tech-pkg archive


Re: Trust in version range in CVE



Frederic Fauberteau writes:
> Hi,
>

Hello Frederic,

> I was looking at https://nvd.nist.gov/vuln/detail/CVE-2020-13902 and I noticed that the range is ImageMagick 7.0.9-27 through 7.0.10-17. We are now at 7.0.10-32 but I did not see any reference to CVE-2020-13902 in ImageMagick's ChangeLog. Could we consider updating pkg-vulnerabilities to introduce this range? In other words, could we trust https://nvd.nist.gov/?
>

In general: no, I would always double-check the version listed with the
references and possible further upstream information (if any).
The CPE information (`Known Affected Software Configurations') on
nvd.nist.gov is outdated/incorrect most of the time in my experience
(I would just ignore it completely).

When there aren't any useful references,
https://security-tracker.debian.org/tracker/<cve-id> (where <cve-id>
is, e.g., CVE-2020-12345) is often a good resource to look at.

Most of the time, when you find a "through version x.y.z" in the CVE
description - like in that case - it's probably a wildcard entry, i.e.
`ImageMagick-[0-9]*' (as it currently is).

Most of the time, when you find a "before version x.y.z" in the CVE
description, that's usually correct.
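To see what the choice between the wildcard entry and a closed range copied from NVD means for `pkg_admin audit`, here is an added example (not from the thread, and not pkgsrc's own code) with a simplified re-implementation of the pkg-vulnerabilities pattern matching; it assumes pkgsrc's spelling of the upstream version (7.0.10-32 as 7.0.10.32), handles only numeric components plus an `nbN` revision, and uses constructed entries without the file's third "vulnerability type" column.

```python
import fnmatch
import re

# Simplified re-implementation of the pkg_admin audit matching rules, for illustration.
# Real pkgsrc dewey comparison also understands alpha/beta/rc/pl markers; only numeric
# components and an optional "nbN" pkgsrc revision are handled here.

def dewey(version):
    """Turn '7.0.10.32nb1' into ([7, 0, 10, 32], 1) for ordering."""
    base, _, nb = version.partition("nb")
    return [int(p) for p in re.findall(r"\d+", base)], int(nb) if nb else 0

def cmp_versions(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0 (7.0.10 == 7.0.10.0)."""
    pa, na = dewey(a)
    pb, nb = dewey(b)
    width = max(len(pa), len(pb))
    ka = (pa + [0] * (width - len(pa)), na)
    kb = (pb + [0] * (width - len(pb)), nb)
    return (ka > kb) - (ka < kb)

OPS = {">": lambda c: c > 0, ">=": lambda c: c >= 0, "<": lambda c: c < 0, "<=": lambda c: c <= 0}

def matches(pattern, pkg):
    """pkg is 'name-version' as pkg_info prints it; pattern is a pkg-vulnerabilities pattern."""
    name, version = pkg.rsplit("-", 1)
    m = re.fullmatch(r"([^<>]+)((?:[<>]=?[^<>]+)+)", pattern)
    if m:                                   # dewey form: ImageMagick>=7.0.9.27<=7.0.10.17
        if m.group(1) != name:
            return False
        return all(OPS[op](cmp_versions(version, bound))
                   for op, bound in re.findall(r"([<>]=?)([^<>]+)", m.group(2)))
    return fnmatch.fnmatchcase(pkg, pattern)  # glob form: ImageMagick-[0-9]*

def audit(entries, pkg):
    """CVE ids whose pattern matches the installed package."""
    return [cve for pat, cve in entries if matches(pat, pkg)]

# Constructed entries (the real file carries a third column naming the vulnerability type).
WILDCARD = [("ImageMagick-[0-9]*", "CVE-2020-13902")]                    # as currently recorded
NVD_RANGE = [("ImageMagick>=7.0.9.27<=7.0.10.17", "CVE-2020-13902")]     # closed range taken from NVD

if __name__ == "__main__":
    for pkg in ("ImageMagick-7.0.9.26", "ImageMagick-7.0.10.17", "ImageMagick-7.0.10.32"):
        print(f"{pkg:24} wildcard={audit(WILDCARD, pkg)} nvd-range={audit(NVD_RANGE, pkg)}")
```

With the closed range, 7.0.10.32 is no longer flagged even though nothing in the upstream ChangeLog confirms a fix, which is exactly the silent gap the wildcard entry avoids until the fixed version is known.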

