[Buildroot] [PATCH v3 0/8] Improving CVE reporting

Titouan Christophe titouan.christophe at railnova.eu
Tue Jul 28 22:07:14 UTC 2020


Hello all,

On 28/07/20 09:52, Thomas Petazzoni wrote:
> 
> Could you give some specific example of where those AND operators with
> child nodes are used ? This would help understand what are the
> situations that make use of this.
> 
> Thanks!
> 
> Thomas
> 

See for example CVE-2019-3699 
(https://nvd.nist.gov/vuln/detail/CVE-2019-3699). This is about a 
vulnerability of privoxy when it runs on openSUSE. This CVE is currently
detected for the privoxy package on http://autobuild.buildroot.net/stats/

I have extracted the NVD entry from the NVD 2019 json file for 
convenience: http://paste.awesom.eu/ibNy . The matching CPEs are 
logically declared as follows:

AND(
     privoxy:privoxy <3.0.28-lp151.1.1,
     opensuse:leap:15.1
)


They seem to use this to indicate if a particular distribution/OS is 
vulnerable to the CVE.

Titouan
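
Added example, not part of the original message and not Buildroot's code: evaluating an AND node with child nodes, next to a matcher that ignores the operator and therefore reports the CVE for any privoxy. It assumes the node layout of the NVD JSON 1.1 feeds (`operator`, `children`, `cpe_match`, `cpe23Uri`, `versionEndExcluding`); the sample entry, the two inventories and the numeric-only version ordering are constructed for illustration.

```python
import re

# Constructed sample: the AND(...) declaration from the message, laid out as
# NVD JSON 1.1 configuration nodes. It is not the real NVD record.
SAMPLE_NODES = [{
    "operator": "AND",
    "children": [
        {"operator": "OR", "cpe_match": [{"vulnerable": True,
            "cpe23Uri": "cpe:2.3:a:privoxy:privoxy:*:*:*:*:*:*:*:*",
            "versionEndExcluding": "3.0.28-lp151.1.1"}]},
        {"operator": "OR", "cpe_match": [{"vulnerable": False,
            "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"}]},
    ],
}]
# Constructed inventories, keyed by (vendor, product) -> version.
NO_LEAP = {("privoxy", "privoxy"): "3.0.28"}
ON_LEAP = {("privoxy", "privoxy"): "3.0.28", ("opensuse", "leap"): "15.1"}

def vkey(version):
    # Assumption: order versions by their numeric fields only.
    return [int(n) for n in re.findall(r"\d+", version)]

def cpe_matches(match, inventory):
    """True if the inventory holds the product this cpe_match names."""
    _, _, _, vendor, product, version = match["cpe23Uri"].split(":")[:6]
    have = inventory.get((vendor, product))
    if have is None or (version not in ("*", "-") and version != have):
        return False
    end = match.get("versionEndExcluding")
    return end is None or vkey(have) < vkey(end)

def node_applies(node, inventory):
    """AND needs every operand to match; any other operator is read as OR."""
    operands = [cpe_matches(m, inventory) for m in node.get("cpe_match", [])]
    operands += [node_applies(c, inventory) for c in node.get("children", [])]
    combine = all if node.get("operator") == "AND" else any
    return bool(operands) and combine(operands)

def cve_applies(nodes, inventory):
    return any(node_applies(n, inventory) for n in nodes)

def flat_applies(nodes, inventory):
    """Operator-blind check: any vulnerable CPE anywhere in the tree."""
    stack, hits = list(nodes), []
    while stack:
        node = stack.pop()
        stack += node.get("children", [])
        hits += [m for m in node.get("cpe_match", []) if m.get("vulnerable")]
    return any(cpe_matches(m, inventory) for m in hits)
```
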


