[Buildroot] [autobuild.buildroot.net] Your daily results for 2020-10-25
Matthew Weber
matthew.weber at rockwellcollins.com
Tue Oct 27 13:32:39 UTC 2020
Tudor,
On Mon, Oct 26, 2020 at 4:08 AM Tudor Holton <tudor at tudorholton.com> wrote:
>
> Hi all,
>
> The CVE listed below appears only to relate to openjdk6 and openjdk7.
> The current package builds openjdk11.0.8 or openjdk14.0.2.
>
The vulnerability database must not be mapping the impacted versions
correctly (i.e. CVE is applicable to which CPE or range of CPE
versions). When I look at
https://nvd.nist.gov/vuln/detail/CVE-2013-0169 , I see specific
entries for 1.6 / 1.7 / 1.8 and an entry of
cpe:2.3:a:oracle:openjdk:-:*:*:*:*:*:*:* . I wonder if we are
incorrectly string matching that "-" as a version? +Gregory any
ideas?

Tudor, you can definitely send a patch to ignore this CVE but I
believe we may have a matching issue with our scripts. As the
following are the listed CPE matches which according to the CVE text
look correct.

cpe:2.3:a:oracle:openjdk:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:openjdk:1.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:openjdk:1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:openjdk:1.8.0:*:*:*:*:*:*:*

Best Regards,
Matt
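
Added example, not Buildroot's script and not part of the original message: a minimal CPE 2.3 version comparison run over the four entries quoted above. It shows that reading "-" as the NA value defined by the CPE 2.3 naming specification gives no match for 11.0.8, while reading it as a wildcard flags every version. The function names and the `dash_is_wildcard` switch are assumptions made for illustration.

```python
import re

# The four CPE match entries quoted in the message above.
CPES = [
    "cpe:2.3:a:oracle:openjdk:-:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:openjdk:1.6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:openjdk:1.7.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:openjdk:1.8.0:*:*:*:*:*:*:*",
]

FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 attributes."""
    # Split on ':' unless it is backslash-escaped inside a value.
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(FIELDS, parts[2:]))


def version_matches(cpe_version, pkg_version, dash_is_wildcard=False):
    """Compare one CPE version attribute against a concrete package version."""
    if cpe_version == "*":          # ANY: matches every version
        return True
    if cpe_version == "-":          # NA: no version value applies
        return dash_is_wildcard     # a wildcard reading makes this match all
    return cpe_version == pkg_version   # literal value (no range handling)


def affected_by(cpes, vendor, product, pkg_version, dash_is_wildcard=False):
    """Return the CPE strings that match the given package and version."""
    hits = []
    for cpe in cpes:
        f = parse_cpe23(cpe)
        if (f["vendor"], f["product"]) != (vendor, product):
            continue
        if version_matches(f["version"], pkg_version, dash_is_wildcard):
            hits.append(cpe)
    return hits


if __name__ == "__main__":
    for v in ("11.0.8", "14.0.2", "1.7.0"):
        print(v, "NA:", affected_by(CPES, "oracle", "openjdk", v),
              "wildcard:", affected_by(CPES, "oracle", "openjdk", v, True))
```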