oss-sec mailing list archives

Re: vulnerable version: 4.8.12 and previous versions but xml file says: cpe:/o:linux:linux_kernel:4.8.12"/>

From: Sona Sarmadi <sona.sarmadi () enea com>
Date: Wed, 14 Dec 2016 19:57:11 +0100

On 2016-12-14 15:26, Kurt Seifried wrote:
Why are you complaining about a nist.gov website/data on an opensource
security mailing list/to MITRE? (hint: we can't fix it and neither can
MITRE) Please contact NIST.

Thanks for being so helpful.

I was just trying to see if there are other people out there who also
think this is a problem. This list seemed like a place where I could
find such people.
Perhaps someone knows a workaround, perhaps some post-processing tool.
If none exists, I guess we have to try to fix the problem at the source
or use another CVE database.

On Wed, Dec 14, 2016 at 1:19 AM, Sona Sarmadi <sona.sarmadi () enea com> wrote:

Hi all,

It seems that nvd.xml files (e.g. nvdcve-2.0-2016.xml) do not list
vulnerable versions correctly. One example is the following CVE. Vulnerable
