** Description changed: recently published OVAL definition (https://people.canonical.com /~ubuntu-security/oval/) may have some breaking change as following: all definition which referenced 'linux' binary package object, has been affected. How to reproduce: for example find definition id: oval:com.ubuntu.xenial:def:2019114770000000 then in criterions find test_ref="oval:com.ubuntu.xenial:tst:2019114770000000" then in that test, find object: oval:com.ubuntu.xenial:obj:201245420000000, which represent 'linux' package binaries. + + <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:201245420000000" version="1" comment="The 'linux' package binaries."> + <linux-def:name var_ref="oval:com.ubuntu.xenial:var:201245420000000" var_check="at least one" /> + </linux-def:dpkginfo_object> + + in this `dpkginfo_object`, <linux-def:name> used to contain only the name of the binary package, but now it contains a var_ref which points to multiple full name of the most recent binary package for linux kernel image: - <constant_variable id="oval:com.ubuntu.xenial:var:201245420000000" version="1" datatype="string" comment="'linux' package binaries"> - <value>linux-image-4.4.0-151-generic</value> - <value>linux-image-4.4.0-151-generic-lpae</value> - <value>linux-image-4.4.0-151-lowlatency</value> - <value>linux-image-4.4.0-151-powerpc-e500mc</value> - <value>linux-image-4.4.0-151-powerpc-smp</value> - <value>linux-image-4.4.0-151-powerpc64-emb</value> - <value>linux-image-4.4.0-151-powerpc64-smp</value> - <value>linux-image-unsigned-4.4.0-151-generic</value> - <value>linux-image-unsigned-4.4.0-151-lowlatency</value> - </constant_variable> + <constant_variable id="oval:com.ubuntu.xenial:var:201245420000000" version="1" datatype="string" comment="'linux' package binaries"> + <value>linux-image-4.4.0-151-generic</value> + <value>linux-image-4.4.0-151-generic-lpae</value> + <value>linux-image-4.4.0-151-lowlatency</value> + <value>linux-image-4.4.0-151-powerpc-e500mc</value> + 
<value>linux-image-4.4.0-151-powerpc-smp</value> + <value>linux-image-4.4.0-151-powerpc64-emb</value> + <value>linux-image-4.4.0-151-powerpc64-smp</value> + <value>linux-image-unsigned-4.4.0-151-generic</value> + <value>linux-image-unsigned-4.4.0-151-lowlatency</value> + </constant_variable> + In previous version, an object of 'Linux' package has no var_ref and + looks like this: - I believe this is an error, an 'linux' binary package should not contain any version information, as can be seen in other packages objects which only contains a name of package. + <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20137445000" version="1" comment="The 'linux' package."> + <linux-def:name>linux</linux-def:name> + </linux-def:dpkginfo_object> + + I believe this is an error, an 'linux' binary package should not contain + any version information, as can be seen in other packages objects which + only contains a name of package. can you please explain the purpose of this section?
** Description changed: recently published OVAL definition (https://people.canonical.com /~ubuntu-security/oval/) may have some breaking change as following: all definition which referenced 'linux' binary package object, has been affected. How to reproduce: for example find definition id: oval:com.ubuntu.xenial:def:2019114770000000 then in criterions find test_ref="oval:com.ubuntu.xenial:tst:2019114770000000" then in that test, find object: oval:com.ubuntu.xenial:obj:201245420000000, which represent 'linux' package binaries. - <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:201245420000000" version="1" comment="The 'linux' package binaries."> - <linux-def:name var_ref="oval:com.ubuntu.xenial:var:201245420000000" var_check="at least one" /> - </linux-def:dpkginfo_object> + # oval:com.ubuntu.xenial:obj:201245420000000 + + <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:201245420000000" version="1" comment="The 'linux' package binaries."> + <linux-def:name var_ref="oval:com.ubuntu.xenial:var:201245420000000" var_check="at least one" /> + </linux-def:dpkginfo_object> in this `dpkginfo_object`, <linux-def:name> used to contain only the name of the binary package, but now it contains a var_ref which points to multiple full name of the most recent binary package for linux kernel image: + + # oval:com.ubuntu.xenial:var:201245420000000 <constant_variable id="oval:com.ubuntu.xenial:var:201245420000000" version="1" datatype="string" comment="'linux' package binaries"> <value>linux-image-4.4.0-151-generic</value> <value>linux-image-4.4.0-151-generic-lpae</value> <value>linux-image-4.4.0-151-lowlatency</value> <value>linux-image-4.4.0-151-powerpc-e500mc</value> <value>linux-image-4.4.0-151-powerpc-smp</value> <value>linux-image-4.4.0-151-powerpc64-emb</value> <value>linux-image-4.4.0-151-powerpc64-smp</value> <value>linux-image-unsigned-4.4.0-151-generic</value> <value>linux-image-unsigned-4.4.0-151-lowlatency</value> </constant_variable> In previous 
version, an object of 'Linux' package has no var_ref and looks like this: - <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20137445000" version="1" comment="The 'linux' package."> - <linux-def:name>linux</linux-def:name> - </linux-def:dpkginfo_object> + # oval:com.ubuntu.xenial:obj:20137445000 + <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20137445000" version="1" comment="The 'linux' package."> + <linux-def:name>linux</linux-def:name> + </linux-def:dpkginfo_object> I believe this is an error, an 'linux' binary package should not contain any version information, as can be seen in other packages objects which only contains a name of package. can you please explain the purpose of this section? ** Information type changed from Public to Public Security ** Description changed: recently published OVAL definition (https://people.canonical.com /~ubuntu-security/oval/) may have some breaking change as following: all definition which referenced 'linux' binary package object, has been affected. How to reproduce: for example find definition id: oval:com.ubuntu.xenial:def:2019114770000000 then in criterions find test_ref="oval:com.ubuntu.xenial:tst:2019114770000000" then in that test, find object: oval:com.ubuntu.xenial:obj:201245420000000, which represent 'linux' package binaries. 
# oval:com.ubuntu.xenial:obj:201245420000000 <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:201245420000000" version="1" comment="The 'linux' package binaries."> <linux-def:name var_ref="oval:com.ubuntu.xenial:var:201245420000000" var_check="at least one" /> </linux-def:dpkginfo_object> - - in this `dpkginfo_object`, <linux-def:name> used to contain only the name of the binary package, but now it contains a var_ref which points to multiple full name of the most recent binary package for linux kernel image: - + in this `dpkginfo_object`, <linux-def:name> used to contain only the + name of the binary package, but now it contains a var_ref which points + to multiple full name of the most recent binary package for linux kernel + image: # oval:com.ubuntu.xenial:var:201245420000000 <constant_variable id="oval:com.ubuntu.xenial:var:201245420000000" version="1" datatype="string" comment="'linux' package binaries"> <value>linux-image-4.4.0-151-generic</value> <value>linux-image-4.4.0-151-generic-lpae</value> <value>linux-image-4.4.0-151-lowlatency</value> <value>linux-image-4.4.0-151-powerpc-e500mc</value> <value>linux-image-4.4.0-151-powerpc-smp</value> <value>linux-image-4.4.0-151-powerpc64-emb</value> <value>linux-image-4.4.0-151-powerpc64-smp</value> <value>linux-image-unsigned-4.4.0-151-generic</value> <value>linux-image-unsigned-4.4.0-151-lowlatency</value> </constant_variable> In previous version, an object of 'Linux' package has no var_ref and looks like this: # oval:com.ubuntu.xenial:obj:20137445000 <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20137445000" version="1" comment="The 'linux' package."> <linux-def:name>linux</linux-def:name> </linux-def:dpkginfo_object> + + Compare the object above to the recent version + oval:com.ubuntu.xenial:obj:201245420000000, we can see there's a change of 'linux' package object, but of which meaning is not yet clear. 
+ I believe this is an error, an 'linux' binary package should not contain any version information, as can be seen in other packages objects which only contains a name of package. can you please explain the purpose of this section? ** Description changed: recently published OVAL definition (https://people.canonical.com /~ubuntu-security/oval/) may have some breaking change as following: all definition which referenced 'linux' binary package object, has been affected. How to reproduce: for example find definition id: oval:com.ubuntu.xenial:def:2019114770000000 then in criterions find test_ref="oval:com.ubuntu.xenial:tst:2019114770000000" then in that test, find object: oval:com.ubuntu.xenial:obj:201245420000000, which represent 'linux' package binaries. # oval:com.ubuntu.xenial:obj:201245420000000 <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:201245420000000" version="1" comment="The 'linux' package binaries."> <linux-def:name var_ref="oval:com.ubuntu.xenial:var:201245420000000" var_check="at least one" /> </linux-def:dpkginfo_object> in this `dpkginfo_object`, <linux-def:name> used to contain only the name of the binary package, but now it contains a var_ref which points to multiple full name of the most recent binary package for linux kernel image: # oval:com.ubuntu.xenial:var:201245420000000 <constant_variable id="oval:com.ubuntu.xenial:var:201245420000000" version="1" datatype="string" comment="'linux' package binaries"> <value>linux-image-4.4.0-151-generic</value> <value>linux-image-4.4.0-151-generic-lpae</value> <value>linux-image-4.4.0-151-lowlatency</value> <value>linux-image-4.4.0-151-powerpc-e500mc</value> <value>linux-image-4.4.0-151-powerpc-smp</value> <value>linux-image-4.4.0-151-powerpc64-emb</value> <value>linux-image-4.4.0-151-powerpc64-smp</value> <value>linux-image-unsigned-4.4.0-151-generic</value> <value>linux-image-unsigned-4.4.0-151-lowlatency</value> </constant_variable> In previous version, an object of 'Linux' package has no 
var_ref and looks like this: # oval:com.ubuntu.xenial:obj:20137445000 <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20137445000" version="1" comment="The 'linux' package."> <linux-def:name>linux</linux-def:name> </linux-def:dpkginfo_object> - - Compare the object above to the recent version - oval:com.ubuntu.xenial:obj:201245420000000, we can see there's a change of 'linux' package object, but of which meaning is not yet clear. + Compare the object above to the recent version + oval:com.ubuntu.xenial:obj:201245420000000, we can see there's a change of 'linux' package object, but of which meaning is not yet clear. I believe this is an error, an 'linux' binary package should not contain any version information, as can be seen in other packages objects which only contains a name of package. - - can you please explain the purpose of this section?

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1834439

Title:
  designated object in OVAL definition may be wrong

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Recently published OVAL definitions (https://people.canonical.com/~ubuntu-security/oval/) may have a breaking change, as follows: all definitions which reference the 'linux' binary package object have been affected.

  How to reproduce: for example, find definition id oval:com.ubuntu.xenial:def:2019114770000000, then in the criterions find test_ref="oval:com.ubuntu.xenial:tst:2019114770000000", then in that test find object oval:com.ubuntu.xenial:obj:201245420000000, which represents the 'linux' package binaries.

  # oval:com.ubuntu.xenial:obj:201245420000000

      <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:201245420000000" version="1" comment="The 'linux' package binaries.">
          <linux-def:name var_ref="oval:com.ubuntu.xenial:var:201245420000000" var_check="at least one" />
      </linux-def:dpkginfo_object>

  In this `dpkginfo_object`, <linux-def:name> used to contain only the name of the binary package, but now it contains a var_ref which points to multiple full names of the most recent binary packages for the linux kernel image:

  # oval:com.ubuntu.xenial:var:201245420000000

      <constant_variable id="oval:com.ubuntu.xenial:var:201245420000000" version="1" datatype="string" comment="'linux' package binaries">
          <value>linux-image-4.4.0-151-generic</value>
          <value>linux-image-4.4.0-151-generic-lpae</value>
          <value>linux-image-4.4.0-151-lowlatency</value>
          <value>linux-image-4.4.0-151-powerpc-e500mc</value>
          <value>linux-image-4.4.0-151-powerpc-smp</value>
          <value>linux-image-4.4.0-151-powerpc64-emb</value>
          <value>linux-image-4.4.0-151-powerpc64-smp</value>
          <value>linux-image-unsigned-4.4.0-151-generic</value>
          <value>linux-image-unsigned-4.4.0-151-lowlatency</value>
      </constant_variable>

  In the previous version, an object of the 'Linux' package has no var_ref and looks like this:

  # oval:com.ubuntu.xenial:obj:20137445000

      <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20137445000" version="1" comment="The 'linux' package.">
          <linux-def:name>linux</linux-def:name>
      </linux-def:dpkginfo_object>

  Comparing the object above to the recent version, oval:com.ubuntu.xenial:obj:201245420000000, we can see there's a change to the 'linux' package object, but its meaning is not yet clear.

  I believe this is an error: a 'linux' binary package should not contain any version information, as can be seen in other package objects, which only contain the name of a package.
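
Added example, not part of the bug report or of Ubuntu's OVAL tooling: a consumer-side resolver that handles both object shapes quoted above, reading the package name from the element text when there is no var_ref and following the var_ref to its constant_variable otherwise. The wrapper element, the shortened value list and the helper name `resolve_dpkg_names` are assumptions made for the sample; the namespaces are the standard OVAL 5 ones.

```python
import xml.etree.ElementTree as ET

OVAL = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
LINUX = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}"

# Constructed sample: both object shapes from the report inside a minimal
# wrapper (an assumption); the variable's value list is cut to two entries.
SAMPLE = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20137445000" version="1">
    <linux-def:name>linux</linux-def:name>
  </linux-def:dpkginfo_object>
  <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:201245420000000" version="1">
    <linux-def:name var_ref="oval:com.ubuntu.xenial:var:201245420000000" var_check="at least one" />
  </linux-def:dpkginfo_object>
  <constant_variable id="oval:com.ubuntu.xenial:var:201245420000000" version="1" datatype="string">
    <value>linux-image-4.4.0-151-generic</value>
    <value>linux-image-4.4.0-151-lowlatency</value>
  </constant_variable>
</oval_definitions>
"""


def resolve_dpkg_names(xml_text):
    """Return {object id: (package names, var_check or None)} (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    # Index constant_variable values by id so a var_ref can be followed.
    variables = {
        var.get("id"): [v.text.strip() for v in var.findall(OVAL + "value") if v.text]
        for var in root.iter(OVAL + "constant_variable")
    }
    resolved = {}
    for obj in root.iter(LINUX + "dpkginfo_object"):
        name = obj.find(LINUX + "name")
        if name is None:
            continue
        ref = name.get("var_ref")
        if ref is None:
            # Old shape: the package name is the element's text.
            resolved[obj.get("id")] = ([(name.text or "").strip()], None)
        elif ref in variables:
            # New shape: the element is empty, so a consumer reading only
            # name.text sees no package; the names come from the variable.
            resolved[obj.get("id")] = (variables[ref], name.get("var_check"))
        else:
            raise KeyError(f"{obj.get('id')} references undefined variable {ref}")
    return resolved
```
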