[Buildroot] [PATCH 1/1] package/apparmor: ignore CVE-2016-1585

Thomas Petazzoni thomas.petazzoni at bootlin.com
Sat Apr 19 14:05:59 UTC 2025


Hello Raphaël,

On Mon, 14 Apr 2025 16:11:48 +0200
Raphaël Mélotte via buildroot <buildroot at buildroot.org> wrote:

> CVE-2016-1585 is fixed in the following versions:
> apparmor 3.1.6 https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.6
> apparmor 3.0.12 https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.12
> apparmor 2.13.10 https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.10
> 
> See the bug report at [1] and in particular the comment at [2].
> 
> The NVD CPE does not contain version numbers, so our CVE checker still
> reports it.
> The issue was reported to the NVD by email, but in the meantime let's
> ignore it to reduce the noise in our CVE checker.

Thanks for the patch. However, I'm not sure I'm happy with ignoring
entries that are ultimately "bugs" in the NVD database. Have you heard
back from upstream NVD about your report?

In fact, I'm worried about this APPARMOR_IGNORE_CVES staying forever.
Does our pkg-stats script report those stale CVE entries? If it did,
then we could consider merging your patch, because we know that once
the NVD database gets updated, we'll get a warning/notification from
pkg-stats that this APPARMOR_IGNORE_CVES entry should be dropped.

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
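The check Thomas asks about, written out as an added example: given the package version, the NVD CPE match data and the package's IGNORE_CVES list, report which ignore entries have gone stale because NVD no longer matches the version. This is illustrative Python, not Buildroot's own support/scripts/pkg-stats, and the CVE records, the version "3.1.7" and the ignore list are constructed for the example. The match-node fields mirror the NVD feed's versionStartIncluding / versionStartExcluding / versionEndIncluding / versionEndExcluding keys; versions are assumed to be plain dotted numbers.

```python
# Illustrative stale-IGNORE_CVES check. NOT Buildroot's support/scripts/pkg-stats;
# every CVE record, version and ignore entry below is constructed for the example.
from dataclasses import dataclass, field
from typing import List, Optional


def parse_version(v: str) -> tuple:
    """Turn a plain dotted numeric version ("3.1.10") into a comparable tuple.

    Assumption: versions are purely numeric components, as Buildroot's
    <PKG>_VERSION usually is. Anything else raises rather than miscomparing.
    """
    return tuple(int(p) for p in v.split("."))


@dataclass
class CpeMatch:
    """One NVD CPE match node, reduced to the version-range fields."""
    start_including: Optional[str] = None   # versionStartIncluding
    start_excluding: Optional[str] = None   # versionStartExcluding
    end_including: Optional[str] = None     # versionEndIncluding
    end_excluding: Optional[str] = None     # versionEndExcluding

    def matches(self, version: str) -> bool:
        v = parse_version(version)
        if self.start_including and v < parse_version(self.start_including):
            return False
        if self.start_excluding and v <= parse_version(self.start_excluding):
            return False
        if self.end_including and v > parse_version(self.end_including):
            return False
        if self.end_excluding and v >= parse_version(self.end_excluding):
            return False
        # No bounds at all means NVD lists the product without a version:
        # the conservative reading is that every version is affected.
        return True


@dataclass
class Cve:
    cve_id: str
    matches: List[CpeMatch] = field(default_factory=list)

    def affects(self, version: str) -> bool:
        return any(m.matches(version) for m in self.matches)


def check_package(version: str, cves: List[Cve], ignore_cves: List[str]):
    """Classify the CVEs of one package version.

    Returns three sorted lists:
      open       - CVEs NVD matches for this version and that are not ignored
      suppressed - CVEs NVD still matches but that <PKG>_IGNORE_CVES hides
      stale      - ignore entries whose CVE no longer matches this version
                   (NVD was corrected, or the package was bumped past the fix),
                   i.e. entries that should be dropped from <PKG>_IGNORE_CVES
    """
    reported = {c.cve_id for c in cves if c.affects(version)}
    ignored = set(ignore_cves)
    return (sorted(reported - ignored),
            sorted(reported & ignored),
            sorted(ignored - reported))


# Constructed sample data (placeholder CVE ids, not real NVD entries).
APPARMOR_VERSION = "3.1.7"
APPARMOR_IGNORE_CVES = ["CVE-0000-0001", "CVE-0000-0002"]

CONSTRUCTED_NVD = [
    # Product listed with no version range at all: matches every version.
    # This is the kind of entry the mail describes.
    Cve("CVE-0000-0001", [CpeMatch()]),
    # Entry that carries a fixed-in bound: 3.1.7 is no longer affected,
    # so an ignore entry for it is stale.
    Cve("CVE-0000-0002", [CpeMatch(end_excluding="3.1.6")]),
    # Bounded range that does cover 3.1.7 and is not ignored: stays open.
    Cve("CVE-0000-0003", [CpeMatch(start_including="3.0", end_excluding="3.2")]),
]


def demo():
    return check_package(APPARMOR_VERSION, CONSTRUCTED_NVD, APPARMOR_IGNORE_CVES)


if __name__ == "__main__":
    open_cves, suppressed, stale = demo()
    print("open:", open_cves)
    print("suppressed by IGNORE_CVES:", suppressed)
    print("stale IGNORE_CVES entries, drop them:", stale)
```

A match node without any version bound is treated as affecting every version, which is why an NVD entry with a version-less CPE keeps being reported no matter how far the package is bumped. The ignore entry for such a CVE only shows up as stale once NVD adds the fixed-in bound, so the stale list is exactly the notification the reply asks for.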

