[1/1] package/apache: ignore various CVEs

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 package/apache/apache.mk | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

On 31/07/2022 13:12, Bernd Kuhls wrote:
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>   package/apache/apache.mk | 27 +++++++++++++++++++++++++++
>   1 file changed, 27 insertions(+)
> 
> diff --git a/package/apache/apache.mk b/package/apache/apache.mk
> index 315282baac..e199194e84 100644
> --- a/package/apache/apache.mk
> +++ b/package/apache/apache.mk
> @@ -11,6 +11,33 @@ APACHE_LICENSE = Apache-2.0
>   APACHE_LICENSE_FILES = LICENSE
>   APACHE_CPE_ID_VENDOR = apache
>   APACHE_CPE_ID_PRODUCT = http_server
> +# only Windows affected
> +APACHE_IGNORE_CVES += CVE-1999-0289
> +# only Debian affected
> +APACHE_IGNORE_CVES += CVE-1999-0678
> +# unrelated to Linux
> +APACHE_IGNORE_CVES += CVE-1999-1412
> +# disputed CVE

  That's a bit a weak reason, but OK.

> +APACHE_IGNORE_CVES += CVE-2007-0086
> +# unrelated to Apache
> +APACHE_IGNORE_CVES += CVE-2007-0450
> +# fixed in version 2.2.5

  Then why do we need to exclude it? Is there something wrong with the CVE's CPE 
information? Or with our own CPE information? Or with our cpedb script?

  There should be no need to have exclusions for CVEs that are fixed in a 
version <= the current one - unless it re-surfaced in a newer version.

  Regards,
  Arnout

> +APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168
> +# fixed in version 2.2.7
> +APACHE_IGNORE_CVES += CVE-2007-5000 CVE-2007-6420 CVE-2007-6420 \
> +	CVE-2007-6421 CVE-2007-6422 CVE-2007-6423 CVE-2008-0455
> +# fixed in version 2.2.10
> +APACHE_IGNORE_CVES += CVE-2008-2939
> +# fixed in version 2.2.12
> +APACHE_IGNORE_CVES += CVE-2009-1195 CVE-2009-1890 CVE-2009-1891
> +# fixed in version 2.2.14
> +APACHE_IGNORE_CVES += CVE-2009-2699
> +# fixed in version 2.2.15
> +APACHE_IGNORE_CVES += CVE-2010-0408 CVE-2010-0425 CVE-2010-0434
> +# fixed in version 2.2.16
> +APACHE_IGNORE_CVES += CVE-2010-1452
> +# fixed in version 2.4.10
> +APACHE_IGNORE_CVES += CVE-2014-0231
>   APACHE_SELINUX_MODULES = apache
>   # Needed for mod_php
>   APACHE_INSTALL_STAGING = YES

Hi Arnout,

Am Mon, 1 Aug 2022 19:56:53 +0200 schrieb Arnout Vandecappelle:

>> +# fixed in version 2.2.5
>> +APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168

>   Then why do we need to exclude it? Is there something wrong with the 
CVE's CPE 
> information? Or with our own CPE information? Or with our cpedb script?

my understanding of the CVE/CPE stuff is rather limited but I guess these 
CPEs show up for us because the database entry does not contain any 
version number:

cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*

What about ignoring such version-less entries in buildroot?

Thomas suggested to get the NIST database fixed:
https://lists.buildroot.org/pipermail/buildroot/2022-August/648210.html

but these entries can show up again and again... And providing proof that 
a disputed entry from 2007 should be removed from their database is 
beyond my capabilities...

Regards, Bernd

On 01/08/2022 20:05, Bernd Kuhls wrote:
> Hi Arnout,
> 
> Am Mon, 1 Aug 2022 19:56:53 +0200 schrieb Arnout Vandecappelle:
> 
>>> +# fixed in version 2.2.5
>>> +APACHE_IGNORE_CVES += CVE-2007-4465 CVE-2008-2168
> 
>>    Then why do we need to exclude it? Is there something wrong with the
> CVE's CPE
>> information? Or with our own CPE information? Or with our cpedb script?
> 
> my understanding of the CVE/CPE stuff is rather limited but I guess these
> CPEs show up for us because the database entry does not contain any
> version number:
> 
> cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
> 
> What about ignoring such version-less entries in buildroot?
> 
> Thomas suggested to get the NIST database fixed:
> https://lists.buildroot.org/pipermail/buildroot/2022-August/648210.html
> 
> but these entries can show up again and again... And providing proof that
> a disputed entry from 2007 should be removed from their database is
> beyond my capabilities...

  The disputed entry is OK(ish). It's the ones where the version information in 
NVD is wrong that we don't want the exception.

  Regards,
  Arnout

> 
> Regards, Bernd
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

Hello Bernd,

On Mon, 1 Aug 2022 20:05:23 +0200
Bernd Kuhls <bernd.kuhls@t-online.de> wrote:

> my understanding of the CVE/CPE stuff is rather limited but I guess 
> these CPEs show up for us because the database entry does not contain 
> any version number:
> 
> cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
> 
> What about ignoring such version-less entries in buildroot?
> 
> Thomas suggested to get the NIST database fixed:
> https://lists.buildroot.org/pipermail/buildroot/2022-August/648210.html
> 
> but these entries can show up again and again... And providing proof 
> that a disputed entry from 2007 should be removed from their database is 
> beyond my capabilities...

Not really, you just have to e-mail nvd@nist.gov, and provide some
evidence that the issue has been fixed in commit XYZ, which was merged
in release ABC.

Thomas

Hello,

On Mon, 1 Aug 2022 20:05:23 +0200
Bernd Kuhls <bernd.kuhls@t-online.de> wrote:

> my understanding of the CVE/CPE stuff is rather limited but I guess 
> these CPEs show up for us because the database entry does not contain 
> any version number:
> 
> cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
> 
> What about ignoring such version-less entries in buildroot?

No, this cannot work: at the time a CVE is added, it is sometimes not
known in which version the issue is fixed... because the fix may not
yet be in a stable release. So it is probably quite common to see a CPE
ID with "*" as the version, until the issue is fixed in an official
release of the project.

So ignoring version-less entries is really not a good idea, as we could
really miss a lot of real security problems.

Thomas