On Thu, 6 Jun 2019 at 20:04, Leroy Tennison <le...@datavoiceint.com> wrote:
>
> The reason I ask is I have a commercial vulnerability scanner reporting
> as "fail" a test (for example, CVE-2016-5387) of our systems where
> https://people.canonical.com/~ubuntu-security/cve/ states that a fix has
> been released and our current version appears to be later than that
> release.  I need to dispute that finding for compliance reasons but would
> like an official statement to show to the vendor concerning how Ubuntu
> handles these things.  I suspect the vendor is only checking the upstream
> major and minor version number rather than actually testing and thus
> concluding a "fail" erroneously.
>
>
> Harriscomputer


Ubuntu publishes its CVE status in OVAL (https://oval.mitre.org/), which I
would expect a commercial vulnerability scanner to be able to parse:
https://people.canonical.com/~ubuntu-security/oval/, e.g.
com.ubuntu.xenial.cve.oval.xml.bz2 for the xenial release.

From the xenial release data, it does contain a definition for:

<reference source="CVE" ref_id="CVE-2016-5387" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387" />


The criteria that must be applied for this CVE on Ubuntu 16.04 Xenial
release are:

            <criteria>
                <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
                    comment="Ubuntu 16.04 LTS (xenial) is installed." applicability_check="true" />
                <criteria operator="OR">
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000000"
                        comment="apache2 package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000010"
                        comment="apache2-bin package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000020"
                        comment="apache2-data package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000030"
                        comment="apache2-suexec-custom package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000040"
                        comment="apache2-suexec-pristine package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000050"
                        comment="apache2-utils package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                </criteria>
            </criteria>


Meaning that if those packages are installed, they need to be at least of
those versions. Granted, I can see how actual version numbers are
basically freeform text in a comment field, but that is as official an
answer as it gets: "was vulnerable but has been fixed".

Ditto for the trusty release. So extracting the full XML paragraph
covering CVE-2016-5387 is an adequate answer as to which set of
packages were affected, and which versions of them mitigate the CVE in
question.

-- 
Regards,

Dimitri.
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
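Dimitri's point, that a scanner should read the OVAL criteria and compare Ubuntu package versions rather than upstream version numbers, as an added Python example (not from this thread, Ubuntu's tooling, or any scanner): it pulls the per-package fixed versions out of an OVAL fragment constructed from the ids quoted above, compares installed versions using a port of dpkg's version ordering, and reports fixed/vulnerable per package. The title wording, the trimmed criteria and the installed versions are assumptions; `{*}` namespace wildcards need Python 3.8+.

```python
import re
import xml.etree.ElementTree as ET

# Constructed OVAL fragment mirroring the xenial definition quoted above (ids kept, other
# criteria omitted); real files: https://people.canonical.com/~ubuntu-security/oval/
OVAL_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
<definition id="oval:com.ubuntu.xenial:def:201653870000000" class="vulnerability"><metadata><title>CVE-2016-5387 on Ubuntu 16.04 LTS (xenial)</title></metadata><criteria operator="OR">
<criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000000" comment="apache2 package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
<criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000010" comment="apache2-bin package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
</criteria></definition></definitions></oval_definitions>"""
FIXED_RE = re.compile(r"^(\S+) package in \S+ was vulnerable but has been fixed \(note: '([^']+)'\)")

def fixed_versions(oval_xml, cve):
    """Package -> fixed version, read from the criterion comments of the definition titled `cve`."""
    root = ET.fromstring(oval_xml)
    for d in root.iterfind('.//{*}definition'):  # {*} matches the OVAL namespace or none
        if (t := d.find('.//{*}title')) is not None and (t.text or '').split(' ')[0] == cve:
            hits = (FIXED_RE.match(c.get('comment', '')) for c in d.iterfind('.//{*}criterion'))
            return {m.group(1): m.group(2) for m in hits if m}
    return {}
def _order(c):  # dpkg character weight: '~' sorts before everything, even end of string
    return -1 if c == '~' else 0 if c == '' or c.isdigit() else ord(c) + (0 if c.isalpha() else 256)
def _verrevcmp(a, b):  # port of dpkg's verrevcmp(): compare alternating non-digit/digit runs
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == '0': i += 1   # leading zeros are insignificant
        while j < len(b) and b[j] == '0': j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1   # longer digit run wins
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0
def deb_version_cmp(v1, v2):  # epoch:upstream-revision, as dpkg --compare-versions; -1/0/1
    def split(v):
        epoch, _, rest = v.partition(':') if ':' in v else ('0', '', v)
        up, _, rev = rest.rpartition('-') if '-' in rest else (rest, '', '')
        return int(epoch), up, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)
def cve_status(installed, fixed):  # 'fixed' or 'vulnerable' per installed package named in OVAL
    return {p: 'fixed' if deb_version_cmp(v, fixed[p]) >= 0 else 'vulnerable'
            for p, v in installed.items() if p in fixed}
```

Feed `fixed_versions()` the decompressed com.ubuntu.xenial.cve.oval.xml and `cve_status()` the output of `dpkg-query -W -f '${Package} ${Version}\n'` to reproduce the check a scanner should be doing.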
