[09:49] Guest38, are you the author of this https://askubuntu.com/questions/1444976/confused-about-reported-kernel-cve-by-openscap-with-oval-on-ubuntu-20-04-22-04/ ?
[12:28] yes I am
[12:52] Guest38, have you tried to use a newer OVAL data and see if you can reproduce the issue? I couldn't here
[13:01] yes, I refresh the OVAL definition before each run. I will try one run again today
[13:04] great, let me know if this is still happening
[16:30] new test
[16:31] fjc@nas:~$ uname -a
[16:31] Linux nas 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[16:31] fjc@nas:~$ grep -i "oval:timestamp" com.ubuntu.jammy.cve.oval.xml
[16:31]         2022-12-15T14:55:46
[16:31] fjc@nas:~$ oscap oval eval --report report_cve_$(hostname).html com.ubuntu.jammy.cve.oval.xml | grep 202243945
[16:31] Definition oval:com.ubuntu.jammy:def:2022439450000000: true
[16:40] Guest38, https://pastebin.ubuntu.com/p/JhQ228p7P8/ I cannot reproduce it
[16:41] Guest38, could you run oscap with: oscap oval eval --report report_cve_$(hostname).html --results results.xml --verbose INFO --verbose-log-file log.txt com.ubuntu.jammy.cve.oval.xml | grep 202243945
[16:41] and then share the results.xml and log.txt
[17:05] https://file.io/mmuAwwxRt9YB
[17:05] one download allowed :/
[17:20] Guest38, do you have linux-image-extra-virtual or linux-image-generic or linux-image-virtual installed?
[17:22] fjc@nas:~$ sudo apt list --installed | grep linux-image
[17:22] WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
[17:22] linux-image-5.15.0-53-generic/jammy-updates,jammy-security,now 5.15.0-53.59 amd64  [installé, automatique]
[17:22] linux-image-5.15.0-56-generic/jammy-updates,jammy-security,now 5.15.0-56.62 amd64  [installé, automatique]
[17:22] linux-image-generic/jammy-updates,jammy-security,now 5.15.0.56.54 amd64  [installé, automatique]
[17:22] it is a 22.04 machine migrated from a 20.04. does it raise some problems ?
[17:35] I also have tens of (freshly installed) 20.04 machines which have the same symptoms
[17:37] Guest38, so it is giving you 'true' result because it is matching the linux-image-generic binary package as part of the linux-meta-riscv source package. And that source package apparently didn't receive the CVE fix, so they will for sure trigger the true. I need to check with the kernel team more about it
[19:05] thank you for the explanation
[19:11] Guest38, I will take a look tomorrow on how to avoid this. This is a kind of false positive, but for a reason that shouldn't happen. I won't promise that the fix will be published tomorrow as we are about to leave for holidays, so it might have to wait until first week of January
[19:11] and thanks for reporting it and providing the logs
[20:22] thanks, no hurry. I think I noticed this problem for 6 months or something, for 20.04 and 22.04. Not for 18.04.
[20:24] another example : oscap oval eval com.ubuntu.jammy.cve.oval.xml | grep 202242703
[20:24] Definition oval:com.ubuntu.jammy:def:2022427030000000: true
[20:24] https://ubuntu.com/security/CVE-2022-42703
[20:24] -ubottu:#ubuntu-security- mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
[20:55] thanks, no hurry. I think I noticed this problem for 6 months or something, for 20.04 and 22.04. Not for 18.04.
[20:56] another example : oscap oval eval com.ubuntu.jammy.cve.oval.xml | grep 202242703
[20:56] Definition oval:com.ubuntu.jammy:def:2022427030000000: true
[20:56] https://ubuntu.com/security/CVE-2022-42703
[20:56] -ubottu:#ubuntu-security- mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
[20:56] another kind of false positive, but probably with another root cause as it is a special case of rejected CVE : https://ubuntu.com/security/CVE-2022-2209
[20:56] -ubottu:#ubuntu-security- ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.
[20:57] oscap oval eval com.ubuntu.jammy.cve.oval.xml | grep 20222209
[20:57] Definition oval:com.ubuntu.jammy:def:202222090000000: true
=== Guest38 is now known as fjc