[2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747

Message ID 20211018214014.1202-2-matthew.weber@collins.com
State Accepted
Series [1/2] package/lightning: add LIGHTNING_CPE_ID_VENDOR

Commit Message

Matthew Weber Oct. 18, 2021, 9:40 p.m. UTC
This reverts commit 613953f8217bf5b27489e0a939147ef7c74c3f7a.

A new CPE ID was assigned by NIST and this whitelist can be
dropped as the package is set up to use the correct CPE (not
to be confused with the other lightning-* packages which show
up when a free-text search is used to find the CVE).

Cc: Paul Cercueil <paul@crapouillou.net>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Matthew Weber <matthew.weber@collins.com>
---
 package/lightning/lightning.mk | 4 ----
 1 file changed, 4 deletions(-)

Comments

Yann E. MORIN Oct. 19, 2021, 7:37 p.m. UTC | #1
Matthew, All,

On 2021-10-18 16:40 -0500, Matthew Weber via buildroot spake thusly:
> This reverts commit 613953f8217bf5b27489e0a939147ef7c74c3f7a.
> 
> A new CPE ID was assigned by NIST and this whitelist can be
> dropped as the package is set up to use the correct CPE (not
> to be confused with the other lightning-* packages which show
> up when a free-text search is used to find the CVE).
> 
> Cc: Paul Cercueil <paul@crapouillou.net>
> Cc: Yann E. MORIN <yann.morin.1998@free.fr>
> Signed-off-by: Matthew Weber <matthew.weber@collins.com>

With a slight reword in the title, applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/lightning/lightning.mk | 4 ----
>  1 file changed, 4 deletions(-)
> 
> diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
> index c0036e5cd1..da8c07e61f 100644
> --- a/package/lightning/lightning.mk
> +++ b/package/lightning/lightning.mk
> @@ -13,10 +13,6 @@ LIGHTNING_CPE_ID_VENDOR = gnu
>  # We're patching include/Makefile.am
>  LIGHTNING_AUTORECONF = YES
>  
> -# CVE-2020-7747 is for the Javascript lightning-server project, and not for
> -# GNU Lightning.
> -LIGHTNING_IGNORE_CVES = CVE-2020-7747
> -
>  ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
>  LIGHTNING_DEPENDENCIES += binutils zlib
>  LIGHTNING_CONF_OPTS += --enable-disassembler
> -- 
> 2.17.1
Paul Cercueil Oct. 25, 2021, 9:06 a.m. UTC | #2
Hi Matthew, all,

I still get the emails about CVEs in Lightning though :(
I just got one a few hours ago.

-Paul


On Mon., Oct. 18 2021 at 16:40:14 -0500, Matthew Weber
<matthew.weber@collins.com> wrote:
> This reverts commit 613953f8217bf5b27489e0a939147ef7c74c3f7a.
> 
> A new CPE ID was assigned by NIST and this whitelist can be
> dropped as the package is set up to use the correct CPE (not
> to be confused with the other lightning-* packages which show
> up when a free-text search is used to find the CVE).
> 
> Cc: Paul Cercueil <paul@crapouillou.net>
> Cc: Yann E. MORIN <yann.morin.1998@free.fr>
> Signed-off-by: Matthew Weber <matthew.weber@collins.com>
> ---
>  package/lightning/lightning.mk | 4 ----
>  1 file changed, 4 deletions(-)
> 
> diff --git a/package/lightning/lightning.mk 
> b/package/lightning/lightning.mk
> index c0036e5cd1..da8c07e61f 100644
> --- a/package/lightning/lightning.mk
> +++ b/package/lightning/lightning.mk
> @@ -13,10 +13,6 @@ LIGHTNING_CPE_ID_VENDOR = gnu
>  # We're patching include/Makefile.am
>  LIGHTNING_AUTORECONF = YES
> 
> -# CVE-2020-7747 is for the Javascript lightning-server project, and 
> not for
> -# GNU Lightning.
> -LIGHTNING_IGNORE_CVES = CVE-2020-7747
> -
>  ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
>  LIGHTNING_DEPENDENCIES += binutils zlib
>  LIGHTNING_CONF_OPTS += --enable-disassembler
> --
> 2.17.1
>
Frager, Neal via buildroot Oct. 25, 2021, 1:09 p.m. UTC | #3
Paul,


> From: Paul Cercueil <paul@crapouillou.net>
> Sent: Monday, October 25, 2021 4:06 AM
> To: Weber, Matthew L Collins <Matthew.Weber@collins.com>
> Cc: buildroot@buildroot.org <buildroot@buildroot.org>; Yann E . MORIN <yann.morin.1998@free.fr>
> Subject: [External] Re: [PATCH 2/2] package/lightning: [revert]ignore not applicable CVE-2020-7747 
>  
> Hi Matthew, all,
> 
> I still get the emails about CVEs in Lightning though :(
> I just got one a few hours ago.

The changes to resolve that were merged on master last week and I noticed today that Peter applied them to the long term support branch (probably after you received that email).  Which branch did the email list CVE against?

Regards,
Matt
Paul Cercueil Oct. 25, 2021, 1:10 p.m. UTC | #4
Hi Matthew,

On Mon., Oct. 25 2021 at 13:09:25 +0000, "Weber, Matthew L Collins"
<Matthew.Weber@collins.com> wrote:
> Paul,
> 
> 
>>  From: Paul Cercueil <paul@crapouillou.net>
>>  Sent: Monday, October 25, 2021 4:06 AM
>>  To: Weber, Matthew L Collins <Matthew.Weber@collins.com>
>>  Cc: buildroot@buildroot.org <buildroot@buildroot.org>; Yann E . 
>> MORIN <yann.morin.1998@free.fr>
>>  Subject: [External] Re: [PATCH 2/2] package/lightning: 
>> [revert]ignore not applicable CVE-2020-7747
>> 
>>  Hi Matthew, all,
>> 
>>  I still get the emails about CVEs in Lightning though :(
>>  I just got one a few hours ago.
> 
> The changes to resolve that were merged on master last week and I 
> noticed today that Peter applied them to the long term support branch 
> (probably after you received that email).  Which branch did the email 
> list CVE against?
> 
> Regards,
> Matt

I get those emails for the 2021.02.x and 2021.08.x branches.

Cheers,
-Paul
Peter Korsgaard Oct. 26, 2021, 12:27 p.m. UTC | #5
>>>>> "Paul" == Paul Cercueil <paul@crapouillou.net> writes:

Hi,

 >>> I still get the emails about CVEs in Lightning though :(
 >>> I just got one a few hours ago.
 >> 
 >> The changes to resolve that were merged on master last week and I
 >> noticed today that Peter applied them to the long term support
 >> branch (probably after you received that email).  Which branch did
 >> the email list CVE against?

 > I get those emails for the 2021.02.x and 2021.08.x branches.

You shouldn't get them any more. Please let me know if you do.

Patch

diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
index c0036e5cd1..da8c07e61f 100644
--- a/package/lightning/lightning.mk
+++ b/package/lightning/lightning.mk
@@ -13,10 +13,6 @@  LIGHTNING_CPE_ID_VENDOR = gnu
 # We're patching include/Makefile.am
 LIGHTNING_AUTORECONF = YES
 
-# CVE-2020-7747 is for the Javascript lightning-server project, and not for
-# GNU Lightning.
-LIGHTNING_IGNORE_CVES = CVE-2020-7747
-
 ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
 LIGHTNING_DEPENDENCIES += binutils zlib
 LIGHTNING_CONF_OPTS += --enable-disassembler
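
Review bot: the removal of LIGHTNING_IGNORE_CVES = CVE-2020-7747 in this hunk is only correct on a tree that already carries LIGHTNING_CPE_ID_VENDOR = gnu (visible in the hunk header, added by patch 1/2 of the series), and the commit message does not state that dependency. Please name patch 1/2 as a prerequisite in the commit message so that a backport to a stable branch takes both together; a branch that picks up only this revert would lose the ignore entry with nothing in its place to exclude the CVE. The deleted comment was also the only in-tree record that CVE-2020-7747 belongs to the JavaScript lightning-server project, so it is worth stating that explicitly in the commit message rather than only alluding to "the other lightning-* packages".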