oss-sec mailing list archives

vulnerable version: 4.8.12 and previous versions but xml file says: cpe:/o:linux:linux_kernel:4.8.12"/>


From: Sona Sarmadi <sona.sarmadi () enea com>
Date: Wed, 14 Dec 2016 08:19:09 +0000

Hi all,

It seems that nvd.xml files (e.g. nvdcve-2.0-2016.xml) do not list vulnerable versions correctly. One example is the
following CVE. According to the link below, the vulnerable versions are "linux kernel 4.8.12 and previous versions":

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8655 

      Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 ..


Vulnerable software and versions
+ Configuration 1
* OR
* cpe:/o:linux:linux_kernel:4.8.12 and previous versions

While in the xml file it just mentions "cpe:/o:linux:linux_kernel:4.8.12"

nvdcve-2.0-2016.xml:
..
<entry id="CVE-2016-9919">
    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
      <cpe-lang:logical-test operator="OR" negate="false">
        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:4.8.12"/>  
      </cpe-lang:logical-test>
    </vuln:vulnerable-configuration>
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/o:linux:linux_kernel:4.8.12</vuln:product>

Cheers
//Sona
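
An added example, not part of the original message or of any NVD tooling: it shows how a scanner that compares only the CPE strings in the feed misses an older kernel, while a check that also reads the "through X" wording of the summary flags it. The feed sample is constructed to match the fragment quoted above, the function names are hypothetical, and treating the summary wording as a version bound is an assumption of this sketch.

```python
import re
import xml.etree.ElementTree as ET

NS = {"feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
      "vuln": "http://scap.nist.gov/schema/vulnerability/0.4"}

# Constructed sample shaped like the fragment in the post (not real feed data).
SAMPLE = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
  <entry id="CVE-2016-8655">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/o:linux:linux_kernel:4.8.12</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:summary>Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 ..</vuln:summary>
  </entry>
</nvd>"""


def vtuple(version):
    """'4.8.12' -> (4, 8, 12); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in version.split("."))


def load_entry(xml_text, cve_id):
    """Return (product CPE list, summary text) for one entry of the feed."""
    root = ET.fromstring(xml_text)
    for entry in root.findall("feed:entry", NS):
        if entry.get("id") == cve_id:
            products = [p.text.strip() for p in entry.findall(".//vuln:product", NS)]
            return products, entry.findtext("vuln:summary", "", NS)
    raise KeyError(cve_id)


def exact_match(products, installed_cpe):
    """What a scanner sees if it only compares CPE strings."""
    return installed_cpe in products


def range_match(products, summary, installed_cpe):
    """Use the 'through X' / 'before X' wording as an upper bound on the version."""
    prefix, _, version = installed_cpe.rpartition(":")
    if not any(p.rpartition(":")[0] == prefix for p in products):
        return False  # different product entirely
    bound = re.search(r"\b(through|before)\s+(\d+(?:\.\d+)*)", summary)
    if not bound:
        return exact_match(products, installed_cpe)
    limit, have = vtuple(bound.group(2)), vtuple(version)
    return have <= limit if bound.group(1) == "through" else have < limit
```

Vendor backports are not visible to either check, so a distribution kernel with a lower version number may already carry the fix.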

