Uploaded image for project: 'Security Data'
  1. Security Data
  2. SECDATA-133

Repeated CVEs in oval db (example CVE-2017-15649 for RHEL7)

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • None
    • oval
    • False
    • Hide

      None

      Show
      None
    • False
    • If Release Note Needed, Set a Value
    • Set a Value
    • 0

      We've found a CVE (CVE-2017-15649) that seems to impact both all and some version of the kernel package. Specifically, we parse the file at 
      https://access.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
       
      At the top of the file, CVE-2017-15649 appears for the first time with the title "CVE-2017-15649 kernel: Use-after-free in the af_packet.c (important)" and impacts all installations of the kernel package.
       
      CVE-2017-15649 appears a second time as part of a bug fix with title "RHSA-2018:0151: kernel security and bug fix update (Important)" and reduces the impact scope to kernel versions earlier than 0:3.10.0-693.17.1.el7.
       
      I've added screenshots of both sections this CVE appears in, highlighting the different kernel version criteria.
       
      Is this an expected format of the data or an error in the file?

        1. CVE-2017-15649 - first appear - impact all kernel versions.png
          CVE-2017-15649 - first appear - impact all kernel versions.png
          277 kB
        2. CVE-2017-15649 - second appear - impact some kernel versions.png
          CVE-2017-15649 - second appear - impact some kernel versions.png
          367 kB

              mprpic@redhat.com Martin Prpic
              yousefzoq Yousef Alowayed (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: