Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 14 Dec 2016 08:19:09 +0000
From: Sona Sarmadi <sona.sarmadi@...a.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: "cve-assign@...re.org" <cve-assign@...re.org>
Subject: vulnerable version: 4.8.12 and previous versions but xml file says:
 cpe:/o:linux:linux_kernel:4.8.12"/>  

Hi all,

It seems that nvd.xml files (e.g. nvdcve-2.0-2016.xml) does not list vulnerable versions correctly. One example is the following CVE. Vulnerable versions are according to the link below "linux kernel 4.8.12 and previous versions":

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8655 

      Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 ..


Vulnerable software and versions
+ Configuration 1
* OR
* cpe:/o:linux:linux_kernel:4.8.12 and previous versions

While in the xml file it just mention "cpe:/o:linux:linux_kernel:4.8.12"

nvdcve-2.0-2016.xml:
..
<entry id="CVE-2016-9919">
    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
      <cpe-lang:logical-test operator="OR" negate="false">
        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:4.8.12"/>  
      </cpe-lang:logical-test>
    </vuln:vulnerable-configuration>
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/o:linux:linux_kernel:4.8.12</vuln:product>

Cheers
//Sona

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