Message ID | 20220731111240.12145-1-bernd.kuhls@t-online.de |
---|---|
State | Handled Elsewhere |
Headers | show |
Series | [1/1] package/apache: ignore various CVEs | expand |
On 31/07/2022 13:12, Bernd Kuhls wrote: > Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> > --- > package/apache/apache.mk | 27 +++++++++++++++++++++++++++ > 1 file changed, 27 insertions(+) > > diff --git a/package/apache/apache.mk b/package/apache/apache.mk > index 315282baac..e199194e84 100644 > --- a/package/apache/apache.mk > +++ b/package/apache/apache.mk > @@ -11,6 +11,33 @@ APACHE_LICENSE = Apache-2.0 > APACHE_LICENSE_FILES = LICENSE > APACHE_CPE_ID_VENDOR = apache > APACHE_CPE_ID_PRODUCT = http_server > +# only Windows affected > +APACHE_IGNORE_CVES += CVE-1999-0289 > +# only Debian affected > +APACHE_IGNORE_CVES += CVE-1999-0678 > +# unrelated to Linux > +APACHE_IGNORE_CVES += CVE-1999-1412 > +# disputed CVE That's a bit a weak reason, but OK. > +APACHE_IGNORE_CVES += CVE-2007-0086 > +# unrelated to Apache > +APACHE_IGNORE_CVES += CVE-2007-0450 > +# fixed in version 2.2.5 Then why do we need to exclude it? Is there something wrong with the CVE's CPE information? Or with our own CPE information? Or with our cpedb script? There should be no need to have exclusions for CVEs that are fixed in a version <= the current one - unless it re-surfaced in a newer version. Regards, Arnout > +APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168 > +# fixed in version 2.2.7 > +APACHE_IGNORE_CVES += CVE-2007-5000 CVE-2007-6420 CVE-2007-6420 \ > + CVE-2007-6421 CVE-2007-6422 CVE-2007-6423 CVE-2008-0455 > +# fixed in version 2.2.10 > +APACHE_IGNORE_CVES += CVE-2008-2939 > +# fixed in version 2.2.12 > +APACHE_IGNORE_CVES += CVE-2009-1195 CVE-2009-1890 CVE-2009-1891 > +# fixed in version 2.2.14 > +APACHE_IGNORE_CVES += CVE-2009-2699 > +# fixed in version 2.2.15 > +APACHE_IGNORE_CVES += CVE-2010-0408 CVE-2010-0425 CVE-2010-0434 > +# fixed in version 2.2.16 > +APACHE_IGNORE_CVES += CVE-2010-1452 > +# fixed in version 2.4.10 > +APACHE_IGNORE_CVES += CVE-2014-0231 > APACHE_SELINUX_MODULES = apache > # Needed for mod_php > APACHE_INSTALL_STAGING = YES
Hi Arnout, Am Mon, 1 Aug 2022 19:56:53 +0200 schrieb Arnout Vandecappelle: >> +# fixed in version 2.2.5 >> +APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168 > Then why do we need to exclude it? Is there something wrong with the CVE's CPE > information? Or with our own CPE information? Or with our cpedb script? my understanding of the CVE/CPE stuff is rather limited but I guess these CPEs show up for us because the database entry does not contain any version number: cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:* What about ignoring such version-less entries in buildroot? Thomas suggested to get the NIST database fixed: https://lists.buildroot.org/pipermail/buildroot/2022-August/648210.html but these entries can show up again and again... And providing proof that a disputed entry from 2007 should be removed from their database is beyond my capabilities... Regards, Bernd
On 01/08/2022 20:05, Bernd Kuhls wrote: > Hi Arnout, > > Am Mon, 1 Aug 2022 19:56:53 +0200 schrieb Arnout Vandecappelle: > >>> +# fixed in version 2.2.5 >>> +APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168 > >> Then why do we need to exclude it? Is there something wrong with the > CVE's CPE >> information? Or with our own CPE information? Or with our cpedb script? > > my understanding of the CVE/CPE stuff is rather limited but I guess these > CPEs show up for us because the database entry does not contain any > version number: > > cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:* > > What about ignoring such version-less entries in buildroot? > > Thomas suggested to get the NIST database fixed: > https://lists.buildroot.org/pipermail/buildroot/2022-August/648210.html > > but these entries can show up again and again... And providing proof that > a disputed entry from 2007 should be removed from their database is > beyond my capabilities... The disputed entry is OK(ish). It's the ones where the version information in NVD is wrong that we don't want the exception. Regards, Arnout > > Regards, Bernd > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
Hello Bernd, On Mon, 1 Aug 2022 20:05:23 +0200 Bernd Kuhls <bernd.kuhls@t-online.de> wrote: > my understanding of the CVE/CPE stuff is rather limited but I guess > these CPEs show up for us because the database entry does not contain > any version number: > > cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:* > > What about ignoring such version-less entries in buildroot? > > Thomas suggested to get the NIST database fixed: > https://lists.buildroot.org/pipermail/buildroot/2022-August/648210.html > > but these entries can show up again and again... And providing proof > that a disputed entry from 2007 should be removed from their database is > beyond my capabilities... Not really, you just have to e-mail nvd@nist.gov, and provide some evidence that the issue has been fixed in commit XYZ, which was merged in release ABC. Thomas
Hello, On Mon, 1 Aug 2022 20:05:23 +0200 Bernd Kuhls <bernd.kuhls@t-online.de> wrote: > my understanding of the CVE/CPE stuff is rather limited but I guess > these CPEs show up for us because the database entry does not contain > any version number: > > cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:* > > What about ignoring such version-less entries in buildroot? No, this cannot work: at the time a CVE is added, it is sometimes not known in which version the issue is fixed... because the fix may not yet be in a stable release. So it is probably quite common to see a CPE ID with "*" as the version, until the issue is fixed in an official release of the project. So ignoring version-less entries is really not a good idea, as we could really miss a lot of real security problems. Thomas
diff --git a/package/apache/apache.mk b/package/apache/apache.mk index 315282baac..e199194e84 100644 --- a/package/apache/apache.mk +++ b/package/apache/apache.mk @@ -11,6 +11,33 @@ APACHE_LICENSE = Apache-2.0 APACHE_LICENSE_FILES = LICENSE APACHE_CPE_ID_VENDOR = apache APACHE_CPE_ID_PRODUCT = http_server +# only Windows affected +APACHE_IGNORE_CVES += CVE-1999-0289 +# only Debian affected +APACHE_IGNORE_CVES += CVE-1999-0678 +# unrelated to Linux +APACHE_IGNORE_CVES += CVE-1999-1412 +# disputed CVE +APACHE_IGNORE_CVES += CVE-2007-0086 +# unrelated to Apache +APACHE_IGNORE_CVES += CVE-2007-0450 +# fixed in version 2.2.5 +APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168 +# fixed in version 2.2.7 +APACHE_IGNORE_CVES += CVE-2007-5000 CVE-2007-6420 CVE-2007-6420 \ + CVE-2007-6421 CVE-2007-6422 CVE-2007-6423 CVE-2008-0455 +# fixed in version 2.2.10 +APACHE_IGNORE_CVES += CVE-2008-2939 +# fixed in version 2.2.12 +APACHE_IGNORE_CVES += CVE-2009-1195 CVE-2009-1890 CVE-2009-1891 +# fixed in version 2.2.14 +APACHE_IGNORE_CVES += CVE-2009-2699 +# fixed in version 2.2.15 +APACHE_IGNORE_CVES += CVE-2010-0408 CVE-2010-0425 CVE-2010-0434 +# fixed in version 2.2.16 +APACHE_IGNORE_CVES += CVE-2010-1452 +# fixed in version 2.4.10 +APACHE_IGNORE_CVES += CVE-2014-0231 APACHE_SELINUX_MODULES = apache # Needed for mod_php APACHE_INSTALL_STAGING = YES
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> --- package/apache/apache.mk | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+)