[Buildroot] [autobuild.buildroot.net] Your daily results for 2021-08-15

Thomas Petazzoni thomas.petazzoni at bootlin.com
Tue Aug 17 10:56:24 UTC 2021


On Tue, 17 Aug 2021 12:35:20 +0200
Peter Korsgaard <peter at korsgaard.com> wrote:

>  >              name              |       CVE        |                             link                            
>  > -------------------------------+------------------+--------------------------------------------------------------
>  >                      mosquitto | CVE-2021-34432   | https://security-tracker.debian.org/tracker/CVE-2021-34432    
> 
> Hmm, looks like we have a bug in the version comparison logic. We have
> 2.0.11 and the CPE data states <= 2.0.7:

No, the CPE data states: "Up to (including) 2.07". Notice how 2.07 is
different than 2.0.7 ?

2.07 is indeed "newer" than 2.0.11, so our comparison logic works fine.
You can look at
https://nvd.nist.gov/vuln/detail/CVE-2021-34432/cpes?expandCpeRanges=true
which shows the full list of CPE IDs that are considered vulnerable,
and 2.0.11 is among the one considered vulnerable, based on the
(probably incorrect) 2.07 information.

If you have some evidence that shows that the fix only affects versions
up to 2.0.7, then we can contact the NVD maintainers and get the issue
fixed.

Best regards,

Thomas Petazzoni
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


More information about the buildroot mailing list