=== arraybolt3_ is now known as arraybolt3 | ||
=== chris15 is now known as chris14 | ||
mainek00n | Hi, I have a question about Kernel Packages in Ubuntu Security Tracker and OVAL. | 02:10 |
mainek00n | In the Web and in the Git Repository of Ubuntu Security Tracker, there is no information about `linux-signed-*` or `linux-meta-*`, but there is in the OVAL criterion. | 02:10 |
mainek00n | How should I manage Kernel Packages such as `linux-signed-*` and `linux-meta-*` when I use the Ubuntu Security Tracker data? | 02:10 |
=== chris15 is now known as chris14 | ||
sarnold | mainek00n: I don't think any of the binary packages created by linux-meta-* is worth worrying about, a very quick check of my local archive mirror shows that the largest one of those is 3568 bytes (linux-meta-azure-fde/linux-azure-fde_5.4.0.1100.106+cvm1.35_amd64.deb) | 02:29 |
=== chris14- is now known as chris14 | ||
sarnold | mainek00n: the signed vs unsigned source packages and "" vs "unsigned" binary packages are pretty obnoxious to untangle, but I thought the usual oval tool had all the right pieces to be aware of which packages are which | 02:30 |
mainek00n | For example, Ubuntu CVE Tracker - CVE-2022-2964 (https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-2964) mentions only linux-aws Package, but OVAL (https://security-metadata.canonical.com/oval/oci.com.ubuntu.focal.cve.oval.xml.bz2) mentions linux-aws, linux-signed-aws, and linux-meta-aws individually. | 02:49 |
mainek00n | <criterion test_ref="oval:com.ubuntu.focal:tst:2020278200000010" comment="linux-aws package in focal is affected. An update containing the fix has been completed and is pending publication (note: '5.4.0-1073.78')." /> | 02:49 |
mainek00n | <criterion test_ref="oval:com.ubuntu.focal:tst:2020278200000270" comment="linux-meta-aws package in focal is affected. An update containing the fix has been completed and is pending publication (note: '5.4.0-1073.78')." /> | 02:49 |
-ubottu:#ubuntu-security- A flaw was found in the Linux kernel’s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2964> | 02:49 | |
mainek00n | <criterion test_ref="oval:com.ubuntu.focal:tst:2020278200000650" comment="linux-signed-aws package in focal is affected. An update containing the fix has been completed and is pending publication (note: '5.4.0-1073.78')." /> | 02:49 |
mainek00n | So, how should I manage `linux-meta-aws` and `linux-signed-aws` if I use only Ubuntu CVE Tracker data? | 02:49 |
sarnold | the ubuntu-cve-tracker doesn't track the -signed- or the -meta- packages because the one is generated from the -unsigned- versions and the other has no code at all | 02:51 |
mainek00n | If OVAL is generated based on information from the Ubuntu CVE Tracker, how are the `linux-meta-aws` and `linux-signed-aws` criteria mentioned in OVAL determined? | 03:25 |
sarnold | the generator has some rules around that https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/generate-oval#n362 | 03:36 |
=== chris15 is now known as chris14 |