Buildroot:Security Vulnerability Management
Package CVE Report
The http://autobuild.buildroot.net/stats/ includes a holistic view of all packages CVEs. This information should match the individual reports sent out to the package maintainers but double check the timestamp at the bottom of the page as the pkgstats and maintainer reports don't occur at the same time.
Package Maintainer CVE Reporting
Each week the package maintainers listed in the DEVELOPERS file are emailed with all CVE entries applicable to the current version of the packages they maintain. In some cases these reports may list patched CVEs and a maintainer could sent in updates to the <pkg>_IGNORE_CVES list under the respective package. On the following week the report will reflect the additional CVE being filtered out. For more information on the ignoring CVEs, see https://buildroot.org/downloads/manual/manual.html under the "generic-package reference" section.
Updating CVE dictionary entries
The NIST organization manages the dictionary we use to identify CVE against packages. Sometimes this can be incorrect or need additional information. To make an update, navigate to https://cveform.mitre.org/ and fill out the form in a similar manner to this example fix-up of the libnids version issue. The important detail is to provide enough argument to make the change and examples of what change you'd propose.
- "Select a request type" as "Request and update to an existing CVE Entry"
- "Type of update requested" as "Update Description"
- "CVE ID to be updated" as 2010-0751
- "Description" as "We've found that the v1.24 fixes the CVE and all prior versions contain the bug. The CVE currently lists that 1.24 is still vulnerable. This can be proved by checking the CHANGES file within the source archive(https://sourceforge.net/projects/libnids/files/libnids/1.24/libnids-1.24.tar.gz/download) that outlines this ("fixed another remotely triggerable NULL dereference in ip_fragment.c") comment. Also within that archive the source code src/ip_fragment on line 378 has the fix (https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5) (NOTE 2010-1144 is a rejected CVE which was split to include 2010-0751)."