[Buildroot] [PATCH 1/1] package/apache: ignore various CVEs
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Mon Aug 1 18:55:52 UTC 2022
Hello Bernd,
On Mon, 1 Aug 2022 20:05:23 +0200
Bernd Kuhls <bernd.kuhls at t-online.de> wrote:
> my understanding of the CVE/CPE stuff is rather limited but I guess
> these CPEs show up for us because the database entry does not contain
> any version number:
>
> cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
>
> What about ignoring such version-less entries in buildroot?
>
> Thomas suggested to get the NIST database fixed:
> https://lists.buildroot.org/pipermail/buildroot/2022-August/648210.html
>
> but these entries can show up again and again... And providing proof
> that a disputed entry from 2007 should be removed from their database is
> beyond my capabilities...
Not really, you just have to e-mail nvd at nist.gov, and provide some
evidence that the issue has been fixed in commit XYZ, which was merged
in release ABC.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
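The case raised in the quoted message, a CPE match whose version field is `-` and which carries no version range, can be listed for manual review rather than ignored wholesale. The script below is an added example, not part of the original thread and not Buildroot's code; the match-record keys (`cpe23Uri`, `versionStartIncluding` and so on) are assumed to follow the NVD JSON 1.1 feed layout, and the CVE ids and version numbers in the sample are constructed placeholders.

```python
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")


def parse_cpe23(uri):
    """Split a CPE 2.3 formatted string into its 11 named attributes."""
    # Attribute values may contain a backslash-escaped colon, so split
    # only on colons that are not preceded by a backslash.
    parts = re.split(r"(?<!\\):", uri)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % uri)
    return dict(zip(CPE_FIELDS, parts[2:]))


def is_versionless(match):
    """True when a match names no version and carries no version range."""
    version = parse_cpe23(match["cpe23Uri"])["version"]
    return version in ("-", "*") and not any(k in match for k in RANGE_KEYS)


def versionless_hits(cve_matches, vendor, product):
    """Return CVE ids whose only link to vendor:product is version-less."""
    hits = []
    for cve_id, matches in cve_matches.items():
        parsed = [(m, parse_cpe23(m["cpe23Uri"])) for m in matches]
        ours = [m for m, cpe in parsed
                if (cpe["vendor"], cpe["product"]) == (vendor, product)]
        # Flag only when every match for this product lacks version data.
        if ours and all(is_versionless(m) for m in ours):
            hits.append(cve_id)
    return sorted(hits)


# Constructed sample data; the CVE ids are placeholders, not real entries.
SAMPLE = {
    "CVE-0000-0001": [{"cpe23Uri": "cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*"}],
    "CVE-0000-0002": [{"cpe23Uri": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
                       "versionEndExcluding": "2.4.54"}],
    "CVE-0000-0003": [{"cpe23Uri": "cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*"}],
}

if __name__ == "__main__":
    for cve_id in versionless_hits(SAMPLE, "apache", "http_server"):
        print(cve_id, "has no version data; review before ignoring")
```

Entries the script flags are candidates for a report to NVD with the fixing commit and release, as the reply suggests, instead of a permanent ignore entry.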