group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #44932
[Bug 2004476] Re: [SRU] Allow openscap to be less strict about epoch digit and able to build security certification projects
This bug was fixed in the package openscap - 1.2.17-0.1ubuntu7.22.10.1
---------------
openscap (1.2.17-0.1ubuntu7.22.10.1) kinetic; urgency=medium
* Make dpkg version comparison less strict for epoch digit. (LP: #2004476)
- d/p/debian-epoch-less-strict.patch: oval_cmp_evr_string:
Make epoch comparison less restrict for dpkg.
* Allow build of ComplianceAsCode and USG projects for platforms that use
remote resources. (LP: #2002551)
- d/p/allow-DS-session-to-continue-without-remote-resource.patch:
Allow DS session to continue without remote resource.
-- Eduardo Barretto <eduardo.barretto@xxxxxxxxxxxxx> Tue, 31 Jan 2023
13:16:05 +0100
** Changed in: openscap (Ubuntu Kinetic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2004476
Title:
[SRU] Allow openscap to be less strict about epoch digit and able to
build security certification projects
Status in openscap package in Ubuntu:
Confirmed
Status in openscap source package in Trusty:
Fix Committed
Status in openscap source package in Xenial:
Fix Committed
Status in openscap source package in Bionic:
Fix Released
Status in openscap source package in Focal:
Fix Released
Status in openscap source package in Jammy:
Fix Released
Status in openscap source package in Kinetic:
Fix Released
Bug description:
[Impact]
Back in [1] where we added dpkg version comparison algorithm, we were too strict about the epoch number, where oscap would return an error message if no epoch number was provided. This SRU backports the fix provided to upstream [2] and released with openscap 1.3.7, meaning lunar is not affected by it.
[Test Case]
Attached to this bug is a zip file that contains OVAL data for one package (expat) and data of one CVE (CVE-2022-43680). The OVAL data is in both OCI
and non-OCI format.
The test consists of comparing the installed version of the mentioned
packages, to different versions where the CVE could have been fixed.
Testing procedure (Bionic):
$ sudo apt update
$ sudo apt install libopenscap8
$ sudo apt install libexpat1
$ tar -xzf test-data.tar.gz
$ cd test-data/
$ ./run.sh
Here is the output of the test, with current openscap in jammy:
$ ./run.sh
oscap oval eval com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: error
Definition oval:com.ubuntu.jammy:def:100: true
OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]
oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: error
OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]
and the output of the test, with patched openscap in jammy:
$ ./run.sh
oscap oval eval com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: false
Definition oval:com.ubuntu.jammy:def:100: true
Evaluation done.
oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: false
Evaluation done.
[Where problems could occur]
The patch touches the comparison algorithm, so any regressions that it
might have, might impact the comparison and scanning results.
[Other Info]
The epoch issue affects all releases from Bionic to Kinetic, and it
also Trusty ESM and Xenial ESM and we will be handling those in the
ESM PPAs.
The versioning algorithm implemented is based on dpkg's algorithm.
Upstream accepted and merged the Debian epoch fix to its maint-1.3
branch and it already made into 1.3.7 version [3]
[1] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791
[2] https://github.com/OpenSCAP/openscap/pull/1901
[3] https://github.com/OpenSCAP/openscap/releases/tag/1.3.7
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2004476/+subscriptions