stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

save progress

Browse Source
This commit is contained in:
StellaOps Bot
2026-01-03 15:27:15 +02:00
parent d486d41a48
commit bc4dd4f377
70 changed files with 8531 additions and 653 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
src/__Tests/__Datasets/GoldenBackports/CVE-2014-0160-debian7-openssl/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-debian7-openssl-heartbleed",
"cve": "CVE-2014-0160",
"description": "Heartbleed vulnerability - classic backport case in Debian 7",
"distro": {
"name": "debian",
"release": "7",
"codename": "wheezy",
"eolDate": "2018-05-31"
},
"package": {
"source": "openssl",
"binary": "libssl1.0.0",
"vulnerableEvr": "1.0.1e-2+deb7u4",
"patchedEvr": "1.0.1e-2+deb7u5",
"architecture": "amd64"
},
"upstream": {
"vulnerableRange": ">=1.0.1,<1.0.1g",
"fixedVersion": "1.0.1g",
"cweId": "CWE-126",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "Upstream says 1.0.1e is affected, but Debian backported the fix"
},
"evidence": {
"advisoryUrl": "https://www.debian.org/security/2014/dsa-2896",
"changelogUrl": "https://metadata.ftp-master.debian.org/changelogs/main/o/openssl/openssl_1.0.1e-2+deb7u5_changelog",
"patchCommit": null,
"notes": "Heartbleed (CVE-2014-0160) fix backported to OpenSSL 1.0.1e in Debian 7. The fix was released on 2014-04-07."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "1.0.1e",
"release": "2+deb7u4",
"normalized": "1.0.1e-2+deb7u4"
},
"patchedEvr": {
"epoch": null,
"version": "1.0.1e",
"release": "2+deb7u5",
"normalized": "1.0.1e-2+deb7u5"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2014-0160-rhel6-openssl/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-rhel6-openssl-heartbleed",
"cve": "CVE-2014-0160",
"description": "Heartbleed vulnerability - Red Hat Enterprise Linux 6 backport",
"distro": {
"name": "rhel",
"release": "6",
"codename": null,
"eolDate": "2024-06-30"
},
"package": {
"source": "openssl",
"binary": "openssl",
"vulnerableEvr": "1.0.1e-16.el6_5.4",
"patchedEvr": "1.0.1e-16.el6_5.7",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=1.0.1,<1.0.1g",
"fixedVersion": "1.0.1g",
"cweId": "CWE-126",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "RHEL 6 backported the Heartbleed fix to 1.0.1e via RHSA-2014:0376"
},
"evidence": {
"advisoryUrl": "https://access.redhat.com/errata/RHSA-2014:0376",
"changelogUrl": null,
"patchCommit": null,
"notes": "Red Hat released RHSA-2014:0376 on 2014-04-08, backporting the Heartbleed fix to RHEL 6's OpenSSL 1.0.1e."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "1.0.1e",
"release": "16.el6_5.4",
"normalized": "1.0.1e-16.el6_5.4"
},
"patchedEvr": {
"epoch": null,
"version": "1.0.1e",
"release": "16.el6_5.7",
"normalized": "1.0.1e-16.el6_5.7"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2014-6271-ubuntu1804-bash/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-ubuntu1804-bash-shellshock",
"cve": "CVE-2014-6271",
"description": "GNU Bash Shellshock command injection - Ubuntu 18.04 backport",
"distro": {
"name": "ubuntu",
"release": "18.04",
"codename": "bionic",
"eolDate": "2028-04-01"
},
"package": {
"source": "bash",
"binary": "bash",
"vulnerableEvr": "4.4.18-2ubuntu1",
"patchedEvr": "4.4.18-2ubuntu1.2",
"architecture": "amd64"
},
"upstream": {
"vulnerableRange": "<=4.3",
"fixedVersion": "4.3 patch 25",
"cweId": "CWE-78",
"severity": "CRITICAL"
},
"expectedVerdict": {
"vulnerableVersionStatus": "not_affected",
"patchedVersionStatus": "fixed",
"reason": "upstream_fixed_in_version",
"upstreamWouldSay": "not_affected",
"notes": "Ubuntu 18.04 Bash 4.4.18 was released after the Shellshock fix; this tests edge case where distro version is newer than upstream fix"
},
"evidence": {
