Re: vulnerable version: 4.8.12 and previous versions but xml file says: cpe:/o:linux:linux_kernel:4.8.12"/>

[Kurt Seifried <kseifried () redhat com>]

Why are you complaining about a nist.gov website/data on an opensource
security mailing list/to MITRE? (hint: we can't fix it and neither can
MITRE) Please contact NIST.



On Wed, Dec 14, 2016 at 1:19 AM, Sona Sarmadi <sona.sarmadi () enea com> wrote:

> Hi all,
>
> It seems that nvd.xml files (e.g. nvdcve-2.0-2016.xml) does not list
> vulnerable versions correctly. One example is the following CVE. Vulnerable
> versions are according to the link below "linux kernel 4.8.12 and previous
> versions":
>
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8655
>
>       Race condition in net/packet/af_packet.c in the Linux kernel through
> 4.8.12 ..
>
>
> Vulnerable software and versions
> + Configuration 1
> * OR
> * cpe:/o:linux:linux_kernel:4.8.12 and previous versions
>
> While in the xml file it just mention "cpe:/o:linux:linux_kernel:4.8.12"
>
> nvdcve-2.0-2016.xml:
> ..
> <entry id="CVE-2016-9919">
>     <vuln:vulnerable-configuration id="http://nvd.nist.gov/";>
>       <cpe-lang:logical-test operator="OR" negate="false">
>         <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:4.8.12"/>
>       </cpe-lang:logical-test>
>     </vuln:vulnerable-configuration>
>     <vuln:vulnerable-software-list>
>       <vuln:product>cpe:/o:linux:linux_kernel:4.8.12</vuln:product>
>
> Cheers
> //Sona



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com