diff --git a/go.mod b/go.mod
index d35eb18d..e811560c 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/briandowns/spinner v1.23.0
 github.com/fatih/color v1.10.0 // indirect
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
- github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
+ github.com/knqyf263/go-rpm-version v0.0.0-20240918084003-2afd7dc6a38f
 github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 github.com/pandatix/go-cvss v0.6.2
 github.com/samber/lo v1.47.0
diff --git a/go.sum b/go.sum
index 4819bf3a..daaef428 100644
--- a/go.sum
+++ b/go.sum
@@ -38,6 +38,8 @@ github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
 github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 h1:HDjRqotkViMNcGMGicb7cgxklx8OwnjtCBmyWEqrRvM=
 github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
+github.com/knqyf263/go-rpm-version v0.0.0-20240918084003-2afd7dc6a38f h1:xt29M2T6STgldg+WEP51gGePQCsQvklmP2eIhPIBK3g=
+github.com/knqyf263/go-rpm-version v0.0.0-20240918084003-2afd7dc6a38f/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go
index 8cc37def..d0ed48a4 100644
--- a/pkg/vulnsrc/oracle-oval/oracle-oval.go
+++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go
@@ -10,13 +10,14 @@ import (
 "strings"
 version "github.com/knqyf263/go-rpm-version"
+ "github.com/samber/lo"
 bolt "go.etcd.io/bbolt"
+ "golang.org/x/exp/maps"
 "golang.org/x/xerrors"
 "github.com/aquasecurity/trivy-db/pkg/db"
 "github.com/aquasecurity/trivy-db/pkg/types"
 "github.com/aquasecurity/trivy-db/pkg/utils"
- ustrings "github.com/aquasecurity/trivy-db/pkg/utils/strings"
 "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 )
@@ -37,7 +38,7 @@ type PutInput struct {
 VulnID string // CVE-ID or ELSA-ID
 Vuln types.VulnerabilityDetail // vulnerability detail such as CVSS and description
 Advisories map[AffectedPackage]types.Advisory // pkg => advisory
- OVAL OracleOVAL // for extensibility, not used in trivy-db
+ OVALs []OracleOVAL // for extensibility, not used in trivy-db
 }
 type DB interface {
@@ -111,6 +112,7 @@ func (vs *VulnSrc) put(ovals []OracleOVAL) error {
 }
 func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error {
+ putInputs := make(map[string]PutInput)
 for _, oval := range ovals {
 elsaID := strings.Split(oval.Title, ":")[0]
@@ -138,8 +140,13 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error {
 return xerrors.Errorf("failed to put data source: %w", err)
 }
+ // Clean affectedPkg.Package.FixedVersion to find same packages,
+ // when we merge fixed versions from multiple ELSA files
+ fixedVersion := affectedPkg.Package.FixedVersion
+ affectedPkg.Package.FixedVersion = ""
+
 advisories[affectedPkg] = types.Advisory{
- FixedVersion: affectedPkg.Package.FixedVersion,
+ PatchedVersions: []string{fixedVersion},
 }
 }
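Review bot: `golang.org/x/exp/maps` is pulled in only for the `maps.Clone` call further down this file, while the new `slices.Sort` calls add no import in this hunk, so `slices` was presumably already imported above line 10. If that `slices` is the standard-library package (Go 1.21+), the standard-library `maps.Clone` is available as well and the `x/exp/maps` line can become `"maps"` in the stdlib import group, avoiding a dependency on an unstable experimental module. Worth checking against the `go` directive in go.mod, which this diff does not show.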
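Review bot: Renaming the exported field `OVAL` to `OVALs` and changing its type alters the public shape of `PutInput`; the trailing comment says the field exists for extensibility, so an out-of-tree `DB` implementation that read `input.OVAL` stops compiling. If that is accepted, the comment should say what the slice now holds, e.g. `OVALs []OracleOVAL // every ELSA that contributed to this vulnerability; for extensibility, not used in trivy-db`.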
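Review bot: Once `affectedPkg.Package.FixedVersion` is blanked, two entries from the same OVAL for the same package and platform but different fixed versions (a normal and a ksplice or fips build in one ELSA, for instance) collapse to one map key, and the plain assignment to `advisories[affectedPkg]` keeps only the last one; the cross-file merge later in `commit` appends, but this in-file case silently drops a version. Accumulate here as well: `adv := advisories[affectedPkg]`, `adv.PatchedVersions = append(adv.PatchedVersions, fixedVersion)`, `advisories[affectedPkg] = adv`. The enclosing loop and the `advisories` declaration are outside this hunk, so whether one OVAL can actually produce duplicate keys is inferred from the key change rather than visible.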
@@ -156,21 +163,96 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error {
 Severity: severityFromThreat(oval.Severity),
 }
- err := vs.Put(tx, PutInput{
+ input := PutInput{
 VulnID: vulnID,
 Vuln: vuln,
- Advisories: advisories,
- OVAL: oval,
- })
- if err != nil {
- return xerrors.Errorf("db put error: %w", err)
+ Advisories: maps.Clone(advisories),
+ OVALs: []OracleOVAL{oval},
+ }
+ if savedInput, ok := putInputs[input.VulnID]; ok {
+ input.OVALs = append(input.OVALs, savedInput.OVALs...)
+
+ for newPkg, newAdv := range input.Advisories {
+ if savedPkgAdv, pkgFound := savedInput.Advisories[newPkg]; pkgFound {
+ // Merge patchedVersions.
+ // We will remove duplicates later.
+ newAdv.PatchedVersions = append(savedPkgAdv.PatchedVersions, newAdv.PatchedVersions...)
+ }
+ savedInput.Advisories[newPkg] = newAdv
+ }
+ input.Advisories = savedInput.Advisories
 }
+ putInputs[input.VulnID] = input
+ }
+ }
+
+ for _, input := range putInputs {
+ for pkg, adv := range input.Advisories {
+ // Remove duplicates and multiple version for one flavor.
+ // Keep only the normal version in adv.FixedVersion for backward compatibility.
+ adv.FixedVersion, adv.PatchedVersions = patchedVersions(adv.PatchedVersions)
+ input.Advisories[pkg] = adv
+ }
+
+ err := vs.Put(tx, input)
+ if err != nil {
+ return xerrors.Errorf("db put error: %w", err)
 }
 }
 return nil
 }
+type PkgFlavor string
+
+const (
+ NormalPackageFlavor PkgFlavor = "normal"
+ FipsPackageFlavor PkgFlavor = "fips"
+ KsplicePackageFlavor PkgFlavor = "ksplice"
+)
+
+// patchedVersions removes duplicates and returns normal flavor + only one version for each flavor.
+func patchedVersions(vers []string) (string, []string) {
+ vers = lo.Uniq(vers)
+
+ patchedVers := make(map[PkgFlavor]string)
+ for _, ver := range vers {
+ flavor := PackageFlavor(ver)
+ if savedVer, ok := patchedVers[flavor]; ok {
+ v := version.NewVersion(ver)
+ sv := version.NewVersion(savedVer)
+ if v.LessThan(sv) {
+ ver = savedVer
+ }
+ }
+ patchedVers[flavor] = ver
+ }
+
+ versions := lo.Values(patchedVers)
+ slices.Sort(versions)
+
+ return patchedVers[NormalPackageFlavor], versions
+}
+
+// PackageFlavor determinants the package "flavor" based on its version string
+// - normal
+// - FIPS validated
+// - ksplice userspace
+func PackageFlavor(version string) PkgFlavor {
+ version = strings.ToLower(version)
+ if strings.HasSuffix(version, "_fips") {
+ return FipsPackageFlavor
+ }
+
+ subs := strings.Split(version, ".")
+ for _, s := range subs {
+ if strings.HasPrefix(s, "ksplice") {
+ return KsplicePackageFlavor
+ }
+ }
+ return NormalPackageFlavor
+}
+
 func (o *Oracle) Put(tx *bolt.Tx, input PutInput) error {
 if err := o.PutVulnerabilityDetail(tx, input.VulnID, source.ID, input.Vuln); err != nil {
 return xerrors.Errorf("failed to save Oracle Linux OVAL vulnerability: %w", err)
@@ -234,7 +316,11 @@ func referencesFromContains(sources []string, matches []string) []string {
 }
 }
 }
- return ustrings.Unique(references)
+
+ references = lo.Uniq(references)
+ slices.Sort(references)
+
+ return references
 }
 func severityFromThreat(sev string) types.Severity {
diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go
index 9d3ed857..37cd204b 100644
--- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go
+++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go
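Review bot: In `PackageFlavor` the parameter named `version` shadows the `version` package (go-rpm-version) imported at the top of this file for the whole body, so the function cannot reach `version.NewVersion` without a rename and a reader grepping for package uses is misled; `func PackageFlavor(ver string) PkgFlavor {` with `ver = strings.ToLower(ver)` avoids it, and the doc comment's `determinants` should read `determines`. `patchedVersions` returns an empty first value when no normal-flavor version is present, which `commit` then stores as `FixedVersion`; the multi-flavor test relies on this for CVE-2021-3580, so the doc comment should state it, e.g. `// The returned fixed version is "" when only fips or ksplice builds are patched; a consumer reading FixedVersion alone then sees the package as unfixed.` In the final loop, `err := vs.Put(tx, input)` followed by `if err != nil` is the one spot in the hunk not written as `if err := vs.Put(tx, input); err != nil {`. When one CVE appears in several ELSA files, only `Advisories` and `OVALs` are merged while `input.Vuln` (title, description, references, severity) comes from whichever file is processed last; if that is intended, a one-line comment next to `putInputs[input.VulnID] = input` would make it deliberate rather than accidental.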
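Review bot: `lo.Uniq` allocates a fresh slice, so `referencesFromContains` now returns an empty non-nil slice instead of a nil one when nothing matched, and the added `slices.Sort` changes the order callers observed before; both are reasonable for deterministic output, but if the result is ever JSON-encoded the empty case becomes `[]` where it may have been `null`. Whether the removed `ustrings.Unique` preserved nil is not visible in this diff, so this is inferred. The function's loop starts outside the hunk.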
@@ -39,24 +39,36 @@ func TestVulnSrc_Update(t *testing.T) {
 Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-devel"},
 Value: types.Advisory{
 FixedVersion: "30:9.3.3-8.el5",
+ PatchedVersions: []string{
+ "30:9.3.3-8.el5",
+ },
 },
 },
 {
 Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-devel"},
 Value: types.Advisory{
 FixedVersion: "30:9.3.3-8.el5",
+ PatchedVersions: []string{
+ "30:9.3.3-8.el5",
+ },
 },
 },
 {
 Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-sdb"},
 Value: types.Advisory{
 FixedVersion: "30:9.3.3-8.el5",
+ PatchedVersions: []string{
+ "30:9.3.3-8.el5",
+ },
 },
 },
 {
 Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-sdb"},
 Value: types.Advisory{
 FixedVersion: "30:9.3.3-8.el5",
+ PatchedVersions: []string{
+ "30:9.3.3-8.el5",
+ },
 },
 },
 {
@@ -117,48 +129,72 @@ func TestVulnSrc_Update(t *testing.T) {
 Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-doc"},
 Value: types.Advisory{
 FixedVersion: "4.1.12-124.24.3.el6uek",
+ PatchedVersions: []string{
+ "4.1.12-124.24.3.el6uek",
+ },
 },
 },
 {
 Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-doc"},
 Value: types.Advisory{
 FixedVersion: "4.1.12-124.24.3.el6uek",
+ PatchedVersions: []string{
+ "4.1.12-124.24.3.el6uek",
+ },
 },
 },
 {
 Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-firmware"},
 Value: types.Advisory{
 FixedVersion: "4.1.12-124.24.3.el6uek",
+ PatchedVersions: []string{
+ "4.1.12-124.24.3.el6uek",
+ },
 },
 },
 {
 Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-firmware"},
 Value: types.Advisory{
 FixedVersion: "4.1.12-124.24.3.el6uek",
+ PatchedVersions: []string{
+ "4.1.12-124.24.3.el6uek",
+ },
 },
 },
 {
 Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-doc"},
 Value: types.Advisory{
 FixedVersion: "4.1.12-124.24.3.el7uek",
+ PatchedVersions: []string{
+ "4.1.12-124.24.3.el7uek",
+ },
 },
 },
 {
 Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-doc"},
 Value: types.Advisory{
 FixedVersion: "4.1.12-124.24.3.el7uek",
+ PatchedVersions: []string{
+ "4.1.12-124.24.3.el7uek",
+ },
 },
 },
 {
 Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-firmware"},
 Value: types.Advisory{
 FixedVersion: "4.1.12-124.24.3.el7uek",
+ PatchedVersions: []string{
+ "4.1.12-124.24.3.el7uek",
+ },
 },
 },
 {
 Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-firmware"},
 Value: types.Advisory{
 FixedVersion: "4.1.12-124.24.3.el7uek",
+ PatchedVersions: []string{
+ "4.1.12-124.24.3.el7uek",
+ },
 },
 },
 {
@@ -195,6 +231,95 @@ func TestVulnSrc_Update(t *testing.T) { }, }, }, + { + name: "happy path multi flavors", + dir: filepath.Join("testdata", "multi-flavor"), + wantValues: []vulnsrctest.WantValues{ + { + Key: []string{"data-source", "Oracle Linux 8"}, + Value: types.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls"}, + Value: types.Advisory{ + FixedVersion: "3.6.16-4.el8", + PatchedVersions: []string{ + "10:3.6.16-4.0.1.el8_fips", + "3.6.16-4.el8", + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls"}, + Value: types.Advisory{ + PatchedVersions: []string{ + "10:3.6.16-4.0.1.el8_fips", + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls"}, + Value: types.Advisory{ + FixedVersion: "3.6.16-4.el8", + PatchedVersions: []string{ + "3.6.16-4.el8", + }, + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2021-3580", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + Title: "ELSA-2022-9221: gnutls security update (MODERATE)", + Description: "[3.6.16-4.0.1_fips]\n- Allow RSA keygen with modulus sizes bigger than 3072 bits and validate the seed length\n as defined in FIPS 186-4 section B.3.2 [Orabug: 33200526]\n- Allow bigger known RSA modulus sizes when calling\n rsa_generate_fips186_4_keypair directly [Orabug: 33200526]\n- Change Epoch from 1 to 10\n\n[3.6.16-4]\n- p11tool: Document ID reuse behavior when importing certs (#1776250)\n\n[3.6.16-3]\n- Treat SHA-1 signed CA in the trusted set differently (#1965445)\n\n[3.6.16-2]\n- Filter certificate_types in TLS 1.2 CR based on signature algorithms (#1942216)\n\n[3.6.16-1]\n- Update to upstream 3.6.16 release (#1956783)\n- Fix potential use-after-free in key_share handling (#1927597)\n- Fix potential use-after-free in pre_shared_key handling 
(#1927593)\n- Stop gnutls-serv relying on AI_ADDRCONFIG to decide listening address (#1908334)\n- Fix cert expiration issue in tests (#1908110)\n\n[3.6.14-10]\n- Port fixes for potential miscalculation in ecdsa_verify (#1942931)\n\n[3.6.14-9]\n- Revert the previous change", + References: []string{ + "https://linux.oracle.com/cve/CVE-2021-3580.html", + "https://linux.oracle.com/errata/ELSA-2022-9221.html", + }, + Severity: types.SeverityMedium, + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2021-3580", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + Title: "ELSA-2022-9221: gnutls security update (MODERATE)", + Description: "[3.6.16-4.0.1_fips]\n- Allow RSA keygen with modulus sizes bigger than 3072 bits and validate the seed length\n as defined in FIPS 186-4 section B.3.2 [Orabug: 33200526]\n- Allow bigger known RSA modulus sizes when calling\n rsa_generate_fips186_4_keypair directly [Orabug: 33200526]\n- Change Epoch from 1 to 10\n\n[3.6.16-4]\n- p11tool: Document ID reuse behavior when importing certs (#1776250)\n\n[3.6.16-3]\n- Treat SHA-1 signed CA in the trusted set differently (#1965445)\n\n[3.6.16-2]\n- Filter certificate_types in TLS 1.2 CR based on signature algorithms (#1942216)\n\n[3.6.16-1]\n- Update to upstream 3.6.16 release (#1956783)\n- Fix potential use-after-free in key_share handling (#1927597)\n- Fix potential use-after-free in pre_shared_key handling (#1927593)\n- Stop gnutls-serv relying on AI_ADDRCONFIG to decide listening address (#1908334)\n- Fix cert expiration issue in tests (#1908110)\n\n[3.6.14-10]\n- Port fixes for potential miscalculation in ecdsa_verify (#1942931)\n\n[3.6.14-9]\n- Revert the previous change", + References: []string{ + "https://linux.oracle.com/cve/CVE-2021-3580.html", + "https://linux.oracle.com/errata/ELSA-2022-9221.html", + }, + Severity: types.SeverityMedium, + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2021-20231", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + Title: 
"ELSA-2021-4451: gnutls and nettle security, bug fix, and enhancement update (MODERATE)", + Description: "gnutls\n[3.6.16-4]\n- p11tool: Document ID reuse behavior when importing certs (#1776250)\n\n[3.6.16-3]\n- Treat SHA-1 signed CA in the trusted set differently (#1965445)\n\n[3.6.16-2]\n- Filter certificate_types in TLS 1.2 CR based on signature algorithms (#1942216)\n\n[3.6.16-1]\n- Update to upstream 3.6.16 release (#1956783)\n- Fix potential use-after-free in key_share handling (#1927597)\n- Fix potential use-after-free in pre_shared_key handling (#1927593)\n- Stop gnutls-serv relying on AI_ADDRCONFIG to decide listening address (#1908334)\n- Fix cert expiration issue in tests (#1908110)\n\n[3.6.14-10]\n- Port fixes for potential miscalculation in ecdsa_verify (#1942931)\n\n[3.6.14-9]\n- Revert the previous change\n\nnettle\n[3.4.1-7]\n- Backport CVE-2021-3580 from upstream 3.7.3 release (#1967990)\n\n[3.4.1-6]\n- Enable CTR mode optimization when the block size is 16\n\n[3.4.1-5]\n- Backport powerpc64 optimization patches from upstream (#1855228)\n Patch from Christopher M. Riedl.", + References: []string{ + "https://linux.oracle.com/cve/CVE-2021-20231.html", + "https://linux.oracle.com/errata/ELSA-2021-4451.html", + }, + Severity: types.SeverityMedium, + }, + }, + { + Key: []string{"vulnerability-id", "CVE-2021-20232"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2021-3580"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2021-20231"}, + Value: map[string]interface{}{}, + }, + }, + }, { name: "happy path ELSA-ID", dir: filepath.Join("testdata", "elsa-id"), @@ -211,6 +336,9 @@ func TestVulnSrc_Update(t *testing.T) { Key: []string{"advisory-detail", "ELSA-2007-0057", "Oracle Linux 5", "bind-devel"}, Value: types.Advisory{ FixedVersion: "9.3.3-8.el5", + PatchedVersions: []string{ + "9.3.3-8.el5", + }, }, }, { 
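Review bot: The two `wantValues` entries keyed `vulnerability-detail`/`CVE-2021-3580`/`oracle-oval` are byte-identical, while CVE-2021-20232, the one CVE present in both multi-flavor fixtures, has no `vulnerability-detail` expectation at all; the second entry looks like a copy-paste slip and presumably should be keyed `CVE-2021-20232`. Fixing it matters beyond tidiness: that key is the only place this test could pin which ELSA's title, description and references survive when a CVE spans two files, which is exactly the merge behaviour the new `commit` code introduces, and as written the test passes whichever file wins. The surrounding test case starts in this hunk but the table continues past it.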
@@ -293,6 +421,9 @@ func TestVulnSrc_Get(t *testing.T) {
 {
 VulnerabilityID: "ELSA-2019-1145",
 FixedVersion: "32:9.11.4-17.P2.el8_0",
+ PatchedVersions: []string{
+ "32:9.11.4-17.P2.el8_0",
+ },
 },
 },
 },
diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml
index 05fb8b16..f7a28db9 100644
--- a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml
+++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml
@@ -5,3 +5,5 @@
 - key: ELSA-2019-1145
 value:
 FixedVersion: "32:9.11.4-17.P2.el8_0"
+ PatchedVersions:
+ - "32:9.11.4-17.P2.el8_0"
diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2021/ELSA-2021-4451.json b/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2021/ELSA-2021-4451.json
new file mode 100644
index 00000000..b2324cb8
--- /dev/null
+++ b/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2021/ELSA-2021-4451.json
@@ -0,0 +1,81 @@ +{ + "Title": "ELSA-2021-4451: gnutls and nettle security, bug fix, and enhancement update (MODERATE)", + "Description": "gnutls\n[3.6.16-4]\n- p11tool: Document ID reuse behavior when importing certs (#1776250)\n\n[3.6.16-3]\n- Treat SHA-1 signed CA in the trusted set differently (#1965445)\n\n[3.6.16-2]\n- Filter certificate_types in TLS 1.2 CR based on signature algorithms (#1942216)\n\n[3.6.16-1]\n- Update to upstream 3.6.16 release (#1956783)\n- Fix potential use-after-free in key_share handling (#1927597)\n- Fix potential use-after-free in pre_shared_key handling (#1927593)\n- Stop gnutls-serv relying on AI_ADDRCONFIG to decide listening address (#1908334)\n- Fix cert expiration issue in tests (#1908110)\n\n[3.6.14-10]\n- Port fixes for potential miscalculation in ecdsa_verify (#1942931)\n\n[3.6.14-9]\n- Revert the previous change\n\nnettle\n[3.4.1-7]\n- Backport CVE-2021-3580 from upstream 3.7.3 release (#1967990)\n\n[3.4.1-6]\n- Enable CTR mode optimization when the block size is 16\n\n[3.4.1-5]\n- Backport powerpc64 optimization patches from upstream (#1855228)\n Patch from Christopher M. 
Riedl.", + "Platform": [ + "Oracle Linux 8" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2021-4451.html", + "ID": "ELSA-2021-4451" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-20232.html", + "ID": "CVE-2021-20232" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-20231.html", + "ID": "CVE-2021-20231" + } + ], + "Criteria": { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls is signed with the Oracle Linux 8 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 8 is installed" + } + ] + }, + "Severity": "MODERATE", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-20232.html", + "ID": "CVE-2021-20232" + }, + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-20231.html", + "ID": "CVE-2021-20231" + } + ] + } \ No newline at end of file diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2022/ELSA-2022-9221.json b/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2022/ELSA-2022-9221.json new file mode 100644 index 00000000..7be22df3 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2022/ELSA-2022-9221.json 
@@ -0,0 +1,84 @@ +{ + "Title": "ELSA-2022-9221: gnutls security update (MODERATE)", + "Description": "[3.6.16-4.0.1_fips]\n- Allow RSA keygen with modulus sizes bigger than 3072 bits and validate the seed length\n as defined in FIPS 186-4 section B.3.2 [Orabug: 33200526]\n- Allow bigger known RSA modulus sizes when calling\n rsa_generate_fips186_4_keypair directly [Orabug: 33200526]\n- Change Epoch from 1 to 10\n\n[3.6.16-4]\n- p11tool: Document ID reuse behavior when importing certs (#1776250)\n\n[3.6.16-3]\n- Treat SHA-1 signed CA in the trusted set differently (#1965445)\n\n[3.6.16-2]\n- Filter certificate_types in TLS 1.2 CR based on signature algorithms (#1942216)\n\n[3.6.16-1]\n- Update to upstream 3.6.16 release (#1956783)\n- Fix potential use-after-free in key_share handling (#1927597)\n- Fix potential use-after-free in pre_shared_key handling (#1927593)\n- Stop gnutls-serv relying on AI_ADDRCONFIG to decide listening address (#1908334)\n- Fix cert expiration issue in tests (#1908110)\n\n[3.6.14-10]\n- Port fixes for potential miscalculation in ecdsa_verify (#1942931)\n\n[3.6.14-9]\n- Revert the previous change", + "Platform": [ + "Oracle Linux 8" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2022-9221.html", + "ID": "ELSA-2022-9221" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-20232.html", + "ID": "CVE-2021-20232" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-3580.html", + "ID": "CVE-2021-3580" + } + ], + "Criteria": { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls is fips patched" + } + ] + } + ], + 
"Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 8 is installed" + } + ] + }, + "Severity": "MODERATE", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-20232.html", + "ID": "CVE-2021-20232" + }, + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-3580.html", + "ID": "CVE-2021-3580" + } + ] + } \ No newline at end of file