| Message ID | 20201021074424.13589-1-judge.packham@gmail.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | package/syslog-ng: Ignore CVE-2008-5110 | expand |
Hello Chris, On Wed, 21 Oct 2020 20:44:24 +1300 Chris Packham <judge.packham@gmail.com> wrote: > This as fixed in syslog-ng 2.0.10 but the NVD database hasn't been > updated. > > Signed-off-by: Chris Packham <judge.packham@gmail.com> > --- > package/syslog-ng/syslog-ng.mk | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk > index 7c2368efba..8587da746a 100644 > --- a/package/syslog-ng/syslog-ng.mk > +++ b/package/syslog-ng/syslog-ng.mk > @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES > SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \ > --disable-java --disable-java-modules --disable-mongodb > > +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not > +# aware of the fix, ignore it > +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110 But as proposed over e-mail separately, the proper fix is to modify the NVD database. Have you had the chance to report the issue to the NVD database maintainers ? Thanks! Thomas
Hi Thomas, On Fri, Oct 23, 2020 at 2:43 AM Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote: > > Hello Chris, > > On Wed, 21 Oct 2020 20:44:24 +1300 > Chris Packham <judge.packham@gmail.com> wrote: > > > This as fixed in syslog-ng 2.0.10 but the NVD database hasn't been > > updated. > > > > Signed-off-by: Chris Packham <judge.packham@gmail.com> > > --- > > package/syslog-ng/syslog-ng.mk | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk > > index 7c2368efba..8587da746a 100644 > > --- a/package/syslog-ng/syslog-ng.mk > > +++ b/package/syslog-ng/syslog-ng.mk > > @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES > > SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \ > > --disable-java --disable-java-modules --disable-mongodb > > > > +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not > > +# aware of the fix, ignore it > > +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110 > > But as proposed over e-mail separately, the proper fix is to modify the > NVD database. Have you had the chance to report the issue to the NVD > database maintainers ? > Sorry for taking so long to get back. I have reported the issue. Apparently I should be getting an email with a ticket number but no sign of it yet. > Thanks! > > Thomas > -- > Thomas Petazzoni, CTO, Bootlin > Embedded Linux and Kernel engineering > https://bootlin.com
On Mon, Nov 2, 2020 at 7:54 PM Chris Packham <judge.packham@gmail.com> wrote: > > Hi Thomas, > > On Fri, Oct 23, 2020 at 2:43 AM Thomas Petazzoni > <thomas.petazzoni@bootlin.com> wrote: > > > > Hello Chris, > > > > On Wed, 21 Oct 2020 20:44:24 +1300 > > Chris Packham <judge.packham@gmail.com> wrote: > > > > > This as fixed in syslog-ng 2.0.10 but the NVD database hasn't been > > > updated. > > > > > > Signed-off-by: Chris Packham <judge.packham@gmail.com> > > > --- > > > package/syslog-ng/syslog-ng.mk | 4 ++++ > > > 1 file changed, 4 insertions(+) > > > > > > diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk > > > index 7c2368efba..8587da746a 100644 > > > --- a/package/syslog-ng/syslog-ng.mk > > > +++ b/package/syslog-ng/syslog-ng.mk > > > @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES > > > SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \ > > > --disable-java --disable-java-modules --disable-mongodb > > > > > > +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not > > > +# aware of the fix, ignore it > > > +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110 > > > > But as proposed over e-mail separately, the proper fix is to modify the > > NVD database. Have you had the chance to report the issue to the NVD > > database maintainers ? > > > > Sorry for taking so long to get back. I have reported the issue. > Apparently I should be getting an email with a ticket number but no > sign of it yet. > They've bumped me on to secalert@redhat.com so we'll see ow that goes. > > Thanks! > > > > Thomas > > -- > > Thomas Petazzoni, CTO, Bootlin > > Embedded Linux and Kernel engineering > > https://bootlin.com
On Wed, 11 Nov 2020, 8:22 PM Chris Packham, <judge.packham@gmail.com> wrote: > On Mon, Nov 2, 2020 at 7:54 PM Chris Packham <judge.packham@gmail.com> > wrote: > > > > Hi Thomas, > > > > On Fri, Oct 23, 2020 at 2:43 AM Thomas Petazzoni > > <thomas.petazzoni@bootlin.com> wrote: > > > > > > Hello Chris, > > > > > > On Wed, 21 Oct 2020 20:44:24 +1300 > > > Chris Packham <judge.packham@gmail.com> wrote: > > > > > > > This as fixed in syslog-ng 2.0.10 but the NVD database hasn't been > > > > updated. > > > > > > > > Signed-off-by: Chris Packham <judge.packham@gmail.com> > > > > --- > > > > package/syslog-ng/syslog-ng.mk | 4 ++++ > > > > 1 file changed, 4 insertions(+) > > > > > > > > diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/ > syslog-ng.mk > > > > index 7c2368efba..8587da746a 100644 > > > > --- a/package/syslog-ng/syslog-ng.mk > > > > +++ b/package/syslog-ng/syslog-ng.mk > > > > @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES > > > > SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \ > > > > --disable-java --disable-java-modules --disable-mongodb > > > > > > > > +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database > is not > > > > +# aware of the fix, ignore it > > > > +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110 > > > > > > But as proposed over e-mail separately, the proper fix is to modify the > > > NVD database. Have you had the chance to report the issue to the NVD > > > database maintainers ? > > > > > > > Sorry for taking so long to get back. I have reported the issue. > > Apparently I should be getting an email with a ticket number but no > > sign of it yet. > > > > They've bumped me on to secalert@redhat.com so we'll see how that goes. > Looks like the text has been updated to say that the vulnerability affects versions up to 2.0.9 but the cpe info hasn't been updated yet. >
diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk index 7c2368efba..8587da746a 100644 --- a/package/syslog-ng/syslog-ng.mk +++ b/package/syslog-ng/syslog-ng.mk @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \ --disable-java --disable-java-modules --disable-mongodb +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not +# aware of the fix, ignore it +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110 + ifeq ($(BR2_PACKAGE_GEOIP),y) SYSLOG_NG_DEPENDENCIES += geoip SYSLOG_NG_CONF_OPTS += --enable-geoip
This as fixed in syslog-ng 2.0.10 but the NVD database hasn't been updated. Signed-off-by: Chris Packham <judge.packham@gmail.com> --- package/syslog-ng/syslog-ng.mk | 4 ++++ 1 file changed, 4 insertions(+)