
Re: CVE-2010-1452: apache2 fix version issue

Hi Yadd,

Thank you for the clarification!

Is it possible to fix the typo in the OVAL file?

Thanks again.

Fri, 14 May 2021, 12:30, Yadd <yadd@debian.org>:
On 14/05/2021 at 07:49, Andrei Nikonov wrote:
> Good afternoon,
> I am writing to you as you are mentioned as maintainers of the *apache2*
> package.
> I did some research on Debian vulnerability data and found an issue.
> If I check CVE-2010-1452
> <https://security-tracker.debian.org/tracker/CVE-2010-1452> on the Debian
> Security Tracker page, I see that the fixed version for apache2 is
> *2.2.16-1* (the same version is on the page of JSON-formatted security data
> <https://security-tracker.debian.org/tracker/data/json>).
> But the information on this CVE in the OVAL data file for Buster
> <https://www.debian.org/security/oval/oval-definitions-buster.xml> is
> different. The definition of that CVE starts at line 109250 in that file
> (I attached a screenshot for convenience). The criterion below says that
> *apache2 DPKG is earlier than 2.2.19-3*.
> My questions are:
> 1. Should I consider fixed version 2.2.19-3 for apache2?
> 2. Should I rely on OVAL files? Is it just a typo in this case?
> Hoping for an answer.


security-tracker.debian.org is the reference (updated in real time); it
uses information from cve.mitre.org:

This issue is fixed in 2.2.16-1. 2.2.* versions are so old that some
information is missing, but 2.2.19-3 wasn't a Debian version (see
http://snapshot.debian.org/package/apache2/). So there is probably a
typo in the criterion.


Andrey Nikonov,
Security engineer,
"Frodex" Ltd.
Ufa, Russia.
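The thread boils down to two machine-readable sources disagreeing about the same fix: the OVAL criterion comment ("apache2 DPKG is earlier than 2.2.19-3") and the tracker JSON ("fixed_version": "2.2.16-1"). The script below is an added example, not part of this thread or of Debian's tooling, that cross-checks the two the way a consumer of the OVAL feed would: it pulls the version out of every "DPKG is earlier than" criterion, looks up the same (CVE, package) in the tracker JSON for a release, and compares them with a dpkg-style version comparison (epoch, then upstream, then revision, with the usual "~" and letter ordering). Both inputs are constructed samples that mirror the shape of the real files; the function names (oval_fixed_versions, tracker_fixed_versions, compare_debian_versions, find_mismatches) are this example's own, and the "Debian 10 is installed" criterion and definition id are placeholders.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like oval-definitions-buster.xml (OVAL 5 namespace,
# criterion comments as Debian writes them). Versions are the ones in the thread.
OVAL_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="vulnerability" id="oval:org.debian:def:1" version="1">
      <metadata>
        <title>CVE-2010-1452 apache2</title>
        <reference source="CVE" ref_id="CVE-2010-1452"
          ref_url="https://security-tracker.debian.org/tracker/CVE-2010-1452"/>
      </metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:org.debian:tst:1" comment="Debian 10 is installed"/>
        <criterion test_ref="oval:org.debian:tst:2"
          comment="apache2 DPKG is earlier than 2.2.19-3"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""

# Constructed sample shaped like security-tracker.debian.org/tracker/data/json
TRACKER_SAMPLE = json.dumps({"apache2": {"CVE-2010-1452": {"releases": {
    "buster": {"status": "resolved", "fixed_version": "2.2.16-1"}}}}})

NS = {"o": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
CRITERION_RE = re.compile(r"^(\S+) DPKG is earlier than (\S+)$")


def oval_fixed_versions(xml_text):
    """Map (CVE, package) -> version named in the OVAL criterion comment."""
    root = ET.fromstring(xml_text)
    out = {}
    for definition in root.iterfind(".//o:definition", NS):
        cves = [r.get("ref_id") for r in definition.iterfind(".//o:reference", NS)
                if r.get("source") == "CVE"]
        for crit in definition.iterfind(".//o:criterion", NS):
            m = CRITERION_RE.match(crit.get("comment", ""))
            if m:
                for cve in cves:
                    out[(cve, m.group(1))] = m.group(2)
    return out


def tracker_fixed_versions(json_text, release):
    """Map (CVE, package) -> fixed_version for one release from the tracker JSON."""
    out = {}
    for pkg, cves in json.loads(json_text).items():
        for cve, info in cves.items():
            rel = info.get("releases", {}).get(release, {})
            if rel.get("fixed_version"):
                out[(cve, pkg)] = rel["fixed_version"]
    return out


def _split_version(v):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _order(ch):
    # dpkg ordering within a non-digit run: '~' < end-of-string < letters < others
    if ch == "~":
        return -1
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare upstream or revision strings the way dpkg --compare-versions does."""
    while a or b:
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(pa), len(pb))):
            oa = _order(pa[i] if i < len(pa) else "")
            ob = _order(pb[i] if i < len(pb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(pa):], b[len(pb):]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
        a, b = a[len(na):], b[len(nb):]
    return 0


def compare_debian_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in Debian version order."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def find_mismatches(oval_xml, tracker_json, release):
    """List (cve, package, oval_version, tracker_version) where the sources disagree."""
    oval, tracker = oval_fixed_versions(oval_xml), tracker_fixed_versions(tracker_json, release)
    return [(cve, pkg, ov, tracker.get((cve, pkg)))
            for (cve, pkg), ov in sorted(oval.items())
            if tracker.get((cve, pkg)) is None
            or compare_debian_versions(ov, tracker[(cve, pkg)]) != 0]


if __name__ == "__main__":
    for cve, pkg, ov, tv in find_mismatches(OVAL_SAMPLE, TRACKER_SAMPLE, "buster"):
        print(f"{cve} {pkg}: OVAL says {ov}, tracker says {tv}")
```

Run against the real files, the same function would flag every definition whose criterion version is not the tracker's fixed version for that release, so a consumer can decide, as the thread does, which source to treat as authoritative. Note that a mismatch does not by itself say which side is wrong; here the snapshot archive settled it, because 2.2.19-3 never existed as a Debian version.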
