Comments (8)
Note that the list above only shows the upgradable metapackages; the actual binaries aren't listed because due to how kernel package naming works (embedding versions) they are actually new packages, not upgrades. I wonder if that's related to this cvescan issue.
from sec-cvescan.
The hint that led to the conclusion above was that motd correctly reports:
ubuntu@ip-172-31-29-146:~$ grep security /var/run/motd.dynamic
7 updates are security updates.
The reason it knows is because /usr/lib/update-notifier/apt-check loops through everything which is marked either install or upgrade, i.e.:
if not (depcache.marked_install(pkg) or
        depcache.marked_upgrade(pkg)):
    continue
Whereas a simple apt list --upgradable | grep security won't list packages marked for installation.
from sec-cvescan.
I think this might be a problem with the OVAL generation rather than with cvescan.
ubuntu@ip-172-31-29-146:~$ grep 4.15.0.1063.64 /home/ubuntu/snap/cvescan/common/com.ubuntu.bionic.cve.oval.xml
And it might be related to the known problem we have where the OVAL uses the source package version (even in cases where the binary packages generated from that source have different version strings).
from sec-cvescan.
The OVAL is saying that it is fixed in a different version
ubuntu@ip-172-31-29-146:~$ grep linux-aws /home/ubuntu/snap/cvescan/common/com.ubuntu.bionic.cve.oval.xml| grep test_ref | grep 1063 | head -n 1
<criterion test_ref="oval:com.ubuntu.bionic:tst:2019152170000010" comment="linux-aws package in bionic was vulnerable but has been fixed (note: '4.15.0-1063.67')." />
[Edited to make the result of the grep visible, github was filtering it -- stevebeattie]
from sec-cvescan.
Yes. Kernels are particularly difficult to track because the meta packages that get updates are generated from a separate source package (linux-meta-aws in this case) from the actual source package that provides the binary packages (source linux-aws), and thus contains the actual fix. It gets even more complicated if signed kernels are used, because they are from a third source package (linux-signed-DERIVATIVE, would be linux-signed-aws on amd64 here).
In this case, the version @markmorlino is seeing above is the actual version of the linux-aws source package; but that differs from the version of the meta source package.
The oval does define:
<linux-def:dpkginfo_object id="oval:com.ubuntu.bionic:obj:201245420000010" version="1" comment="The 'linux-aws' package binary.">
    <linux-def:name>linux-image-4.15.0-1063-aws</linux-def:name>
</linux-def:dpkginfo_object>
but that test object is not the one that is getting applied for the specific issues addressed by the 1063 kernel (though to be fair I haven't looked terribly closely at the xml).
from sec-cvescan.
Oh right, this is the test referenced above:
<linux-def:dpkginfo_test id="oval:com.ubuntu.bionic:tst:2019152170000010" version="1" check_existence="at_least_one_exists" check="at least one" comment="Does the 'linux-aws' package exist and is the version less than '4.15.0-1063.67'?">
    <linux-def:object object_ref="oval:com.ubuntu.bionic:obj:201245420000010"/>
    <linux-def:state state_ref="oval:com.ubuntu.bionic:ste:2019152170000010" />
</linux-def:dpkginfo_test>
which checks the object oval:com.ubuntu.bionic:obj:201245420000010:
<linux-def:dpkginfo_object id="oval:com.ubuntu.bionic:obj:201245420000010" version="1" comment="The 'linux-aws' package binary.">
    <linux-def:name>linux-image-4.15.0-1063-aws</linux-def:name>
</linux-def:dpkginfo_object>
in this case, the linux-image-4.15.0-1063-aws kernel package against the version 4.15.0-1063.67:
<linux-def:dpkginfo_state id="oval:com.ubuntu.bionic:ste:2019152170000010" version="1" comment="The package version is less than '4.15.0-1063.67'.">
    <linux-def:evr datatype="debian_evr_string" operation="less than">4.15.0-1063.67</linux-def:evr>
</linux-def:dpkginfo_state>
from sec-cvescan.
But yes, what I believe (not having looked at the oval generator code) needs to happen as well is for it to look up in launchpad what the specific matching abi version is for the associated meta package, and include a correct version test for that.
from sec-cvescan.
I think that explains why those are not being reported by cvescan. And the other discrepancy comes from update notifier showing both security packages that will be updated and packages that will be newly installed on the system but already have security updates. The latter won't be reported by cvescan since they are not installed yet.
from sec-cvescan.