"advisoryUrl": "https://ubuntu.com/security/CVE-2014-6271",
"changelogUrl": null,
"patchCommit": null,
"notes": "Shellshock (CVE-2014-6271) was fixed upstream in Bash 4.3 patch 25. Ubuntu 18.04 ships 4.4.18 which already includes the fix."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "4.4.18",
"release": "2ubuntu1",
"normalized": "4.4.18-2ubuntu1"
},
"patchedEvr": {
"epoch": null,
"version": "4.4.18",
"release": "2ubuntu1.2",
"normalized": "4.4.18-2ubuntu1.2"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2020-1712-rhel8-systemd/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-rhel8-systemd-polkit",
"cve": "CVE-2020-1712",
"description": "systemd use-after-free in bus_message_dispatch - RHEL 8 backport",
"distro": {
"name": "rhel",
"release": "8",
"codename": null,
"eolDate": "2029-05-31"
},
"package": {
"source": "systemd",
"binary": "systemd",
"vulnerableEvr": "239-29.el8",
"patchedEvr": "239-31.el8_2.2",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": "<244",
"fixedVersion": "244",
"cweId": "CWE-416",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "RHEL 8 uses systemd 239 but backported CVE-2020-1712 fix"
},
"evidence": {
"advisoryUrl": "https://access.redhat.com/errata/RHSA-2020:0575",
"changelogUrl": null,
"patchCommit": null,
"notes": "Use-after-free in bus_message_dispatch (CVE-2020-1712) backported to RHEL 8's systemd 239."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "239",
"release": "29.el8",
"normalized": "239-29.el8"
},
"patchedEvr": {
"epoch": null,
"version": "239",
"release": "31.el8_2.2",
"normalized": "239-31.el8_2.2"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2020-1971-rhel7-openssl/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-rhel7-openssl-null-deref",
"cve": "CVE-2020-1971",
"description": "OpenSSL NULL pointer dereference in GENERAL_NAME_cmp - RHEL 7 backport",
"distro": {
"name": "rhel",
"release": "7",
"codename": null,
"eolDate": "2028-06-30"
},
"package": {
"source": "openssl",
"binary": "openssl-libs",
"vulnerableEvr": "1:1.0.2k-19.el7",
"patchedEvr": "1:1.0.2k-21.el7_9",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=1.0.2,<1.0.2x || >=1.1.0,<1.1.1i",
"fixedVersion": "1.0.2x, 1.1.1i",
"cweId": "CWE-476",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "RHEL 7 uses OpenSSL 1.0.2k but backported the CVE-2020-1971 fix"
},
"evidence": {
"advisoryUrl": "https://access.redhat.com/errata/RHSA-2020:5566",
"changelogUrl": null,
"patchCommit": null,
"notes": "Fix for EDIPARTYNAME NULL pointer dereference (CVE-2020-1971) backported to RHEL 7's OpenSSL 1.0.2k."
},
"testVectors": {
"vulnerableEvr": {
"epoch": 1,
"version": "1.0.2k",
"release": "19.el7",
"normalized": "1:1.0.2k-19.el7"
},
"patchedEvr": {
"epoch": 1,
"version": "1.0.2k",
"release": "21.el7_9",
"normalized": "1:1.0.2k-21.el7_9"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2020-28928-alpine318-musl/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-alpine318-musl-ldso",
"cve": "CVE-2020-28928",
"description": "musl libc wcsnrtombs infinite loop - Alpine 3.18 backport",
"distro": {
"name": "alpine",
"release": "3.18",
"codename": null,
"eolDate": "2025-05-01"
},
"package": {
"source": "musl",
"binary": "musl",
"vulnerableEvr": "1.2.3-r4",
"patchedEvr": "1.2.4-r0",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=1.2.0,<1.2.1",
"fixedVersion": "1.2.1",
"cweId": "CWE-835",
"severity": "MEDIUM"
},
"expectedVerdict": {
"vulnerableVersionStatus": "not_affected",
"patchedVersionStatus": "fixed",
"reason": "upstream_fixed_in_version",
"upstreamWouldSay": "not_affected",
"notes": "Alpine 3.18 musl 1.2.3 was released after the upstream fix; tests edge case for version comparison"
},
"evidence": {
