
Re: About CVE-2017-1000082



Hi Teppei,

On Fri, Jun 26, 2020 at 01:09:40PM +0000, Teppei Fukuda wrote:
> Hi Debian Security Team,
> 
> Thank you for providing the great tracker system. I have a question. When it comes to CVE-2017-1000082, jessie says "fixed".
> https://security-tracker.debian.org/tracker/CVE-2017-1000082
> 
> But OVAL describes the following.
> <criterion comment="systemd DPKG is earlier than 0" test_ref="oval:org.debian.oval:tst:15314"/>
> 
> In the case of buster, OVAL is like the following.
>  <criterion comment="systemd DPKG is earlier than 234-1" test_ref="oval:org.debian.oval:tst:11877"/>
> Are they correct? If it is fixed, I think it should not be "0" and buster should have suffix like "~deb10uX", not "234-1".

These are all correct, 234 was the first systemd release to ship the fix.

It says 0 for jessie as jessie was never affected by this security issue, the version of
systemd in jessie does not contain the affected code.

Cheers,
        Moritz
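
The two OVAL criteria quoted in this thread, evaluated with dpkg's version ordering. This is an added example, not part of the original messages or of Debian's tooling. The installed versions are constructed sample values, and `criterion_matches` and the helper names are hypothetical.

```python
import re

def _order(c):
    # dpkg character weight: '~' sorts before everything, even end of string
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, as dpkg does
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if d:
                return d
            i, j = i + 1, j + 1
        na = re.match(r"\d*", a[i:]).group()
        nb = re.match(r"\d*", b[j:]).group()
        d = int(na or 0) - int(nb or 0)
        if d:
            return d
        i, j = i + len(na), j + len(nb)
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; assumes ASCII version strings
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def dpkg_compare(v1, v2):
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def criterion_matches(criterion_xml, installed):
    # True when the installed version is earlier than the version in the criterion
    m = re.search(r'comment="\S+ DPKG is earlier than ([^"]+)"', criterion_xml)
    return dpkg_compare(installed, m.group(1)) < 0

JESSIE = '<criterion comment="systemd DPKG is earlier than 0" test_ref="oval:org.debian.oval:tst:15314"/>'
BUSTER = '<criterion comment="systemd DPKG is earlier than 234-1" test_ref="oval:org.debian.oval:tst:11877"/>'

if __name__ == "__main__":
    # Installed versions below are constructed sample values
    for crit, ver in [(JESSIE, "215-17+deb8u13"), (BUSTER, "241-7~deb10u4"),
                      (BUSTER, "233-9"), (BUSTER, "234-1~deb10u1")]:
        print(ver, "-> criterion matches:", criterion_matches(crit, ver))
```

The last sample shows why a `~deb10uX` suffix matters to scanners: `~` sorts before the end of the string, so `234-1~deb10u1` is earlier than `234-1`.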

