Date: Fri, 25 Mar 2022 14:10:46 +0100
From: decke@freebsd.org
To: "Sergey A. Osokin"
Cc: "ports-committers", "dev-commits-ports-all", "dev-commits-ports-main"
Message-ID: <17fc1336864.da2cd6c5338764.5985054358944507347@freebsd.org>
Subject: Re: git: 4164ab866d06 - main - lang/njs: Fix CPE information
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main

---- On Fri, 25 Mar 2022 04:47:15 +0100 Sergey A. Osokin wrote ----
> Hi Bernhard,
>
> hope you're doing well.
>
> On Fri, Mar 18, 2022 at 11:01:04PM +0000, Sergey A. Osokin wrote:
> > On Fri, Mar 18, 2022 at 10:04:55PM +0100, decke@freebsd.org wrote:
> > > ---- On Fri, 18 Mar 2022 19:01:43 +0100
> > > > > On Fri, Mar 18, 2022 at 03:55:49PM +0000, Bernhard Froehlich wrote:
> > > > > [...]
> > > > >
> > > > > -CPE_VENDOR= f5
> > > > > -CPE_PRODUCT= njs
> > > > > +CPE_VENDOR= nginx
> > > >
> > > > Why?
> > > >
> > > Because the CPE entry was wrong and does not exist in the CPE
> > > dictionary. Have a look at a recent CVE for njs and you will see
> > > that they use nginx:njs, https://nvd.nist.gov/vuln/detail/CVE-2021-46463
> > Thanks for sharing this, Bernhard, I'll take a look on that.
>
> The CVE's been updated, could you please revert your commit.
>
> Thank you.
>
> --
> Sergey A. Osokin
>

Hi Sergey,

thanks for the heads up. As you have already seen, NIST has deprecated nginx:njs now and replaced this and all other existing entries with f5:njs like you already had before. Now it looks okay in their database.

https://nvd.nist.gov/vuln/detail/CVE-2021-46463#VulnChangeHistorySection
https://nvd.nist.gov/products/cpe/detail/1150272?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3A*%3Anjs&status=FINAL

So I'm happy to revert it and have done so a few seconds ago.

Btw, my tool chkcpe has also noticed that the entry is deprecated now and told me to have a look. So it's all working as expected - which is good.

https://github.com/decke/chkcpe/wiki/deprecated

Thanks!
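
Review bot: the "+CPE_VENDOR= nginx" line in the quoted hunk changes the vendor with no rationale attached, which is what drew the "Why?" directly under it; citing the dictionary entry or CVE record the value was checked against (the thread points to CVE-2021-46463) in the commit message would let the next reader re-verify it when the dictionary changes. The hunk also drops "-CPE_PRODUCT= njs" with no "+" replacement shown, so it is worth stating that the product name is meant to come from the default.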