Re: CVE-2010-1452: apache2 fix version issue
On 14/05/2021 at 07:49, Andrei Nikonov wrote:
> Good afternoon,
> I am writing to you as you are mentioned as maintainers of apache2.
> I did some research about Debian vulnerability data and found an issue.
> If I check CVE-2010-1452
> <https://security-tracker.debian.org/tracker/CVE-2010-1452> with Debian
> Security Tracker page, I will see that the fixed version for apache2 is
> 2.2.16-1 (the same version is on the page of JSON-formatted security data).
> But information of this CVE in the file of OVAL data for Buster
> <https://www.debian.org/security/oval/oval-definitions-buster.xml> is
> different. Definition of that CVE starts from line 109250 in that file
> (I attached a screenshot for convenience). The criterion below says that
> "apache2 DPKG is earlier than 2.2.19-3".
> My questions are:
> 1. Should I consider fixed version 2.2.19-3 for apache2?
> 2. Should I rely on OVAL files? Is it just a typo in this case?
> Hoping for an answer.
security-tracker.debian.org is the reference (updated in real time), it
uses information from cve.mitre.org:
This issue is fixed in 2.2.16-1. 2.2.* versions are so old that some
information is missing, but 2.2.19-3 wasn't a Debian version (see
http://snapshot.debian.org/package/apache2/). So there is probably a
typo in the criterion.
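A cross-check of the kind described in this thread, added here as an example and not part of the original exchange: it pulls the "DPKG is earlier than" version out of each OVAL definition and compares it with the tracker's fixed version for one suite, so a stray value like 2.2.19-3 shows up as a mismatch. Both the OVAL fragment and the JSON excerpt are constructed, and the JSON layout (package -> CVE -> releases -> suite -> fixed_version) is an assumption about the tracker's export.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed OVAL fragment in the layout of Debian's oval-definitions-*.xml:
# one <definition> per CVE, criterion comments of the form
# "<package> DPKG is earlier than <version>". The version mirrors the thread.
OVAL_SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<definitions>
<definition id="oval:org.debian.oval:def:1" class="vulnerability">
  <metadata><title>CVE-2010-1452 apache2</title>
    <reference source="CVE" ref_id="CVE-2010-1452"/></metadata>
  <criteria operator="AND">
    <criterion test_ref="oval:org.debian.oval:tst:1" comment="Debian 10 is installed"/>
    <criterion test_ref="oval:org.debian.oval:tst:2" comment="apache2 DPKG is earlier than 2.2.19-3"/>
  </criteria>
</definition>
</definitions>
</oval_definitions>"""

# Constructed excerpt; the nesting is assumed, not copied from the tracker.
TRACKER_SAMPLE = json.dumps({"apache2": {"CVE-2010-1452": {
    "releases": {"buster": {"status": "resolved", "fixed_version": "2.2.16-1"}}}}})

CRITERION_RE = re.compile(r"^(\S+) DPKG is earlier than (\S+)$")

def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]

def oval_fixed_versions(oval_xml):
    """Return {(cve, package): version} for every 'DPKG is earlier than' criterion."""
    found = {}
    for definition in ET.fromstring(oval_xml).iter():
        if _local(definition.tag) != "definition":
            continue
        cves = [r.get("ref_id") for r in definition.iter()
                if _local(r.tag) == "reference" and r.get("source") == "CVE"]
        for crit in definition.iter():
            m = CRITERION_RE.match(crit.get("comment", "")) if _local(crit.tag) == "criterion" else None
            if m:
                for cve in cves:
                    found[(cve, m.group(1))] = m.group(2)
    return found

def cross_check(oval_xml, tracker_json, suite):
    """List (cve, package, oval_version, tracker_version) where the two sources disagree."""
    tracker = json.loads(tracker_json)
    mismatches = []
    for (cve, pkg), oval_ver in sorted(oval_fixed_versions(oval_xml).items()):
        rel = tracker.get(pkg, {}).get(cve, {}).get("releases", {}).get(suite, {})
        if rel.get("fixed_version") != oval_ver:   # exact string compare, see note
            mismatches.append((cve, pkg, oval_ver, rel.get("fixed_version")))
    return mismatches

if __name__ == "__main__":
    for row in cross_check(OVAL_SAMPLE, TRACKER_SAMPLE, "buster"):
        print("mismatch: %s %s OVAL=%s tracker=%s" % row)
```

The comparison is a plain string match, so an epoch-only difference (e.g. "0:" prefix) is also reported; a release-grade check would compare with dpkg's version ordering instead.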