package/lightning: stop spam!

Message ID 20211015215003.181073-1-paul@crapouillou.net
State Accepted
Series: package/lightning: stop spam!

Commit Message

Paul Cercueil Oct. 15, 2021, 9:50 p.m. UTC
Every week I receive an automated email that tells me about the
CVE-2020-7747 vulnerability in Lightning. This vulnerability however
applies to the Javascript lightning-server project, and not to the
GNU Lightning project.

Ignore this CVE in the Lightning package to reduce my stress levels.

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
---
 package/lightning/lightning.mk | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Yann E. MORIN Oct. 16, 2021, 8:02 a.m. UTC | #1
Paul, All,

+Matthew

On 2021-10-15 22:50 +0100, Paul Cercueil spake thusly:
> Every week I receive an automated email that tells me about the
> CVE-2020-7747 vulnerability in Lightning. This vulnerability however
> applies to the Javascript lightning-server project, and not to the
> GNU Lightning project.
> 
> Ignore this CVE in the Lightning package to reduce my stress levels.
> 
> Signed-off-by: Paul Cercueil <paul@crapouillou.net>

The goal of sending those automated emails is explicitly to have people
registered in DEVELOPERS take action on those CVE reports. Such
actions can be bumping the package to a non-affected version,
backporting an upstream patch, or, as you did, marking them to be ignored.

Bonus point if the NIST CPE DB is updated to avoid the mismatch, like
adding an entry for GNU lightning, and thus setting the correct CPE_ID
in Buildroot.

Matt: is there a process to update the NIST CPE DB? Can we add that in the
manual, even just as a URL?

Anyway: applied to master, after rewording the commit log to avoid the
personal-tone message, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/lightning/lightning.mk | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
> index 3bd17bef56..38b132e082 100644
> --- a/package/lightning/lightning.mk
> +++ b/package/lightning/lightning.mk
> @@ -12,6 +12,10 @@ LIGHTNING_INSTALL_STAGING = YES
>  # We're patching include/Makefile.am
>  LIGHTNING_AUTORECONF = YES
>  
> +# CVE-2020-7747 is for the Javascript lightning-server project, and not for
> +# GNU Lightning.
> +LIGHTNING_IGNORE_CVES = CVE-2020-7747
> +
>  ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
>  LIGHTNING_DEPENDENCIES += binutils zlib
>  LIGHTNING_CONF_OPTS += --enable-disassembler
> -- 
> 2.33.0
> 
Frager, Neal via buildroot Oct. 18, 2021, 1:21 p.m. UTC | #2
Yann,

> From: Yann E. MORIN <yann.morin.1998@free.fr>
> Sent: Saturday, October 16, 2021 3:02 AM
> To: Paul Cercueil <paul@crapouillou.net>
> Cc: buildroot@buildroot.org <buildroot@buildroot.org>; Weber, Matthew L Collins <Matthew.Weber@collins.com>
> Subject: [External] Re: [Buildroot] [PATCH] package/lightning: stop spam!
>  
> Paul, All,
>
> +Matthew
>
> On 2021-10-15 22:50 +0100, Paul Cercueil spake thusly:
> > Every week I receive an automated email that tells me about the
> > CVE-2020-7747 vulnerability in Lightning. This vulnerability however
> > applies to the Javascript lightning-server project, and not to the
> > GNU Lightning project.
> >
> > Ignore this CVE in the Lightning package to reduce my stress levels.
> >
> > Signed-off-by: Paul Cercueil <paul@crapouillou.net>
>
> The goal of sending those automated emails is explicitly to have people
> registered in DEVELOPERS take action on those CVE reports. Such
> actions can be bumping the package to a non-affected version,
> backporting an upstream patch, or, as you did, marking them to be ignored.
>
> Bonus point if the NIST CPE DB is updated to avoid the mismatch, like
> adding an entry for GNU lightning, and thus setting the correct CPE_ID
> in Buildroot.
>
> Matt: is there a process to update the NIST CPE DB? Can we add that in the
> manual, even just as a URL?

Thomas and I had started this elinux page covering adding/updating a CVE or CPE.
https://www.elinux.org/Buildroot:Security_Vulnerability_Management

So in this case, I think we need to submit an entry for the GNU lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as there isn't a CPE. Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR = gnu" so the CVE filter is clear for this package (right now it is free-text based and that's why you've picked up the server CVE). I've emailed the XML [1] to NIST to make this update.

Regards,
Matt



[1]
<?xml version="1.0" encoding="utf-8"?>
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
        <cpe-item name="cpe:/a:gnu:lightning:2.1.3">
                <title xml:lang="en-US">GNU Lightning Project 2.1.3</title>
                <references>
                        <reference href="http://git.savannah.gnu.org/cgit/lightning.git">VERSION</reference>
                        <reference href="https://www.gnu.org/software/lightning/">PRODUCT</reference>
                </references>
                <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"/>
        </cpe-item>
</cpe-list>
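As an added illustration (not Buildroot's own cve.py or pkg-stats code), the following Python models the two matching modes contrasted above: a free-text match on the product name, which picks up the unrelated lightning-server CVE, versus a vendor-qualified CPE match once LIGHTNING_CPE_ID_VENDOR = gnu is set, with LIGHTNING_IGNORE_CVES as the interim suppression. The CVE feed, the placeholder vendor and the CVE-EXAMPLE-* ids are constructed for the example.

```python
# Constructed model of CVE-to-package matching, not Buildroot's support/scripts/cve.py.
# Only the CVE-2020-7747 id and the gnu:lightning CPE come from the thread; the rest is made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Package:
    name: str                          # Buildroot package name, e.g. "lightning"
    version: str                       # <PKG>_VERSION
    cpe_vendor: Optional[str] = None   # <PKG>_CPE_ID_VENDOR; None = no CPE ID set
    ignore_cves: Set[str] = field(default_factory=set)  # <PKG>_IGNORE_CVES

def parse_cpe23(uri: str) -> Tuple[str, str, str]:
    """Split a cpe:2.3 URI into (vendor, product, version)."""
    parts = uri.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a cpe:2.3 URI: %s" % uri)
    return parts[3], parts[4], parts[5]

def affects(pkg: Package, cpe_uris: List[str]) -> bool:
    """True if any affected-product CPE of a CVE matches the package."""
    for uri in cpe_uris:
        vendor, product, version = parse_cpe23(uri)
        if pkg.cpe_vendor is None:
            # Free-text mode: only the product name is compared, so any
            # product whose name contains "lightning" is reported (the false positive).
            if pkg.name in product:
                return True
        elif vendor == pkg.cpe_vendor and product == pkg.name \
                and version in ("*", pkg.version):
            # CPE-ID mode: vendor, product and version must all agree.
            return True
    return False

def report(pkg: Package, cves: Dict[str, List[str]]) -> List[str]:
    """CVE ids that affect pkg and are not explicitly ignored."""
    return sorted(cve for cve, uris in cves.items()
                  if cve not in pkg.ignore_cves and affects(pkg, uris))

# Constructed CVE feed: "placeholder_vendor" and the CVE-EXAMPLE-* ids are placeholders.
CVES = {
    "CVE-2020-7747":    ["cpe:2.3:a:placeholder_vendor:lightning-server:*:*:*:*:*:*:*:*"],
    "CVE-EXAMPLE-0001": ["cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"],
    "CVE-EXAMPLE-0002": ["cpe:2.3:a:gnu:lightning:1.0:*:*:*:*:*:*:*"],
}

if __name__ == "__main__":
    for pkg in (Package("lightning", "2.1.3"),
                Package("lightning", "2.1.3", ignore_cves={"CVE-2020-7747"}),
                Package("lightning", "2.1.3", cpe_vendor="gnu")):
        print(pkg.cpe_vendor, sorted(pkg.ignore_cves), report(pkg, CVES))
```

Without a CPE ID the name heuristic also ignores the version, so a CVE for lightning 1.0 is reported against 2.1.3; with the vendor set, only the matching vendor, product and version is reported.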
Yann E. MORIN Oct. 18, 2021, 3:33 p.m. UTC | #3
Matthew, All,

On 2021-10-18 13:21 +0000, Weber, Matthew L Collins spake thusly:
> > From: Yann E. MORIN <yann.morin.1998@free.fr>
> > Matt: is there a process to update the NIST CPE DB? Can we add that in the
> > manual, even just as an URL?
> Thomas and I had started this elinux page covering adding/updating a CVE or CPE.
> https://www.elinux.org/Buildroot:Security_Vulnerability_Management

Ah, great! :-)

> So in this case, I think we need to submit an entry for the GNU
> lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as
> there isn't a CPE. [...] I've emailed the XML [1] to NIST to make
> this update.

So if I follow correctly, GNU lightning did not exist in the NIST CPE.
I tried to look for it yesterday, and it turned up nothing.

But now, in addition to the one version you submitted (as per your XML,
below), there are a bunch of results, from version 1.0 up to and
including 2.1.3:

    https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3:a:gnu:lightning

They were all added on 2021-10-18, so am I wrong in understanding that
your submission triggered some (automated/manual) scanning of the
upstream repo to generate all those entries?

> Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR =
> gnu" so the CVE filter is clear for this package (right now it is
> free txt based and that's why you've picked up the server CVE).

Patch pending to be sent; pkg-stats still reports "CPE version unknown
in CPE database", although the website does include 2.1.3...

Thanks ! :-)

Regards,
Yann E. MORIN.

> Regards,
> Matt
> 
> 
> 
> [1]
> <?xml version="1.0" encoding="utf-8"?>
> <cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
>         <cpe-item name="cpe:/a:gnu:lightning:2.1.3">
>                 <title xml:lang="en-US">GNU Lightning Project 2.1.3</title>
>                 <references>
>                         <reference href="http://git.savannah.gnu.org/cgit/lightning.git">VERSION</reference>
>                         <reference href="https://www.gnu.org/software/lightning/">PRODUCT</reference>
>                 </references>
>                 <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"/>
>         </cpe-item>
> </cpe-list>
Frager, Neal via buildroot Oct. 18, 2021, 6:13 p.m. UTC | #4
Yann,

> From: Yann E. MORIN <yann.morin.1998@free.fr>
> Sent: Monday, October 18, 2021 10:33 AM
> To: Weber, Matthew L Collins <Matthew.Weber@collins.com>
> Cc: Paul Cercueil <paul@crapouillou.net>; buildroot@buildroot.org <buildroot@buildroot.org>
> Subject: Re: [External] Re: [Buildroot] [PATCH] package/lightning: stop spam!
>  
> Matthew, All,
>
> On 2021-10-18 13:21 +0000, Weber, Matthew L Collins spake thusly:

[snip]

>
> > So in this case, I think we need to submit an entry for the GNU
> > lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as
> > there isn't a CPE. [...] I've emailed the XML [1] to NIST to make
> > this update.
>
> So if I follow correctly, GNU lightning did not exist in the NIST CPE.
> I tried to look for it yesterday, and it turned up nothing.
>
> But now, in addition to the one version you submitted (as per your XML,
> below), there are a bunch of results, from version 1.0 up to and
> including 2.1.3:

Correct, they add all entries so that the package can now be tagged with CVEs when they come up. They needed the latest example XML and then created the rest.

> > Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR =
> > gnu" so the CVE filter is clear for this package (right now it is
> > free txt based and that's why you've picked up the server CVE).
>
> Patch pending to be sent; pkg-stats still reports "CPE version unknown
> in CPE database", although the website does include 2.1.3...

The CPE isn't yet set as valid in Buildroot so it can't find it. (guessing that script has some delay as well for updates?)

Regards,
Matt
Patch

diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
index 3bd17bef56..38b132e082 100644
--- a/package/lightning/lightning.mk
+++ b/package/lightning/lightning.mk
@@ -12,6 +12,10 @@  LIGHTNING_INSTALL_STAGING = YES
 # We're patching include/Makefile.am
 LIGHTNING_AUTORECONF = YES
 
+# CVE-2020-7747 is for the Javascript lightning-server project, and not for
+# GNU Lightning.
+LIGHTNING_IGNORE_CVES = CVE-2020-7747
+
 ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
 LIGHTNING_DEPENDENCIES += binutils zlib
 LIGHTNING_CONF_OPTS += --enable-disassembler
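Review bot: the LIGHTNING_IGNORE_CVES line suppresses the symptom but not its cause, which is that the package has no CPE ID and CVE-2020-7747 is matched on the product name alone; the comment above it should say that the entry is a name-collision workaround and can be dropped once a CPE ID for GNU lightning exists and LIGHTNING_CPE_ID_VENDOR = gnu is set (as the thread discusses), so that the exclusion does not outlive the mismatch it papers over. The commit log should also be reworded to state the technical reason rather than the personal tone, as was done when applying.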