Comment 1 for bug 1869918

Thanks for the report. I've fixed this in the CVE tracker in https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=dd75faf42a6cd0bde2bfb12336d90724836b192c and the oval data should be regenerated from it in an hour or two.

Unfortunately, we refresh our CVE descriptions from nvd data, but their data has added some bogus junk into it recently. This is from their json description for CVE-2017-15095:

      "description" : {
        "description_data" : [ {
          "lang" : "en",
          "value" : "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously."
        }, {
          "lang" : "en",
          "value" : "\\"
        } ]
      }

(It's the second entry consisting of '\\' that caused it to be added.)

There should probably be some filtering both on input to our tracker and in our oval xml output.

THanks for the report!