When a CVE has been issued for an older issue where the fix landed in a release earlier than the devel release, check-cves / active-edit is setting the state of the esm-apps releases incorrectly.
An example CVE that I hit today where this occurs is for CVE-2021-46877 affecting jackson-databind:
$ ./scripts/check-cves --cve CVE-2021-46877 nvdcve-1.1-2021.json git/cve_trackers/debian-security-tracker/data/CVE/list
Loading /home/steve/ ...
Loading nvdcve-1.1-2021.json ...
 97% [================================================================================================= ] 130438317 ETA:  0:00:00
**********************************************************************
CVE-2021-46877 (1/1: 100%)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46877
**********************************************************************
Published: 2023-03-18 22:15:00 UTC
MISC: https://github.com/FasterXML/jackson-databind/issues/3328
MISC: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
======================== CVE details ==========================
CVE-2021-46877
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
======================= Debian details ========================
Debian CVE Tracker: FOUND
NOTE: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
NOTE: https://github.com/FasterXML/jackson-databind/issues/3328
NOTE: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
NOTE: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
Debian: jackson-databind: 2.13.2.2-1 (needs-triage)
Ubuntu: jackson-databind | 2.9.8-1~18.04 | bionic-updates/universe
Ubuntu: jackson-databind | 2.10.2-1 | focal/universe
Ubuntu: jackson-databind | 2.13.0-2 | jammy/universe
Ubuntu: jackson-databind | 2.13.2.2-1 | kinetic/universe
Ubuntu: jackson-databind | 2.14.0-1 | lunar/universe
A]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [add]
Package(s) affected? [jackson-databind]
# This results in the following CVE file generated:
Candidate: CVE-2021-46877
PublicDate: 2023-03-21
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46877
 https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
 https://github.com/FasterXML/jackson-databind/issues/3328
 https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
 https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
Description:
 jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before
 2.13.1 allows attackers to cause a denial of service (2 GB transient heap
 usage per read) in uncommon situations involving JsonNode JDK
 serialization.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS:

Patches_jackson-databind:
upstream_jackson-databind: released (2.13.2.2-1)
trusty_jackson-databind: ignored (out of standard support)
xenial_jackson-databind: ignored (out of standard support)
bionic_jackson-databind: needs-triage
focal_jackson-databind: needs-triage
jammy_jackson-databind: needs-triage
kinetic_jackson-databind: not-affected (2.13.2.2-1)
trusty/esm_jackson-databind: not-affected
esm-apps/xenial_jackson-databind: not-affected
esm-apps/bionic_jackson-databind: not-affected
esm-apps/focal_jackson-databind: not-affected
esm-apps/jammy_jackson-databind: not-affected
devel_jackson-databind: not-affected
Note that the version Debian noted as fixed landed in the kinetic cycle, so check-cves or active_edit correctly marked kinetic as not-affected with that version, and then attempted to mark all later releases (which would be only the devel release, lunar) as not-affected, but instead also marked trusty/esm and all the esm-apps releases as not-affected.
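To make the expected propagation rule concrete, the following is an added example, not code from ubuntu-cve-tracker or from this report. It assumes a release order (trusty through lunar, with devel as the alias for lunar) and that an ESM entry ranks with the base release it is built from, so that "later than the release carrying the fix" never includes trusty/esm or esm-apps/* when the fix landed in kinetic. The "before propagation" block is constructed for the example; the "observed" block is the one the report shows.

```python
"""Propagating a 'not-affected (<version>)' mark across Ubuntu releases.

Added example; not the tracker's own implementation. The release order,
the devel alias and the ESM base-release mapping are assumptions.
"""
import re

# Development releases oldest to newest (assumed for this example).
RELEASE_ORDER = ["trusty", "xenial", "bionic", "focal", "jammy", "kinetic", "lunar"]
DEVEL_ALIAS = {"devel": "lunar"}

# ESM entries are built from an older base release, so for ordering purposes
# they rank with that base release (assumption of this example).
ESM_BASE = {
    "trusty/esm": "trusty",
    "esm-apps/xenial": "xenial",
    "esm-apps/bionic": "bionic",
    "esm-apps/focal": "focal",
    "esm-apps/jammy": "jammy",
}

# One line of a Patches_<pkg> block: "<release>_<pkg>: <state> (<note>)"
LINE_RE = re.compile(
    r"^(?P<rel>[a-z][a-z/-]*)_(?P<pkg>[A-Za-z0-9.+-]+):\s*"
    r"(?P<state>[a-z-]+)(?:\s*\((?P<note>[^)]*)\))?\s*$"
)


def parse_patches(block):
    """Parse a Patches_ block into an ordered list of (release, state, note)."""
    entries = []
    for raw in block.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # the "Patches_<pkg>:" header line does not match and is skipped
            entries.append((m["rel"], m["state"], m["note"]))
    return entries


def rank(release):
    """Position of a release in RELEASE_ORDER after resolving devel/ESM aliases; None if unknown."""
    base = DEVEL_ALIAS.get(release, ESM_BASE.get(release, release))
    return RELEASE_ORDER.index(base) if base in RELEASE_ORDER else None


def propagate_fix(entries):
    """Return {release: state} after applying the propagation rule the report expects.

    The release marked 'not-affected (<version>)' is the one carrying the fix;
    every release ranking strictly later becomes not-affected as well. ESM
    entries rank with their base release, so they are untouched when that base
    release is older than the fixed one.
    """
    fixed_ranks = [rank(rel) for rel, state, note in entries
                   if state == "not-affected" and note and rank(rel) is not None]
    if not fixed_ranks:
        return {rel: state for rel, state, _ in entries}
    fixed_rank = min(fixed_ranks)
    result = {}
    for rel, state, _ in entries:
        r = rank(rel)
        result[rel] = "not-affected" if (r is not None and r > fixed_rank) else state
    return result


def wrongly_marked(expected, observed):
    """Releases whose observed state differs from the expected one, sorted."""
    return sorted(rel for rel in expected if observed.get(rel) != expected[rel])


# Constructed: the block as it would look before propagation, with only
# kinetic carrying the fixed version and all other entries untouched.
BEFORE = """\
Patches_jackson-databind:
upstream_jackson-databind: released (2.13.2.2-1)
trusty_jackson-databind: ignored (out of standard support)
xenial_jackson-databind: ignored (out of standard support)
bionic_jackson-databind: needs-triage
focal_jackson-databind: needs-triage
jammy_jackson-databind: needs-triage
kinetic_jackson-databind: not-affected (2.13.2.2-1)
trusty/esm_jackson-databind: needs-triage
esm-apps/xenial_jackson-databind: needs-triage
esm-apps/bionic_jackson-databind: needs-triage
esm-apps/focal_jackson-databind: needs-triage
esm-apps/jammy_jackson-databind: needs-triage
devel_jackson-databind: needs-triage
"""

# The block check-cves actually generated, as shown in the report above.
OBSERVED = """\
Patches_jackson-databind:
upstream_jackson-databind: released (2.13.2.2-1)
trusty_jackson-databind: ignored (out of standard support)
xenial_jackson-databind: ignored (out of standard support)
bionic_jackson-databind: needs-triage
focal_jackson-databind: needs-triage
jammy_jackson-databind: needs-triage
kinetic_jackson-databind: not-affected (2.13.2.2-1)
trusty/esm_jackson-databind: not-affected
esm-apps/xenial_jackson-databind: not-affected
esm-apps/bionic_jackson-databind: not-affected
esm-apps/focal_jackson-databind: not-affected
esm-apps/jammy_jackson-databind: not-affected
devel_jackson-databind: not-affected
"""

if __name__ == "__main__":
    expected = propagate_fix(parse_patches(BEFORE))
    observed = {rel: state for rel, state, _ in parse_patches(OBSERVED)}
    print("wrongly marked:", wrongly_marked(expected, observed))
```

Running the block lists exactly the five ESM entries the report complains about; with the ranking above, only devel (lunar) is later than kinetic and is the only entry the propagation should have changed.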