oss-sec mailing list archives
Re: vulnerable version: 4.8.12 and previous versions but xml file says: cpe:/o:linux:linux_kernel:4.8.12"/>
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 14 Dec 2016 07:26:34 -0700
Why are you complaining about a nist.gov website/data on an open source security mailing list/to MITRE? (hint: we can't fix it and neither can MITRE) Please contact NIST.

On Wed, Dec 14, 2016 at 1:19 AM, Sona Sarmadi <sona.sarmadi () enea com> wrote:
Hi all,

It seems that nvd.xml files (e.g. nvdcve-2.0-2016.xml) do not list vulnerable versions correctly. One example is the following CVE. Vulnerable versions are, according to the link below, "linux kernel 4.8.12 and previous versions":

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8655

Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 ..

Vulnerable software and versions
+ Configuration 1
  * OR
    * cpe:/o:linux:linux_kernel:4.8.12 and previous versions

While in the xml file it just mentions "cpe:/o:linux:linux_kernel:4.8.12"

nvdcve-2.0-2016.xml:
..
<entry id="CVE-2016-9919">
  <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
    <cpe-lang:logical-test operator="OR" negate="false">
      <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:4.8.12"/>
    </cpe-lang:logical-test>
  </vuln:vulnerable-configuration>
  <vuln:vulnerable-software-list>
    <vuln:product>cpe:/o:linux:linux_kernel:4.8.12</vuln:product>

Cheers
//Sona
--
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
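
The mismatch the quoted message describes, as an added example that is not part of the original thread: it reads the `vuln:product` values of one entry and checks an installed kernel CPE against them, first by exact string match and then by treating each listed version as an upper bound, which is how the web page's "and previous versions" wording reads. The sample XML is constructed after the quoted excerpt; its namespace URI and `<nvd>` wrapper are assumptions, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the quoted excerpt. The namespace URI and
# the <nvd> wrapper element are assumptions, not copied from the thread.
SAMPLE = """<nvd xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
  <entry id="CVE-2016-9919">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/o:linux:linux_kernel:4.8.12</vuln:product>
    </vuln:vulnerable-software-list>
  </entry>
</nvd>"""

def local(tag):
    """Strip any '{namespace}' prefix so matching does not depend on the URI."""
    return tag.rsplit("}", 1)[-1]

def products(xml_text, entry_id):
    """Return the CPE URIs listed under <vuln:product> for one entry."""
    root = ET.fromstring(xml_text)
    for entry in root.iter():
        if local(entry.tag) == "entry" and entry.get("id") == entry_id:
            return [p.text.strip() for p in entry.iter()
                    if local(p.tag) == "product" and p.text]
    return []

def parse_cpe(uri):
    """Split a CPE 2.2 URI into (part, vendor, product, numeric version)."""
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))
    part, vendor, product, version = fields[:4]
    try:
        nums = tuple(int(x) for x in version.split("."))
    except ValueError:
        nums = None  # empty or non-numeric version: cannot be ordered
    return part, vendor, product, nums

def exact_match(installed, listed):
    """Literal reading of the XML: only the listed version is affected."""
    return installed in listed

def at_or_below(installed, listed):
    """'and previous versions' reading: each listed version is an upper bound."""
    ip = parse_cpe(installed)
    for uri in listed:
        lp = parse_cpe(uri)
        same_product = ip[:3] == lp[:3]
        if same_product and None not in (ip[3], lp[3]) and ip[3] <= lp[3]:
            return True
    return False
```

With the sample above, a 4.8.11 kernel is reported unaffected by `exact_match` and affected by `at_or_below`, which is the gap between the feed and the web page that the message points out.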