[02:10] <mainek00n> Hi, I have a question about Kernel Packages in Ubuntu Security Tracker and OVAL.
[02:10] <mainek00n> On the web and in the Git repository of the Ubuntu Security Tracker, there is no information about `linux-signed-*` or `linux-meta-*`, but there is in the OVAL criterion.
[02:10] <mainek00n> How should I manage Kernel Packages such as `linux-signed-*` and `linux-meta-*` when I use the Ubuntu Security Tracker data?
[02:29] <sarnold> mainek00n: I don't think any of the binary packages created by linux-meta-* is worth worrying about, a very quick check of my local archive mirror shows that the largest one of those is 3568 bytes (linux-meta-azure-fde/linux-azure-fde_5.4.0.1100.106+cvm1.35_amd64.deb)
[02:30] <sarnold> mainek00n: the signed vs unsigned source packages and "" vs "unsigned" binary packages are pretty obnoxious to untangle, but I thought the usual oval tool had all the right pieces to be aware of which packages are which
[02:49] <mainek00n> For example, Ubuntu CVE Tracker - CVE-2022-2964 (https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-2964) mentions only linux-aws Package, but OVAL (https://security-metadata.canonical.com/oval/oci.com.ubuntu.focal.cve.oval.xml.bz2) mentions linux-aws, linux-signed-aws, and linux-meta-aws individually.
[02:49] <mainek00n> <criterion test_ref="oval:com.ubuntu.focal:tst:2020278200000010" comment="linux-aws package in focal is affected. An update containing the fix has been completed and is pending publication (note: '5.4.0-1073.78')." />
[02:49] <mainek00n> <criterion test_ref="oval:com.ubuntu.focal:tst:2020278200000270" comment="linux-meta-aws package in focal is affected. An update containing the fix has been completed and is pending publication (note: '5.4.0-1073.78')." />
[02:49] -ubottu:#ubuntu-security- A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2964>
[02:49] <mainek00n> <criterion test_ref="oval:com.ubuntu.focal:tst:2020278200000650" comment="linux-signed-aws package in focal is affected. An update containing the fix has been completed and is pending publication (note: '5.4.0-1073.78')." />
[02:49] <mainek00n> So, how should I manage `linux-meta-aws` and `linux-signed-aws` if I use only Ubuntu CVE Tracker data?
[02:51] <sarnold> the ubuntu-cve-tracker doesn't track the -signed- or the -meta- packages because the one is generated from the -unsigned- versions and the other has no code at all
[03:25] <mainek00n> If OVAL is generated based on information from the Ubuntu CVE Tracker, how are the `linux-meta-aws` and `linux-signed-aws` criteria mentioned in OVAL determined?
[03:36] <sarnold> the generator has some rules around that https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/generate-oval#n362