tech-pkg archive


Re: Trust in version range in CVE



Leonardo Taccari writes:
> Frederic Fauberteau writes:
>> Hi,
>>
> 
> Hello Frederic,

Hello Leonardo,

>> I was looking at https://nvd.nist.gov/vuln/detail/CVE-2020-13902 and I noticed that range is ImageMagick 7.0.9-27 through 7.0.10-17. We are now at 7.0.10-32 but I did not see any reference to CVE-2020-13902 in ImageMagick's ChangeLog. Could we consider to update pkg-vulnerabilities to introduce this range? In other words, could we trust https://nvd.nist.gov/?
>>
> 
> In general: no, I would always double-check the version listed against the
> references and possible further upstream information (if any).
> The CPE information (`Known Affected Software Configurations') on
> nvd.nist.gov most of the times is outdated/incorrect in my experience
> (I would just ignore it completely).
> 
> When there aren't any useful references often
> https://security-tracker.debian.org/tracker/<cve-id> (where <cve-id>
> is, e.g. CVE-2020-12345) is a possible good resource to look.
> 
> Most of the times you find a "through version x.y.z" in the CVE
> description - like in that case - it's probably a wildcard entry, i.e.
> `ImageMagick-[0-9]*' (as it currently is).
> 
> Most of the times you find a "before version x.y.z" in the CVE
> description, that's usually correct.
Thank you for this clear explanation. You confirm the doubts I had about what I considered an upper bound but which was not referenced upstream.
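The distinction Leonardo draws above (a "through x.y.z" CVE kept as the wildcard `ImageMagick-[0-9]*` versus a "before x.y.z" CVE expressed as a dewey `<x.y.z` bound) comes down to how pkg_admin audit matches pkg-vulnerabilities patterns against installed PKGNAMEs. The following is an added example, not code from the thread or from pkgsrc: a simplified re-implementation of that matching (glob patterns plus dewey comparisons with `nb` revisions and pre-release modifiers), run over constructed entries. It assumes pkgsrc packages upstream ImageMagick 7.0.10-17 as `ImageMagick-7.0.10.17` (the upstream hyphen becomes a dot in PKGNAME); the CVE labels in the sample entries are illustrative, and `{a,b}` alternates are not implemented.

```python
"""Toy pkg-vulnerabilities matcher (added example, not pkgsrc/pkg_admin code).

Shows why a "through x.y.z" CVE left as a wildcard entry keeps flagging the
newest package, while a dewey "<x.y.z" entry stops matching once the bound is
passed. Assumption: pkgsrc PKGNAME for upstream 7.0.10-17 is ImageMagick-7.0.10.17.
"""
import fnmatch
import re

# Pre-release modifiers sort before the bare version (simplified from pkgsrc dewey).
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}
_TOKEN_RE = re.compile(r"\d+|[A-Za-z]+|[._\-]")
_NB_RE = re.compile(r"^(.*?)nb(\d+)$")
_OP_RE = re.compile(r"([<>]=?)([^<>]+)")


def split_pkgname(pkgname):
    """'ImageMagick-7.0.10.17nb1' -> ('ImageMagick', '7.0.10.17nb1')."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def dewey_tokens(version):
    """Version -> (list of ints, nb revision). Simplified dewey rules:
    digits are numbers, separators are 0, known modifiers are negative,
    a single letter becomes (0, letter index) so that 1.2a > 1.2."""
    nb = 0
    m = _NB_RE.match(version)
    if m:
        version, nb = m.group(1), int(m.group(2))
    tokens = []
    for tok in _TOKEN_RE.findall(version):
        if tok.isdigit():
            tokens.append(int(tok))
        elif tok in "._-":
            tokens.append(0)
        elif tok.lower() in MODIFIERS:
            tokens.append(MODIFIERS[tok.lower()])
        elif len(tok) == 1:
            tokens.extend([0, ord(tok.lower()) - ord("a") + 1])
        else:
            tokens.append(0)  # unknown word: treated as a separator (simplification)
    return tokens, nb


def dewey_cmp(a, b):
    """Return <0, 0, >0 as version a is older than, equal to, newer than b.
    The nb revision only decides when the main versions are equal."""
    ta, nba = dewey_tokens(a)
    tb, nbb = dewey_tokens(b)
    width = max(len(ta), len(tb))
    ta += [0] * (width - len(ta))
    tb += [0] * (width - len(tb))
    if ta != tb:
        return -1 if ta < tb else 1
    return (nba > nbb) - (nba < nbb)


def match_pattern(pattern, pkgname):
    """Does one pkg-vulnerabilities pattern match an installed PKGNAME?

    Dewey patterns: NAME<VER, NAME<=VER, NAME>=A<B, ... (exact package name required).
    Anything else is a shell glob over the whole PKGNAME, e.g. 'ImageMagick-[0-9]*'.
    """
    m = re.match(r"^([^<>]+?)([<>].*)$", pattern)
    if not m:
        return fnmatch.fnmatchcase(pkgname, pattern)
    name, conditions = m.groups()
    pkg_name, pkg_version = split_pkgname(pkgname)
    if pkg_name != name:
        return False
    for op, ver in _OP_RE.findall(conditions):
        c = dewey_cmp(pkg_version, ver)
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True


def audit(pkgname, entries):
    """Return the (pattern, label) entries that flag pkgname, like pkg_admin audit."""
    return [(pat, label) for pat, label in entries if match_pattern(pat, pkgname)]


if __name__ == "__main__":
    # Constructed entries: the wildcard form the thread says the CVE currently has,
    # and the two bounded forms it would take if the NVD range were trusted.
    entries = [
        ("ImageMagick-[0-9]*", "wildcard ('through' reading)"),
        ("ImageMagick<7.0.10.18", "dewey bound ('before 7.0.10-18' reading)"),
        ("ImageMagick>=7.0.9.27<7.0.10.18", "dewey range (NVD's exact range)"),
    ]
    for pkg in ("ImageMagick-7.0.10.17", "ImageMagick-7.0.10.32", "ImageMagick-7.0.9.26"):
        print(pkg, "->", [label for _, label in audit(pkg, entries)])
```

Running it shows the practical consequence of the choice: `ImageMagick-7.0.10.32` is flagged only by the wildcard entry, so keeping the wildcard is the conservative choice when the upper bound cannot be confirmed upstream, while a dewey bound silently stops matching as soon as the package passes it.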

