product advisories update
Here’s a compact, plug‑and‑play plan to build a **cross‑distro “golden set”** so your retrieval can correctly handle **backported fixes** and avoid false “still vulnerable” flags.

---

# What this golden set is

A small, curated corpus of tuples **(distro, release, package, CVE)** with:

* the **vendor‑declared fixed version** (what the distro claims)
* a **counterexample** where **upstream is still affected** but the distro **backported** the patch (so version comparison alone would be misleading)

Use it as regression tests + seed facts for your policy engine and matchers.

---

# Minimum schema (normalize for reuse)

**Tables**

* `vendor_package`
  `(vendor_id, distro, release, src_name, bin_name, epoch, version, revision, arch)`
* `cve`
  `(cve_id, description, CWE, published, severity, cvss_vector)`
* `fix_decl` (vendor declarations)
  `(distro, release, src_name, cve_id, status ENUM('fixed','not_affected','affected','wont_fix'), fixed_epoch, fixed_version, fixed_revision, evidence_uri, evidence_hash, declared_at)`
* `patch_evidence` (backport facts)
  `(distro, release, src_name, cve_id, patch_id, upstream_commit, backport_commit, applied_in_epoch, applied_in_version, applied_in_revision, diff_hash, proving_fn ENUM('hunk','symbol','function','binary'), notes)`
* `upstream_affects` (ground truth on upstream tags)
  `(project, cve_id, affected_range (SemVer/commit range), last_affected_tag, first_fixed_tag, fix_commit)`
* `golden_case` (test harness)
  `(case_id, distro, release, src_name, bin_name, cve_id, vendor_fixed_spec, upstream_state ENUM('still_affected','fixed'), backport_present BOOL, rationale)`

**Indexes**

* `idx_fix_decl_key (distro, release, src_name, cve_id)`
* `idx_patch_evidence_key (distro, release, src_name, cve_id)`
* `idx_upstream_affects (project, cve_id)`

---

# Version math you must use

Implement distro‑specific comparators:

* **Debian/Ubuntu**: `dpkg --compare-versions` semantics (Epoch:Version-Revision)
* **RHEL/Fedora/CentOS/SUSE**: `rpmvercmp` semantics (Epoch:Version-Release)
* **Alpine**: `apk version` rules

Store a normalized sortable key (e.g., `verkey`) alongside the raw fields for each family.

---

# Golden‑set curation algorithm (daily job)

1. **Select targets**
   * Choose top N packages (openssl, glibc, curl, zlib, libxml2, expat, xz, sudo, bash, systemd, sqlite, busybox, python3 stdlib, musl, libssh2, libx11, nginx, apache, postgresql, mariadb, openssh).
   * Cross all with major CVEs known to have **backports**.
2. **Ingest vendor claims**
   * Scrape/consume security trackers (Debian, Ubuntu USN, RHEL, SUSE, Alpine, Fedora). Normalize into `fix_decl`.
   * Compute `verkey_fixed`.
3. **Verify backport reality**
   * For each `(distro, release, pkg, cve)` with status “fixed” where the **upstream tag** still falls in `affected_range`:
     * Pull the **source package diff** (dsc+patches or SRPM `.patch`).
     * Extract fix‑hunks (functions/symbols) from the upstream `fix_commit`.
     * Run **proving functions**:
       * `hunk` match: patch hunks present
       * `symbol/function` match: AST/name diff present
       * `binary` match: pattern in compiled object (for the golden set, keep source‑level first)
     * If proof ≥ threshold, write to `patch_evidence` and set `backport_present=true` in `golden_case`.
4. **Create counterexample**
   * Ensure at least one case per distro where the **upstream version number looks vulnerable** but the distro has **backport evidence** → mark it as a **“counterexample”** in `golden_case`.
5. **Attest facts**
   * Generate DSSE/in‑toto attestations for each row (content hash of patches/diffs + URLs). Store `evidence_hash`.
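A minimal `hunk` proving function for step 3, as an added example in Python (not code from the plan): it takes the upstream fix commit as a unified diff, collects each hunk's added lines, and checks that they appear in order in the distro's already-patched source, comparing with whitespace collapsed so a re-indented backport still matches (the "line-fuzzy" part). The diff text, file name and source snippets below are constructed samples.

```python
"""`hunk` proving function for backport verification (added example).

Input: the upstream fix as a unified diff, and the distro's *patched* source
tree (after debian/patches or SRPM patches are applied). Output: whether each
hunk's added lines occur, in order, in the patched file. Sample data is
constructed and only modelled on a bounds-check style fix.
"""
import re
from dataclasses import dataclass

FILE_RE = re.compile(r"^\+\+\+ (?:b/)?(\S+)")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")


def _norm(line: str) -> str:
    """Whitespace-insensitive form so re-indented backports still match."""
    return re.sub(r"\s+", " ", line.strip())


def added_lines_by_file(diff: str) -> dict[str, list[list[str]]]:
    """Map target path -> list of hunks, each a list of normalized '+' lines."""
    out: dict[str, list[list[str]]] = {}
    path, hunk = None, None
    for raw in diff.splitlines():
        m = FILE_RE.match(raw)
        if m:                                   # '+++ b/path' starts a new file
            path = m.group(1)
            out.setdefault(path, [])
            hunk = None
            continue
        if HUNK_RE.match(raw) and path:         # '@@ ... @@' starts a new hunk
            hunk = []
            out[path].append(hunk)
            continue
        if hunk is not None and raw.startswith("+"):
            text = _norm(raw[1:])
            if text:                            # ignore blank additions
                hunk.append(text)
    return out


def hunk_present(added: list[str], source: str) -> bool:
    """True if every added line occurs in `source`, in the same relative order."""
    src = [_norm(line) for line in source.splitlines()]
    pos = 0
    for want in added:
        try:
            pos = src.index(want, pos) + 1
        except ValueError:
            return False
    return True


@dataclass
class HunkProof:
    path: str
    matched: int
    total: int


def prove_backport(upstream_diff: str, patched_tree: dict[str, str],
                   threshold: float = 1.0) -> tuple[bool, list[HunkProof]]:
    """Return (proof >= threshold, per-file hunk counts)."""
    proofs = []
    for path, hunks in added_lines_by_file(upstream_diff).items():
        src = patched_tree.get(path, "")
        real = [h for h in hunks if h]          # hunks with at least one '+' line
        proofs.append(HunkProof(path, sum(hunk_present(h, src) for h in real), len(real)))
    total = sum(p.total for p in proofs)
    matched = sum(p.matched for p in proofs)
    return (total > 0 and matched / total >= threshold), proofs


# Constructed sample: upstream adds a length check; the distro backport carries the
# same two lines but re-indented (2 spaces) and with different inline spacing.
UPSTREAM_FIX = """\
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -10,6 +10,8 @@
     n2s(p, payload);
+    if (1 + 2 + payload + 16 > s->s3->rrec.length)
+        return 0; /* silently discard */
     pl = p;
"""
PATCHED_TREE = {"ssl/t1_lib.c": """\
  n2s(p, payload);
  if (1 + 2 + payload + 16 > s->s3->rrec.length)
    return 0;  /* silently discard */
  pl = p;
"""}
UNPATCHED_TREE = {"ssl/t1_lib.c": "  n2s(p, payload);\n  pl = p;\n"}

if __name__ == "__main__":
    ok, proofs = prove_backport(UPSTREAM_FIX, PATCHED_TREE)
    print("backport_present =", ok, proofs)
```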

---

# Retrieval‑time decision function (pseudo)

```
bool is_vulnerable(pkg, ver, distro, release, cve):
    decl = get_fix_decl(distro, release, pkg.src, cve)
    if decl is null:
        return heuristic_by_upstream_ranges(pkg.project, ver, cve)

    if decl.status == 'not_affected': return false
    if decl.status == 'affected':     return true   // vendor has not shipped a fix yet
    if decl.status == 'wont_fix':     return true   // unless patch_evidence says otherwise

    // status == 'fixed' -> check two paths
    if compare(ver, decl.fixed_spec, distro_family) >= 0:
        return false   // version >= declared fixed

    // version < declared fixed: still check for backport proof pinned to our exact build
    if has_patch_evidence(distro, release, pkg.src, cve, ver):
        return false   // verified backport on this version/build

    return true
```

**Note:** `has_patch_evidence` should accept **(epoch, version, revision)** and allow `applied_in_* <= installed_*`.

---

# Golden test harness (what “must pass”)

For each `golden_case`:

1. Resolve installed `(epoch, version, revision)`.
2. Evaluate `is_vulnerable`.
3. Assert expected:
   * **Vendor‑fixed + backport_present → expected false** even if upstream says affected.
   * **No backport + version < fixed_spec → expected true**.

Emit a short **VEX** (CycloneDX VEX or CSAF) per case to keep your engine VEX‑first.
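Emitting the per-case VEX as a CycloneDX document, as an added example (not from the plan): each `golden_case` becomes one `vulnerabilities[]` entry whose `analysis.state` is `resolved_with_pedigree` when the engine returned false on the strength of a backport and `exploitable` when it returned true. The purl form, the state mapping and the sample row (the Debian 10 sudo case from the table, with a constructed `case_id`) are my assumptions.

```python
"""Emit a CycloneDX VEX document per golden_case row (added example).

State mapping used here (an assumption, not from the plan):
  engine says not vulnerable + backport_present -> resolved_with_pedigree
  engine says not vulnerable, plain version bump -> resolved
  vendor status not_affected                     -> not_affected
  engine says vulnerable                         -> exploitable
The sample row is constructed from the golden-set table (Debian 10 sudo).
"""
import json
from dataclasses import dataclass
from urllib.parse import quote


@dataclass(frozen=True)
class GoldenCase:
    case_id: str
    distro: str
    release: str
    src_name: str
    cve_id: str
    installed: str            # epoch:version-revision present on the host
    vendor_fixed_spec: str
    vendor_status: str        # fixed | not_affected | affected | wont_fix
    upstream_state: str       # still_affected | fixed
    backport_present: bool
    rationale: str


def purl(case: GoldenCase) -> str:
    """Debian-style package URL; '+' and ':' in the version must be percent-encoded."""
    return (f"pkg:deb/{case.distro}/{case.src_name}@{quote(case.installed, safe='')}"
            f"?distro={case.release}")


def analysis_for(case: GoldenCase, is_vulnerable: bool) -> dict:
    """CycloneDX impact analysis block for one case."""
    if case.vendor_status == "not_affected":
        state = "not_affected"
    elif is_vulnerable:
        state = "exploitable"
    elif case.backport_present:
        state = "resolved_with_pedigree"       # fixed by backport, not by version bump
    else:
        state = "resolved"
    detail = (f"vendor status={case.vendor_status}, fixed_spec={case.vendor_fixed_spec}, "
              f"upstream={case.upstream_state}, backport_present={case.backport_present}. "
              f"{case.rationale}")
    return {"state": state, "detail": detail}


def to_vex(case: GoldenCase, is_vulnerable: bool) -> dict:
    """One-component CycloneDX 1.5 BOM carrying the VEX statement for `case`."""
    ref = purl(case)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [{"type": "library", "bom-ref": ref, "name": case.src_name,
                        "version": case.installed, "purl": ref}],
        "vulnerabilities": [{
            "id": case.cve_id,
            "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{case.cve_id}"},
            "analysis": analysis_for(case, is_vulnerable),
            "affects": [{"ref": ref,
                         "versions": [{"version": case.installed,
                                       "status": "affected" if is_vulnerable else "unaffected"}]}],
        }],
    }


# Constructed sample row taken from the golden-set table below (case_id is made up).
BUSTER_SUDO = GoldenCase(case_id="gc-0001", distro="debian", release="buster",
                         src_name="sudo", cve_id="CVE-2021-3156",
                         installed="1.8.27-1+deb10u3", vendor_fixed_spec="1.8.27-1+deb10u3",
                         vendor_status="fixed", upstream_state="still_affected",
                         backport_present=True,
                         rationale="Baron Samedit fix backported; upstream fixed in 1.9.5p2.")

if __name__ == "__main__":
    # The harness expects false here: vendor-fixed + backport_present.
    print(json.dumps(to_vex(BUSTER_SUDO, is_vulnerable=False), indent=2))
```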

---

# Minimal data loaders (first pass)

* **Debian/Ubuntu**: `security-tracker`, USN JSON, `Sources` + `.dsc` + `debian/patches/*`.
* **RHEL/Fedora/SUSE**: OVAL/OVAL‑RPM, advisories (RHSA/SUSE‑SU), SRPM patches.
* **Alpine**: `secdb`, `APKBUILD` diffs (`.patch` in `community/main`).

---

# Ship list (MVP → Week 1–2)

* Parsers: dpkg/rpm/apk version compare libs in C# (+ test vectors).
* Ingestors for **Debian, Ubuntu, RHEL, SUSE, Alpine, Fedora** → `fix_decl`.
* Patch proof: hunk‑matcher (line‑fuzzy, filename maps), symbol‑finder (ctags or Roslyn/ctags‑like for C).
* 50–100 curated `golden_case` rows with airtight evidence.

If you want, I can drop a ready‑to‑use PostgreSQL DDL + sample rows and a C# `VersionComparer` + `BackportProof` interface next.

# Golden Set of Backport Test Cases (Distro – Release – Package – CVE)

Each row highlights a case where a distro shipped a **patched older version** below the upstream fixed version. This causes naive version checks to wrongly flag the package as vulnerable. We include the vendor’s fixed package version, the upstream version range still affected (i.e. up to but _not_ including the upstream fix), a flag indicating whether upstream would consider the vendor’s version vulnerable, and the evidence of the backport (patch/changelog references) together with a brief rationale.

| **Distro (Release)** | **Source Package** | **CVE ID** | **Vendor Fixed Version** | **Upstream Affected Versions** | **Upstream Says Affected?** | **Backport Evidence and Rationale** |
| --- | --- | --- | --- | --- | --- | --- |
| Debian 7 “Wheezy” | openssl | CVE-2014-0160 | 1.0.1e-2+deb7u5[lists.debian.org](https://lists.debian.org/debian-security-announce/2014/msg00071.html#:~:text=For%20the%20stable%20distribution%20,2%2Bdeb7u5) | 1.0.1 through 1.0.1f (fixed in 1.0.1g)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2014-0160#:~:text=Name%20CVE,Debian%20ELTS%2C%20%208%20Red)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2014-0160#:~:text=Package%20Type%20Release%20Fixed%20Version,1743883) | **Yes** (1.0.1e < 1.0.1g) | Version 1.0.1e with Heartbleed patch applied (Debian backported fix)[lists.debian.org](https://lists.debian.org/debian-security-announce/2014/msg00071.html#:~:text=For%20the%20stable%20distribution%20,2%2Bdeb7u5). Upstream requires 1.0.1g, so 1.0.1e is normally seen as vulnerable. | |
| RHEL 6 (6.5) | openssl | CVE-2014-0160 | 1.0.1e-16.el6\_5.7[helpdesk.kaseya.com](https://helpdesk.kaseya.com/hc/en-gb/articles/4407522717329-CVE-2014-0160-OpenSSL-Heartbleed-Vulnerability#:~:text=If%20CentOS6%2C%20apply%20Unitrends%20security,42.el6) | 1.0.1 through 1.0.1f (fixed in 1.0.1g)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2014-0160#:~:text=Description%20The%20,Debian%20ELTS%2C%20%208%20Red) | **Yes** (1.0.1e < 1.0.1g) | Version 1.0.1e with Heartbleed fix backported (openssl-1.0.1e-16.el6). Upstream 1.0.1e is Heartbleed-affected[helpdesk.kaseya.com](https://helpdesk.kaseya.com/hc/en-gb/articles/4407522717329-CVE-2014-0160-OpenSSL-Heartbleed-Vulnerability#:~:text=If%20CentOS6%2C%20apply%20Unitrends%20security,42.el6). | |
| RHEL 7 | openssl | CVE-2020-1971 | 1.0.2k-21.el7\_9[suse.com](https://www.suse.com/security/cve/CVE-2020-1971.html#:~:text=CVE,21.el7_9%3B%20openssl)[linuxsecurity.com](https://linuxsecurity.com/advisories/scilinux/scilinux-slsa-2020-5566-1-important-openssl-on-sl7-x-x86-64-14-12-13#:~:text=Update%20linuxsecurity,21.el7_9.i686.rpm) | OpenSSL ≤1.1.1h and 1.0.2(-unsupported) (fixed in 1.1.1i & 1.0.2u)[openssl-library.org](https://openssl-library.org/news/timeline/#:~:text=Release%20and%20Advisory%20Timeline%20,Truncated%20packet%20could) | **Yes** (1.0.2k < 1.0.2u) | OpenSSL 1.0.2k with NULL pointer deref fix backported (RHEL7 openssl-1.0.2k-21). Upstream says 1.0.2k is affected[suse.com](https://www.suse.com/security/cve/CVE-2020-1971.html#:~:text=CVE,21.el7_9%3B%20openssl)[linuxsecurity.com](https://linuxsecurity.com/advisories/scilinux/scilinux-slsa-2020-5566-1-important-openssl-on-sl7-x-x86-64-14-12-13#:~:text=Update%20linuxsecurity,21.el7_9.i686.rpm). | |
| Ubuntu 20.04 LTS “Focal” | apache2 | CVE-2024-39573 | 2.4.41-4ubuntu3.19[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=22) | Apache HTTPd ≤2.4.59 (fixed in 2.4.60)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=Description) | **Yes** (2.4.41 < 2.4.60) | Apache 2.4.41 with SSRF fix backported (Ubuntu patchset). Version 2.4.41 is below upstream 2.4.60 fix[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=22)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=Potential%20SSRF%20in%20mod_rewrite%20in,60%2C%20which%20fixes%20this%20issue). | |
| SUSE SLE 12 SP5 | apache2 | CVE-2024-39573 | 2.4.51-35.51.1 (patched build)[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Security%20fixes%3A)[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Package%20List%3A) | Apache HTTPd ≤2.4.59 (fixed in 2.4.60)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=Potential%20SSRF%20in%20mod_rewrite%20in,60%2C%20which%20fixes%20this%20issue) | **Yes** (2.4.51 < 2.4.60) | Apache 2.4.51 in SLES12 SP5 with backported fix[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Security%20fixes%3A). Upstream considers <2.4.60 vulnerable, so 2.4.51 would normally be flagged. | |
| SUSE SLE 12 SP5 | apache2 | CVE-2024-38477 | 2.4.51-35.51.1 (same update)[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Security%20fixes%3A) | Apache HTTPd ≤2.4.59 (fixed by 2.4.60)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=Potential%20SSRF%20in%20mod_rewrite%20in,60%2C%20which%20fixes%20this%20issue) | **Yes** (2.4.51 < 2.4.60) | Apache mod\_proxy null-pointer fix backported into 2.4.51[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=Security%20fixes%3A). Version appears older than upstream fix version. | |
| SUSE SLE 12 SP5 | apache2 | CVE-2024-38475 | 2.4.51-35.51.1 (same update)[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=%2A%20CVE,1227268) | Apache HTTPd ≤2.4.59 (fixed by 2.4.60)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=Potential%20SSRF%20in%20mod_rewrite%20in,60%2C%20which%20fixes%20this%20issue) | **Yes** (2.4.51 < 2.4.60) | Apache mod\_rewrite output-escaping issue fixed on 2.4.51 via patch[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=%2A%20CVE,1227268). Vendor version < upstream fixed version. | |
| Debian 9 “Stretch” | openssh | CVE-2018-15473 | 1:7.4p1-10+deb9u4[lists.debian.org](https://lists.debian.org/debian-security-announce/2018/msg00209.html#:~:text=For%20the%20stable%20distribution%20,10%2Bdeb9u4) | OpenSSH ≤7.7 (fixed in 7.8/7.9)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2018-15473#:~:text=CVE,an%20invalid%20authenticating%20user) | **Yes** (7.4 < 7.8) | OpenSSH 7.4p1 (Stretch) patched for user-enumeration flaw[lists.debian.org](https://lists.debian.org/debian-security-announce/2018/msg00209.html#:~:text=Dariusz%20Tytko%2C%20Michal%20Sajdak%20and,existed%20on%20the%20target%20server). Upstream required ≥7.8, so 7.4p1 normally seen as affected. | |
| Debian 10 “Buster” | sudo | CVE-2021-3156 | 1.8.27-1+deb10u3[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Package%20Type%20Release%20Fixed%20Version,1.1) | sudo <1.9.5p2 (fixed in 1.9.5p2)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Name%20CVE,ELTS%2C%20Red%20Hat%2C%20Ubuntu%2C%20Gentoo)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=sudo%20%28PTS%29bullseye%201.9.5p2,1%20fixed) | **Yes** (1.8.27 < 1.9.5p2) | sudo 1.8.27 in Buster with Baron Samedit patch[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Package%20Type%20Release%20Fixed%20Version,1.1). Upstream says versions below 1.9.5p2 are vulnerable, so 1.8.27 would be flagged[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Name%20CVE,ELTS%2C%20Red%20Hat%2C%20Ubuntu%2C%20Gentoo). | |
| RHEL 7 | sudo | CVE-2019-14287 | 1.8.23-4.el7\_7.1[suse.com](https://www.suse.com/security/cve/CVE-2019-14287.html#:~:text=CVE,4.el7_7.1.%20Patchnames%3A%20RHSA) | sudo ≤1.8.27 (fixed in 1.8.28)[suse.com](https://www.suse.com/security/cve/CVE-2019-14287.html#:~:text=CVE,4.el7_7.1.%20Patchnames%3A%20RHSA)[nvd.nist.gov](https://nvd.nist.gov/vuln/detail/cve-2017-1000367#:~:text=Todd%20Miller%27s%20sudo%20version%201,function) | **Yes** (1.8.23 < 1.8.28) | sudo 1.8.23 in RHEL7 patched for Runas All bug[suse.com](https://www.suse.com/security/cve/CVE-2019-14287.html#:~:text=CVE,4.el7_7.1.%20Patchnames%3A%20RHSA). Upstream fix came later (1.8.28), so 1.8.23 is normally marked affected. | |
| Debian 8 “Jessie” | sudo | CVE-2017-1000367 | 1.8.10p3-1+deb8u4[lists.debian.org](https://lists.debian.org/debian-security-announce/2017/msg00127.html#:~:text=an%20SELinux,full%20root%20privileges) | sudo ≤1.8.20 (fixed in 1.8.21)[nvd.nist.gov](https://nvd.nist.gov/vuln/detail/cve-2017-1000367#:~:text=Todd%20Miller%27s%20sudo%20version%201,function)[security.snyk.io](https://security.snyk.io/vuln/SNYK-DEBIAN9-SUDO-406955#:~:text=Race%20Condition%20in%20sudo%20,2%20or%20higher.%20NVD%20Description) | **Yes** (1.8.10 < 1.8.21) | sudo 1.8.10p3 in Jessie got the tty hijack fix backported[lists.debian.org](https://lists.debian.org/debian-security-announce/2017/msg00127.html#:~:text=an%20SELinux,full%20root%20privileges). Upstream resolved it in a much newer sudo release, so 1.8.10p3 would appear vulnerable. | |
| Ubuntu 12.04 LTS “Precise” | bash | CVE-2014-6271 | 4.2-2ubuntu2.5[askubuntu.com](https://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-how-do-i-fix-it#:~:text=dpkg%20,Version) | Bash ≤4.3 (fixed in 4.3 patch)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2014-6271#:~:text=Description%20GNU%20Bash%20through%204,present%20after%20the%20incorrect%20fix) | **Yes** (4.2 < 4.3-fixed) | Bash 4.2 on Precise patched for Shellshock[askubuntu.com](https://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-how-do-i-fix-it#:~:text=dpkg%20,Version). Version 4.2 is below upstream 4.3 fix, so normally flagged as Shellshock-vulnerable. | |
| Debian 10 “Buster” (LTS) | curl | CVE-2023-27533 | 7.64.0-4+deb10u6[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=Package%20%20%20%20,27538)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=For%20Debian%2010%20buster%2C%20these,4%2Bdeb10u6) | curl <8.0.0 (fixed in 8.0.0)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/source-package/curl#:~:text=A%20path%20traversal%20vulnerability%20exists,8.0%20during) | **Yes** (7.64.0 < 8.0.0) | curl 7.64.0 with TELNET injection fix backported (Debian LTS)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=Package%20%20%20%20,27538)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=For%20Debian%2010%20buster%2C%20these,4%2Bdeb10u6). Upstream requires curl 8.x, so 7.64.0 is seen as affected. | |
| Debian 10 “Buster” (LTS) | curl | CVE-2023-27535 | 7.64.0-4+deb10u6[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=Package%20%20%20%20,27538)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE) | curl <8.0.0 (fixed in 8.0.0)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/source-package/curl#:~:text=A%20path%20traversal%20vulnerability%20exists,8.0%20during) | **Yes** (7.64.0 < 8.0.0) | curl 7.64.0 with FTP reuse auth bypass fix backported[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=For%20Debian%2010%20buster%2C%20these,4%2Bdeb10u6). Version appears vulnerable by upstream standards (<8.0). | |
| Debian 10 “Buster” (LTS) | curl | CVE-2023-27536 | 7.64.0-4+deb10u6[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=Package%20%20%20%20,27538)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE) | curl <8.0.0 (fixed in 8.0.0)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/source-package/curl#:~:text=A%20path%20traversal%20vulnerability%20exists,8.0%20during) | **Yes** (7.64.0 < 8.0.0) | curl 7.64.0 with GSSAPI delegation reuse fix backported[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=For%20Debian%2010%20buster%2C%20these,4%2Bdeb10u6). Upstream would mark 7.64.0 vulnerable. | |
| Debian 10 “Buster” (LTS) | curl | CVE-2023-27538 | 7.64.0-4+deb10u6[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=Package%20%20%20%20,27538)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE) | curl <8.0.0 (fixed in 8.0.0)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/source-package/curl#:~:text=A%20path%20traversal%20vulnerability%20exists,8.0%20during) | **Yes** (7.64.0 < 8.0.0) | curl 7.64.0 with SSH connection reuse fix backported[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE)[lists.debian.org](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=For%20Debian%2010%20buster%2C%20these,4%2Bdeb10u6). Version number <8.0 means upstream would treat it as unfixed. | |
| Fedora 34 | glibc | CVE-2021-33574 | glibc-2.33-16.fc34[lists.fedoraproject.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBUUWUGXVILQXVWEOU7N42ICHPJNAEUP/#:~:text=%5BSECURITY%5D%20Fedora%2034%20Update%3A%20glibc,11%202021%20Arjun%20Shankar) | glibc ≤2.33 (fixed in 2.34)[suse.com](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=Heap,GHOST) | **Yes** (2.33 < 2.34) | glibc 2.33 with `mq_notify` use-after-free fix applied (Fedora update). Upstream fix came in 2.34, so 2.33 is normally flagged as vulnerable. | |
| RHEL 8 | glibc | CVE-2024-2961 | glibc-2.28-236.el8\_9.13[openwall.com](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,31)[openwall.com](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Vulnerable,263) | glibc ≤2.39 (fixed in 2.40)[openwall.com](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,459) | **Yes** (2.28 < 2.40) | glibc 2.28 with `iconv()` overflow fix backported (RHEL8 patch)[openwall.com](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,459). Upstream requires 2.40+, so 2.28 is considered affected. | |
| RHEL 7 | glibc | CVE-2015-0235 | glibc-2.17-55.el7\_0.5[suse.com](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=%2A%20%60glibc%20%3E%3D%202.17,55.el7_0.5) | glibc 2.2 up to 2.17 (fixed in 2.18)[suse.com](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=Heap,GHOST) | **Yes** (2.17 < 2.18) | glibc 2.17 with GHOST bug patched (RHEL7 update)[suse.com](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=Product,SUSE%20Liberty%20Linux%207). Upstream fix was in 2.18; 2.17 is normally flagged as vulnerable[suse.com](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=Heap,GHOST). | |
| RHEL 7 | systemd | CVE-2020-1712 | systemd-219-57.el7\_8 (patch backport)[alas.aws.amazon.com](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=aarch64%3A%20systemd,57.amzn2.0.12.aarch64) | systemd ≤242 (fixed in 243)[alas.aws.amazon.com](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=A%20heap%20use,1712) | **Yes** (219 < 243) | systemd 219 with use-after-free fix backported (RHEL7/AL2 update)[alas.aws.amazon.com](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=A%20heap%20use,1712)[alas.aws.amazon.com](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=aarch64%3A%20systemd,57.amzn2.0.12.aarch64). Upstream fix is in v243, so v219 would be marked vulnerable. | |
| Alpine 3.10 | musl libc | CVE-2020-28928 | 1.1.22-r4[security.alpinelinux.org](https://security.alpinelinux.org/vuln/CVE-2020-28928#:~:text=musl%20%20%2038%201.2.2_pre2,tracker%200.9.1%20%E2%80%94%20Source%20code) | musl ≤1.2.1 (fixed in 1.2.2)[security.alpinelinux.org](https://security.alpinelinux.org/vuln/CVE-2020-28928#:~:text=CPE%20URI%20Source%20package%20Min,1.2.1) | **Yes** (1.1.x < 1.2.2) | musl 1.1.22 with `wcsnrtombs()` overflow fixed (Alpine 3.10)[security.alpinelinux.org](https://security.alpinelinux.org/vuln/CVE-2020-28928#:~:text=musl%20%20%2038%201.2.2_pre2,tracker%200.9.1%20%E2%80%94%20Source%20code). Upstream fixed in 1.2.2, so 1.1.22 would normally be considered vulnerable. | |
| Ubuntu 20.04 LTS “Focal” | openssl | CVE-2022-0778 | 1.1.1f-1ubuntu2.15 (patched)[serverfault.com](https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n#:~:text=,fix%20to%20their%20chosen%20version) | OpenSSL ≤1.1.1m (fixed in 1.1.1n)[serverfault.com](https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n#:~:text=,fix%20to%20their%20chosen%20version) | **Yes** (1.1.1f < 1.1.1n) | OpenSSL 1.1.1f with BN infinite-loop fix backported (Ubuntu)[serverfault.com](https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n#:~:text=,fix%20to%20their%20chosen%20version). Upstream says only 1.1.1n+ is safe, so 1.1.1f appears vulnerable to scanners. | |
**Sources:** Vendor security advisories and trackers (Debian DSAs, Ubuntu CVE/USN pages, Red Hat errata, SUSE and Alpine trackers) are linked above to confirm patch versions and upstream fix info[lists.debian.org](https://lists.debian.org/debian-security-announce/2014/msg00071.html#:~:text=For%20the%20stable%20distribution%20,2%2Bdeb7u5)[ubuntu.com](https://ubuntu.com/security/CVE-2024-39573#:~:text=22)[suse.com](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/#:~:text=%2A%20CVE,1227268)[openwall.com](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,459)[security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-3156#:~:text=Package%20Type%20Release%20Fixed%20Version,1.1) etc. Each case demonstrates a backported security fix where the package version alone is misleading, helping test vulnerability scanners’ ability to detect patched-but-backported packages instead of raising false positives.

# Citations

* [\[SECURITY\] \[DSA 2896-1\] openssl security update](https://lists.debian.org/debian-security-announce/2014/msg00071.html)
* [CVE-2014-0160](https://security-tracker.debian.org/tracker/CVE-2014-0160)
* [CVE-2014-0160: OpenSSL Heartbleed Vulnerability – Kaseya](https://helpdesk.kaseya.com/hc/en-gb/articles/4407522717329-CVE-2014-0160-OpenSSL-Heartbleed-Vulnerability)
* [CVE-2020-1971 Common Vulnerabilities and Exposures - SUSE](https://www.suse.com/security/cve/CVE-2020-1971.html)
* [Scientific Linux 7.x SLSA-2020-5566-1 Critical OpenSSL Update](https://linuxsecurity.com/advisories/scilinux/scilinux-slsa-2020-5566-1-important-openssl-on-sl7-x-x86-64-14-12-13)
* [Release and Advisory Timeline | OpenSSL Library](https://openssl-library.org/news/timeline/)
* [CVE-2024-39573 | Ubuntu](https://ubuntu.com/security/CVE-2024-39573)
* [Security update for apache2 SUSE-SU-2024:2436-1 | SUSE Support | SUSE](https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/)
* [\[SECURITY\] \[DSA 4280-1\] openssh security update](https://lists.debian.org/debian-security-announce/2018/msg00209.html)
* [CVE-2018-15473 - Security Bug Tracker - Debian](https://security-tracker.debian.org/tracker/CVE-2018-15473)
* [CVE-2021-3156](https://security-tracker.debian.org/tracker/CVE-2021-3156)
* [CVE-2019-14287 Common Vulnerabilities and Exposures - SUSE](https://www.suse.com/security/cve/CVE-2019-14287.html)
* [CVE-2017-1000367 Detail - NVD](https://nvd.nist.gov/vuln/detail/cve-2017-1000367)
* [\[SECURITY\] \[DSA 3867-1\] sudo security update](https://lists.debian.org/debian-security-announce/2017/msg00127.html)
* [Race Condition in sudo | CVE-2017-1000367 | Snyk](https://security.snyk.io/vuln/SNYK-DEBIAN9-SUDO-406955)
* [security - What is the CVE-2014-6271 bash vulnerability (Shellshock) and how do I fix it? - Ask Ubuntu](https://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-how-do-i-fix-it)
* [CVE-2014-6271](https://security-tracker.debian.org/tracker/CVE-2014-6271)
* [\[SECURITY\] \[DLA 3398-1\] curl security update](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html)
* [Information on source package curl - Security Bug Tracker - Debian](https://security-tracker.debian.org/tracker/source-package/curl)
|
||||
|
||||

|
||||
|
||||
\[SECURITY\] \[DLA 3398-1\] curl security update
|
||||
|
||||
https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html
|
||||
|
||||
](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE)[
|
||||
|
||||

|
||||
|
||||
\[SECURITY\] \[DLA 3398-1\] curl security update
|
||||
|
||||
https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html
|
||||
|
||||
](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE)[
|
||||
|
||||

|
||||
|
||||
\[SECURITY\] \[DLA 3398-1\] curl security update
|
||||
|
||||
https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html
|
||||
|
||||
](https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html#:~:text=CVE)[
|
||||
|
||||

|
||||
|
||||
\[SECURITY\] Fedora 34 Update: glibc-2.33-16.fc34
|
||||
|
||||
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBUUWUGXVILQXVWEOU7N42ICHPJNAEUP/
|
||||
|
||||
](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBUUWUGXVILQXVWEOU7N42ICHPJNAEUP/#:~:text=%5BSECURITY%5D%20Fedora%2034%20Update%3A%20glibc,11%202021%20Arjun%20Shankar)[
|
||||
|
||||

|
||||
|
||||
CVE-2015-0235 Common Vulnerabilities and Exposures | SUSE
|
||||
|
||||
https://www.suse.com/security/cve/CVE-2015-0235.html
|
||||
|
||||
](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=Heap,GHOST)[
|
||||
|
||||

|
||||
|
||||
oss-security - The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
|
||||
|
||||
https://www.openwall.com/lists/oss-security/2024/04/17/9
|
||||
|
||||
](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,31)[
|
||||
|
||||

|
||||
|
||||
oss-security - The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
|
||||
|
||||
https://www.openwall.com/lists/oss-security/2024/04/17/9
|
||||
|
||||
](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Vulnerable,263)[
|
||||
|
||||

|
||||
|
||||
oss-security - The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
|
||||
|
||||
https://www.openwall.com/lists/oss-security/2024/04/17/9
|
||||
|
||||
](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,459)[
|
||||
|
||||

|
||||
|
||||
CVE-2015-0235 Common Vulnerabilities and Exposures | SUSE
|
||||
|
||||
https://www.suse.com/security/cve/CVE-2015-0235.html
|
||||
|
||||
](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=%2A%20%60glibc%20%3E%3D%202.17,55.el7_0.5)[
|
||||
|
||||

|
||||
|
||||
CVE-2015-0235 Common Vulnerabilities and Exposures | SUSE
|
||||
|
||||
https://www.suse.com/security/cve/CVE-2015-0235.html
|
||||
|
||||
](https://www.suse.com/security/cve/CVE-2015-0235.html#:~:text=Product,SUSE%20Liberty%20Linux%207)[
|
||||
|
||||
ALAS2-2020-1388
|
||||
|
||||
https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html
|
||||
|
||||
](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=aarch64%3A%20systemd,57.amzn2.0.12.aarch64)[
|
||||
|
||||
ALAS2-2020-1388
|
||||
|
||||
https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html
|
||||
|
||||
](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=A%20heap%20use,1712)[
|
||||
|
||||
CVE-2020-28928 — Alpine Security Tracker
|
||||
|
||||
https://security.alpinelinux.org/vuln/CVE-2020-28928
|
||||
|
||||
](https://security.alpinelinux.org/vuln/CVE-2020-28928#:~:text=musl%20%20%2038%201.2.2_pre2,tracker%200.9.1%20%E2%80%94%20Source%20code)[
|
||||
|
||||
CVE-2020-28928 — Alpine Security Tracker
|
||||
|
||||
https://security.alpinelinux.org/vuln/CVE-2020-28928
|
||||
|
||||
](https://security.alpinelinux.org/vuln/CVE-2020-28928#:~:text=CPE%20URI%20Source%20package%20Min,1.2.1)[
|
||||
|
||||

|
||||
|
||||
How can I know that Ubuntu 18.04 Bionic's latest OpenSSL is really ...
|
||||
|
||||
https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n
|
||||
|
||||
](https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n#:~:text=,fix%20to%20their%20chosen%20version)
|
||||
|
||||
All Sources
|
||||
|
||||
[
|
||||
|
||||

|
||||
|
||||
lists.debian
|
||||
|
||||
](https://lists.debian.org/debian-security-announce/2014/msg00071.html#:~:text=For%20the%20stable%20distribution%20,2%2Bdeb7u5)[
|
||||
|
||||

|
||||
|
||||
security...er.debian
|
||||
|
||||
](https://security-tracker.debian.org/tracker/CVE-2014-0160#:~:text=Name%20CVE,Debian%20ELTS%2C%20%208%20Red)[
|
||||
|
||||
helpdesk.kaseya
|
||||
|
||||
](https://helpdesk.kaseya.com/hc/en-gb/articles/4407522717329-CVE-2014-0160-OpenSSL-Heartbleed-Vulnerability#:~:text=If%20CentOS6%2C%20apply%20Unitrends%20security,42.el6)[
|
||||
|
||||

|
||||
|
||||
suse
|
||||
|
||||
](https://www.suse.com/security/cve/CVE-2020-1971.html#:~:text=CVE,21.el7_9%3B%20openssl)[
|
||||
|
||||

|
||||
|
||||
linuxsecurity
|
||||
|
||||
](https://linuxsecurity.com/advisories/scilinux/scilinux-slsa-2020-5566-1-important-openssl-on-sl7-x-x86-64-14-12-13#:~:text=Update%20linuxsecurity,21.el7_9.i686.rpm)[
|
||||
|
||||

|
||||
|
||||
openssl-library
|
||||
|
||||
](https://openssl-library.org/news/timeline/#:~:text=Release%20and%20Advisory%20Timeline%20,Truncated%20packet%20could)[
|
||||
|
||||

|
||||
|
||||
ubuntu
|
||||
|
||||
](https://ubuntu.com/security/CVE-2024-39573#:~:text=22)[
|
||||
|
||||

|
||||
|
||||
nvd.nist
|
||||
|
||||
](https://nvd.nist.gov/vuln/detail/cve-2017-1000367#:~:text=Todd%20Miller%27s%20sudo%20version%201,function)[
|
||||
|
||||

|
||||
|
||||
security.snyk
|
||||
|
||||
](https://security.snyk.io/vuln/SNYK-DEBIAN9-SUDO-406955#:~:text=Race%20Condition%20in%20sudo%20,2%20or%20higher.%20NVD%20Description)[
|
||||
|
||||

|
||||
|
||||
askubuntu
|
||||
|
||||
](https://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-how-do-i-fix-it#:~:text=dpkg%20,Version)[
|
||||
|
||||

|
||||
|
||||
lists.fedoraproject
|
||||
|
||||
](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBUUWUGXVILQXVWEOU7N42ICHPJNAEUP/#:~:text=%5BSECURITY%5D%20Fedora%2034%20Update%3A%20glibc,11%202021%20Arjun%20Shankar)[
|
||||
|
||||

|
||||
|
||||
openwall
|
||||
|
||||
](https://www.openwall.com/lists/oss-security/2024/04/17/9#:~:text=Public,31)[
|
||||
|
||||
alas.aws.amazon
|
||||
|
||||
](https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html#:~:text=aarch64%3A%20systemd,57.amzn2.0.12.aarch64)[
|
||||
|
||||
security.alpinelinux
|
||||
|
||||
](https://security.alpinelinux.org/vuln/CVE-2020-28928#:~:text=musl%20%20%2038%201.2.2_pre2,tracker%200.9.1%20%E2%80%94%20Source%20code)[
|
||||
|
||||

|
||||
|
||||
serverfault
|
||||
|
||||
](https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n#:~:text=,fix%20to%20their%20chosen%20version)
|
||||
@@ -0,0 +1,160 @@
## Product Advisory: Deterministic VEX-first vulnerability verdicts with CycloneDX 1.7

### 1) The problem you are solving

Modern scanners produce a long list of “components with known CVEs,” but that list is routinely misleading because it ignores *context*: whether the vulnerable code is shipped, configured, reachable, mitigated, or already fixed via backport. Teams then waste time on false positives, duplicate findings, and non-actionable noise.

A **VEX-first** approach solves this by attaching *exploitability/impact assertions* to SBOM components. In CycloneDX, this is expressed via the **Vulnerability / Analysis** model (often used as VEX), which can declare that a component is **not affected**, **under investigation/in triage**, **exploitable/affected**, or **resolved/fixed**, along with rationale/justification and other details. CycloneDX explicitly frames this as “vulnerability exploitability” context, including a `state` and a `justification` for why a vulnerability is (or isn’t) a practical risk. ([cyclonedx.org][1])

The core product challenge is therefore:

* You will ingest **multiple statements** (vendors, distros, internal security, runtime evidence) that may **conflict**.
* Those statements may be **conditional** (only affected on certain OS, feature flags, build options).
* You must produce a **single stable, explainable verdict** per (product, vuln), and do so **deterministically** so audits and diffs are reproducible.

---

### 2) Product intent and outcomes

**Primary outcome:** Reduce noise while increasing trust: every suppression or escalation is backed by evidence and explainable logic.

**What “good” looks like:**

* Fewer alerts, but higher signal.
* Each vuln has a clear **final verdict** plus **reason chain** (“why this was marked not_affected/fixed/affected”).
* Deterministic replay: the same inputs produce the same outputs.

---

### 3) Recommended data contract (CycloneDX 1.7 aligned)

Use CycloneDX 1.7 as the canonical interchange for impact/exploitability assertions:

* **SBOM**: components + dependencies (CycloneDX and/or SPDX)
* **Vulnerability entries** with **analysis** fields:

* `analysis.state` (status in context) and `analysis.justification` (why), as described in CycloneDX’s exploitability use case. ([cyclonedx.org][1])
* Optional ingress from **OpenVEX** or CSAF; normalize into CycloneDX analysis semantics (OpenVEX defines the commonly used status set `not_affected / affected / fixed / under_investigation`, and requires justification in `not_affected` cases). ([GitHub][2])

Graph relationships (if you use SPDX 3.0.1 as your internal graph layer):

* Model dependencies and containment via SPDX `Relationship` and `RelationshipType`, which formalize “Element A RELATIONSHIP Element B” semantics used to compute transitive impact. ([SPDX][3])

---

### 4) Product behavior guidelines

#### A. Single “Risk Verdict” per vuln, backed by evidence

Expose one final verdict per vulnerability at the product level, with an expandable “proof” pane:

* Inputs considered (SBOM nodes, relationship paths, VEX statements, conditions).
* Merge logic explanation (how conflicts were resolved).
* Timestamped lineage: which feed/source asserted what.

#### B. Quiet-by-design UX

* Default views show only items needing action: **Affected/Exploitable**, and **Under Investigation** with age/timeouts.
* “Not affected” and “Fixed/Resolved” are accessible but not front-and-center; they primarily serve audit and trust.

#### C. Diff-aware notifications

Notify only on **meaningful transitions** (e.g., Unknown→Affected, Affected→Fixed), not on every feed refresh.

---

### 5) Development guidelines (deterministic resolver)

#### A. Normalize identifiers first

Create a strict canonical key for matching “the same component” across SBOMs and VEX:

1. prefer **purl**, then **CPE**, then (name, version, supplier).
2. persist alias mappings (vendor naming variance is normal).

#### B. Represent the world as two layers

1. **Graph layer** (what is shipped/depends-on/contains what)
2. **Assertion layer** (CycloneDX 1.7 vulnerability analysis statements, plus optional runtime/reachability evidence)

Do not mix them—keep assertions as immutable facts that the resolver evaluates.

#### C. Condition evaluation must be total and deterministic

For each assertion, evaluate conditions against a frozen `Context`:

* platform (OS/distro/arch), build flags, enabled features, packaging mode
* runtime signals (if used) must be versioned and hashed like any other input

If a condition cannot be evaluated, treat it explicitly as **Unknown**, not false.

#### D. Merge conflicts via a documented lattice

Define a monotonic merge function that is:

* **commutative** (order independent),
* **idempotent** (reapplying doesn’t change),
* **associative** (supports streaming/parallel merges).

A pragmatic priority (adjust to your policy):

1. **Fixed/Resolved** (with evidence of fix scope)
2. **Not affected** (with valid justification and conditions satisfied)
3. **Affected/Exploitable**
4. **Under investigation / In triage**
5. **Unknown**

CycloneDX’s exploitability model explicitly supports “state + justification” to make “not affected” meaningful, not a hand-wave. ([cyclonedx.org][1])

#### E. Propagation rules must be explicit

Decide and document how assertions propagate across the dependency graph:

* When a dependency is **Affected**, does the product become Affected automatically? (Typically yes if the dependency is shipped and used, unless a product-level assertion says otherwise.)
* When a dependency is **Not affected** due to “code removed before shipping,” does the product inherit Not affected? (Often yes, but only if you can prove the affected code path is absent for the shipped artifact.)
* Keep propagation rules versioned to avoid “policy drift” breaking deterministic replay.

#### F. Always emit a proof object

For every final verdict emit:

* contributing assertions (source IDs), condition evaluations, merge steps
* the graph path(s) that made it relevant (SPDX Relationship chain or CycloneDX dependency references)
This proof is what lets you be quiet-by-design without losing auditability.

---

### 6) Interop guidance (OpenVEX / CSAF → CycloneDX 1.7)

If you ingest OpenVEX:

* Map OpenVEX status to CycloneDX analysis state (policy-defined mapping).
* Enforce OpenVEX minimums: `not_affected` should have a justification/impact statement. ([GitHub][2])

If you ingest CSAF advisories:

* Treat them as another assertion source; do not let them overwrite higher-confidence internal evidence without explicit precedence rules.

---

### 7) Testing and rollout checklist

* **Golden test vectors**: fixed input bundles (SBOM + assertions + context) with expected verdicts.
* **Determinism tests**: shuffle assertion ordering; results must be identical.
* **Regression diffs**: store prior proofs; verify only intended transitions occur after feed updates.
* **Adversarial cases**: conflicting assertions, partial conditions, alias mismatches, missing dependency edges.

---

### 8) Common failure modes to avoid

* Treating “not affected” as a suppression without requiring justification.
* Allowing “latest feed wins” behavior (non-deterministic and unauditable).
* Mixing runtime telemetry directly into SBOM identity (breaks replay).
* Implicit propagation rules (different engineers will interpret differently; results drift).

If you want, I can also provide a short, implementation-ready “resolver contract” (types, verdict lattice, proof schema) that is CycloneDX 1.7-centric while remaining neutral to whether you store the graph as CycloneDX dependencies or SPDX 3.0.1 relationships.

[1]: https://cyclonedx.org/use-cases/vulnerability-exploitability/?utm_source=chatgpt.com "Security Use Case: Vulnerability Exploitability"
[2]: https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md?utm_source=chatgpt.com "spec/OPENVEX-SPEC.md at main"
[3]: https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/Relationship/?utm_source=chatgpt.com "Relationship - SPDX Specification 3.0.1"
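Review bot: Section 5C says an unevaluable condition yields Unknown, but the lattice in 5D only ranks whole-assertion states and never says what an assertion whose conditions evaluate to Unknown contributes to the merge; as written, a `not_affected` statement gated on an unknown build flag could either be dropped (so the product falls through to Affected) or be counted at priority 2 and silence a genuine Affected. Suggest stating the rule in 5D, e.g. "an assertion whose conditions are Unknown contributes Unknown; a conditional Not affected takes priority 2 only when every condition evaluates to true", and adding that case to the adversarial tests in 7). Related: because Fixed outranks Affected in a monotonic, order-independent merge, a stale vendor "fixed" from one feed would permanently mask a newer "affected" from another; tie the Fixed priority to the "fix scope" evidence matching the exact shipped version/revision rather than the CVE alone. Minor: the three reference URLs carry `?utm_source=chatgpt.com` tracking parameters that should be stripped before commit.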
@@ -0,0 +1,115 @@
Here’s a simple, high‑signal pattern you can drop into your security product: **gate AI remediation/explanations behind an “Evidence Coverage” badge**—and hide suggestions when coverage is weak.

---

### What this solves (plain English)

AI advice is only trustworthy when it’s grounded in real evidence. If your scan only sees half the picture, AI “fixes” become noise. A visible coverage badge makes this explicit and keeps the UI quiet until you’ve got enough facts.

---

### What “Evidence Coverage” means

Score = % of the verdict’s required facts present, e.g., do we have:

* **Reachability** (is the vulnerable code/path actually callable in this artifact/runtime?)
* **VEX** (vendor/product statements: affected/not‑affected/under‑investigation)
* **Runtime** (telemetry, process trees, loaded libs, eBPF hooks)
* **Exploit signals** (known exploits, KEV, EPSS tier, in‑the‑wild intel)
* **Patch/backport proof** (distro backports, symbols, diff/Build‑ID match)
* **Provenance** (in‑toto/DSSE attestations, signer trust)
* **Environment match** (kernel/os/distro/package set parity)
* **Differential context** (did this change since last release?)

Each fact bucket contributes weighted points → a 0–100% **Coverage** score.

---

### UX rule of thumb

* **<60%**: Hide AI suggestions by default. Show a muted badge “Coverage 41% — add sources to unlock guidance.”
* **60–79%**: Collapse AI panel; allow manual expand with a caution label. Every sentence shows its **citations**.
* **≥80%**: Show AI remediation by default with a green badge and inline evidence chips.
* **100%**: Add a subtle “High confidence” ribbon + “export proof” link.

---

### Minimal UI components

* A small badge next to each finding: `Coverage 82%` (click → drawer).
* Drawer tabs: **Sources**, **Why we think it’s reachable**, **Counter‑evidence**, **Gaps**.
* “Fill the gaps” call‑outs (e.g., “Attach VEX”, “Enable runtime sensor”, “Upload SBOM”).

---

### Copy you can reuse

* Collapsed state (low coverage):
*“We’re missing runtime or VEX evidence. Add one source to unlock tailored remediation.”*
* Expanded (medium):
*“Guidance shown with caution. 3/5 evidence buckets present. See gaps →”*

---

### Data model (lean)

```yaml
coverage:
score: 0-100
buckets:
- id: reachability # call graph, symbol, entrypoints
present: true
weight: 0.22
evidence_refs: [e1,e7]
- id: vex # product/vendor statements
present: false
weight: 0.18
evidence_refs: []
- id: runtime
present: true
weight: 0.20
evidence_refs: [e3]
- id: exploit_signals
present: true
weight: 0.15
evidence_refs: [e6]
- id: patch_backport
present: false
weight: 0.15
evidence_refs: []
- id: provenance
present: true
weight: 0.10
evidence_refs: [e9]
```

---

### Policy in one line (ship this as a guard)

```pseudo
if coverage.score < 60: hide_ai()
elif coverage.score < 80: show_ai(collapsed=true, label="limited evidence")
else: show_ai(collapsed=false, label="evidence-backed")
```

---

### What the AI must output (when shown)

* **Step‑by‑step remediation** with **per‑step citations** to the evidence drawer.
* **Why this is safe** (mentions backports, ABI risk, service impact).
* **Counterfactual**: “If VEX says Not Affected → do X instead.”
* **Residual risk** and **rollback** plan.

---

### How to reach ≥80% more often

* Auto‑request missing inputs (“Upload maintainer VEX” / “Turn on runtime for 24h”).
* Fetch distro backport diffs and symbol maps to close the patch/backport bucket.
* Merge SBOM + call‑graph + eBPF to strengthen reachability.

---

If you want, I can draft a drop‑in React component (Badge + Drawer) and a tiny scoring service (C#/.NET 10) that plugs into your verdict pipeline.
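Review bot: The scoring formula is never stated, and the data model's units disagree with the guard: `score: 0-100` is a percentage while each bucket `weight` is a fraction, so `coverage.score < 60` only works if the service normalizes, e.g. `score = round(100 * sum(weight of present buckets) / sum(weight of all buckets))`. With the six buckets in the YAML (weights summing to 1.00) and the four marked present, that yields 67%, which lands in the 60–79% collapsed-with-caution tier; spelling this out makes the example and the UX rule line up. The bucket count is also inconsistent: the prose lists eight buckets (Environment match and Differential context are absent from the YAML) and the sample copy says "3/5 evidence buckets present", so pick one list and divide by the total weight rather than assuming it sums to 1, so the score stays correct when buckets are added. Finally, the `pseudo` guard has no branch for a missing or stale `coverage` object; default to `hide_ai()` when the score is absent so the gate fails closed.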