oss-sec mailing list archives
vulnerable version: 4.8.12 and previous versions but xml file says: cpe:/o:linux:linux_kernel:4.8.12"/>
From: Sona Sarmadi <sona.sarmadi () enea com>
Date: Wed, 14 Dec 2016 08:19:09 +0000
Hi all, It seems that nvd.xml files (e.g. nvdcve-2.0-2016.xml) does not list vulnerable versions correctly. One example is the following CVE. Vulnerable versions are according to the link below "linux kernel 4.8.12 and previous versions": https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8655 Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 .. Vulnerable software and versions + Configuration 1 * OR * cpe:/o:linux:linux_kernel:4.8.12 and previous versions While in the xml file it just mention "cpe:/o:linux:linux_kernel:4.8.12" nvdcve-2.0-2016.xml: .. <entry id="CVE-2016-9919"> <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> <cpe-lang:logical-test operator="OR" negate="false"> <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:4.8.12"/> </cpe-lang:logical-test> </vuln:vulnerable-configuration> <vuln:vulnerable-software-list> <vuln:product>cpe:/o:linux:linux_kernel:4.8.12</vuln:product> Cheers //Sona
Current thread:
- vulnerable version: 4.8.12 and previous versions but xml file says: cpe:/o:linux:linux_kernel:4.8.12"/> Sona Sarmadi (Dec 14)