[00:22] <mainek00n> I have a question about fixed versions of kernel-related packages in OVAL, such as the linux package.
[00:22] <mainek00n> For example, https://ubuntu.com/security/CVE-2022-3635 says that the bionic linux package will be fixed in 4.15.0-197.208.
[00:22] <mainek00n> But in OVAL (definition id: oval:com.ubuntu.bionic:def:202236350000000), I can only find 0:4.15.0-197 in the criteria section. The description says 4.15.0-197.208, but that was linked to the binary package.
[00:22] <mainek00n> How should fixed versions of kernel-related packages, such as linux packages, be handled in OVAL?
[00:22] -ubottu:#ubuntu-security- A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3635>
[01:41] <tomreyn> i suppose the person who is supposedly ( /topic ) on community assignment is actually on holidays. ;-)
[23:13] <amurray> mainek00n: ebarretto is the main OVAL expert - am hoping he can help answer the kernel version question