Hi Yadd, thank you for the clarification!

Is it possible to fix the typo in the OVAL file? Thanks again.

Fri, 14 May 2021, 12:30, Yadd <y...@debian.org>:

> On 14/05/2021 at 07:49, Andrei Nikonov wrote:
> > Good afternoon,
> >
> > I am writing to you as you are mentioned as the maintainers of the
> > apache2 package.
> >
> > I did some research about Debian vulnerability data and found an issue.
> >
> > If I check CVE-2010-1452
> > <https://security-tracker.debian.org/tracker/CVE-2010-1452> on the Debian
> > Security Tracker page, I see that the fixed version for apache2 is
> > 2.2.16-1 (the same version is on the page of JSON-formatted security data
> > <https://security-tracker.debian.org/tracker/data/json>).
> >
> > But the information for this CVE in the OVAL data file for Buster
> > <https://www.debian.org/security/oval/oval-definitions-buster.xml> is
> > different. The definition of that CVE starts at line 109250 in that file
> > (I attached a screenshot for convenience). The criterion below says that
> > "apache2 DPKG is earlier than 2.2.19-3".
> >
> > My questions are:
> > 1. Should I consider the fixed version 2.2.19-3 for apache2?
> > 2. Should I rely on OVAL files? Is it just a typo in this case?
> >
> > Hoping for an answer.
>
> Hi,
>
> security-tracker.debian.org is the reference (updated in real time); it
> uses information from cve.mitre.org:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452
>
> This issue is fixed in 2.2.16-1. 2.2.* versions are so old that some
> information is missing, but 2.2.19-3 wasn't a Debian version (see
> http://snapshot.debian.org/package/apache2/). So there is probably a
> typo in the criterion.
>
> Cheers,
> Yadd

-- 
Andrey Nikonov, Security engineer, "Frodex" Ltd. Ufa, Russia.
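The discrepancy discussed in this thread (tracker says 2.2.16-1, OVAL criterion says 2.2.19-3) is the kind of thing a consumer of both feeds can catch automatically. The script below is an added example, not code from the thread or from Debian: it extracts the "<package> DPKG is earlier than <version>" criterion for each CVE from an OVAL file, reads the fixed version for the same package and release from the tracker JSON, and compares the two with dpkg's version ordering so it can say which feed claims the later fix. Both inputs are constructed, simplified stand-ins: the OVAL snippet mirrors only the definition/reference/criterion layout the thread describes, and the JSON layout (package -> CVE -> releases -> fixed_version) is assumed from the tracker's export rather than taken from the page.

```python
"""Cross-check a CVE's fixed version between the Debian Security Tracker
JSON feed and an OVAL definitions file (added example; inputs constructed)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed OVAL sample carrying the version the thread says the Buster file
# has (2.2.19-3). Real files are far larger; only the relevant shape is kept.
OVAL_XML = """<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition id="oval:org.debian:def:example" class="vulnerability" version="1">
   <metadata>
    <title>CVE-2010-1452 apache2</title>
    <reference source="CVE" ref_id="CVE-2010-1452"
     ref_url="https://security-tracker.debian.org/tracker/CVE-2010-1452"/>
   </metadata>
   <criteria>
    <criterion test_ref="oval:org.debian.oval:tst:example"
     comment="apache2 DPKG is earlier than 2.2.19-3"/>
   </criteria>
  </definition>
 </definitions>
</oval_definitions>"""

# Constructed tracker-style JSON (layout assumed) with the 2.2.16-1 the thread cites.
TRACKER_JSON = json.dumps({"apache2": {"CVE-2010-1452": {"releases": {
    "buster": {"status": "resolved", "fixed_version": "2.2.16-1"}}}}})

CRITERION_RE = re.compile(r"^(?P<pkg>\S+) DPKG is earlier than (?P<ver>\S+)$")


def _local(tag):
    """Strip an XML namespace so the walk works with or without one."""
    return tag.rsplit("}", 1)[-1]


def oval_fixed_versions(xml_text):
    """Map (cve, package) -> version the OVAL criterion treats as the fix."""
    result = {}
    for definition in ET.fromstring(xml_text).iter():
        if _local(definition.tag) != "definition":
            continue
        cves = [r.get("ref_id") for r in definition.iter()
                if _local(r.tag) == "reference" and r.get("source") == "CVE"]
        for crit in definition.iter():
            if _local(crit.tag) != "criterion":
                continue
            m = CRITERION_RE.match(crit.get("comment", ""))
            if m:
                for cve in cves:
                    result[(cve, m["pkg"])] = m["ver"]
    return result


def tracker_fixed_version(json_text, package, cve, release):
    """Fixed version the tracker JSON records for one package/CVE/release."""
    return json.loads(json_text)[package][cve]["releases"][release].get("fixed_version")


def _order(c):
    """dpkg ordering of non-digit characters: '~' sorts before end-of-string,
    letters before other punctuation."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream or revision part with the dpkg algorithm."""
    while a or b:
        # Leading non-digit runs are compared character by character; a missing
        # character (end, or a digit on the other side) ranks as 0.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            oa = _order(a[0]) if a and not a[0].isdigit() else 0
            ob = _order(b[0]) if b and not b[0].isdigit() else 0
            if oa != ob:
                return -1 if oa < ob else 1
            a, b = a[1:], b[1:]  # equal here means both were the same non-digit
        # Leading digit runs are compared numerically.
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_debian_versions(v1, v2):
    """Return -1, 0 or 1 following dpkg's epoch:upstream-revision ordering."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-")
        if not upstream:  # no hyphen: the whole string is the upstream part
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def check(package, cve, release, oval_xml=OVAL_XML, tracker_json=TRACKER_JSON):
    """Report whether the two feeds agree on the fixed version, and if not,
    which one claims the later fix."""
    oval_ver = oval_fixed_versions(oval_xml).get((cve, package))
    tracker_ver = tracker_fixed_version(tracker_json, package, cve, release)
    if oval_ver is None or tracker_ver is None:
        verdict = "missing"
    else:
        c = compare_debian_versions(oval_ver, tracker_ver)
        verdict = "agree" if c == 0 else ("oval_later" if c > 0 else "oval_earlier")
    return {"package": package, "cve": cve, "release": release,
            "tracker": tracker_ver, "oval": oval_ver, "verdict": verdict}


if __name__ == "__main__":
    print(check("apache2", "CVE-2010-1452", "buster"))
```

An "oval_later" verdict is the case from this thread: a scanner driven by the OVAL file would flag 2.2.16-1 through 2.2.19-2 as vulnerable even though the tracker records the fix at 2.2.16-1, so such rows are worth reporting to the maintainers rather than acting on directly.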