By analyzing the oval data XML files, we realized that some packages versions are enclosed between brackets. This is happening only in the Trusty XML file.
Here is an example:
<linux-def:dpkginfo_state id="oval:com.ubuntu.trusty:ste:201153260000000" version="1" comment="The package version is less than '[1.4.6-2ubuntu0.1]'.">
<linux-def:evr datatype="debian_evr_string" operation="less than">[1.4.6-2ubuntu0.1]</linux-def:evr>
</linux-def:dpkginfo_state>
And by parsing the XML file, we got this list of CVS with the same problem:
[0.10.25~dfsg2-2ubuntu1.2]
[0.15-2+deb7u3ubuntu0.1]
[0.15-2ubuntu1.1]
[0.15-2ubuntu1.2]
[0.15.1b-9ubuntu14.04.1]
[0.19.0-2ubuntu0.4]
[0.2.3.22-rc-1]
[0.2.4.27-1build0.14.04.1]
[0.2.4.27-1ubuntu0.1]
[0.3.6-1]
[0.3.6-2ubuntu0.14.04.1]
[0.3.6-2ubuntu0.14.04.2]
[0.5.5-2ubuntu0.14.04.1]
[0.6.0-1ubuntu0.1]
[0.6.2-3ubuntu2.1]
[0.8.0-3+deb7u1ubuntu1]
[1.0.0g-1ubuntu0.14.04.1]
[1.0.0g-1ubuntu0.14.04.3]
[1.0.2+svn18153-0.2+deb7u1build0.14.04.1]
[1.06.27-1ubuntu7]
[1.0~+git0c502e20c4-3+deb7u1build0.14.04.1]
[1.10.6-1]
[1.12.1+g01b65bf-4+deb8u11ubuntu0.14.04.1]
[1.16.0-1ubuntu1.1]
[1.16.33-3.1ubuntu6]
[1.17-5ubuntu0.1]
[1.2-1+deb8u1build14.04.1]
[1.2.12-5+deb9u1build0.14.04.1]
[1.2.2-2ubuntu1.1]
[1.2.4-1~ubuntu1.1]
[1.29-1ubuntu0.1]
[1.3-1.1ubuntu1.1]
[1.3.1-1ubuntu5.1]
[1.3.18-1ubuntu3.1]
[1.3.6p1-4+deb7u1build1]
[1.4.22-1ubuntu4.14.04.1]
[1.4.22-1ubuntu4.14.04.3]
[1.4.3-2ubuntu0.1]
[1.4.3-2ubuntu0.2]
[1.4.6-2ubuntu0.1]
[1.4.7-1]
[1.4.7-1ubuntu0.1]
[1.5.2-1]
[1.5.4+dfsg-1]
[1.8.11-5ubuntu7.1]
[1.9.17.1-5ubuntu0.1]
[1.9.3-2ubuntu0.1]
[14.4.1-3ubuntu1.1]
[1:1.5.15-4+deb8u1build0.14.04.1]
[1:16.b.3-dfsg-1ubuntu2.2]
[1:2.10.9-0ubuntu3.1]
[1:2.10.9-0ubuntu3.2]
[1:2.10.9-0ubuntu3.3]
[1:2.10.9-0ubuntu3.4]
[1:5.6-2ubuntu0.1]
[2.0.5-1+deb7u1build0.14.04.1]
[2.0b4-15ubuntu0.14.04.1]
[2.3.4-4+deb8u2build0.14.04.1]
[2.3.4-4+deb8u2build0.14.04.2]
[2.3.6-1+deb8u1build0.14.04.1]
[2.3.6-1+deb8u2build0.14.04.1]
[2.36.0-0ubuntu3.1]
[2.4.16+dfsg-1.3ubuntu1.1]
[2.4.8+dfsg1-2ubuntu1.1]
[2.5.2.26540.ds4-9ubuntu1.1]
[2.6.3-1~ubuntu14.04.1]
[2.6.4-2~ubuntu14.04.1]
[2.6.5-1~ubuntu14.04.1]
[2.6.6-1~ubuntu14.04.0]
[2.6.6-6]
[2.7-5+deb8u1build0.14.04.1]
[2.8.2-1ubuntu1.3]
[2.8.2-1ubuntu1.4]
[20161222-1~ubuntu0.14.04.1]
[2:1.14.4-1ubuntu2]
[2:1.15.1-0ubuntu2.10]
[2:1.15.1-0ubuntu2.11]
[2:1.15.1-0ubuntu2.4]
[2:1.15.1-0ubuntu2.9]
[2:2.8.4-2ubuntu0.2]
[3.0.21-7+debu1build0.14.04.1]
[3.0.5-2ubuntu0.1]
[3.0b2-1ubuntu0.1]
[3.1-10.2ubuntu0.14.04.1]
[3.1.1-5.1+deb8u1build0.14.04.1]
[3.1.1-5.1~build0.14.04.1]
[3.1.2-1ubuntu0.1]
[3.15.4-3ubuntu0.1]
[3.2.8+dfsg-4ubuntu1.1]
[3.4.3-1ubuntu1.2]
[3.4.3-1ubuntu1.3]
[4.0.4+dfsg-2ubuntu0.1]
[4.01.0-3ubuntu3.1]
[4.3.3-1ubuntu0.1]
[4:4.0.10-1ubuntu0.1]
[4:4.13.1-0ubuntu0.2]
[4:4.13.2a-0ubuntu0.3]
[4:4.13.3-0ubuntu0.2]
[4:4.13.3-0ubuntu0.4]
[4:4.13.3-0ubuntu0.5]
[4:4.8.4+dfsg-0ubuntu20]
[4:4.8.5+git192-g085f851+dfsg-2ubuntu4.1]
[5.1.5-5ubuntu0.1]
[5.6.1-6+deb8u1build0.14.04.1]
[5.6.1-6+deb8u3build0.14.04.1]
[5.9.1-1ubuntu1.1]
[6.0.39-1ubuntu0.1]
[6.1.26-1ubuntu1.2]
[6.5.0+nmu1ubuntu0.1]
[8.14.4-4.1ubuntu1.1]
[9.20.1~dfsg.1-4+deb7u1build0.14.04.1]
[9.20.1~dfsg.1-4+deb7u2build0.14.04.1]
[9.20.1~dfsg.1-4+deb7u3build0.14.04.1]
Hi guys, do you have any update related to this report?
The thing is that we have some automatic mechanisms to analyze the vulnerability reports and compare versions with the versions of the packages installed in the system. So, this is causing some issues.
We would like to know whether this will be kept in this way or not so we may decide if we have to implement a workaround on our side.
Thanks, I'll really appreciate your comments.