/srv/irclogs.ubuntu.com/2023/01/20/#ubuntu-security.txt

=== arraybolt3_ is now known as arraybolt3
=== chris15 is now known as chris14
<mainek00n> Hi, I have a question about Kernel Packages in Ubuntu Security Tracker and OVAL. [02:10]
<mainek00n> In the Web and in the Git Repository of Ubuntu Security Tracker, there is no information about `linux-signed-*` or `linux-meta-*`, but in the OVAL criterion. [02:10]
<mainek00n> How should I manage Kernel Packages such as `linux-signed-*` and `linux-meta-*` when I use the Ubuntu Security Tracker data? [02:10]
=== chris15 is now known as chris14
<sarnold> mainek00n: I don't think any of the binary packages created by linux-meta-* is worth worrying about, a very quick check of my local archive mirror shows that the largest one of those is 3568 bytes (linux-meta-azure-fde/linux-azure-fde_5.4.0.1100.106+cvm1.35_amd64.deb) [02:29]
=== chris14- is now known as chris14
<sarnold> mainek00n: the signed vs unsigned source packages and "" vs "unsigned" binary packages are pretty obnoxious to untangle, but I thought the usual oval tool had all the right pieces to be aware of which packages are which [02:30]
<mainek00n> For example, Ubuntu CVE Tracker - CVE-2022-2964 (https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-2964) mentions only linux-aws Package, but OVAL (https://security-metadata.canonical.com/oval/oci.com.ubuntu.focal.cve.oval.xml.bz2) mentions linux-aws, linux-signed-aws, and linux-meta-aws individually. [02:49]
<mainek00n> <criterion test_ref="oval:com.ubuntu.focal:tst:2020278200000010" comment="linux-aws package in focal is affected. An update containing the fix has been completed and is pending publication (note: '5.4.0-1073.78')." /> [02:49]
<mainek00n> <criterion test_ref="oval:com.ubuntu.focal:tst:2020278200000270" comment="linux-meta-aws package in focal is affected. An update containing the fix has been completed and is pending publication (note: '5.4.0-1073.78')." /> [02:49]
-ubottu:#ubuntu-security- A flaw was found in the Linux kernel’s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2964> [02:49]
<mainek00n> <criterion test_ref="oval:com.ubuntu.focal:tst:2020278200000650" comment="linux-signed-aws package in focal is affected. An update containing the fix has been completed and is pending publication (note: '5.4.0-1073.78')." /> [02:49]
<mainek00n> So, how should I manage `linux-meta-aws` and `linux-signed-aws` if I use only Ubuntu CVE Tracker data? [02:49]
<sarnold> the ubuntu-cve-tracker doesn't track the -signed- or the -meta- packages because the one is generated from the -unsigned- versions and the other has no code at all [02:51]
<mainek00n> If OVAL is generated based on information from the Ubuntu CVE Tracker, how are the `linux-meta-aws` and `linux-signed-aws` criteria mentioned in OVAL determined? [03:25]
<sarnold> the generator has some rules around that https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/generate-oval#n362 [03:36]
=== chris15 is now known as chris14
