Buildroot:Security Vulnerability Management

Vulnerability Reporting
There are many different vulnerability databases (open/paid). This section documents the use of the National Vulnerability Database(NVD) provided by the National Institute of Standards and Technology (NIST).

Package Report
The http://autobuild.buildroot.net/stats/ includes a holistic view of all packages CVEs. This information should match the individual reports sent out to the package maintainers but double check the timestamp at the bottom of the page as the pkgstats and maintainer reports don't occur at the same time.

Package Maintainer Reporting
Each week the package maintainers listed in the DEVELOPERS file are emailed with all CVE entries applicable to the current version of the packages they maintain. In some cases these reports may list patched CVEs and a maintainer could sent in updates to the _IGNORE_CVES list under the respective package. On the following week the report will reflect the additional CVE being filtered out. For more information on the ignoring CVEs, see https://buildroot.org/downloads/manual/manual.html under the "generic-package reference" section.

Updating CVE dictionary entries
The NIST organization manages the dictionary we use to identify CVE against packages. Sometimes this can be incorrect or need additional information. To make an update, navigate to https://cveform.mitre.org/ and fill out the form in a similar manner to this example fix-up of the libnids version issue. The important detail is to provide enough argument to make the change and examples of what change you'd propose. If the CPE assignment is incorrect, use the CPE updating notes below instead.


 * 1) "Select a request type" as "Request and update to an existing CVE Entry"
 * 2) "Type of update requested" is suggested to select "Other" and then provide the details in the description field.
 * 3) "CVE ID to be updated" as 2010-0751
 * 4) "Description" as "We've found that the v1.24 fixes the CVE and all prior versions contain the bug.  The CVE currently lists that 1.24 is still vulnerable.  This can be proved by checking the CHANGES file within the source archive(https://sourceforge.net/projects/libnids/files/libnids/1.24/libnids-1.24.tar.gz/download) that outlines this ("fixed another remotely triggerable NULL dereference in ip_fragment.c") comment.  Also within that archive the source code src/ip_fragment on line 378 has the fix (https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5) (NOTE 2010-1144 is a rejected CVE which was split to include 2010-0751)."

Managing CPE entries
To submit a new entry or updated entry to NIST, create an request email to the cpe_dictionary@nist.gov recipient and if possible, attach an individual xml file per package being added/updated. It is OK to have multiple version updates in a single file as long as they are all for the same package. For reference the guidance can be found on the NIST CPE site (https://nvd.nist.gov/products/cpe). (TBD, pending patchsets to try to automate creating this xml http://patchwork.ozlabs.org/project/buildroot/list/?series=183798&archive=both&state=*)