[1/1] package/libnids: NVD database has been updated

Message ID 20200721180555.31453-1-guillaume.bressaix@gmail.com
State Rejected

Commit Message

Guillaume Bres July 21, 2020, 6:05 p.m. UTC
From: "Guillaume W. Bres" <guillaume.bressaix@gmail.com>

Thanks to Matthew W. & Thomas, the NVD database has been updated
and CVE-2010-0751 is now declared fixed, see
https://security-tracker.debian.org/tracker/CVE-2010-0751

Signed-off-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>
---
 package/libnids/libnids.mk | 4 ----
 1 file changed, 4 deletions(-)

Comments

Thomas Petazzoni July 21, 2020, 6:43 p.m. UTC | #1
On Tue, 21 Jul 2020 20:05:55 +0200
guillaume.bressaix@gmail.com wrote:

> From: "Guillaume W. Bres" <guillaume.bressaix@gmail.com>
> 
> Thanks to Matthew W. & Thomas, the NVD database has been updated
> and CVE-2010-0751 is now declared fixed, see
> https://security-tracker.debian.org/tracker/CVE-2010-0751
> 
> Signed-off-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>

Are you sure it has already been fixed ?

https://nvd.nist.gov/vuln/detail/CVE-2010-0751 still marks 1.24 as
affected as far as I can see.

Thomas
Matthew Weber July 21, 2020, 8:08 p.m. UTC | #2
Ugh, looks like they only updated the description and didn't adjust the
rest of the version references

https://nvd.nist.gov/vuln/detail/CVE-2010-0751#match-5471142

Guillaume Bres July 22, 2020, 7:32 a.m. UTC | #3
>
> Ugh, looks like they only updated the description and didn't adjust the
> rest of the version references


yes that's what happened 😂 we may need to wait a little longer

Guillaume W. Bres
Software engineer
<guillaume.bressaix@gmail.com>


Matthew Weber July 30, 2020, 6:01 p.m. UTC | #4
Guillaume, I've submitted another request with more detail and hopefully
they'll update all the references to the version

Matthew Weber Aug. 5, 2020, 4:18 p.m. UTC | #5
It has been fixed but I had to update the wiki notes because there are two
steps.  The first is a CVE description update by the Mitre/CVE team and the
second is a CPE assignment update by the dictionary team.  I checked the
NVD link that Thomas provided and it looks correct to me.

Thomas Petazzoni Aug. 5, 2020, 7:48 p.m. UTC | #6
Hello,

On Wed, 5 Aug 2020 11:18:24 -0500
Matthew Weber <matthew.weber@collins.com> wrote:

> It has been fixed but I had to update the wiki notes because there are two
> steps.  The first is a CVE description update by the Mitre/CVE team and the
> second is a CPE assignment update by the dictionary team.  I checked the
> NVD link that Thomas provided and it looks correct to me.

Thanks for following up on this. However, what the Wiki page says is
not very clear to me as it doesn't really seem to match what you're
saying here with the two steps process that is needed.

Thomas
Matthew Weber Aug. 5, 2020, 9:43 p.m. UTC | #7
Thomas,


On Wed, Aug 5, 2020 at 2:51 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> On Wed, 5 Aug 2020 11:18:24 -0500
> Matthew Weber <matthew.weber@collins.com> wrote:
>
> > It has been fixed but I had to update the wiki notes because there are two
> > steps.  The first is a CVE description update by the Mitre/CVE team and the
> > second is a CPE assignment update by the dictionary team.  I checked the
> > NVD link that Thomas provided and it looks correct to me.
>
> Thanks for following up on this. However, what the Wiki page says is
> not very clear to me as it doesn't really seem to match what you're
> saying here with the two steps process that is needed.
>

Hopefully this is a little better
https://elinux.org/Buildroot:Security_Vulnerability_Management#Managing_CPE_entries

Patch

diff --git a/package/libnids/libnids.mk b/package/libnids/libnids.mk
index fb3df318b4..4a67215242 100644
--- a/package/libnids/libnids.mk
+++ b/package/libnids/libnids.mk
@@ -12,10 +12,6 @@  LIBNIDS_INSTALL_STAGING = YES
 LIBNIDS_DEPENDENCIES = host-pkgconf libpcap
 LIBNIDS_AUTORECONF = YES
 
-# CVE-2010-0751 was fixed in libnids v1.24 but the NVD database is not
-# aware of the fix, ignore it until this is updated
-LIBNIDS_IGNORE_CVES += CVE-2010-0751
-
 # disable libnet if not available
 # Tests in configure.in expect --with-libnet=$build_dir
 # not an installation patch like in our context.
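Review bot: Dropping the LIBNIDS_IGNORE_CVES += CVE-2010-0751 line is only justified once the NVD entry itself no longer lists libnids 1.24 as affected, and the commit message does not show that. The removed comment says the CVE is ignored because "the NVD database is not aware of the fix" and should stay ignored "until this is updated", yet the commit message links only the Debian security tracker. Please check the affected-version (CPE) data on the NVD page for CVE-2010-0751, not just the description text, and cite that page in the commit message. If NVD still marks 1.24 as affected, keep the three lines until the CPE assignment has been corrected.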