
feat(ubuntu): Support Ubuntu 14.04 and 16.04 ESM #1682

Merged
merged 3 commits into from
May 31, 2023

Conversation


@kotakanbe kotakanbe commented May 24, 2023

What did you implement:

The Ubuntu Security Tracker includes data for Ubuntu ESM.
This update enables Vuls to scan Ubuntu Linux versions even after their End of Life (EOL).

For details, see vulsio/gost#185

Type of change

  • New feature (non-breaking change which adds functionality)

How Has This Been Tested?

$ ./vuls.new -v 
vuls-v0.23.2-build-20230525_043547_5223596

vuls report

u16 (ubuntu16.04)
=================
Total: 333 (Critical:42 High:105 Medium:175 Low:11 ?:0)
291/333 Fixed, 138 poc, 1 exploits, cisa: 0, uscert: 0, jpcert: 36 alerts
431 installed

Warning: Some warnings occurred.
[Standard OS support is EOL(End-of-Life). Purchase extended support if available or Upgrading your OS is strongly recommended. Extended support available until 2024-04-01. Check the vendor site.]

+------------------+------+--------+-----+-----------+---------+--------------------------------+
|      CVE-ID      | CVSS | ATTACK | POC |   ALERT   |  FIXED  |            PACKAGES            |
+------------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2016-1585    |  9.8 |  AV:N  |     |           | unfixed | libapparmor1                   |
+------------------+------+--------+-----+-----------+---------+--------------------------------+
...snip

--format-full-text

https://ubuntu.com/security/CVE-2016-7948

...snip...
+------------------------+-----------------------------------------------------------------------------------------------------+
| CVE-2016-7948          | FIXED                                                                                               |
+------------------------+-----------------------------------------------------------------------------------------------------+
| Max Score              | 9.8 CRITICAL (nvd)                                                                                  |
| nvd                    | 9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CRITICAL                                           |
| jvn                    | 9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CRITICAL                                           |
| ubuntu_api             | 0.1-3.9 LOW                                                                                         |
| nvd                    | 7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P HIGH                                                                 |
| jvn                    | 7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P HIGH                                                                 |
| Summary                | X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds                       |
|                        | write operations by leveraging mishandling of reply data.                                           |
| Primary Src            | https://lists.x.org/archives/xorg-announce/2016-October/002720.html                                 |
| Primary Src            | https://nvd.nist.gov/vuln/detail/CVE-2016-7948                                                      |
| Primary Src            | https://ubuntu.com/security/CVE-2016-7948                                                           |
| Patch                  | https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6 |
| Affected Pkg           | libxrandr2-2:1.5.0-1 -> Unknown (FixedIn: 2:1.5.0-1ubuntu0.1~esm1)                                  |
| Confidence             | 100 / UbuntuAPIMatch                                                                                |
| CWE                    | [CWE(2019) Top12] CWE-787: Out-of-bounds Write (nvd)                                                |
| CWE                    | [CWE(2020) Top2] CWE-787: Out-of-bounds Write (nvd)                                                 |
| CWE                    | [CWE(2021) Top1] CWE-787: Out-of-bounds Write (nvd)                                                 |
| CWE                    | [CWE(2022) Top1] CWE-787: Out-of-bounds Write (nvd)                                                 |
| CWE                    | [CWE/SANS(latest) Top12]  CWE-787: Out-of-bounds Write (nvd)                                        |
| CWE                    | https://cwe.mitre.org/data/definitions/CWE-787.html                                                 |
| CWE(2019) Top25        | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                                        |
| CWE(2020) Top25        | https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html                                        |
| CWE(2021) Top25        | https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html                                        |
| CWE(2022) Top25        | https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html                                        |
| SANS/CWE(latest) Top25 | https://www.sans.org/top25-software-errors/                                                         |
+------------------------+-----------------------------------------------------------------------------------------------------+
...snip

Integration test

  • Redis vs RDB ... no diff

Checklist:

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES
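The full-text report above shows the decision this feature relies on: `libxrandr2` at `2:1.5.0-1` is compared against the ESM fix version `2:1.5.0-1ubuntu0.1~esm1`, and the package counts as affected only because dpkg ordering says the installed version is older. The following is an added example, not code from Vuls or gost: a self-contained reimplementation of dpkg's version comparison (epoch, then upstream version, then Debian revision, with `~` sorting before even the end of a string) run over the versions from that report. Function names are my own, and the generalization beyond the single `libxrandr2` case (epochs, leading zeros, letter suffixes) follows dpkg's documented algorithm.

```python
import re
from itertools import zip_longest

_RUN = re.compile(r"(\D*)(\d*)")  # one non-digit run, then one numeric run

def _order(c: str) -> int:
    """dpkg's weight of a non-digit character ('' is end of string): '~' sorts
    before even the end of the string, letters before any other punctuation."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare one fragment (epoch, upstream or revision) like dpkg's
    verrevcmp(): alternate non-digit runs and numeric runs, left to right."""
    i = j = 0
    while i < len(a) or j < len(b):
        ma, mb = _RUN.match(a, i), _RUN.match(b, j)
        # non-digit run, character by character; an exhausted side weighs 0
        for x, y in zip_longest(ma[1], mb[1], fillvalue=""):
            if d := _order(x) - _order(y):
                return d
        # numeric run: leading zeros are insignificant, then the longer run wins
        na, nb = ma[2].lstrip("0"), mb[2].lstrip("0")
        if na != nb:
            return 1 if (len(na), na) > (len(nb), nb) else -1
        i, j = ma.end(), mb.end()
    return 0

def _split(v: str) -> tuple[str, str, str]:
    """'epoch:upstream-revision' -> (epoch, upstream, revision); the epoch and
    the revision (everything after the last '-') may be absent."""
    epoch, _, v = v.partition(":") if ":" in v else ("", "", v)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision

def compare(a: str, b: str) -> int:
    """Order two dpkg versions as `dpkg --compare-versions` does: epoch first,
    then upstream version, then Debian revision. -1: a older, 0: equal, 1: newer."""
    for x, y in zip(_split(a), _split(b)):
        if c := _verrevcmp(x, y):
            return 1 if c > 0 else -1
    return 0

def affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the advisory's FixedIn."""
    return compare(installed, fixed_in) < 0
```

Note that `2:1.5.0-1ubuntu0.1~esm1` sorts below `2:1.5.0-1ubuntu0.1`, so an ESM-suffixed FixedIn never marks a later non-ESM build as vulnerable by accident.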

@kotakanbe kotakanbe changed the title Support Ubuntu 14.04 and 16.04 ESM feat(ubuntu): Support Ubuntu 14.04 and 16.04 ESM May 24, 2023
@kotakanbe kotakanbe marked this pull request as ready for review May 31, 2023 00:27
@kotakanbe kotakanbe merged commit 5a69804 into master May 31, 2023
@kotakanbe kotakanbe deleted the esm branch May 31, 2023 00:27