This bug was fixed in the package openscap - 1.2.17-0.1ubuntu7.22.04.1 --------------- openscap (1.2.17-0.1ubuntu7.22.04.1) jammy; urgency=medium
* Make dpkg version comparison less strict for epoch digit. (LP: #2004476) - d/p/debian-epoch-less-strict.patch: oval_cmp_evr_string: Make epoch comparison less restrict for dpkg. * Allow build of ComplianceAsCode and USG projects for platforms that use remote resources. (LP: #2002551) - d/p/allow-DS-session-to-continue-without-remote-resource.patch: Allow DS session to continue without remote resource. -- Eduardo Barretto <eduardo.barre...@canonical.com> Tue, 31 Jan 2023 13:18:40 +0100 ** Changed in: openscap (Ubuntu Jammy) Status: Fix Committed => Fix Released ** Changed in: openscap (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/2004476 Title: [SRU] Allow openscap to be less strict about epoch digit and able to build security certification projects Status in openscap package in Ubuntu: Confirmed Status in openscap source package in Trusty: Fix Committed Status in openscap source package in Xenial: Fix Committed Status in openscap source package in Bionic: Fix Released Status in openscap source package in Focal: Fix Released Status in openscap source package in Jammy: Fix Released Status in openscap source package in Kinetic: Fix Released Bug description: [Impact] Back in [1] where we added dpkg version comparison algorithm, we were too strict about the epoch number, where oscap would return an error message if no epoch number was provided. This SRU backports the fix provided to upstream [2] and released with openscap 1.3.7, meaning lunar is not affected by it. [Test Case] Attached to this bug is a zip file that contains OVAL data for one package (expat) and data of one CVE (CVE-2022-43680). The OVAL data is in both OCI and non-OCI format. The test consists of comparing the installed version of the mentioned packages, to different versions where the CVE could have been fixed. Testing procedure (Bionic): $ sudo apt update $ sudo apt install libopenscap8 $ sudo apt install libexpat1 $ tar -xzf test-data.tar.gz $ cd test-data/ $ ./run.sh Here is the output of the test, with current openscap in jammy: $ ./run.sh oscap oval eval com.ubuntu.jammy.cve.oval.xml Definition oval:com.ubuntu.jammy:def:2022436800000000: error Definition oval:com.ubuntu.jammy:def:100: true OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399] oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml Definition oval:com.ubuntu.jammy:def:2022436800000000: error OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399] and the output of the test, with patched openscap in jammy: $ ./run.sh oscap oval eval com.ubuntu.jammy.cve.oval.xml Definition oval:com.ubuntu.jammy:def:2022436800000000: false Definition oval:com.ubuntu.jammy:def:100: true Evaluation done. oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml Definition oval:com.ubuntu.jammy:def:2022436800000000: false Evaluation done. [Where problems could occur] The patch touches the comparison algorithm, so any regressions that it might have, might impact the comparison and scanning results. [Other Info] The epoch issue affects all releases from Bionic to Kinetic, and it also Trusty ESM and Xenial ESM and we will be handling those in the ESM PPAs. The versioning algorithm implemented is based on dpkg's algorithm. Upstream accepted and merged the Debian epoch fix to its maint-1.3 branch and it already made into 1.3.7 version [3] [1] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791 [2] https://github.com/OpenSCAP/openscap/pull/1901 [3] https://github.com/OpenSCAP/openscap/releases/tag/1.3.7 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2004476/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp