[ubuntu-hardened] OVAL definitions for Ubuntu
Seth Arnold
seth.arnold at canonical.com
Wed Sep 23 02:47:10 UTC 2015
Hello,
Ubuntu now offers OVAL vulnerability content that can be used with OVAL
scanners or SCAP scanners to provide information on packages that require
updates or have known vulnerabilities.
Most naive vulnerability scanners will simply take upstream version
numbers as the authoritative "fixed" version and give completely useless
results to everyone using a distribution such as Ubuntu that backports
or writes security fixes rather than upgrading to entirely new packages.
OVAL definitions allow vulnerability scanners to accurately report
packages with known issues and fixed versions.
The OVAL content can be downloaded from:
https://people.canonical.com/~ubuntu-security/oval/
Currently we're only generating content for LTS releases, as we anticipate
this will be most useful to larger deployments. (If there's demand we could
increase this to our enthusiast releases as well.)
Currently, these are:
https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.precise.cve.oval.xml
https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.trusty.cve.oval.xml
David Solin and David Ries from JovalCM contributed the OVAL content
generator; rather than build it solely for their customers, they have
provided it to us under the GPL so that it can benefit all Ubuntu users.
You can take a look at JovalCM's offerings at http://jovalcm.com/.
Thanks to David Solin and David Ries for working with us to provide OVAL
content for everyone.
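The false positive described above, as an added example (not part of the original message, and not Canonical's or JovalCM's tooling): a simplified Python reimplementation of dpkg version ordering, showing a naive upstream-version check flagging a patched package while a comparison against the distribution's fixed version does not. The package versions are constructed, and the function names and the simplified "naive" check are assumptions for illustration.

```python
import re
from itertools import zip_longest

_RUNS = re.compile(r"([^0-9]*)([0-9]*)")  # alternating non-digit / digit runs

def _order(c):
    # '~' sorts before end-of-string (0); letters sort before other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare one version component the way dpkg does: text runs by
    # character order, digit runs numerically.
    for (sa, na), (sb, nb) in zip_longest(_RUNS.findall(a), _RUNS.findall(b),
                                          fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return -1 if oa < ob else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    epoch, colon, rest = v.partition(":")
    if not colon:
        epoch, rest = "0", v
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def dpkg_compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def naive_flags(installed, upstream_fixed):
    # Naive scanner: drop the distro revision, compare to upstream's fixed release
    return _cmp_part(_split(installed)[1], upstream_fixed) < 0

def distro_flags(installed, distro_fixed):
    # Distribution-aware check: full version against the distro's fixed version
    return dpkg_compare(installed, distro_fixed) < 0

# Constructed versions for a hypothetical package with a backported fix
INSTALLED, UPSTREAM_FIXED, DISTRO_FIXED = "2.4.7-1ubuntu4.5", "2.4.16", "2.4.7-1ubuntu4.4"

if __name__ == "__main__":
    print("naive:", naive_flags(INSTALLED, UPSTREAM_FIXED))
    print("distro-aware:", distro_flags(INSTALLED, DISTRO_FIXED))
```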