"advisoryUrl": "https://security.alpinelinux.org/vuln/CVE-2020-28928",
"changelogUrl": null,
"patchCommit": null,
"notes": "wcsnrtombs infinite loop (CVE-2020-28928) fixed upstream in musl 1.2.1. Alpine 3.18 ships 1.2.3+."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "1.2.3",
"release": "r4",
"normalized": "1.2.3-r4"
},
"patchedEvr": {
"epoch": null,
"version": "1.2.4",
"release": "r0",
"normalized": "1.2.4-r0"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2021-3156-centos7-sudo/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-centos7-sudo-heap",
"cve": "CVE-2021-3156",
"description": "Sudo Baron Samedit heap-based buffer overflow - CentOS 7 backport",
"distro": {
"name": "centos",
"release": "7",
"codename": null,
"eolDate": "2024-06-30"
},
"package": {
"source": "sudo",
"binary": "sudo",
"vulnerableEvr": "1.8.23-9.el7",
"patchedEvr": "1.8.23-10.el7_9.2",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=1.8.2,<1.9.5p2",
"fixedVersion": "1.9.5p2",
"cweId": "CWE-122",
"severity": "CRITICAL"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "CentOS 7 uses Sudo 1.8.23 but backported CVE-2021-3156 fix"
},
"evidence": {
"advisoryUrl": "https://access.redhat.com/errata/RHSA-2021:0218",
"changelogUrl": null,
"patchCommit": null,
"notes": "Baron Samedit heap buffer overflow (CVE-2021-3156) backported to CentOS 7's Sudo 1.8.23."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "1.8.23",
"release": "9.el7",
"normalized": "1.8.23-9.el7"
},
"patchedEvr": {
"epoch": null,
"version": "1.8.23",
"release": "10.el7_9.2",
"normalized": "1.8.23-10.el7_9.2"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2023-26604-debian12-systemd/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-debian12-systemd-priv",
"cve": "CVE-2023-26604",
"description": "systemd local privilege escalation via less pager - Debian 12 backport",
"distro": {
"name": "debian",
"release": "12",
"codename": "bookworm",
"eolDate": "2028-06-01"
},
"package": {
"source": "systemd",
"binary": "systemd",
"vulnerableEvr": "252.5-2",
"patchedEvr": "252.12-1~deb12u1",
"architecture": "amd64"
},
"upstream": {
"vulnerableRange": "<253",
"fixedVersion": "253",
"cweId": "CWE-269",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "Debian 12 uses systemd 252 but backported CVE-2023-26604 fix"
},
"evidence": {
"advisoryUrl": "https://security-tracker.debian.org/tracker/CVE-2023-26604",
"changelogUrl": null,
"patchCommit": null,
"notes": "Privilege escalation via less pager (CVE-2023-26604) backported to Debian Bookworm's systemd 252."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "252.5",
"release": "2",
"normalized": "252.5-2"
},
"patchedEvr": {
"epoch": null,
"version": "252.12",
"release": "1~deb12u1",
"normalized": "252.12-1~deb12u1"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2023-38408-debian10-openssh/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-debian10-openssh-enum",
"cve": "CVE-2023-38408",
"description": "OpenSSH PKCS#11 provider remote code execution - Debian 10 backport",
"distro": {
"name": "debian",
"release": "10",
"codename": "buster",
"eolDate": "2024-06-30"
},
"package": {
"source": "openssh",
"binary": "openssh-client",
"vulnerableEvr": "1:7.9p1-10+deb10u2",
"patchedEvr": "1:7.9p1-10+deb10u3",
"architecture": "amd64"
},
"upstream": {
"vulnerableRange": "<9.3p2",
"fixedVersion": "9.3p2",
"cweId": "CWE-426",
"severity": "CRITICAL"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "Debian 10 uses OpenSSH 7.9p1 but backported CVE-2023-38408 fix"
},
"evidence": {
"advisoryUrl": "https://security-tracker.debian.org/tracker/CVE-2023-38408",
"changelogUrl": null,
"patchCommit": null,
"notes": "PKCS#11 provider vulnerability (CVE-2023-38408) backported to Debian Buster's OpenSSH 7.9p1."
