[21:10] <Guest38> Hello
[21:13] <sarnold> hello
[21:14] <Guest38> Not sure I am at the right place, but I try. I have a question about kernel CVE assesment with openscap+OVAL on ubuntu 20.04/22.04. I think there are some false positives, but maybe there is something I don't understand with kernel versions, patches and vulnerabilities
[21:14] <Guest38> I described what I observed for a few months here : https://askubuntu.com/questions/1444976/confused-about-reported-kernel-cve-by-openscap-with-oval-on-ubuntu-20-04-22-04
[21:17] <arraybolt3> Guest38: According to Ubuntu's Security Advisory List, that CVE has been partially dealt with. https://ubuntu.com/security/CVE-2022-43945 If I'm understanding the page right, Focal is still affected, but not Jammy.
[21:17] -ubottu:#ubuntu-security- The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43945>
[21:23] <sarnold> curious indeed,  https://ubuntu.com/security/notices/USN-5755-1 sure looks like we think we fixed this; here's where jammy said it was fixed, but the focal one is missing that cve: https://launchpad.net/ubuntu/+source/linux/+changelog  https://launchpad.net/ubuntu/+source/linux/5.15.0-56.62 
[21:24] <arraybolt3> If you're using the HWE kernel (which I believe is used by default in Ubuntu?), you should have the fix from Jammy, though.
[21:24] <arraybolt3> (Is this the default in Ubuntu Server? I don't know for sure.)
[21:28] <sarnold> heh good question, I *think* the server installer defaults to the GA kernel while the desktop point release installers default to the HWE kernel, but that might be stale, or perhaps I just never knew the details, etc
[21:28] <Guest38> yes indeed. I have a few servers on focal with HWE, and same problem as Jammy. Some kernel CVE are patched, but OVAL definitions seems to be wrong because when checking kernel versions for evaluating if the CVE is still here with openscap, the result is true
[21:44] <arraybolt3> I should specify, I don't know if the use of the HWE kernel is enough to patch the bug on Focal. I highly suspect it is, but I don't know.
[21:44] <arraybolt3> Guest38: ^