[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[opensuse-security] CVE OVAL Files



Hi,

I have some concerns with the OVAL files on the OpenSUSE site at:

http://ftp.suse.com/pub/projects/security/oval/

It seems like there is conflicting information in some of the information provided. The criteria that specifies packages have duplicates with different versions.
For example, the following is a snippet from the OVAL file: http://ftp.suse.com/pub/projects/security/oval/opensuse.11.1.xml

<definition id="oval:org.opensuse.security:def:20130160" version="1" class="vulnerability">
  ...
  <criteria operator="OR">
    ...
    <!-- 23807efa0fda2554a9635e4fffacead3 -->
    <criteria operator="AND">
      <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
      <criteria operator="OR">
        <criterion test_ref="oval:org.opensuse.security:tst:2009077426" comment="kernel-default less than 3.0.80-0.5.1"/> 
        ...
      </criteria>
    </criteria>
    <!-- 2f736fd60525e237201b485f497a314b -->
    <criteria operator="OR">
      <criteria operator="AND">
        <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
        <criteria operator="OR">
          <criterion test_ref="oval:org.opensuse.security:tst:2009077162" comment="kernel-default less than 3.0.74-0.6.6.2"/>
          ...
        </criteria>
      </criteria>

If I am reading this correctly, it specifies the package kernel-default less than version 3.0.80-0.5.1 OR version 3.0.74-0.6.6.2. This effectively specifies the kernel-package version less than 3.0.80-0.5.1.

On a similar note, this CVE (CVE-2013-0160) appears to be affecting SUSE Linux Enterprise Server 11 SP2, based off the OVAL snippet above. However, SLES 11SP2 is not listed on the announcement, here: http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00018.html

Am I understanding this correctly? If this is not in error, could someone please explain the logic behind this?

Thanks,

Jason McFadyen
Security Researcher | Rapid7 | Toronto, ON
(416) 531-3180
This electronic message contains information which may be confidential or privileged. The information is intended for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify us by e-mail at (postmaster@xxxxxxxxxx) immediately.

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx