09.prod.outlook.com> @ 2025-06-11 8:33 ` Thomas Petazzoni via buildroot 0 siblings, 0 replies; 3+ messages in thread From: Thomas Petazzoni via buildroot @ 2025-06-11 8:33 UTC (permalink / raw) To: nvd; +Cc: buildroot@buildroot.org Hello, I'm still not clear what are CVE inquiries vs. CPE inquiries. My inquiry here was regarding a CVE, so to me it made sense to report it to you as the way to fix the issue was to fix a CVE report. Could you clarify so that I can address any future report to the correct entity? Thanks a lot for your support! Thomas On Tue, 10 Jun 2025 20:01:10 +0000 nvd <nvd@nist.gov> wrote: > Good Afternoon, > > We have requested that you kindly direct your CPE inquiries to cpe_dictionary@nist.gov in the future. Thank you for your previous email inquiries. We would like to confirm that we have received the same and will be addressing them as time and resources allow. > > V/r, > Benjamin Wells > National Vulnerability Database Team > National Institute of Standards and Technology (NIST) > nvd@nist.gov > > -----Original Message----- > From: Thomas Petazzoni <thomas.petazzoni@bootlin.com> > Sent: Saturday, May 24, 2025 8:23 AM > To: nvd <nvd@nist.gov> > Cc: buildroot@buildroot.org > Subject: Re: CVE-2022-30550 version range fix > > Hello Benjamin, > > Thanks for the feedback, much appreciated, and thanks for taking into account the feedback. At the end of your e-mail, you said "For CPE related inquiries we request that you send them to cpe_dictionary@nist.gov", does that mean that some of my requests should have been sent to cpe_dictionary@nist.gov instead, and if so which ones? > > Perhaps you are referring to my request: > > Subject: Numerous issues in CVEs for the "sox" project > > ? > > Could you clarify, so that I can make sure I send my requests to the right contact? > > Thanks a lot this effort on maintaining the NVD! > > Best regards, > > Thomas > > On Fri, 23 May 2025 16:53:39 +0000 > nvd <nvd@nist.gov> wrote: > > > Good Afternoon, > > > > Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. After reviewing publicly available information we have made the appropriate modifications to the configuration to list version 2.4.0 as the fixed version. Please allow up to 24 hours for the changes to be reflected on the website and in the data feeds. > > > > For CPE related inquiries we request that you send them to cpe_dictionary@nist.gov. > > > > V/r, > > Benjamin Wells > > National Vulnerability Database Team > > National Institute of Standards and Technology (NIST) nvd@nist.gov > > > > -----Original Message----- > > From: Thomas Petazzoni <thomas.petazzoni@bootlin.com> > > Sent: Saturday, May 17, 2025 12:18 PM > > To: nvd <nvd@nist.gov> > > Cc: buildroot@buildroot.org > > Subject: CVE-2022-30550 version range fix > > > > Hello, > > > > CVE-2022-30550 is documented in your database as affecting versions of dovecot up to 2.3.20. > > > > However, according to > > https://dovecot.org/pipermail/dovecot-news/2022-July/000477.html, the fix for this issue is: > > > > https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch > > > > And this commit is only in Dovecot 2.4.0, which means that versions 2.3.21, 2.3.21.1 are affected. > > > > Here is some additional evidence based on the Git repository of Dovecot: > > > > $ git log --format=oneline 2.3.21 | grep "auth: Fix handling passdbs with identical driver/args but" > > $ > > > > So 2.3.21 doesn't have the fix. > > > > $ git log --format=oneline 2.3.21.1 | grep "auth: Fix handling passdbs with identical driver/args but" > > $ > > > > So 2.3.21.1 doesn't have the fix. > > > > $ git log --format=oneline 2.4.0 | grep "auth: Fix handling passdbs with identical driver/args but" > > 7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 auth: Fix handling passdbs > > with identical driver/args but different mechanisms/username_filter > > > > Which means that 2.4.0 has the fix. > > > > Therefore, your entry for CVE-2022-30550 should be fixed to indicate that versions up to (excluding) 2.4.0 are affected. > > > > Thanks for your great work on maintaining this database! It would be create to have a public issue tracker to report issues. > > > > Thomas > > -- > > Thomas Petazzoni, co-owner and CEO, Bootlin Embedded Linux and Kernel > > engineering and training > > https://boot/ > > lin.com%2F&data=05%7C02%7Cnvd%40nist.gov%7Cf24def78fb57460b488c08dd9ab > > db7dc%7C2ab5d82fd8fa4797a93e054655c61dec%7C0%7C0%7C638836861810040456% > > 7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIl > > AiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=M7H0 > > VkI9xtExvankInTYrtxX4bVat%2FPe0AfogQMt2bg%3D&reserved=0 > > > > -- > Thomas Petazzoni, co-owner and CEO, Bootlin Embedded Linux and Kernel engineering and training > https://bootlin.com/ -- Thomas Petazzoni, co-owner and CEO, Bootlin Embedded Linux and Kernel engineering and training https://bootlin.com _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-06-11 8:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-17 16:18 [Buildroot] CVE-2022-30550 version range fix Thomas Petazzoni via buildroot
[not found] ` <BY3PR09MB875642446D6D15414F985131ED98A@BY3PR09MB8756.namprd09.prod.outlook.com>
2025-05-24 12:22 ` Thomas Petazzoni via buildroot
[not found] ` <PH0PR09MB8763C94ABBA656291F0FD84DED6AA@PH0PR09MB8763.namprd09.prod.outlook.com>
2025-06-11 8:33 ` Thomas Petazzoni via buildroot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox