Hi,

We're using openscap and OVAL files provided by the Debian security team to 
monitor CVEs on our systems. I'd first like to say that we've found the quality 
of Debian OVALs to be very good so far, which we cannot say for some other 
distros even though they are backed by large corporations. Thank you for that!

Last week, CVE-2023-4911 was published, which affects the GNU C library. The 
Debian security tracker and the provided OVALs only state that it affects the 
source package "glibc", while the affected installed package on our systems is 
"libc6". Thus, openscap doesn't report this CVE as it should.

We don't often encounter this issue as main contenders of packages where the 
name differs from the source package are built in house (e.g. the kernel or 
apache2).

Are we missing something or should the security tracker and OVALs list affected 
packages and not just the source package in those cases?

Thanks,

--
Pierre Kuhner
Security Engineer @ OVHcloud
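One way to close that gap on the monitoring side, as an added example that is not part of this email, of openscap or of the Debian tooling: map each installed binary package to its source package (dpkg's `${source:Package}` format field) before comparing against the source names the OVAL lists. The dpkg-query output and version strings below are constructed sample data, not real system output.

```python
"""Match an advisory that names only a Debian *source* package (e.g. "glibc")
against installed *binary* packages (e.g. "libc6", "libc-bin")."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample of:
#   dpkg-query -W -f='${Package}\t${source:Package}\t${Version}\n'
# Versions are made up for illustration.
SAMPLE_DPKG_OUTPUT = """\
libc6\tglibc\t2.36-9+deb12u3
libc-bin\tglibc\t2.36-9+deb12u3
apache2\tapache2\t2.4.57-2
linux-image-amd64\tlinux-signed-amd64\t6.1.55-1
bash\t\t5.2.15-2+b2
"""


def parse_dpkg_query(output: str) -> Dict[str, Tuple[str, str]]:
    """Return {binary_package: (source_package, version)}.

    dpkg itself falls back to the binary name when a package has no Source
    field, but an empty column is tolerated here too (line for "bash" above).
    """
    installed: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        binary, source, version = line.split("\t")
        installed[binary] = (source or binary, version)
    return installed


def match_by_binary_name(affected_sources: Iterable[str],
                         installed: Dict[str, Tuple[str, str]]) -> List[str]:
    """Naive check that treats the advisory's source name as a binary name.
    This is what misses CVE-2023-4911: "glibc" is never an installed binary."""
    wanted = set(affected_sources)
    return sorted(b for b in installed if b in wanted)


def match_by_source_name(affected_sources: Iterable[str],
                         installed: Dict[str, Tuple[str, str]]) -> List[str]:
    """Correct check: compare the advisory's source name with the source
    package each installed binary was built from."""
    wanted = set(affected_sources)
    return sorted(b for b, (src, _v) in installed.items() if src in wanted)


if __name__ == "__main__":
    pkgs = parse_dpkg_query(SAMPLE_DPKG_OUTPUT)
    print("by binary name:", match_by_binary_name({"glibc"}, pkgs))   # []
    print("by source name:", match_by_source_name({"glibc"}, pkgs))   # libc-bin, libc6
```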