},
"testVectors": {
"vulnerableEvr": {
"epoch": 1,
"version": "7.9p1",
"release": "10+deb10u2",
"normalized": "1:7.9p1-10+deb10u2"
},
"patchedEvr": {
"epoch": 1,
"version": "7.9p1",
"release": "10+deb10u3",
"normalized": "1:7.9p1-10+deb10u3"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2023-38545-debian11-curl/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-debian11-curl-heap",
"cve": "CVE-2023-38545",
"description": "curl SOCKS5 heap buffer overflow - Debian 11 backport",
"distro": {
"name": "debian",
"release": "11",
"codename": "bullseye",
"eolDate": "2026-08-15"
},
"package": {
"source": "curl",
"binary": "curl",
"vulnerableEvr": "7.74.0-1.3+deb11u9",
"patchedEvr": "7.74.0-1.3+deb11u10",
"architecture": "amd64"
},
"upstream": {
"vulnerableRange": ">=7.69.0,<8.4.0",
"fixedVersion": "8.4.0",
"cweId": "CWE-122",
"severity": "CRITICAL"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "Debian 11 uses curl 7.74.0 but backported CVE-2023-38545 fix"
},
"evidence": {
"advisoryUrl": "https://security-tracker.debian.org/tracker/CVE-2023-38545",
"changelogUrl": null,
"patchCommit": null,
"notes": "SOCKS5 heap buffer overflow (CVE-2023-38545) backported to Debian Bullseye's curl 7.74.0."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "7.74.0",
"release": "1.3+deb11u9",
"normalized": "7.74.0-1.3+deb11u9"
},
"patchedEvr": {
"epoch": null,
"version": "7.74.0",
"release": "1.3+deb11u10",
"normalized": "7.74.0-1.3+deb11u10"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2023-4911-rhel9-glibc/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-rhel9-glibc-ld",
"cve": "CVE-2023-4911",
"description": "glibc Looney Tunables ld.so buffer overflow - RHEL 9 backport",
"distro": {
"name": "rhel",
"release": "9",
"codename": null,
"eolDate": "2032-05-31"
},
"package": {
"source": "glibc",
"binary": "glibc",
"vulnerableEvr": "2.34-60.el9",
"patchedEvr": "2.34-60.el9_2.7",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=2.34,<2.39",
"fixedVersion": "2.39",
"cweId": "CWE-122",
"severity": "CRITICAL"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "RHEL 9 uses glibc 2.34 but backported CVE-2023-4911 fix"
},
"evidence": {
"advisoryUrl": "https://access.redhat.com/errata/RHSA-2023:5453",
"changelogUrl": null,
"patchCommit": null,
"notes": "Looney Tunables ld.so buffer overflow (CVE-2023-4911) backported to RHEL 9's glibc 2.34."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "2.34",
"release": "60.el9",
"normalized": "2.34-60.el9"
},
"patchedEvr": {
"epoch": null,
"version": "2.34",
"release": "60.el9_2.7",
"normalized": "2.34-60.el9_2.7"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2023-51385-rhel8-openssh/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-rhel8-openssh-dblefree",
"cve": "CVE-2023-51385",
"description": "OpenSSH ProxyCommand expansion double-free - RHEL 8 backport",
"distro": {
"name": "rhel",
"release": "8",
"codename": null,
"eolDate": "2029-05-31"
},
"package": {
"source": "openssh",
"binary": "openssh-clients",
"vulnerableEvr": "8.0p1-19.el8_8",
"patchedEvr": "8.0p1-24.el8_10",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": "<9.6",
"fixedVersion": "9.6",
"cweId": "CWE-415",
"severity": "MEDIUM"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "RHEL 8 uses OpenSSH 8.0p1 but backported CVE-2023-51385 fix"
},
"evidence": {
"advisoryUrl": "https://access.redhat.com/errata/RHSA-2024:3166",
"changelogUrl": null,
"patchCommit": null,
"notes": "ProxyCommand expansion vulnerability (CVE-2023-51385) backported to RHEL 8's OpenSSH 8.0p1."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "8.0p1",
"release": "19.el8_8",
"normalized": "8.0p1-19.el8_8"
},
"patchedEvr": {
"epoch": null,
"version": "8.0p1",
"release": "24.el8_10",
"normalized": "8.0p1-24.el8_10"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2023-6246-ubuntu2204-glibc/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-ubuntu2204-glibc-syslog",
"cve": "CVE-2023-6246",
"description": "glibc __vsyslog_internal heap overflow - Ubuntu 22.04 backport",
"distro": {
"name": "ubuntu",
"release": "22.04",
"codename": "jammy",
"eolDate": "2032-04-01"
},
"package": {
"source": "glibc",
"binary": "libc6",
"vulnerableEvr": "2.35-0ubuntu3.5",
"patchedEvr": "2.35-0ubuntu3.6",
"architecture": "amd64"
},
"upstream": {
"vulnerableRange": ">=2.0,<2.39",
"fixedVersion": "2.39",
"cweId": "CWE-122",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "Ubuntu 22.04 uses glibc 2.35 but backported CVE-2023-6246 fix"
},
"evidence": {
"advisoryUrl": "https://ubuntu.com/security/notices/USN-6620-1",
"changelogUrl": null,
"patchCommit": null,
"notes": "__vsyslog_internal heap overflow (CVE-2023-6246) backported to Ubuntu Jammy's glibc 2.35."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "2.35",
"release": "0ubuntu3.5",
"normalized": "2.35-0ubuntu3.5"
},
"patchedEvr": {
"epoch": null,
"version": "2.35",
"release": "0ubuntu3.6",
"normalized": "2.35-0ubuntu3.6"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2024-0985-almalinux9-postgresql/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-almalinux9-postgresql-sql",
"cve": "CVE-2024-0985",
"description": "PostgreSQL SQL injection via pg_cancel_backend - AlmaLinux 9 backport",
"distro": {
"name": "almalinux",
"release": "9",
"codename": null,
"eolDate": "2032-05-31"
},
"package": {
"source": "postgresql",
"binary": "postgresql-server",
"vulnerableEvr": "15.4-1.module_el9.2.0+32+f3c125e8",
"patchedEvr": "15.6-1.module_el9.3.0+59+fea081f4",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=12,<12.18 || >=13,<13.14 || >=14,<14.11 || >=15,<15.6 || >=16,<16.2",
"fixedVersion": "12.18, 13.14, 14.11, 15.6, 16.2",
"cweId": "CWE-89",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "upstream_fixed_in_version",
"upstreamWouldSay": "affected",
"notes": "AlmaLinux 9 updated to PostgreSQL 15.6 which includes the upstream fix"
},
"evidence": {
"advisoryUrl": "https://errata.almalinux.org/9/ALSA-2024-0951.html",
"changelogUrl": null,
"patchCommit": null,
"notes": "SQL injection via pg_cancel_backend (CVE-2024-0985) fixed in upstream PostgreSQL 15.6."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "15.4",
"release": "1.module_el9.2.0+32+f3c125e8",
"normalized": "15.4-1.module_el9.2.0+32+f3c125e8"
},
"patchedEvr": {
"epoch": null,
"version": "15.6",
"release": "1.module_el9.3.0+59+fea081f4",
"normalized": "15.6-1.module_el9.3.0+59+fea081f4"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2024-1086-amazon2-kernel/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-amazon2-kernel-spec",
"cve": "CVE-2024-1086",
"description": "Linux kernel nf_tables use-after-free - Amazon Linux 2 backport",
"distro": {
"name": "amzn",
"release": "2",
"codename": null,
"eolDate": "2025-06-30"
},
"package": {
"source": "kernel",
"binary": "kernel",
"vulnerableEvr": "4.14.336-257.562.amzn2",
"patchedEvr": "4.14.336-259.565.amzn2",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=5.14,<6.8",
"fixedVersion": "6.8",
"cweId": "CWE-416",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "not_affected",
"patchedVersionStatus": "not_affected",
"reason": "version_not_in_range",
"upstreamWouldSay": "not_affected",
"notes": "Amazon Linux 2 kernel 4.14 predates the vulnerable code introduction at 5.14; tests version range exclusion"
},
"evidence": {
"advisoryUrl": "https://alas.aws.amazon.com/AL2/ALAS-2024-2474.html",
"changelogUrl": null,
"patchCommit": null,
"notes": "CVE-2024-1086 affects kernels 5.14+. Amazon Linux 2 uses 4.14 which never had the vulnerable code path."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "4.14.336",
"release": "257.562.amzn2",
"normalized": "4.14.336-257.562.amzn2"
},
"patchedEvr": {
"epoch": null,
"version": "4.14.336",
"release": "259.565.amzn2",
"normalized": "4.14.336-259.565.amzn2"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2024-24989-rocky9-nginx/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-rocky9-nginx-http2",
"cve": "CVE-2024-24989",
"description": "nginx HTTP/2 protocol stack buffer overread - Rocky Linux 9 backport",
"distro": {
"name": "rocky",
"release": "9",
"codename": null,
"eolDate": "2032-05-31"
},
"package": {
"source": "nginx",
"binary": "nginx",
"vulnerableEvr": "1:1.22.1-4.module+el9.4.0+20160+7a11dc99",
"patchedEvr": "1:1.22.1-5.module+el9.4.0+20164+acb5e1c6",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=1.9.5,<1.25.4",
"fixedVersion": "1.25.4",
"cweId": "CWE-125",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "Rocky Linux 9 uses nginx 1.22.1 but backported CVE-2024-24989 fix"
},
"evidence": {
"advisoryUrl": "https://errata.rockylinux.org/RLSA-2024:2438",
"changelogUrl": null,
"patchCommit": null,
"notes": "HTTP/2 buffer overread (CVE-2024-24989) backported to Rocky 9's nginx 1.22.1."
