designated object in OVAL definition may be wrong
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu CVE Tracker | Opinion | Undecided | Unassigned | | |
Bug Description
recently published OVAL definition (https:/
All definitions which referenced the 'linux' binary package object have been affected.
How to reproduce:
for example find definition id: oval:com.
then in the criteria find test_ref=
then in that test, find object: oval:com.
# oval:com.
In this `dpkginfo_object`, `<linux-def:name>` used to contain only the name of the binary package, but now it contains a var_ref which points to multiple full names of the most recent binary packages for the linux kernel image:
# oval:com.
In the previous version, an object of the 'Linux' package has no var_ref and looks like this:
# oval:com.
Compare the object above to the recent version
oval:com.
I believe this is an error; a 'linux' binary package should not contain any version information, as can be seen in other package objects, which only contain the name of the package.
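The two object shapes compared in the report can be told apart mechanically. The following is an added example, not part of the original report or of the Ubuntu OVAL tooling: it classifies each `dpkginfo_object` by whether `<linux-def:name>` holds a literal package name or a `var_ref`, and resolves the variable's values. The sample document, its IDs and its package names are constructed placeholders; the namespaces are the standard OVAL 5 ones.

```python
import xml.etree.ElementTree as ET

# Standard OVAL 5 namespaces; linux-def is the prefix used in the report.
OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_DEF = OVAL_DEF + "#linux"

# Constructed sample: IDs and package names are placeholders, not feed values.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <objects>
    <linux-def:dpkginfo_object id="oval:example.constructed:obj:1" version="1">
      <linux-def:name>openssl</linux-def:name>
    </linux-def:dpkginfo_object>
    <linux-def:dpkginfo_object id="oval:example.constructed:obj:2" version="1">
      <linux-def:name var_ref="oval:example.constructed:var:2" var_check="at least one"/>
    </linux-def:dpkginfo_object>
  </objects>
  <variables>
    <constant_variable id="oval:example.constructed:var:2" version="1" datatype="string" comment="constructed">
      <value>linux-image-0.0.0-1-generic</value>
      <value>linux-image-0.0.0-1-lowlatency</value>
    </constant_variable>
  </variables>
</oval_definitions>"""


def classify_dpkg_objects(xml_text):
    """Map object id -> ('literal', [name]) or ('var_ref', [resolved values])."""
    root = ET.fromstring(xml_text)
    # Index each variable's <value> children by id so a var_ref can be resolved.
    variables = {}
    for var in root.iter():
        if var.tag.endswith("_variable") and var.get("id"):
            variables[var.get("id")] = [v.text for v in var.findall(f"{{{OVAL_DEF}}}value")]
    result = {}
    for obj in root.iter(f"{{{LINUX_DEF}}}dpkginfo_object"):
        name = obj.find(f"{{{LINUX_DEF}}}name")
        if name is None:
            continue
        ref = name.get("var_ref")
        if ref:
            result[obj.get("id")] = ("var_ref", variables.get(ref, []))
        else:
            result[obj.get("id")] = ("literal", [(name.text or "").strip()])
    return result


if __name__ == "__main__":
    for obj_id, (kind, names) in classify_dpkg_objects(SAMPLE).items():
        print(obj_id, kind, names)
```

Running it over two published revisions of a definitions file and diffing the results shows which objects switched from a literal name to a variable reference.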
affects: | ubuntu → linux (Ubuntu) |
Changed in linux (Ubuntu): | |
status: | Incomplete → New |
description: | updated |
description: | updated |
information type: | Public → Public Security |
description: | updated |
description: | updated |
Changed in ubuntu-cve-tracker: | |
status: | Invalid → Opinion |
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1834439
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.