The branch master has been updated via 8ba74cf7cecf400ff776874e4165e5c66653095a (commit) via 11b53fcc49c27a3adaa5282fb2567d084fae8f09 (commit) from f7d3fb4dbadf9235d05d806b974b21b5a8f96487 (commit)
- Log ----------------------------------------------------------------- commit 8ba74cf7cecf400ff776874e4165e5c66653095a Author: Mark J. Cox <m...@awe.com> Date: Mon Feb 5 15:00:47 2018 +0000 Based on discussions with Mitre, over this field that isn't yet defined, but is unlikely to be machine parsable (looking at all the published ones to date). They'd like "Fixed in" and "Affects", so let's give that both in a nice text format for the description and the vulnerability affects sections. commit 11b53fcc49c27a3adaa5282fb2567d084fae8f09 Author: Mark J. Cox <m...@awe.com> Date: Mon Feb 5 14:57:10 2018 +0000 CVE-2004-0081 was missing the 'fixed in 0.9.6d' line, causing it to not get included on the list of 0.9.6 issues and fail json validation. ----------------------------------------------------------------------- Summary of changes: bin/vulnxml2json.py | 23 ++++++++++++----------- news/vulnerabilities.xml | 2 ++ 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/bin/vulnxml2json.py b/bin/vulnxml2json.py index 41afbf8..b905da1 100755 --- a/bin/vulnxml2json.py +++ b/bin/vulnxml2json.py @@ -23,14 +23,16 @@ neverreleased = "1.0.0h,"; # Location of CVE JSON schema (default, can use local file etc) default_cve_schema = "https://raw.githubusercontent.com/CVEProject/automation-working-group/master/cve_json_schema/CVE_JSON_4.0_min_public.schema" -def merge_affects(issue): +def merge_affects(issue,base): # let's merge the affects into a nice list which is better for Mitre text but we have to take into account our stange lettering scheme prev = "" anext = "" alist = list() vlist = list() for affects in issue.getElementsByTagName('affects'): # so we can sort them - vlist.append(affects.getAttribute("version")) + version = affects.getAttribute("version") + if (not base or base in version): + vlist.append(version) for ver in sorted(vlist): # print "version %s (last was %s, next was %s)" %(ver,prev,anext) if (ver != anext): 
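Review bot: The new filter in `merge_affects`, `if (not base or base in version):`, is a substring test, so an `<affects>` entry is kept whenever the base string occurs anywhere in its version string, not only when it belongs to that branch. The `<affects>` elements visible in news/vulnerabilities.xml carry their own `base` attribute (e.g. `<affects base="0.9.6" version="0.9.6a"/>`), so if every entry has one, an exact comparison such as `if (not base or affects.getAttribute("base") == base):` would be safer. The result goes into the CVE description and version data sent to Mitre, where an over-broad match would misstate which releases are affected. A short comment on the new parameter would also help, for example `# base: branch to restrict the list to (e.g. "0.9.6"); empty means all branches`. The body of merge_affects continues past the end of this hunk.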
@@ -110,18 +112,17 @@ for issue in issues: if refs: cve['references'] = { "reference_data": refs } - allaffects = list() - for affects in issue.getElementsByTagName('affects'): - allaffects.append({ "version_value":"openssl-"+affects.getAttribute("version")}) + vv = list() + for affects in issue.getElementsByTagName('fixed'): + text = "Fixed in OpenSSL %s (Affected %s)" %(affects.getAttribute('version'),merge_affects(issue,affects.getAttribute("base"))) + # Let's condense into a list form since the format of this field is 'free text' at the moment, not machine readable (as per mail with George Theall) + vv.append({"version_value":text}) + # Mitre want the fixed/affected versions in the text too + desc += " "+text+"." - cve['affects'] = { "vendor" : { "vendor_data" : [ { "vendor_name": "OpenSSL", "product": { "product_data" : [ { "product_name": "OpenSSL", "version": { "version_data" : allaffects}}]}}]}} - - # Mitre want the fixed/affected versions in the text too - - desc += " (Affects "+merge_affects(issue)+")." + cve['affects'] = { "vendor" : { "vendor_data" : [ { "vendor_name": "OpenSSL", "product": { "product_data" : [ { "product_name": "OpenSSL", "version": { "version_data" : vv}}]}}]}} # Mitre want newlines and excess spaces stripped - desc = re.sub('[\n ]+',' ', desc) cve['description'] = { "description_data": [ { "lang":"eng", "value": desc} ] } diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 80786e1..6e4c717 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml 
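Review bot: An issue with no `<fixed>` element now leaves `vv` empty, so `version_data` is written as an empty list and the description loses the affected-versions text that the removed `desc += " (Affects "+merge_affects(issue)+")."` line always appended. The message of commit 11b53fcc reports a JSON validation failure for CVE-2004-0081, which lacked its fixed line, presumably for this reason. The script could catch it at the source with `if not vv: raise ValueError("issue has no <fixed> element")` after the loop, or fall back to an affects-only text. The loop variable is still named `affects` although it now iterates `fixed` elements; renaming it to `fixed` would make the `getAttribute` calls easier to read. The enclosing `for issue in issues:` loop starts and ends outside the hunk.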
@@ -4638,6 +4638,8 @@ OpenSSL library in such a way as to cause a crash. <affects base="0.9.6" version="0.9.6a"/> <affects base="0.9.6" version="0.9.6b"/> <affects base="0.9.6" version="0.9.6c"/> + <fixed base="0.9.6" version="0.9.6d" date="20020603"/> <!-- guessed date --> + <advisory url="/news/secadv/20030317.txt"/> <reported source="OpenSSL group"/> <description> _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits