git.stella-ops.org/docs/product-advisories/30-Dec-2025 - Building a Golden Set for Patch Validation.md
2025-12-30 16:05:16 +02:00

Here's a compact, plug-and-play plan to build a cross-distro “golden set” so your retrieval can correctly handle backported fixes and avoid false “still vulnerable” flags.


What this golden set is

A small, curated corpus of tuples (distro, release, package, CVE) with:

  • the vendor-declared fixed version (what the distro claims)
  • a counterexample where upstream is still affected but the distro backported the patch (so version comparison alone would be misleading)

Use it as regression tests + seed facts for your policy engine and matchers.


Minimum schema (normalize for reuse)

Tables

  • vendor_package (vendor_id, distro, release, src_name, bin_name, epoch, version, revision, arch)
  • cve (cve_id, description, CWE, published, severity, cvss_vector)
  • fix_decl (vendor declarations) (distro, release, src_name, cve_id, status ENUM('fixed','not_affected','affected','wont_fix'), fixed_epoch, fixed_version, fixed_revision, evidence_uri, evidence_hash, declared_at)
  • patch_evidence (backport facts) (distro, release, src_name, cve_id, patch_id, upstream_commit, backport_commit, applied_in_epoch, applied_in_version, applied_in_revision, diff_hash, proving_fn ENUM('hunk','symbol','function','binary'), notes)
  • upstream_affects (ground truth on upstream tags) (project, cve_id, affected_range (SemVer/commit range), last_affected_tag, first_fixed_tag, fix_commit)
  • golden_case (test harness) (case_id, distro, release, src_name, bin_name, cve_id, vendor_fixed_spec, upstream_state ENUM('still_affected','fixed'), backport_present BOOL, rationale)

Indexes

  • idx_fix_decl_key (distro, release, src_name, cve_id)
  • idx_patch_evidence_key (distro, release, src_name, cve_id)
  • idx_upstream_affects (project, cve_id)

Version math you must use

Implement distro-specific comparators:

  • Debian/Ubuntu: dpkg --compare-versions (Epoch:Version-Revision)
  • RHEL/Fedora/CentOS/SUSE: rpmvercmp (Epoch:Version-Release)
  • Alpine: apk version rules

Store a normalized sortable key (e.g., verkey) alongside the raw fields for each family.

Golden-set curation algorithm (daily job)

  1. Select targets
    • Choose the top N packages (openssl, glibc, curl, zlib, libxml2, expat, xz, sudo, bash, systemd, sqlite, busybox, python3 stdlib, musl, libssh2, libx11, nginx, apache, postgresql, mariadb, openssh).
    • Cross all of them with major CVEs known to have backports.
  2. Ingest vendor claims
    • Scrape/consume the security trackers (Debian, Ubuntu USN, RHEL, SUSE, Alpine, Fedora). Normalize into fix_decl.
    • Compute verkey_fixed.
  3. Verify backport reality
    • For each (distro, release, pkg, cve) with status “fixed” where the upstream tag still falls inside affected_range:
      • Pull the source package diff (dsc + patches, or the SRPM .patch files).
      • Extract the fix hunks (functions/symbols) from the upstream fix_commit.
      • Run the proving functions:
        • hunk match: patch hunks present
        • symbol/function match: AST/name diff present
        • binary match: pattern in the compiled object (for the golden set, keep source-level first)
      • If proof ≥ threshold, write to patch_evidence and set backport_present=true in golden_case.
  4. Create counterexamples
    • Ensure at least one case per distro where the upstream version number looks vulnerable but the distro has backport evidence → mark it as a “counterexample” in golden_case.
  5. Attest facts
    • Generate DSSE/in-toto attestations for each row (content hash of patches/diffs + URLs). Store evidence_hash.
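The “hunk match” proving function from the “Verify backport reality” step, as an added example in Python (not the project's own code): it parses the upstream fix diff into hunks, applies the filename map and line-fuzzy normalisation, and scores a constructed distro source tree; both the diff and the tree are constructed for illustration and are not a real CVE patch.

```python
# Added example (Python, not the project's code): the "hunk match" proving function,
# run over a constructed upstream fix diff and a constructed distro source tree.
import re

def parse_hunks(diff_text):
    # -> [(path, [added lines])] per hunk of a unified diff; path comes from the '+++ b/...' header
    hunks, path, added = [], None, None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = re.sub(r"^[ab]/", "", line[4:].split("\t")[0])
        elif line.startswith("@@"):
            added = []
            hunks.append((path, added))
        elif added is not None and line.startswith("+"):
            added.append(line[1:])
    # pure-deletion hunks carry nothing to look for; leave those to the symbol/function prover
    return [(p, a) for p, a in hunks if a]

def _norm(s):
    # line-fuzzy: collapse whitespace so a re-indented backport still matches
    return re.sub(r"\s+", " ", s).strip()

def hunk_match(diff_text, tree, filename_map=None, threshold=1.0):
    # Score = fraction of upstream hunks whose added lines all appear in the distro source.
    # `tree` is {path: source text}; `filename_map` renames upstream paths to the distro layout.
    filename_map = filename_map or {}
    hunks = parse_hunks(diff_text)
    matched = 0
    for path, added in hunks:
        src = tree.get(filename_map.get(path, path), "")
        present = {_norm(s) for s in src.splitlines()}
        if all(_norm(a) in present for a in added if a.strip()):
            matched += 1
    score = matched / len(hunks) if hunks else 0.0
    return score, score >= threshold

# Constructed upstream fix: a bounds check added before a copy (not a real CVE patch).
UPSTREAM_FIX = """\
--- a/src/record.c
+++ b/src/record.c
@@ -40,5 +40,8 @@ int copy_record(struct rec *dst, const unsigned char *buf, size_t len)
 {
     size_t n = read_u16(buf);
+    if (n > len - 2) {
+        return -1;  /* constructed: refuse oversized payload */
+    }
     memcpy(dst->payload, buf + 2, n);
     return 0;
 }
"""

# Constructed distro tree: the same fix already applied to an older source file, re-indented
# with tabs and living under a different directory than upstream.
DISTRO_TREE = {
    "lib/record.c": (
        "int copy_record(struct rec *dst, const unsigned char *buf, size_t len)\n"
        "{\n"
        "\tsize_t n = read_u16(buf);\n"
        "\tif (n > len - 2) {\n"
        "\t\treturn -1; /* constructed: refuse oversized payload */\n"
        "\t}\n"
        "\tmemcpy(dst->payload, buf + 2, n);\n"
        "\treturn 0;\n"
        "}\n"
    ),
}
```

On its own the hunk matcher is the weakest prover (a short added line can match by accident, and deletion-only hunks are invisible to it), which is why the step combines it with the symbol/function and binary matches before the proof counts toward the threshold.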

Retrieval-time decision function (pseudo)

```text
bool is_vulnerable(pkg, ver, distro, release, cve):
  decl = get_fix_decl(distro, release, pkg.src, cve)
  if decl is null:
     return heuristic_by_upstream_ranges(pkg.project, ver, cve)

  if decl.status == 'not_affected': return false
  if decl.status == 'wont_fix':     return true  // unless patch_evidence says otherwise

  // status == 'fixed' -> check two paths
  if compare(ver, decl.fixed_spec, distro_family) >= 0:
     return false  // version >= declared fixed

  // version < declared fixed: still check for backport proof pinned to our exact build
  if has_patch_evidence(distro, release, pkg.src, cve, ver):
     return false  // verified backport on this version/build

  return true
```

Note: has_patch_evidence should accept (epoch, version, revision) and allow applied_in_* <= installed_*.


Golden test harness (what “must pass”)

For each golden_case:

  1. Resolve installed (epoch,version,revision).

  2. Evaluate is_vulnerable.

  3. Assert expected:

    • Vendor-fixed + backport_present → expected false even if upstream says affected.
    • No backport + version < fixed_spec → expected true.

Emit a short VEX (CycloneDX VEX or CSAF) per case to keep your engine VEX-first.


Minimal data loaders (first pass)

  • Debian/Ubuntu: security-tracker, USN JSON, Sources + .dsc + debian/patches/*.
  • RHEL/Fedora/SUSE: OVAL (including the RPM OVAL feeds), advisories (RHSA/SUSE-SU), SRPM patches.
  • Alpine: secdb, APKBUILD diffs (.patch in community/main).

Ship list (MVP → Week 12)

  • Parsers: dpkg/rpm/apk version-compare libraries in C# (+ test vectors).
  • Ingestors for Debian, Ubuntu, RHEL, SUSE, Alpine and Fedora → fix_decl.
  • Patch proof: hunk-matcher (line-fuzzy, filename maps), symbol-finder (ctags, or Roslyn/ctags-like for C).
  • 50–100 curated golden_case rows with airtight evidence.

If you want, I can drop a ready-to-use PostgreSQL DDL + sample rows and a C# VersionComparer + BackportProof interface next.

Golden Set of Backport Test Cases (Distro / Release / Package / CVE)

Each row highlights a case where a distro shipped a patched older version below the upstream fixed version. This causes naive version checks to wrongly flag the package as vulnerable. We include the vendor's fixed package version, the upstream version range still affected (i.e. up to but not including the upstream fix), whether upstream would consider the vendor's version vulnerable, evidence of the backport (patch/changelog references), and a brief rationale. The source cited for each cell is given in parentheses; full links are under Citations below.

| Distro (Release) | Source Package | CVE ID | Vendor Fixed Version | Upstream Affected Versions | Upstream Says Affected? | Backport Evidence | Rationale |
|---|---|---|---|---|---|---|---|
| Debian 7 “Wheezy” | openssl | CVE-2014-0160 | 1.0.1e-2+deb7u5 (lists.debian.org) | 1.0.1 through 1.0.1f (fixed in 1.0.1g) (security-tracker.debian.org) | Yes (1.0.1e < 1.0.1g) | Version 1.0.1e with Heartbleed patch applied (Debian backported fix) (lists.debian.org) | Upstream requires 1.0.1g, so 1.0.1e is normally seen as vulnerable. |
| RHEL 6 (6.5) | openssl | CVE-2014-0160 | 1.0.1e-16.el6_5.7 (helpdesk.kaseya.com) | 1.0.1 through 1.0.1f (fixed in 1.0.1g) (security-tracker.debian.org) | Yes (1.0.1e < 1.0.1g) | Version 1.0.1e with Heartbleed fix backported (openssl-1.0.1e-16.el6) | Upstream 1.0.1e is Heartbleed-affected (helpdesk.kaseya.com). |
| RHEL 7 | openssl | CVE-2020-1971 | 1.0.2k-21.el7_9 (suse.com, linuxsecurity.com) | OpenSSL ≤1.1.1h and 1.0.2 (unsupported) (fixed in 1.1.1i and 1.0.2u) (openssl-library.org) | Yes (1.0.2k < 1.0.2u) | OpenSSL 1.0.2k with NULL pointer deref fix backported (RHEL7 openssl-1.0.2k-21) | Upstream says 1.0.2k is affected (suse.com, linuxsecurity.com). |
| Ubuntu 20.04 LTS “Focal” | apache2 | CVE-2024-39573 | 2.4.41-4ubuntu3.19 (ubuntu.com) | Apache HTTPd ≤2.4.59 (fixed in 2.4.60) (ubuntu.com) | Yes (2.4.41 < 2.4.60) | Apache 2.4.41 with SSRF fix backported (Ubuntu patchset) | Version 2.4.41 is below the upstream 2.4.60 fix (ubuntu.com). |
| SUSE SLE 12 SP5 | apache2 | CVE-2024-39573 | 2.4.51-35.51.1 (patched build) (suse.com) | Apache HTTPd ≤2.4.59 (fixed in 2.4.60) (ubuntu.com) | Yes (2.4.51 < 2.4.60) | Apache 2.4.51 in SLES12 SP5 with backported fix (suse.com) | Upstream considers <2.4.60 vulnerable, so 2.4.51 would normally be flagged. |
| SUSE SLE 12 SP5 | apache2 | CVE-2024-38477 | 2.4.51-35.51.1 (same update) (suse.com) | Apache HTTPd ≤2.4.59 (fixed by 2.4.60) (ubuntu.com) | Yes (2.4.51 < 2.4.60) | Apache mod_proxy null-pointer fix backported into 2.4.51 (suse.com) | Version appears older than the upstream fix version. |
| SUSE SLE 12 SP5 | apache2 | CVE-2024-38475 | 2.4.51-35.51.1 (same update) (suse.com) | Apache HTTPd ≤2.4.59 (fixed by 2.4.60) (ubuntu.com) | Yes (2.4.51 < 2.4.60) | Apache mod_rewrite output-escaping issue fixed on 2.4.51 via patch (suse.com) | Vendor version < upstream fixed version. |
| Debian 9 “Stretch” | openssh | CVE-2018-15473 | 1:7.4p1-10+deb9u4 (lists.debian.org) | OpenSSH ≤7.7 (fixed in 7.8/7.9) (security-tracker.debian.org) | Yes (7.4 < 7.8) | OpenSSH 7.4p1 (Stretch) patched for user-enumeration flaw (lists.debian.org) | Upstream required ≥7.8, so 7.4p1 is normally seen as affected. |
| Debian 10 “Buster” | sudo | CVE-2021-3156 | 1.8.27-1+deb10u3 (security-tracker.debian.org) | sudo <1.9.5p2 (fixed in 1.9.5p2) (security-tracker.debian.org) | Yes (1.8.27 < 1.9.5p2) | sudo 1.8.27 in Buster with Baron Samedit patch (security-tracker.debian.org) | Upstream says versions below 1.9.5p2 are vulnerable, so 1.8.27 would be flagged (security-tracker.debian.org). |
| RHEL 7 | sudo | CVE-2019-14287 | 1.8.23-4.el7_7.1 (suse.com) | sudo ≤1.8.27 (fixed in 1.8.28) (suse.com, nvd.nist.gov) | Yes (1.8.23 < 1.8.28) | sudo 1.8.23 in RHEL7 patched for Runas All bug (suse.com) | Upstream fix came later (1.8.28), so 1.8.23 is normally marked affected. |
| Debian 8 “Jessie” | sudo | CVE-2017-1000367 | 1.8.10p3-1+deb8u4 (lists.debian.org) | sudo ≤1.8.20 (fixed in 1.8.21) (nvd.nist.gov, security.snyk.io) | Yes (1.8.10 < 1.8.21) | sudo 1.8.10p3 in Jessie got the tty hijack fix backported (lists.debian.org) | Upstream resolved it in a much newer sudo release, so 1.8.10p3 would appear vulnerable. |
| Ubuntu 12.04 LTS “Precise” | bash | CVE-2014-6271 | 4.2-2ubuntu2.5 (askubuntu.com) | Bash ≤4.3 (fixed in 4.3 patch) (security-tracker.debian.org) | Yes (4.2 < 4.3-fixed) | Bash 4.2 on Precise patched for Shellshock (askubuntu.com) | Version 4.2 is below the upstream 4.3 fix, so it is normally flagged as Shellshock-vulnerable. |
| Debian 10 “Buster” (LTS) | curl | CVE-2023-27533 | 7.64.0-4+deb10u6 (lists.debian.org) | curl <8.0.0 (fixed in 8.0.0) (security-tracker.debian.org) | Yes (7.64.0 < 8.0.0) | curl 7.64.0 with TELNET injection fix backported (Debian LTS) (lists.debian.org) | Upstream requires curl 8.x, so 7.64.0 is seen as affected. |
| Debian 10 “Buster” (LTS) | curl | CVE-2023-27535 | 7.64.0-4+deb10u6 (lists.debian.org) | curl <8.0.0 (fixed in 8.0.0) (security-tracker.debian.org) | Yes (7.64.0 < 8.0.0) | curl 7.64.0 with FTP reuse auth bypass fix backported (lists.debian.org) | Version appears vulnerable by upstream standards (<8.0). |
| Debian 10 “Buster” (LTS) | curl | CVE-2023-27536 | 7.64.0-4+deb10u6 (lists.debian.org) | curl <8.0.0 (fixed in 8.0.0) (security-tracker.debian.org) | Yes (7.64.0 < 8.0.0) | curl 7.64.0 with GSSAPI delegation reuse fix backported (lists.debian.org) | Upstream would mark 7.64.0 vulnerable. |
| Debian 10 “Buster” (LTS) | curl | CVE-2023-27538 | 7.64.0-4+deb10u6 (lists.debian.org) | curl <8.0.0 (fixed in 8.0.0) (security-tracker.debian.org) | Yes (7.64.0 < 8.0.0) | curl 7.64.0 with SSH connection reuse fix backported (lists.debian.org) | A version number <8.0 means upstream would treat it as unfixed. |
| Fedora 34 | glibc | CVE-2021-33574 | glibc-2.33-16.fc34 (lists.fedoraproject.org) | glibc ≤2.33 (fixed in 2.34) (suse.com) | Yes (2.33 < 2.34) | glibc 2.33 with mq_notify use-after-free fix applied (Fedora update) | Upstream fix came in 2.34, so 2.33 is normally flagged as vulnerable. |
| RHEL 8 | glibc | CVE-2024-2961 | glibc-2.28-236.el8_9.13 (openwall.com) | glibc ≤2.39 (fixed in 2.40) (openwall.com) | Yes (2.28 < 2.40) | glibc 2.28 with iconv() overflow fix backported (RHEL8 patch) (openwall.com) | Upstream requires 2.40+, so 2.28 is considered affected. |
| RHEL 7 | glibc | CVE-2015-0235 | glibc-2.17-55.el7_0.5 (suse.com) | glibc 2.2 up to 2.17 (fixed in 2.18) (suse.com) | Yes (2.17 < 2.18) | glibc 2.17 with GHOST bug patched (RHEL7 update) (suse.com) | Upstream fix was in 2.18; 2.17 is normally flagged as vulnerable (suse.com). |
| RHEL 7 | systemd | CVE-2020-1712 | systemd-219-57.el7_8 (patch backport) (alas.aws.amazon.com) | systemd ≤242 (fixed in 243) (alas.aws.amazon.com) | Yes (219 < 243) | systemd 219 with use-after-free fix backported (RHEL7/AL2 update) (alas.aws.amazon.com) | Upstream fix is in v243, so v219 would be marked vulnerable. |
| Alpine 3.10 | musl libc | CVE-2020-28928 | 1.1.22-r4 (security.alpinelinux.org) | musl ≤1.2.1 (fixed in 1.2.2) (security.alpinelinux.org) | Yes (1.1.x < 1.2.2) | musl 1.1.22 with wcsnrtombs() overflow fixed (Alpine 3.10) (security.alpinelinux.org) | Upstream fixed it in 1.2.2, so 1.1.22 would normally be considered vulnerable. |
| Ubuntu 20.04 LTS “Focal” | openssl | CVE-2022-0778 | 1.1.1f-1ubuntu2.15 (patched) (serverfault.com) | OpenSSL ≤1.1.1m (fixed in 1.1.1n) (serverfault.com) | Yes (1.1.1f < 1.1.1n) | OpenSSL 1.1.1f with BN infinite-loop fix backported (Ubuntu) (serverfault.com) | Upstream says only 1.1.1n+ is safe, so 1.1.1f appears vulnerable to scanners. |

Sources: vendor security advisories and trackers (Debian DSAs, Ubuntu CVE/USN pages, Red Hat errata, SUSE and Alpine trackers) are cited per cell above and listed in full under Citations; they confirm the patched versions and the upstream fix information. Each case demonstrates a backported security fix where the package version alone is misleading, which helps test a vulnerability scanner's ability to recognise patched-but-backported packages instead of raising false positives.

Citations

  • [SECURITY] [DSA 2896-1] openssl security update (https://lists.debian.org/debian-security-announce/2014/msg00071.html)
  • CVE-2014-0160 (https://security-tracker.debian.org/tracker/CVE-2014-0160)
  • CVE-2014-0160: OpenSSL Heartbleed Vulnerability, Kaseya (https://helpdesk.kaseya.com/hc/en-gb/articles/4407522717329-CVE-2014-0160-OpenSSL-Heartbleed-Vulnerability)
  • CVE-2020-1971 Common Vulnerabilities and Exposures, SUSE (https://www.suse.com/security/cve/CVE-2020-1971.html)
  • Scientific Linux 7.x SLSA-2020-5566-1 Critical OpenSSL Update (https://linuxsecurity.com/advisories/scilinux/scilinux-slsa-2020-5566-1-important-openssl-on-sl7-x-x86-64-14-12-13)
  • Release and Advisory Timeline | OpenSSL Library (https://openssl-library.org/news/timeline/)
  • CVE-2024-39573 | Ubuntu (https://ubuntu.com/security/CVE-2024-39573)
  • Security update for apache2 SUSE-SU-2024:2436-1 | SUSE Support (https://www.suse.com/support/update/announcement/2024/suse-su-20242436-1/)
  • [SECURITY] [DSA 4280-1] openssh security update (https://lists.debian.org/debian-security-announce/2018/msg00209.html)
  • CVE-2018-15473 - Security Bug Tracker - Debian (https://security-tracker.debian.org/tracker/CVE-2018-15473)
  • CVE-2021-3156 (https://security-tracker.debian.org/tracker/CVE-2021-3156)
  • CVE-2019-14287 Common Vulnerabilities and Exposures, SUSE (https://www.suse.com/security/cve/CVE-2019-14287.html)
  • CVE-2017-1000367 Detail - NVD (https://nvd.nist.gov/vuln/detail/cve-2017-1000367)
  • [SECURITY] [DSA 3867-1] sudo security update (https://lists.debian.org/debian-security-announce/2017/msg00127.html)
  • Race Condition in sudo | CVE-2017-1000367 | Snyk (https://security.snyk.io/vuln/SNYK-DEBIAN9-SUDO-406955)
  • security - What is the CVE-2014-6271 bash vulnerability (Shellshock) and how do I fix it? - Ask Ubuntu (https://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-how-do-i-fix-it)
  • CVE-2014-6271 (https://security-tracker.debian.org/tracker/CVE-2014-6271)
  • [SECURITY] [DLA 3398-1] curl security update (https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html)
  • Information on source package curl - Security Bug Tracker - Debian (https://security-tracker.debian.org/tracker/source-package/curl)
  • [SECURITY] Fedora 34 Update: glibc-2.33-16.fc34 (https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBUUWUGXVILQXVWEOU7N42ICHPJNAEUP/)
  • CVE-2015-0235 Common Vulnerabilities and Exposures | SUSE (https://www.suse.com/security/cve/CVE-2015-0235.html)
  • oss-security - The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (https://www.openwall.com/lists/oss-security/2024/04/17/9)
  • ALAS2-2020-1388 (https://alas.aws.amazon.com/AL2/ALAS2-2020-1388.html)
  • CVE-2020-28928 — Alpine Security Tracker (https://security.alpinelinux.org/vuln/CVE-2020-28928)
  • How can I know that Ubuntu 18.04 Bionic's latest OpenSSL is really ... (https://serverfault.com/questions/1096683/how-can-i-know-that-ubuntu-18-04-bionics-latest-openssl-is-really-1-1-1n)
