[ubuntu-hardened] The patch package for util-linux in Ubuntu OVAL is incorrect

古好佑輔 yusuke.koyoshi at bizreach.co.jp
Thu May 9 04:58:57 UTC 2024


I suspect that in Ubuntu OVAL, the version of bsdutils, which is a
dependency package of util-linux, is mistakenly reported as the version of
the util-linux patch package.

The following CVEs are relevant:
CVE-2016-5011
CVE-2018-7738
CVE-2021-3995
CVE-2021-3996
CVE-2021-37600
CVE-2024-28085
https://security-metadata.canonical.com/oval/

For example, for CVE-2024-28085, the following are reported as the patch
packages:
util-linux 2.37.2-4ubuntu3.3 or higher
util-linux 1:2.37.2-4ubuntu3.3 or higher

util-linux 1:2.37.2-4ubuntu3.3 is a version that does not exist in
util-linux; could it be a version of bsdutils?
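Why the stray epoch matters to anyone consuming this OVAL data, shown with an added example that is not part of the original post or of Canonical's tooling: a Python implementation of dpkg version ordering (epoch, then upstream, then revision, with '~' sorting first) applied to the two thresholds quoted above. The installed version used in the check is a constructed value.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg ordering: '~' sorts before anything, even end of string (0);
    # letters by code point; every other character after all letters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else (ord(c) + 256 if c else 0)

def _verrevcmp(a, b):
    # Alternate non-digit runs (character order) and digit runs (numeric),
    # the loop dpkg applies to the upstream and revision parts separately.
    while a or b:
        na, a = re.match(r"(\D*)(.*)", a).groups()
        nb, b = re.match(r"(\D*)(.*)", b).groups()
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        da, a = re.match(r"(\d*)(.*)", a).groups()
        db, b = re.match(r"(\d*)(.*)", b).groups()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def split_version(v):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare(v1, v2):
    """Return -1, 0 or 1 for v1 <, ==, > v2 under dpkg semantics."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    d = (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (d > 0) - (d < 0)

# Thresholds quoted in the report for CVE-2024-28085; the report suspects
# the epoch-prefixed one actually belongs to bsdutils, not util-linux.
REPORTED_THRESHOLDS = ("2.37.2-4ubuntu3.3", "1:2.37.2-4ubuntu3.3")

def check_report(installed):
    """Map each reported threshold to whether `installed` is that version
    or higher, i.e. whether a scanner would count it as patched."""
    return {t: compare(installed, t) >= 0 for t in REPORTED_THRESHOLDS}
```

For a constructed installed version 2.37.2-4ubuntu3.4 (no epoch), check_report returns True for the plain threshold and False for the epoch-prefixed one, because any epoch 1 version outranks every epoch 0 version; a scanner applying the bsdutils-style threshold would therefore keep reporting an updated util-linux as unpatched.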