[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed
seth.arnold at canonical.com
Fri Jul 7 00:13:48 UTC 2017
On Thu, Jul 06, 2017 at 01:24:12PM +0200, Jesus Linares wrote:
> it is parsed as "vulnerable" status. The oval generated for "vulnerable"
> CVEs is: "check if the package exists". *It doesn't check any version*. This
> may make sense for some packages, but I think it is not possible to have
> 109 fails in an updated host.

Strictly speaking, 109 fails in an updated host may make perfect sense:

- The Ubuntu security team provides security support for packages in
  main. The security team triages CVEs into different priorities and
  may not get around to fixing 'low' or 'negligible' CVEs quickly.
- The Ubuntu community provides security support for packages in universe.
  The community may update some packages frequently (mariadb comes to
  mind) while others never get updated.
- As Tyler mentioned, it's possible for individual CVE entries to
  incorrectly mark that an update is still needed for an issue even
  though a fix has filtered in through Debian, perhaps years ago. We
  fix these as we find them but probably the majority of fixes in this
  category comes from Ubuntu community members researching the open CVEs
  on their systems.

This is one of my hopes of having a good OVAL tool: no one can inspect
4000 open CVEs to see which ones still need to be closed. But 109 is an
approachable problem. If everyone with more open CVEs than they expect
investigates a few we'll have this list knocked down in no time!
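The thread's point is that a definition for a "vulnerable" (not yet fixed) CVE tests only whether the package is installed, while a definition for a fixed CVE tests the installed version against the fixed one. The script below is an added example, not code from this thread or from Ubuntu's OVAL feed; it splits the definitions in an OVAL file into "existence-only" and "version-bounded" checks so that a host's failures can be triaged. The embedded OVAL document is constructed and simplified (the ids, package name, CVE numbers and the `oval:example:` prefix are placeholders); only the element names and the `dpkginfo_test`/`dpkginfo_object`/`dpkginfo_state`/`evr` structure are assumed to follow the OVAL linux schema. No version comparison is done: the purpose is to find the hits that can never clear by updating, which are the ones worth researching by hand.

```python
"""Classify OVAL dpkginfo-based definitions as existence-only or version-bounded.

Added example (not from the ubuntu-hardened thread or Ubuntu's OVAL data).
The sample document below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "lin": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux",
}

# Constructed, simplified OVAL document: def:1 bounds the version (fixed CVE),
# def:2 only checks that the package exists (CVE still open upstream).
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions>
    <definition id="oval:example:def:1" class="vulnerability">
      <metadata><title>CVE-0000-0001 (placeholder) fixed in 1.2-3</title></metadata>
      <criteria><criterion test_ref="oval:example:tst:1"/></criteria>
    </definition>
    <definition id="oval:example:def:2" class="vulnerability">
      <metadata><title>CVE-0000-0002 (placeholder) not yet fixed</title></metadata>
      <criteria><criterion test_ref="oval:example:tst:2"/></criteria>
    </definition>
  </definitions>
  <tests>
    <lin:dpkginfo_test id="oval:example:tst:1" check="at least one">
      <lin:object object_ref="oval:example:obj:1"/>
      <lin:state state_ref="oval:example:ste:1"/>
    </lin:dpkginfo_test>
    <lin:dpkginfo_test id="oval:example:tst:2" check="at least one"
        check_existence="at_least_one_exists">
      <lin:object object_ref="oval:example:obj:1"/>
    </lin:dpkginfo_test>
  </tests>
  <objects>
    <lin:dpkginfo_object id="oval:example:obj:1">
      <lin:name>examplepkg</lin:name>
    </lin:dpkginfo_object>
  </objects>
  <states>
    <lin:dpkginfo_state id="oval:example:ste:1">
      <lin:evr datatype="debian_evr_string" operation="less than">0:1.2-3</lin:evr>
    </lin:dpkginfo_state>
  </states>
</oval_definitions>
"""


def classify_definitions(xml_text):
    """Return {definition id: {"title", "packages", "kind"}} for every definition.

    kind is "version-bounded" if any referenced test compares an evr state,
    otherwise "existence-only" (the test fires whenever the package is installed).
    """
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in root.find("oval:tests", NS)}
    objects = {o.get("id"): o for o in root.find("oval:objects", NS)}
    states = {s.get("id"): s for s in root.find("oval:states", NS)}

    result = {}
    for d in root.find("oval:definitions", NS):
        packages, bounded = set(), False
        for crit in d.iter("{%s}criterion" % NS["oval"]):
            test = tests.get(crit.get("test_ref"))
            if test is None:
                continue  # dangling reference: nothing to classify
            for ref in test.findall("lin:object", NS):
                obj = objects.get(ref.get("object_ref"))
                name = obj.find("lin:name", NS) if obj is not None else None
                if name is not None and name.text:
                    packages.add(name.text)
            for ref in test.findall("lin:state", NS):
                state = states.get(ref.get("state_ref"))
                if state is not None and state.find("lin:evr", NS) is not None:
                    bounded = True
        title = d.find("oval:metadata/oval:title", NS)
        result[d.get("id")] = {
            "title": title.text if title is not None else "",
            "packages": sorted(packages),
            "kind": "version-bounded" if bounded else "existence-only",
        }
    return result


def manual_review_candidates(xml_text, installed_packages):
    """Definition ids that fail purely because a package is installed.

    These cannot be cleared by updating, so they are the ones to research
    by hand (is the CVE really still open for this package?).
    """
    installed = set(installed_packages)
    return sorted(
        def_id
        for def_id, info in classify_definitions(xml_text).items()
        if info["kind"] == "existence-only" and installed & set(info["packages"])
    )


if __name__ == "__main__":
    # Constructed package list standing in for `dpkg-query -W -f '${Package}\n'`.
    for def_id in manual_review_candidates(SAMPLE_OVAL, {"examplepkg", "bash"}):
        print("existence-only hit, needs research:", def_id)
```

On a real host the `installed_packages` argument would be fed from `dpkg-query`, and the OVAL text from the distribution's definitions file; definitions classified as version-bounded are left to the scanner, since deciding those requires a proper Debian version comparison.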