group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 2004476] Re: [SRU] Allow openscap to be less strict about epoch digit and able to build security certification projects

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <2004476@xxxxxxxxxxxxxxxxxx>
Date: Thu, 23 Mar 2023 13:57:04 -0000
Reply-to: Bug 2004476 <2004476@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
This bug was fixed in the package openscap - 1.2.16-2ubuntu3.3

---------------
openscap (1.2.16-2ubuntu3.3) focal; urgency=medium

  * Make dpkg version comparison less strict for epoch digit. (LP: #2004476)
    - d/p/debian-epoch-less-strict.patch: oval_cmp_evr_string:
      Make epoch comparison less restrict for dpkg.
  * Allow build of ComplianceAsCode and USG projects for platforms that use
    remote resources. (LP: #2002551)
    - d/p/allow-DS-session-to-continue-without-remote-resource.patch:
      Allow DS session to continue without remote resource.

 -- Eduardo Barretto <eduardo.barretto@xxxxxxxxxxxxx>  Tue, 31 Jan 2023
13:27:43 +0100

** Changed in: openscap (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2004476

Title:
  [SRU] Allow openscap to be less strict about epoch digit and able to
  build security certification projects

Status in openscap package in Ubuntu:
  Confirmed
Status in openscap source package in Trusty:
  Fix Committed
Status in openscap source package in Xenial:
  Fix Committed
Status in openscap source package in Bionic:
  Fix Released
Status in openscap source package in Focal:
  Fix Released
Status in openscap source package in Jammy:
  Fix Released
Status in openscap source package in Kinetic:
  Fix Released

Bug description:
  [Impact]
  Back in [1] where we added dpkg version comparison algorithm, we were too strict about the epoch number, where oscap would return an error message if no epoch number was provided. This SRU backports the fix provided to upstream [2] and released with openscap 1.3.7, meaning lunar is not affected by it.

  [Test Case]
  Attached to this bug is a zip file that contains OVAL data for one package (expat) and data of one CVE (CVE-2022-43680). The OVAL data is in both OCI
  and non-OCI format.

  The test consists of comparing the installed version of the mentioned
  packages, to different versions where the CVE could have been fixed.

  Testing procedure (Bionic):
  $ sudo apt update
  $ sudo apt install libopenscap8
  $ sudo apt install libexpat1
  $ tar -xzf test-data.tar.gz
  $ cd test-data/
  $ ./run.sh

  Here is the output of the test, with current openscap in jammy:
  $ ./run.sh
  oscap oval eval com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: error
  Definition oval:com.ubuntu.jammy:def:100: true
  OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]
  oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: error
  OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]

  and the output of the test, with patched openscap in jammy:
  $ ./run.sh
  oscap oval eval com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: false
  Definition oval:com.ubuntu.jammy:def:100: true
  Evaluation done.
  oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
  Definition oval:com.ubuntu.jammy:def:2022436800000000: false
  Evaluation done.

  [Where problems could occur]

  The patch touches the comparison algorithm, so any regressions that it
  might have, might impact the comparison and scanning results.

  [Other Info]

  The epoch issue affects all releases from Bionic to Kinetic, and it
  also Trusty ESM and Xenial ESM and we will be handling those in the
  ESM PPAs.

  The versioning algorithm implemented is based on dpkg's algorithm.

  Upstream accepted and merged the Debian epoch fix to its maint-1.3
  branch and it already made into 1.3.7 version [3]

  [1] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791
  [2] https://github.com/OpenSCAP/openscap/pull/1901
  [3] https://github.com/OpenSCAP/openscap/releases/tag/1.3.7

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2004476/+subscriptions