  1. Security Data
  2. SECDATA-7

CPE Mismatch in rhel-7.7-eus.oval.xml.bz2


    • Story
    • Resolution: Done
    • Normal
    • oval

      The affected CPEs found in rhel-7.7-e4s.oval.xml.bz2 contain CPEs for previous RHEL 7 releases.

      Here is the affected CPE list for every advisory in https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7.7-e4s.oval.xml.bz2:

         <affected_cpe_list>
          <cpe>cpe:/a:redhat:rhel_extras_sap_e4s:7.7</cpe>
          <cpe>cpe:/a:redhat:rhel_extras_sap_hana_e4s:7.7</cpe>
          <cpe>cpe:/o:redhat:rhel_e4s:7.6</cpe>
          <cpe>cpe:/o:redhat:rhel_e4s:7.6::server</cpe>
          <cpe>cpe:/o:redhat:rhel_e4s:7.7</cpe>
          <cpe>cpe:/o:redhat:rhel_e4s:7.7::server</cpe>
         </affected_cpe_list>
      

      I do not believe that these two items should be listed:

          <cpe>cpe:/o:redhat:rhel_e4s:7.6</cpe>
          <cpe>cpe:/o:redhat:rhel_e4s:7.6::server</cpe>
      

      Both RHSA-2020:2485 and RHSA-2020:3592 appear in the rhel-7.7-e4s.oval.xml.bz2 OVAL archive with cpe:/o:redhat:rhel_e4s:7.6 listed in the affected_cpe_list, but these advisories are actually not for RHEL 7.6 and do not appear in rhel-7.6-e4s.oval.xml.bz2.

      Previously the CPE lists in these major.minor OVAL archives only contained CPEs relevant for each specific release.

            mprpic@redhat.com Martin Prpic
            chaddombrowski Chad Dombrowski (Inactive)
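
A check for the mismatch reported above, as an added example that is not part of the original issue or of Red Hat's tooling: it flags every advisory whose affected_cpe_list carries a CPE version different from the release named in the archive's filename. The sample XML is constructed, its element layout is an assumed, trimmed form of the real OVAL file, and RHSA-0000:0000 is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: layout is an assumed, trimmed form of an OVAL definitions
# file; the first CPE list is the one quoted in the report, the second is made up.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<definition id="constructed:def:1"><metadata><title>RHSA-2020:2485: constructed</title>
 <advisory><affected_cpe_list>
  <cpe>cpe:/a:redhat:rhel_extras_sap_e4s:7.7</cpe>
  <cpe>cpe:/a:redhat:rhel_extras_sap_hana_e4s:7.7</cpe>
  <cpe>cpe:/o:redhat:rhel_e4s:7.6</cpe>
  <cpe>cpe:/o:redhat:rhel_e4s:7.6::server</cpe>
  <cpe>cpe:/o:redhat:rhel_e4s:7.7</cpe>
  <cpe>cpe:/o:redhat:rhel_e4s:7.7::server</cpe>
 </affected_cpe_list></advisory></metadata></definition>
<definition id="constructed:def:2"><metadata><title>RHSA-0000:0000: placeholder</title>
 <advisory><affected_cpe_list>
  <cpe>cpe:/o:redhat:rhel_e4s:7.7::server</cpe>
 </affected_cpe_list></advisory></metadata></definition>
</oval_definitions>"""

def _local(tag):
    """Strip the XML namespace so the check does not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]

def stream_version(filename):
    """'rhel-7.7-e4s.oval.xml.bz2' -> '7.7' (the release the archive is named for)."""
    m = re.search(r"rhel-(\d+\.\d+)-", filename)
    if m is None:
        raise ValueError(f"no major.minor version in {filename!r}")
    return m.group(1)

def cpe_version(cpe):
    """Version field of a CPE 2.2 URI (cpe:/part:vendor:product:version:...), or None."""
    fields = cpe.strip()[len("cpe:/"):].split(":")
    return fields[3] if len(fields) > 3 and fields[3] else None

def mismatched_cpes(oval_xml, filename):
    """Map advisory -> CPEs whose version differs from the archive's own release."""
    want, findings = stream_version(filename), {}
    for d in (e for e in ET.fromstring(oval_xml).iter() if _local(e.tag) == "definition"):
        title = next((e.text for e in d.iter() if _local(e.tag) == "title"), "") or ""
        key = (re.match(r"RHSA-\d+:\d+", title) or [d.get("id")])[0]
        bad = [e.text.strip() for e in d.iter() if _local(e.tag) == "cpe" and e.text
               and cpe_version(e.text) not in (None, want)]
        if bad:
            findings[key] = bad
    return findings

if __name__ == "__main__":
    print(mismatched_cpes(SAMPLE, "rhel-7.7-e4s.oval.xml.bz2"))
```

To run it against a downloaded archive, pass `bz2.open(path, "rt").read()` as `oval_xml` together with the archive's filename.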