[Kernel-packages] [Bug 1834439] Re: designated object in OVAL definition may be wrong

Thu, 27 Jun 2019 19:10:51 -0700 

this issue is unrelated to the actual linux operating system but the OVAL 
definition ubuntu security team has provided.
hence the obvious omission of log files.

** Changed in: linux (Ubuntu)
       Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1834439

Title:
  designated object in OVAL definition may be wrong

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  recently published OVAL definition (https://people.canonical.com
  /~ubuntu-security/oval/) may have some breaking change as following:

  all definition which referenced 'linux' binary package object, has
  been affected.

  How to reproduce:
  for example find definition id: oval:com.ubuntu.xenial:def:2019114770000000
  then in criterions find test_ref="oval:com.ubuntu.xenial:tst:2019114770000000"
  then in that test, find object: oval:com.ubuntu.xenial:obj:201245420000000, 
which represent 'linux' package binaries.
  in this `dpkginfo_object`, <linux-def:name> used to contain only the name of 
the binary package, but now it contains a var_ref which points to multiple full 
name of the most recent binary package for linux kernel image:

           <constant_variable id="oval:com.ubuntu.xenial:var:201245420000000" 
version="1" datatype="string" comment="'linux' package binaries">
              <value>linux-image-4.4.0-151-generic</value>
              <value>linux-image-4.4.0-151-generic-lpae</value>
              <value>linux-image-4.4.0-151-lowlatency</value>
              <value>linux-image-4.4.0-151-powerpc-e500mc</value>
              <value>linux-image-4.4.0-151-powerpc-smp</value>
              <value>linux-image-4.4.0-151-powerpc64-emb</value>
              <value>linux-image-4.4.0-151-powerpc64-smp</value>
              <value>linux-image-unsigned-4.4.0-151-generic</value>
              <value>linux-image-unsigned-4.4.0-151-lowlatency</value>
          </constant_variable>

  
  I believe this is an error, an 'linux' binary package should not contain any 
version information, as can be seen in other packages objects which only 
contains a name of package. 

  can you please explain the purpose of this section?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1834439/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to