[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed

Seth Arnold seth.arnold at canonical.com
Fri Jul 7 00:13:48 UTC 2017

On Thu, Jul 06, 2017 at 01:24:12PM +0200, Jesus Linares wrote:
> it is parsed as "vulnerable" status. The OVAL generated for "vulnerable"
> CVEs is: "check if the package exists". *It doesn't check any version*. This
> may make sense for some packages, but I think it is not possible to have
> 109 fails in an updated host.

Strictly speaking, 109 fails in an updated host may make perfect sense:

- The Ubuntu security team provides security support for packages in
  main. The security team triages CVEs into different priorities and
  may not get around to fixing 'low' or 'negligible' CVEs quickly.

- The Ubuntu community provides security support for packages in universe.
  The community may update some packages frequently (mariadb comes to
  mind) while others never get updated.

- As Tyler mentioned, it's possible for individual CVE entries to
  incorrectly mark that an update is still needed for an issue even
  though a fix has filtered in through Debian, perhaps years ago. We
  fix these as we find them but probably the majority of fixes in this
  category comes from Ubuntu community members researching the open CVEs
  on their systems.

This is one of my hopes of having a good OVAL tool: no one can inspect
4000 open CVEs to see which ones still need to be closed. But 109 is an
approachable problem. If everyone with more open CVEs than they expect
investigates a few, we'll have this list knocked down in no time!