},
"testVectors": {
"vulnerableEvr": {
"epoch": 1,
"version": "1.22.1",
"release": "4.module+el9.4.0+20160+7a11dc99",
"normalized": "1:1.22.1-4.module+el9.4.0+20160+7a11dc99"
},
"patchedEvr": {
"epoch": 1,
"version": "1.22.1",
"release": "5.module+el9.4.0+20164+acb5e1c6",
"normalized": "1:1.22.1-5.module+el9.4.0+20164+acb5e1c6"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2024-2511-oracle8-openssl/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-oracle8-openssl-pki",
"cve": "CVE-2024-2511",
"description": "OpenSSL unbounded memory growth on TLS sessions - Oracle Linux 8 backport",
"distro": {
"name": "ol",
"release": "8",
"codename": null,
"eolDate": "2029-07-01"
},
"package": {
"source": "openssl",
"binary": "openssl-libs",
"vulnerableEvr": "1:1.1.1k-12.el8_9",
"patchedEvr": "1:1.1.1k-14.el8_10",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=1.0.2,<3.0.14 || >=3.1.0,<3.1.6 || >=3.2.0,<3.2.2",
"fixedVersion": "3.0.14, 3.1.6, 3.2.2",
"cweId": "CWE-400",
"severity": "MEDIUM"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "Oracle Linux 8 uses OpenSSL 1.1.1k but backported CVE-2024-2511 fix"
},
"evidence": {
"advisoryUrl": "https://linux.oracle.com/errata/ELSA-2024-4273.html",
"changelogUrl": null,
"patchCommit": null,
"notes": "TLS session unbounded memory growth (CVE-2024-2511) backported to OL8's OpenSSL 1.1.1k."
},
"testVectors": {
"vulnerableEvr": {
"epoch": 1,
"version": "1.1.1k",
"release": "12.el8_9",
"normalized": "1:1.1.1k-12.el8_9"
},
"patchedEvr": {
"epoch": 1,
"version": "1.1.1k",
"release": "14.el8_10",
"normalized": "1:1.1.1k-14.el8_10"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2024-3094-fedora39-xz/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-fedora39-xz-backdoor",
"cve": "CVE-2024-3094",
"description": "XZ Utils backdoor via obfuscated build script - Fedora 39 rollback",
"distro": {
"name": "fedora",
"release": "39",
"codename": null,
"eolDate": "2024-11-26"
},
"package": {
"source": "xz",
"binary": "xz-libs",
"vulnerableEvr": "5.4.4-1.fc39",
"patchedEvr": "5.4.6-3.fc39",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=5.6.0,<=5.6.1",
"fixedVersion": "5.6.2",
"cweId": "CWE-506",
"severity": "CRITICAL"
},
"expectedVerdict": {
"vulnerableVersionStatus": "not_affected",
"patchedVersionStatus": "not_affected",
"reason": "version_not_in_range",
"upstreamWouldSay": "not_affected",
"notes": "Fedora 39 shipped xz 5.4.x which never contained the backdoor (only 5.6.0-5.6.1 affected)"
},
"evidence": {
"advisoryUrl": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users",
"changelogUrl": null,
"patchCommit": null,
