On 14/05/2021 at 07:49, Andrei Nikonov wrote:
> Good afternoon,
>
> I am writing to you as you are mentioned as a maintainer of the apache2 package.
>
> I did some research about Debian vulnerability data and found an issue.
>
> If I check CVE-2010-1452 <https://security-tracker.debian.org/tracker/CVE-2010-1452> on the Debian Security Tracker page, I see that the fixed version for apache2 is 2.2.16-1 (the same version is on the page of JSON-formatted security data <https://security-tracker.debian.org/tracker/data/json>).
>
> But the information on this CVE in the OVAL data file for Buster <https://www.debian.org/security/oval/oval-definitions-buster.xml> is different. The definition of that CVE starts at line 109250 in that file (I attached a screenshot for convenience). The criterion below says that "apache2 DPKG is earlier than 2.2.19-3".
>
> My questions are:
> 1. Should I consider fixed version 2.2.19-3 for apache2?
> 2. Should I rely on OVAL files? Is it just a typo in this case?
>
> Hoping for an answer.
Hi,

security-tracker.debian.org is the reference (updated in real time); it uses information from cve.mitre.org: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452

This issue is fixed in 2.2.16-1. 2.2.* versions are so old that some information is missing, but 2.2.19-3 wasn't a Debian version (see http://snapshot.debian.org/package/apache2/). So there is probably a typo in the criterion.

Cheers,
Yadd
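The two checks this thread performs by hand, comparing the OVAL "DPKG is earlier than" criterion against the tracker's `fixed_version`, and then asking whether the OVAL version was ever a Debian version at all, can be automated. The following Python is an added example and not code from either correspondent or from the Debian security team. The OVAL fragment, the tracker JSON, the definition id and the list of "known" apache2 versions are all constructed here to mirror the shapes of the real files; only the CVE id, the two version strings and the criterion comment text come from the thread.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed OVAL fragment modelled on the shape of Debian's oval-definitions
# files. The definition id is a placeholder, not the id from the real file.
OVAL_XML = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:org.debian:def:PLACEHOLDER" version="1" class="vulnerability">
      <metadata>
        <title>CVE-2010-1452 apache2</title>
        <reference source="CVE" ref_id="CVE-2010-1452"
                   ref_url="https://security-tracker.debian.org/tracker/CVE-2010-1452"/>
      </metadata>
      <criteria>
        <criterion test_ref="oval:org.debian.oval:tst:1" comment="Debian 10 is installed"/>
        <criterion test_ref="oval:org.debian.oval:tst:2"
                   comment="apache2 DPKG is earlier than 2.2.19-3"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""

# Constructed subset of the tracker's JSON feed (package -> CVE -> releases).
TRACKER_JSON = json.dumps({
    "apache2": {
        "CVE-2010-1452": {
            "releases": {
                "buster": {"fixed_version": "2.2.16-1", "status": "resolved"}
            }
        }
    }
})

# Constructed stand-in for the version list one would pull from
# snapshot.debian.org; it contains the tracker's version and not the OVAL one.
KNOWN_DEBIAN_VERSIONS = {"apache2": {"2.2.16-1", "2.2.16-2", "2.2.16-6"}}

NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
# Criterion comment format as quoted in the thread: "<pkg> DPKG is earlier than <ver>"
CRITERION_RE = re.compile(r"^(?P<pkg>\S+) DPKG is earlier than (?P<ver>\S+)$")


def oval_fixed_versions(xml_text):
    """Map (cve, package) -> fixed version as stated by the OVAL dpkg criteria."""
    result = {}
    root = ET.fromstring(xml_text)
    for definition in root.iter(f"{{{NS}}}definition"):
        cves = [ref.get("ref_id") for ref in definition.iter(f"{{{NS}}}reference")
                if ref.get("source") == "CVE"]
        for criterion in definition.iter(f"{{{NS}}}criterion"):
            m = CRITERION_RE.match(criterion.get("comment", ""))
            if not m:
                continue  # e.g. "Debian 10 is installed" carries no version
            for cve in cves:
                result[(cve, m["pkg"])] = m["ver"]
    return result


def tracker_fixed_version(json_text, package, cve, release):
    """Fixed version from the tracker JSON, or None if the entry is absent."""
    data = json.loads(json_text)
    try:
        return data[package][cve]["releases"][release]["fixed_version"]
    except KeyError:
        return None


def cross_check(xml_text, json_text, release, known_versions):
    """One finding per OVAL criterion whose version disagrees with the tracker.

    oval_version_known records whether the OVAL version appears in the list of
    versions Debian actually shipped; False is the "probably a typo" signal."""
    findings = []
    for (cve, pkg), oval_ver in oval_fixed_versions(xml_text).items():
        tracker_ver = tracker_fixed_version(json_text, pkg, cve, release)
        if tracker_ver == oval_ver:
            continue
        findings.append({
            "cve": cve, "package": pkg,
            "oval": oval_ver, "tracker": tracker_ver,
            "oval_version_known": oval_ver in known_versions.get(pkg, set()),
        })
    return findings


if __name__ == "__main__":
    for f in cross_check(OVAL_XML, TRACKER_JSON, "buster", KNOWN_DEBIAN_VERSIONS):
        print(f"{f['cve']} {f['package']}: OVAL says {f['oval']}, tracker says "
              f"{f['tracker']} (OVAL version ever shipped: {f['oval_version_known']})")
```

Run against the real feeds, `known_versions` would be populated from snapshot.debian.org and the JSON from the tracker URL quoted above; a finding whose `oval_version_known` is False is exactly the case Yadd describes, a criterion version that never existed in Debian, and the tracker value should be trusted over it.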