[OVAL REPOSITORY] Outdated CVEs in multiple OVAL references

Erwan Le Pape erwan.le-pape-ml at tehtri-security.com
Tue Aug 9 04:45:25 EDT 2016


Hi,

I've noticed that a few OVAL definitions have references to CVEs that
have been tagged as rejects and haven't been updated in the OVAL database.

The full list is as follows:

OVAL Definition               Reference CVE:Preferred CVE

oval:org.mitre.oval:def:7192  CVE-2010-3885:CVE-2010-3227
oval:org.mitre.oval:def:6880  CVE-2010-3410:CVE-2010-1825
oval:org.mitre.oval:def:16935 CVE-2012-3977:CVE-2012-4930
oval:org.mitre.oval:def:6717  CVE-2010-3409:CVE-2010-1824
oval:org.mitre.oval:def:7462  CVE-2010-3408:CVE-2010-1823
oval:org.mitre.oval:def:8888  CVE-2009-1563:CVE-2009-0689
oval:org.mitre.oval:def:11904 CVE-2010-2052:CVE-2010-2155
oval:org.mitre.oval:def:13239 CVE-2010-2052:CVE-2010-2155
oval:org.mitre.oval:def:21289 CVE-2012-4166:CVE-2012-4165
oval:org.mitre.oval:def:27258 CVE-2012-5595:CVE-2012-6056
oval:org.mitre.oval:def:27258 CVE-2012-5597:CVE-2012-6059
oval:org.mitre.oval:def:27258 CVE-2012-5598:CVE-2012-6060
oval:org.mitre.oval:def:27258 CVE-2012-5599:CVE-2012-6061
oval:org.mitre.oval:def:27258 CVE-2012-5600:CVE-2012-6062
oval:org.mitre.oval:def:23957 CVE-2012-4166:CVE-2012-4165
oval:org.mitre.oval:def:18512 CVE-2007-1323:CVE-2007-2893
oval:org.mitre.oval:def:17091 CVE-2007-5336:CVE-2007-5339
oval:org.mitre.oval:def:24432 CVE-2012-5595:CVE-2012-6056
oval:org.mitre.oval:def:24432 CVE-2012-5598:CVE-2012-6060
oval:org.mitre.oval:def:24432 CVE-2012-5599:CVE-2012-6061
oval:org.mitre.oval:def:24432 CVE-2012-5600:CVE-2012-6062
oval:org.mitre.oval:def:13692 CVE-2009-3906:CVE-2009-3606
oval:org.mitre.oval:def:13692 CVE-2009-3907:CVE-2009-3607
oval:org.mitre.oval:def:13692 CVE-2009-3908:CVE-2009-3608
oval:org.mitre.oval:def:29230 CVE-2009-1563:CVE-2009-0689
oval:org.mitre.oval:def:27327 CVE-2012-5595:CVE-2012-6056
oval:org.mitre.oval:def:27327 CVE-2012-5598:CVE-2012-6060
oval:org.mitre.oval:def:27327 CVE-2012-5599:CVE-2012-6061
oval:org.mitre.oval:def:27327 CVE-2012-5600:CVE-2012-6062
oval:org.mitre.oval:def:20038 CVE-2013-4257:CVE-2013-4256
oval:org.mitre.oval:def:19220 CVE-2013-4257:CVE-2013-4256
oval:org.cisecurity:def:88    CVE-2015-3287:CVE-2015-6587
oval:org.cisecurity:def:846   CVE-2016-4347:CVE-2015-7558
oval:org.mitre.oval:def:7365  CVE-2009-3906:CVE-2009-3606
oval:org.mitre.oval:def:7365  CVE-2009-3907:CVE-2009-3607
oval:org.mitre.oval:def:7365  CVE-2009-3908:CVE-2009-3608
oval:org.mitre.oval:def:13742 CVE-2009-1563:CVE-2009-0689
oval:org.mitre.oval:def:25991 CVE-2013-1894:CVE-2013-2561
oval:org.mitre.oval:def:24378 CVE-2012-5595:CVE-2012-6056
oval:org.mitre.oval:def:24378 CVE-2012-5598:CVE-2012-6060
oval:org.mitre.oval:def:24378 CVE-2012-5599:CVE-2012-6061
oval:org.mitre.oval:def:24378 CVE-2012-5600:CVE-2012-6062
oval:org.mitre.oval:def:13140 CVE-2010-2077:CVE-2010-1640
oval:org.mitre.oval:def:13598 CVE-2009-1563:CVE-2009-0689
oval:org.mitre.oval:def:13121 CVE-2009-1563:CVE-2009-0689
oval:org.mitre.oval:def:26946 CVE-2012-5595:CVE-2012-6056
oval:org.mitre.oval:def:26946 CVE-2012-5597:CVE-2012-6059
oval:org.mitre.oval:def:26946 CVE-2012-5598:CVE-2012-6060
oval:org.mitre.oval:def:26946 CVE-2012-5599:CVE-2012-6061
oval:org.mitre.oval:def:26946 CVE-2012-5600:CVE-2012-6062
oval:org.mitre.oval:def:20094 CVE-2013-4349:CVE-2012-4540
oval:org.mitre.oval:def:12465 CVE-2010-1738:CVE-2010-1448
oval:org.mitre.oval:def:20603 CVE-2013-4336:CVE-2013-5964
oval:org.mitre.oval:def:23464 CVE-2013-4336:CVE-2013-5964
oval:org.mitre.oval:def:22986 CVE-2009-1563:CVE-2009-0689
oval:org.mitre.oval:def:8171  CVE-2009-1563:CVE-2009-0689

I imagine that it's because they were tagged as such after the
definition was created and nobody goes through all references to check
they're still valid, but if it's by design, feel free to ignore this.

If not, should I submit a pull request on GitHub (sorry, I'm not exactly
sure how contributions work; I noticed that OVAL seems to have a bot to
handle that)?

Best regards,

-Erwan Le Pape <erwan.le-pape at tehtri-security.com>
TEHTRI-Security
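
The check the message describes, as an added example that is not part of the original post or of the OVAL repository's tooling: it walks the CVE references in OVAL definitions and reports those whose CVE entry is marked rejected, together with the IDs to use instead. The XML fragment, the CVE description texts and the `** REJECT **` / `ConsultIDs:` wording they rely on are assumptions constructed for the example; only the first two definition IDs and CVE pairs are taken from the list in the message.

```python
import re
import xml.etree.ElementTree as ET

NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed CVE descriptions. Assumption: rejected entries start with
# "** REJECT **" and name their replacements in a "ConsultIDs:" field.
REJECT = ("** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. "
          "ConsultIDs: {}. Reason: (constructed)")
CVE_DESCRIPTIONS = {
    "CVE-2010-3885": REJECT.format("CVE-2010-3227"),
    "CVE-2009-3906": REJECT.format("CVE-2009-3606"),
    "CVE-2010-3227": "(constructed text of an entry that is still valid)",
}

# Constructed OVAL fragment; the third definition id is a placeholder.
SAMPLE_OVAL = """
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition id="oval:org.mitre.oval:def:7192"><metadata>
   <reference source="CVE" ref_id="CVE-2010-3885"/></metadata></definition>
  <definition id="oval:org.mitre.oval:def:13692"><metadata>
   <reference source="CVE" ref_id="CVE-2009-3906"/></metadata></definition>
  <definition id="oval:example.constructed:def:1"><metadata>
   <reference source="CVE" ref_id="CVE-2010-3227"/></metadata></definition>
 </definitions>
</oval_definitions>
"""

def rejected_map(descriptions):
    """Map each rejected CVE id to the ids its entry says to consult."""
    rejects = {}
    for cve, text in descriptions.items():
        if text.lstrip().startswith("** REJECT **"):
            consult = text.partition("ConsultIDs:")[2].partition("Reason:")[0]
            rejects[cve] = CVE_RE.findall(consult)  # [] means no replacement given
    return rejects

def stale_references(oval_xml, descriptions):
    """Return (definition id, referenced CVE, preferred CVEs) per rejected ref."""
    rejects = rejected_map(descriptions)
    rows = []
    for d in ET.fromstring(oval_xml).iterfind(".//d:definition", NS):
        for ref in d.iterfind("d:metadata/d:reference[@source='CVE']", NS):
            cve = ref.get("ref_id", "").strip().upper()
            if cve in rejects:
                rows.append((d.get("id"), cve, rejects[cve]))
    return rows
```

`stale_references(SAMPLE_OVAL, CVE_DESCRIPTIONS)` returns one row per outdated reference; a row with an empty preferred list is a rejected CVE with no replacement, where the reference needs manual review rather than a swap.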

