Specify that iostat 'package' has been removed to be consistent with
other entries
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit fd7312940a (Makefile: add new missing-cpe target) added the
rule to generate a set of files to update the NVD.
For an in-tree build, 'make clean' remove the output directory, so
those files are removed. But for an out-of-tree build, the output
directory is not removed, so those files still linger around after a
clean.
Explicitly remove them on clean, to cater for both cases.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Matthew Weber <matthew.weber@collins.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The application library (liblvm2app) has been dropped since version
2.03.00 and
0d22b58172
It should be noted that lvm2 support must be dropped from udisks until
a bump to at least version 2.7.0 and
4c0709a893
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- slightly expand help text for legacy BR2_PACKAGE_UDISKS_LVM2
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issues:
- CVE-2020-8696: Description: Improper removal of sensitive information
before storage or transfer in some Intel(R) Processors may allow an
authenticated user to potentially enable information disclosure via local
access
- CVE-2020-8698: Description: Improper isolation of shared resources in some
Intel(R) Processors may allow an authenticated user to potentially enable
information disclosure via local access
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html
License file updated with the new year, so change hash accordingly.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: explain license hash change]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
From the release notes:
================================================================================
Redis 6.2.3 Released Mon May 3 19:00:00 IST 2021
================================================================================
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. LOW otherwise.
Read more on https://github.com/redis/redis/blob/6.2.3/00-RELEASENOTES
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
lvmetad has been dropped since version 2.03.00 and
117160b27e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When doing analysis it is helpful to be able to view what CVE have
been patched / diagnosed to not apply to Buildroot. This exposes
that list to the reporting and prevents a step where you have to
dig into the .mk's of a pkg to check for sure what has been
ignored.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: only set background if there are ignored CVEs]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
For cases of a CPE having a unknown version or when there hasn't
been a CPE verified, proposed a search criteria to help the
user research an update.
(libcurl has NIST dict entries but not this version)
cpe:2.3🅰️haxx:libcurl:7.76.1:*:*:*:*:*:*:*
CPE identifier unknown in CPE database (Search)
(jitterentropy-library package doesn't have any NIST dict entries)
no verified CPE identifier (Search)
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: fix flake8 issues]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
It invokes the recently introduced gen-missing-cpe script.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This script queries the list of CPE IDs for the packages of the
current configuration (based on the "make show-info" output), and:
- for CPE IDs that do not have any matching entry in the CPE
database, it emits a warning
- for CPE IDs that do have a matching entry, but not with the same
version, it generates a snippet of XML that can be used to propose
an updated version to NIST.
Ref: NIST has a group email (cpe_dictionary@nist.gov) used to
recieve these version update and new entry xml files. They do
process the XML and provide feedback. In some cases they will
propose back something different where the vendor or version is
slightly different.
Limitations
- Currently any use of non-number version identifiers isn't
supported by NIST as they use ranges to determine impact
of a CVE
- Any Linux version from a non-upstream is also not supported
without manually adjusting the information as the custom
kernel will more then likely not match the upstream version
used in the dictionary
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr:
- codestyles as spotted by Arnout
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix CVE-2021-21252: The jQuery Validation Plugin provides drop-in
validation for your existing forms. It is published as an npm package
"jquery-validation". jquery-validation before version 1.19.3 contains
one or more regular expressions that are vulnerable to ReDoS (Regular
Expression Denial of Service).
Update hash of README.md due to changes not related to license
https://github.com/jquery-validation/jquery-validation/releases/tag/1.19.3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