"notes": "XZ backdoor (CVE-2024-3094) only affected versions 5.6.0-5.6.1. Fedora 39 used 5.4.x - not vulnerable."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "5.4.4",
"release": "1.fc39",
"normalized": "5.4.4-1.fc39"
},
"patchedEvr": {
"epoch": null,
"version": "5.4.6",
"release": "3.fc39",
"normalized": "5.4.6-3.fc39"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2024-38477-suse12-apache2/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-suse12-apache2-modproxy",
"cve": "CVE-2024-38477",
"description": "Apache HTTP Server mod_proxy NULL pointer dereference - SUSE 12 backport",
"distro": {
"name": "sles",
"release": "12",
"codename": null,
"eolDate": "2027-10-31"
},
"package": {
"source": "apache2",
"binary": "apache2",
"vulnerableEvr": "2.4.51-35.38.1",
"patchedEvr": "2.4.51-35.41.1",
"architecture": "x86_64"
},
"upstream": {
"vulnerableRange": ">=2.4.0,<2.4.62",
"fixedVersion": "2.4.62",
"cweId": "CWE-476",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "SUSE 12 SP5 uses Apache 2.4.51 but backported CVE-2024-38477 fix"
},
"evidence": {
"advisoryUrl": "https://www.suse.com/security/cve/CVE-2024-38477.html",
"changelogUrl": null,
"patchCommit": null,
"notes": "mod_proxy NULL pointer dereference (CVE-2024-38477) backported to SUSE 12's Apache 2.4.51."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "2.4.51",
"release": "35.38.1",
"normalized": "2.4.51-35.38.1"
},
"patchedEvr": {
"epoch": null,
"version": "2.4.51",
"release": "35.41.1",
"normalized": "2.4.51-35.41.1"
}
}
}

51
src/__Tests/__Datasets/GoldenBackports/CVE-2024-39573-ubuntu2004-apache2/case.json Normal file
View File

@@ -0,0 +1,51 @@
{
"caseId": "backport-ubuntu2004-apache2-ssrf",
"cve": "CVE-2024-39573",
"description": "Apache HTTP Server mod_rewrite SSRF - Ubuntu 20.04 backport",
"distro": {
"name": "ubuntu",
"release": "20.04",
"codename": "focal",
"eolDate": "2030-04-01"
},
"package": {
"source": "apache2",
"binary": "apache2",
"vulnerableEvr": "2.4.41-4ubuntu3.16",
"patchedEvr": "2.4.41-4ubuntu3.17",
"architecture": "amd64"
},
"upstream": {
"vulnerableRange": ">=2.4.0,<2.4.62",
"fixedVersion": "2.4.62",
"cweId": "CWE-918",
"severity": "HIGH"
},
"expectedVerdict": {
"vulnerableVersionStatus": "affected",
"patchedVersionStatus": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected",
"notes": "Ubuntu 20.04 uses Apache 2.4.41 but backported CVE-2024-39573 fix"
},
"evidence": {
"advisoryUrl": "https://ubuntu.com/security/notices/USN-6885-1",
"changelogUrl": null,
"patchCommit": null,
"notes": "mod_rewrite SSRF vulnerability (CVE-2024-39573) backported to Ubuntu Focal's Apache 2.4.41."
