[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed
Jesus Linares
jesus at wazuh.com
Thu Jul 6 11:24:12 UTC 2017
Hi Tyler,
thanks for the changes. Now, I have around 109 fails.
According to the scripts, if a CVE has one of the following statuses:
- needed
- ignored
- deferred
- pending
it is parsed as "vulnerable" status. The OVAL generated for "vulnerable"
CVEs is: "check if the package exists". *It doesn't check any version*. This
may make sense for some packages, but I think it is not possible to have
109 fails in an updated host.
What do those statuses mean?
I attached a file with the list of CVE files that the Ubuntu Security Team
should review.
OVAL is a great tool and the Ubuntu process to generate the OVAL checks is
almost ready. I think it just needs a little review and great care
during the process of assigning a status to the CVE file. This will be very
useful for the community.
Thanks.
Regards.
On Wed, Jul 5, 2017 at 6:02 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
> On 07/05/2017 10:30 AM, Jesus Linares wrote:
> > Hi Tyler,
> >
> > The Ubuntu Security Team generates that file during CVE triage of
> > newly assigned CVEs.
> >
> >
> > that is a manual process, right?
>
> Yes, it is manual.
>
> >
> > Because all versions are affected. If the status is 'needed', it means
> > that the Ubuntu Security team has not produced security updates that fix
> > the CVE. Therefore, all systems with the xfsprogs deb package installed
> > are affected.
> >
> >
> > So, right now, all systems with /xfsprogs/ are vulnerable? The CVE was
> > in 2012, it is not possible...
> >
> > The description says that it only affects versions before 3.2.4. I think
> > you just need to update the
> > file: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> > changing the line:
> >
> > xenial_xfsprogs: needed
> >
> > to
> >
> > xenial_xfsprogs: released (version?)
> >
> >
> > /parse_package_status/ function for /needed/
> > status: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L149
> >
> > If that line has the version, the Python script will generate the proper
> > OVAL file.
>
> I thought that you were saying that, in general, a 'needed' status
> without a version number would generate problematic OVAL data. Now I
> understand that you were saying that CVE-2012-2150 needed to be
> retriaged. I've done that here:
>
> http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12855
>
> I've also committed the oval_lib.py change that you suggested:
>
> http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12856
>
> Thanks for debugging the issue and providing a fix! Let us know if you
> find any other issues in the generation of OVAL data.
>
> Tyler
>
> >
> >
> > I think I can't help more here, because the error is in the input files,
> > not in the scripts.
> >
> > What do you think?
> > Thanks.
> > Regards.
> >
> >
> >
> > On Wed, Jul 5, 2017 at 5:12 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
> >
> > On 07/05/2017 09:57 AM, Jesus Linares wrote:
> > > Hi,
> > >
> > > it seems there are more errors. For example, I get a "fail" for the
> > > check: CVE-2012-2150.
> > >
> > > If we review the oval file for that check:
> > >
> > > <definition class="vulnerability"
> > > id="oval:com.ubuntu.xenial:def:20122150000" version="1">
> > > ...
> > > <criteria>
> > > <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
> > > comment="Ubuntu 16.04 LTS (xenial) is installed."
> > > applicability_check="true" />
> > > <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000"
> > > comment="The 'xfsprogs' package in xenial is affected and needs fixing." />
> > > </criteria>
> > > </definition>
> > > <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000"
> > > version="1" check_existence="at_least_one_exists" check="all"
> > > comment="Does the 'xfsprogs' package exist?">
> > > <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/>
> > > </linux-def:dpkginfo_test>
> > > <linux-def:dpkginfo_object
> > > id="oval:com.ubuntu.xenial:obj:20122150000" version="1"
> > > comment="The 'xfsprogs' package.">
> > > <linux-def:name>xfsprogs</linux-def:name>
> > > </linux-def:dpkginfo_object>
> > >
> > >
> > > It is checking if the /xfsprogs/ package exists. On my machine I have
> > > /xfsprogs 4.3.0+nmu1ubuntu1/ installed. So, oscap is working
> > > properly. The point is: is my xfsprogs vulnerable? If we take a look at
> > > the input file to generate the
> > > oval: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> > >
> > > xfs_metadump in *xfsprogs before 3.2.4* does not properly obfuscate
> > > file data, which allows remote attackers to obtain sensitive
> > > information by reading a generated image.
> > >
> > >
> > > The description says: xfsprogs before 3.2.4 and I have version 4.
> > > OVAL is only checking if the package exists, but not its version. The
> > > reason is:
> > >
> > > The function /parse_package_status/
> > > (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117)
> > > parses the line:
> > >
> > > * "xenial_xfsprogs: needed"
> > > of http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> > > to
> > > * "{'note': "The 'xfsprogs' package in trusty is affected and needs
> > > fixing.", 'status': 'vulnerable'}".
> > > * That means check only the package, not the version, because there is
> > > no version
> > > (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220)
> > >
> > > If we take a look at other checks:
> > >
> > > * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of
> > > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386
> > > is parsed to
> > > * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in
> > > xenial was vulnerable but has been fixed (note:
> > > '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}
> > > * Here the version is checked.
> > >
> > > So, my final questions are:
> > >
> > > * Who generates this
> > > file http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150?
> >
> > The Ubuntu Security Team generates that file during CVE triage of newly
> > assigned CVEs.
> >
> > > * Why is there no specific version?
> >
> > Because all versions are affected. If the status is 'needed', it means
> > that the Ubuntu Security team has not produced security updates that fix
> > the CVE. Therefore, all systems with the xfsprogs deb package installed
> > are affected.
> >
> > Do you know how that can be conveyed in the OVAL file?
> >
> > >
> > > There are 109 fails after fixing the issue that I commented on in the previous
> > > email and my OS is updated, so I suspect the same is happening in the
> > > rest of the checks.
> >
> > Thanks for tracking down the issue you described in your previous email.
> > I'll hold off on committing that change until you're able to get to the
> > bottom of the issue you describe in this email.
> >
> > Tyler
> >
> > >
> > > Thanks.
> > > Regards.
> > >
> > >
> > >
> > >
> > > On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <jesus at wazuh.com> wrote:
> > >
> > > Hi,
> > >
> > > finally I found the
> > > issue: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
> > >
> > > In that line there is an if-else. The /else/ has the logic to add
> > > the "negate" attribute, but the /if/ doesn't have it.
> > >
> > > It is necessary to replace the lines 111 to 113 with:
> > >
> > > negation_attribute = 'negate = "true" ' if 'negate' in test_refs[0] and test_refs[0]['negate'] else ''
> > > mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(test_refs[0]['id'], escape(test_refs[0]['comment']), negation_attribute)
> > >
> > >
> > > In this way, the scan reports 109 fails instead of 1750. Now, I'm
> > > going to review these 109 fails.
> > >
> > > Please, update the script ASAP.
> > >
> > > Thanks.
> > > Regards.
> > >
> > >
> > > On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <jesus at wazuh.com> wrote:
> > >
> > > Hi,
> > >
> > > I'm testing the OVAL files for Xenial 16.04 (updated) again and
> > > OpenSCAP reports 1750 /fails/... Something weird is happening. I
> > > will check out this issue again, but I would appreciate any help.
> > >
> > > Here is an example:
> > >
> > > <linux-def:dpkginfo_test
> > > id="oval:com.ubuntu.xenial:tst:20176919000" version="1"
> > > check_existence="any_exist" check="all"
> > > comment="*Returns true whether or not the 'drupal7' package exists.*">
> > > <linux-def:object
> > > object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
> > > </linux-def:dpkginfo_test>
> > > <linux-def:dpkginfo_object
> > > id="oval:com.ubuntu.xenial:obj:20076752000" version="1"
> > > comment="The 'drupal7' package.">
> > > <linux-def:name>drupal7</linux-def:name>
> > > </linux-def:dpkginfo_object>
> > >
> > >
> > > If the check always returns true, it doesn't make sense...
> > >
> > > Thanks.
> > > Regards.
> > >
> > >
> > >
> > > On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <jesus at wazuh.com> wrote:
> > >
> > > Hi,
> > >
> > > this is from the specific
> > > CVE: xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)
> > >
> > > So, if it is not affected for xenial, the check should
> > > include the "negate" in order to return that it is not a
> > > vulnerability, right?
> > >
> > > Regards.
> > >
> > >
> > > On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold
> > > <seth.arnold at canonical.com> wrote:
> > >
> > > On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares wrote:
> > > > I think this test should have the "negate" due to the comment "While
> > > > related to the CVE in some way, the 'libapache-mod-jk' package in *xenial
> > > > is not affected*". So, maybe the input of the script is wrong? Where is
> > > > the input?
> > >
> > > The input is from the ubuntu-cve-tracker bzr tree;
> > >
> > > https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> > >
> > > In the case of this specific CVE:
> > >
> > > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
> > >
> > > Thanks
> > >
--
*Jesus Linares*
*IT Security Engineer*
-------------- next part --------------
./active/CVE-2012-2663: status_text: needed | status: vulnerable
./active/CVE-2012-4024: status_text: needed | status: vulnerable
./active/CVE-2012-4025: status_text: needed | status: vulnerable
./active/CVE-2012-6655: status_text: needed | status: vulnerable
./active/CVE-2013-7445: status_text: deferred (2017-03-07) | status: vulnerable
./active/CVE-2013-7445: status_text: deferred | status: vulnerable
./active/CVE-2013-7445: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2014-9900: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2014-9900: status_text: needed | status: vulnerable
./active/CVE-2014-9913: status_text: needed | status: vulnerable
./active/CVE-2015-1336: status_text: needed | status: vulnerable
./active/CVE-2015-1350: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2015-1350: status_text: needed | status: vulnerable
./active/CVE-2015-1350: status_text: pending (4.10.0-27.30~16.04.2) | status: vulnerable
./active/CVE-2015-1350: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2015-2877: status_text: deferred (2016-06-01) | status: vulnerable
./active/CVE-2015-2877: status_text: deferred | status: vulnerable
./active/CVE-2015-2877: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2015-4645: status_text: needed | status: vulnerable
./active/CVE-2015-4646: status_text: needed | status: vulnerable
./active/CVE-2015-7837: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2015-7837: status_text: needed | status: vulnerable
./active/CVE-2015-8553: status_text: deferred (2016-03-27) | status: vulnerable
./active/CVE-2015-8553: status_text: deferred | status: vulnerable
./active/CVE-2015-8553: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2015-8553: status_text: needed | status: vulnerable
./active/CVE-2015-8944: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2015-8944: status_text: needed | status: vulnerable
./active/CVE-2015-8944: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2015-8944: status_text: pending (4.4.0-1019.19) | status: vulnerable
./active/CVE-2015-8944: status_text: pending (4.4.0-1023.32) | status: vulnerable
./active/CVE-2015-8944: status_text: pending (4.4.0-1062.70) | status: vulnerable
./active/CVE-2015-8944: status_text: pending (4.4.0-1064.69) | status: vulnerable
./active/CVE-2015-8944: status_text: pending (4.4.0-85.108) | status: vulnerable
./active/CVE-2015-8952: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2015-8952: status_text: needed | status: vulnerable
./active/CVE-2015-8952: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2016-1238: status_text: needed | status: vulnerable
./active/CVE-2016-1585: status_text: deferred (2017-06-12) | status: vulnerable
./active/CVE-2016-2226: status_text: needed | status: vulnerable
./active/CVE-2016-2568: status_text: deferred (2017-01-12) | status: vulnerable
./active/CVE-2016-2779: status_text: needed | status: vulnerable
./active/CVE-2016-2781: status_text: deferred (2017-06-12) | status: vulnerable
./active/CVE-2016-2853: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2016-2853: status_text: needed | status: vulnerable
./active/CVE-2016-3189: status_text: needed | status: vulnerable
./active/CVE-2016-4484: status_text: needed | status: vulnerable
./active/CVE-2016-4614: status_text: deferred (2017-06-16) | status: vulnerable
./active/CVE-2016-4615: status_text: deferred (2017-06-16) | status: vulnerable
./active/CVE-2016-4616: status_text: deferred (2017-06-16) | status: vulnerable
./active/CVE-2016-5011: status_text: needed | status: vulnerable
./active/CVE-2016-7076: status_text: needed | status: vulnerable
./active/CVE-2016-8625: status_text: needed | status: vulnerable
./active/CVE-2016-8636: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2016-8636: status_text: needed | status: vulnerable
./active/CVE-2016-8636: status_text: pending (4.10.0-27.30~16.04.2) | status: vulnerable
./active/CVE-2016-8636: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2016-8660: status_text: needed | status: vulnerable
./active/CVE-2016-9318: status_text: deferred (2017-06-16) | status: vulnerable
./active/CVE-2016-9586: status_text: needed | status: vulnerable
./active/CVE-2016-9844: status_text: needed | status: vulnerable
./active/CVE-2017-0537: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-0537: status_text: needed | status: vulnerable
./active/CVE-2017-0663: status_text: needed | status: vulnerable
./active/CVE-2017-1000365: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-1000365: status_text: needed | status: vulnerable
./active/CVE-2017-1000370: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-1000370: status_text: needed | status: vulnerable
./active/CVE-2017-1000371: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-1000371: status_text: needed | status: vulnerable
./active/CVE-2017-1000380: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-1000380: status_text: needed | status: vulnerable
./active/CVE-2017-1000380: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2017-1000380: status_text: pending (4.4.0-1019.19) | status: vulnerable
./active/CVE-2017-1000380: status_text: pending (4.4.0-1023.32) | status: vulnerable
./active/CVE-2017-1000380: status_text: pending (4.4.0-1062.70) | status: vulnerable
./active/CVE-2017-1000380: status_text: pending (4.4.0-1064.69) | status: vulnerable
./active/CVE-2017-1000380: status_text: pending (4.4.0-85.108) | status: vulnerable
./active/CVE-2017-10790: status_text: needed | status: vulnerable
./active/CVE-2017-2618: status_text: needed | status: vulnerable
./active/CVE-2017-2618: status_text: pending (4.10.0-27.30~16.04.2) | status: vulnerable
./active/CVE-2017-2618: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2017-2618: status_text: pending (4.4.0-1009.18) | status: vulnerable
./active/CVE-2017-2618: status_text: pending (4.4.0-1048.55) | status: vulnerable
./active/CVE-2017-2618: status_text: pending (4.4.0-1051.55) | status: vulnerable
./active/CVE-2017-2618: status_text: pending (4.4.0-67.88) | status: vulnerable
./active/CVE-2017-3204: status_text: ignored (code not used) | status: vulnerable
./active/CVE-2017-5550: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-5550: status_text: needed | status: vulnerable
./active/CVE-2017-5550: status_text: pending (4.10.0-27.30~16.04.2) | status: vulnerable
./active/CVE-2017-5550: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2017-5953: status_text: needed | status: vulnerable
./active/CVE-2017-5967: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-5967: status_text: needed | status: vulnerable
./active/CVE-2017-5967: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2017-5969: status_text: needed | status: vulnerable
./active/CVE-2017-6349: status_text: needed | status: vulnerable
./active/CVE-2017-6350: status_text: needed | status: vulnerable
./active/CVE-2017-6508: status_text: needed | status: vulnerable
./active/CVE-2017-6512: status_text: needed | status: vulnerable
./active/CVE-2017-6965: status_text: needed | status: vulnerable
./active/CVE-2017-6966: status_text: needed | status: vulnerable
./active/CVE-2017-6969: status_text: needed | status: vulnerable
./active/CVE-2017-7209: status_text: needed | status: vulnerable
./active/CVE-2017-7210: status_text: needed | status: vulnerable
./active/CVE-2017-7223: status_text: needed | status: vulnerable
./active/CVE-2017-7224: status_text: needed | status: vulnerable
./active/CVE-2017-7225: status_text: needed | status: vulnerable
./active/CVE-2017-7226: status_text: needed | status: vulnerable
./active/CVE-2017-7227: status_text: needed | status: vulnerable
./active/CVE-2017-7299: status_text: needed | status: vulnerable
./active/CVE-2017-7300: status_text: needed | status: vulnerable
./active/CVE-2017-7301: status_text: needed | status: vulnerable
./active/CVE-2017-7302: status_text: needed | status: vulnerable
./active/CVE-2017-7346: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-7346: status_text: needed | status: vulnerable
./active/CVE-2017-7346: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2017-7346: status_text: pending (4.4.0-1019.19) | status: vulnerable
./active/CVE-2017-7346: status_text: pending (4.4.0-1023.32) | status: vulnerable
./active/CVE-2017-7346: status_text: pending (4.4.0-1062.70) | status: vulnerable
./active/CVE-2017-7346: status_text: pending (4.4.0-1064.69) | status: vulnerable
./active/CVE-2017-7346: status_text: pending (4.4.0-85.108) | status: vulnerable
./active/CVE-2017-7375: status_text: needed | status: vulnerable
./active/CVE-2017-7376: status_text: needed | status: vulnerable
./active/CVE-2017-7407: status_text: needed | status: vulnerable
./active/CVE-2017-7482: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-7482: status_text: needed | status: vulnerable
./active/CVE-2017-7495: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-7495: status_text: needed | status: vulnerable
./active/CVE-2017-7495: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2017-7518: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-7518: status_text: needed | status: vulnerable
./active/CVE-2017-7614: status_text: needed | status: vulnerable
./active/CVE-2017-8283: status_text: needed | status: vulnerable
./active/CVE-2017-8797: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-8797: status_text: needed | status: vulnerable
./active/CVE-2017-8797: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2017-8831: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-8831: status_text: needed | status: vulnerable
./active/CVE-2017-8872: status_text: deferred (2017-06-16) | status: vulnerable
./active/CVE-2017-9038: status_text: needed | status: vulnerable
./active/CVE-2017-9039: status_text: needed | status: vulnerable
./active/CVE-2017-9040: status_text: needed | status: vulnerable
./active/CVE-2017-9041: status_text: needed | status: vulnerable
./active/CVE-2017-9043: status_text: needed | status: vulnerable
./active/CVE-2017-9044: status_text: needed | status: vulnerable
./active/CVE-2017-9047: status_text: needed | status: vulnerable
./active/CVE-2017-9048: status_text: needed | status: vulnerable
./active/CVE-2017-9049: status_text: needed | status: vulnerable
./active/CVE-2017-9050: status_text: needed | status: vulnerable
./active/CVE-2017-9059: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-9059: status_text: needed | status: vulnerable
./active/CVE-2017-9150: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-9150: status_text: needed | status: vulnerable
./active/CVE-2017-9150: status_text: pending (4.10.0-27.30~16.04.2) | status: vulnerable
./active/CVE-2017-9150: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2017-9150: status_text: pending (4.4.0-1019.19) | status: vulnerable
./active/CVE-2017-9150: status_text: pending (4.4.0-1023.32) | status: vulnerable
./active/CVE-2017-9150: status_text: pending (4.4.0-1062.70) | status: vulnerable
./active/CVE-2017-9150: status_text: pending (4.4.0-1064.69) | status: vulnerable
./active/CVE-2017-9150: status_text: pending (4.4.0-85.108) | status: vulnerable
./active/CVE-2017-9217: status_text: needed | status: vulnerable
./active/CVE-2017-9445: status_text: needed | status: vulnerable
./active/CVE-2017-9605: status_text: ignored (abandoned) | status: vulnerable
./active/CVE-2017-9605: status_text: needed | status: vulnerable
./active/CVE-2017-9605: status_text: pending (4.11.0-1003.3) | status: vulnerable
./active/CVE-2017-9605: status_text: pending (4.4.0-1019.19) | status: vulnerable
./active/CVE-2017-9605: status_text: pending (4.4.0-1023.32) | status: vulnerable
./active/CVE-2017-9605: status_text: pending (4.4.0-1062.70) | status: vulnerable
./active/CVE-2017-9605: status_text: pending (4.4.0-1064.69) | status: vulnerable
./active/CVE-2017-9605: status_text: pending (4.4.0-85.108) | status: vulnerable
./active/CVE-2017-9742: status_text: needed | status: vulnerable
./active/CVE-2017-9744: status_text: needed | status: vulnerable
./active/CVE-2017-9745: status_text: needed | status: vulnerable
./active/CVE-2017-9746: status_text: needed | status: vulnerable
./active/CVE-2017-9747: status_text: needed | status: vulnerable
./active/CVE-2017-9748: status_text: needed | status: vulnerable
./active/CVE-2017-9749: status_text: needed | status: vulnerable
./active/CVE-2017-9750: status_text: needed | status: vulnerable
./active/CVE-2017-9751: status_text: needed | status: vulnerable
./active/CVE-2017-9752: status_text: needed | status: vulnerable
./active/CVE-2017-9753: status_text: needed | status: vulnerable
./active/CVE-2017-9754: status_text: needed | status: vulnerable
./active/CVE-2017-9755: status_text: needed | status: vulnerable
./active/CVE-2017-9756: status_text: needed | status: vulnerable
./active/CVE-2017-9955: status_text: needed | status: vulnerable
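
The status handling discussed in this thread, as an added example that is not part of the original messages and is not the ubuntu-cve-tracker code: a simplified Python model of how a tracker status line ends up as an existence-only, version-based or negated OVAL check, plus a helper that lists the packages whose definition fails on any host that has them installed. The check labels, the function names and the `linux` package name in the sample are assumptions made for illustration.

```python
import re
from xml.sax.saxutils import quoteattr

# Per the thread, these tracker states all become 'vulnerable', and the
# generated test only asks whether the package is installed.
EXISTENCE_ONLY_STATES = {"needed", "ignored", "deferred", "pending"}

# "<release>_<package>: <state> (<detail>)"; the detail is optional.
STATUS_LINE = re.compile(
    r"^(?P<release>[a-z]+)_(?P<package>[a-z0-9][a-z0-9+.-]*):\s*"
    r"(?P<state>[a-z-]+)\s*(?:\((?P<detail>[^)]*)\))?\s*$"
)

# Constructed sample: the first three lines are quoted in the thread; the
# 'linux' package name on the last one is an assumption.
SAMPLE = [
    "xenial_xfsprogs: needed",
    "xenial_git: released (1:2.7.4-0ubuntu1.1)",
    "xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)",
    "xenial_linux: pending (4.4.0-85.108)",
]


def classify(line):
    """Model how one status line is checked; None if the line does not parse.

    The 'check' labels are hypothetical names, not values used by the scripts.
    """
    m = STATUS_LINE.match(line.strip())
    if m is None:
        return None
    state, detail = m.group("state"), m.group("detail")
    result = {"release": m.group("release"), "package": m.group("package"),
              "state": state}
    if state in EXISTENCE_ONLY_STATES:
        # Whatever is in parentheses (date, version, reason) is not compared.
        result.update(status="vulnerable", check="package-exists", negate=False)
    elif state == "released" and detail:
        result.update(status="fixed", check="package-version", negate=False,
                      fix_version=detail)
    elif state == "not-affected":
        # The test is true whether or not the package exists, so the
        # criterion has to be negated for the definition to pass.
        result.update(status="not-vulnerable", check="always-true", negate=True)
    else:
        result.update(status="unknown", check=None, negate=False)
    return result


def criterion(test_ref, comment, negate):
    """Render one <criterion>, carrying negate="true" when requested."""
    attrs = "test_ref={0} comment={1}".format(quoteattr(test_ref),
                                              quoteattr(comment))
    if negate:
        attrs += ' negate="true"'
    return "<criterion {0} />".format(attrs)


def installed_means_fail(lines):
    """(package, state) pairs that fail on every host with the package installed."""
    hits = []
    for line in lines:
        parsed = classify(line)
        if parsed and parsed["check"] == "package-exists":
            hits.append((parsed["package"], parsed["state"]))
    return hits


if __name__ == "__main__":
    for entry in SAMPLE:
        info = classify(entry)
        print("{0:<62} {1:<15} {2}".format(entry, info["status"], info["check"]))
    print(installed_means_fail(SAMPLE))
```
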