Date: Wed, 14 Dec 2016 07:26:34 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: vulnerable version: 4.8.12 and previous versions
 but xml file says: cpe:/o:linux:linux_kernel:4.8.12"/>

Why are you complaining about a nist.gov website/data on an open source
security mailing list/to MITRE? (hint: we can't fix it and neither can
MITRE) Please contact NIST.



On Wed, Dec 14, 2016 at 1:19 AM, Sona Sarmadi <sona.sarmadi@...a.com> wrote:

> Hi all,
>
> It seems that nvd.xml files (e.g. nvdcve-2.0-2016.xml) do not list
> vulnerable versions correctly. One example is the following CVE. Vulnerable
> versions are according to the link below "linux kernel 4.8.12 and previous
> versions":
>
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8655
>
>       Race condition in net/packet/af_packet.c in the Linux kernel through
> 4.8.12 ..
>
>
> Vulnerable software and versions
> + Configuration 1
> * OR
> * cpe:/o:linux:linux_kernel:4.8.12 and previous versions
>
> While in the xml file it just mentions "cpe:/o:linux:linux_kernel:4.8.12"
>
> nvdcve-2.0-2016.xml:
> ..
> <entry id="CVE-2016-9919">
>     <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
>       <cpe-lang:logical-test operator="OR" negate="false">
>         <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:4.8.12"/>
>       </cpe-lang:logical-test>
>     </vuln:vulnerable-configuration>
>     <vuln:vulnerable-software-list>
>       <vuln:product>cpe:/o:linux:linux_kernel:4.8.12</vuln:product>
>
> Cheers
> //Sona
>



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
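
Added example, not part of either message and not NVD's own tooling: it parses the feed excerpt quoted above and shows that exact-CPE matching flags only 4.8.12, while reading the entry as "4.8.12 and previous versions", as the web page does, also flags older kernels. The namespace URIs, the wrapper element and the helper names are assumptions; the excerpt shows only the prefixes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the excerpt quoted in the message, closed off and wrapped in a
# root element that declares the two prefixes (the URIs are assumed, not from the page).
SAMPLE = """<nvd xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cpe-lang="http://cpe.mitre.org/language/2.0">
  <entry id="CVE-2016-9919">
    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
      <cpe-lang:logical-test operator="OR" negate="false">
        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:4.8.12"/>
      </cpe-lang:logical-test>
    </vuln:vulnerable-configuration>
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/o:linux:linux_kernel:4.8.12</vuln:product>
    </vuln:vulnerable-software-list>
  </entry>
</nvd>"""

NS = {"vuln": "http://scap.nist.gov/schema/vulnerability/0.4"}


def listed_products(xml_text, entry_id):
    """Return the CPE URIs in one entry's vulnerable-software-list."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("entry"):
        if entry.get("id") == entry_id:
            return [p.text.strip() for p in entry.iterfind(".//vuln:product", NS)]
    return []


def cpe_version(cpe):
    """Split cpe:/part:vendor:product:version into (product key, version tuple).
    Handles purely numeric dotted versions only."""
    fields = cpe[len("cpe:/"):].split(":")
    return tuple(fields[:3]), tuple(int(x) for x in fields[3].split("."))


def match(cpes, host_cpe, and_previous=False):
    """Exact CPE match; with and_previous, also match versions below the listed one."""
    host_key, host_ver = cpe_version(host_cpe)
    for cpe in cpes:
        key, ver = cpe_version(cpe)
        if key == host_key and (host_ver == ver or (and_previous and host_ver < ver)):
            return True
    return False
```
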