},
"testVectors": {
"vulnerableEvr": {
"epoch": null,
"version": "2.4.41",
"release": "4ubuntu3.16",
"normalized": "2.4.41-4ubuntu3.16"
},
"patchedEvr": {
"epoch": null,
"version": "2.4.41",
"release": "4ubuntu3.17",
"normalized": "2.4.41-4ubuntu3.17"
}
}
}

169
src/__Tests/__Datasets/GoldenBackports/index.json Normal file
View File

@@ -0,0 +1,169 @@
{
"$schema": "./schema/corpus-index.schema.json",
"version": "1.0.0",
"name": "StellaOps Golden Backport Corpus",
"description": "Golden test cases for distro backport detection validation",
"createdAt": "2026-01-03T00:00:00Z",
"cases": [
{
"id": "backport-debian7-openssl-heartbleed",
"cve": "CVE-2014-0160",
"distro": "debian",
"release": "7",
"package": "openssl",
"directory": "CVE-2014-0160-debian7-openssl"
},
{
"id": "backport-rhel6-openssl-heartbleed",
"cve": "CVE-2014-0160",
"distro": "rhel",
"release": "6",
"package": "openssl",
"directory": "CVE-2014-0160-rhel6-openssl"
},
{
"id": "backport-ubuntu1804-bash-shellshock",
"cve": "CVE-2014-6271",
"distro": "ubuntu",
"release": "18.04",
"package": "bash",
"directory": "CVE-2014-6271-ubuntu1804-bash"
},
{
"id": "backport-rhel8-systemd-polkit",
"cve": "CVE-2020-1712",
"distro": "rhel",
"release": "8",
"package": "systemd",
"directory": "CVE-2020-1712-rhel8-systemd"
},
{
"id": "backport-rhel7-openssl-null-deref",
"cve": "CVE-2020-1971",
"distro": "rhel",
"release": "7",
"package": "openssl",
"directory": "CVE-2020-1971-rhel7-openssl"
},
{
"id": "backport-alpine318-musl-ldso",
"cve": "CVE-2020-28928",
"distro": "alpine",
"release": "3.18",
"package": "musl",
"directory": "CVE-2020-28928-alpine318-musl"
},
{
"id": "backport-centos7-sudo-heap",
"cve": "CVE-2021-3156",
"distro": "centos",
"release": "7",
"package": "sudo",
"directory": "CVE-2021-3156-centos7-sudo"
},
{
"id": "backport-debian12-systemd-priv",
"cve": "CVE-2023-26604",
"distro": "debian",
"release": "12",
"package": "systemd",
"directory": "CVE-2023-26604-debian12-systemd"
},
{
"id": "backport-debian10-openssh-enum",
"cve": "CVE-2023-38408",
"distro": "debian",
"release": "10",
"package": "openssh",
"directory": "CVE-2023-38408-debian10-openssh"
},
{
"id": "backport-debian11-curl-heap",
"cve": "CVE-2023-38545",
"distro": "debian",
"release": "11",
"package": "curl",
"directory": "CVE-2023-38545-debian11-curl"
},
{
"id": "backport-rhel9-glibc-ld",
"cve": "CVE-2023-4911",
"distro": "rhel",
"release": "9",
"package": "glibc",
"directory": "CVE-2023-4911-rhel9-glibc"
},
{
"id": "backport-rhel8-openssh-dblefree",
"cve": "CVE-2023-51385",
"distro": "rhel",
"release": "8",
"package": "openssh",
"directory": "CVE-2023-51385-rhel8-openssh"
},
{
"id": "backport-ubuntu2204-glibc-syslog",
"cve": "CVE-2023-6246",
"distro": "ubuntu",
"release": "22.04",
"package": "glibc",
"directory": "CVE-2023-6246-ubuntu2204-glibc"
},
{
"id": "backport-almalinux9-postgresql-sql",
"cve": "CVE-2024-0985",
"distro": "almalinux",
"release": "9",
"package": "postgresql",
"directory": "CVE-2024-0985-almalinux9-postgresql"
},
{
"id": "backport-amazon2-kernel-spec",
"cve": "CVE-2024-1086",
"distro": "amzn",
"release": "2",
"package": "kernel",
"directory": "CVE-2024-1086-amazon2-kernel"
},
{
"id": "backport-rocky9-nginx-http2",
"cve": "CVE-2024-24989",
"distro": "rocky",
"release": "9",
"package": "nginx",
"directory": "CVE-2024-24989-rocky9-nginx"
},
{
"id": "backport-oracle8-openssl-pki",
"cve": "CVE-2024-2511",
"distro": "ol",
"release": "8",
"package": "openssl",
"directory": "CVE-2024-2511-oracle8-openssl"
},
{
"id": "backport-fedora39-xz-backdoor",
"cve": "CVE-2024-3094",
"distro": "fedora",
"release": "39",
"package": "xz",
"directory": "CVE-2024-3094-fedora39-xz"
},
{
"id": "backport-suse12-apache2-modproxy",
"cve": "CVE-2024-38477",
"distro": "sles",
"release": "12",
"package": "apache2",
"directory": "CVE-2024-38477-suse12-apache2"
},
{
"id": "backport-ubuntu2004-apache2-ssrf",
"cve": "CVE-2024-39573",
"distro": "ubuntu",
"release": "20.04",
"package": "apache2",
"directory": "CVE-2024-39573-ubuntu2004-apache2"
}
]
}