| Field | Value |
|---|---|
| Summary | GLSA announcements show non-vulnerable versions of packages as affected |
| Product | Websites |
| Reporter | cmwatts |
| Component | Other |
| Assignee | Gentoo Website Team <www> |
| Status | CONFIRMED |
| Severity | enhancement |
| CC | bertrand, gentoo, security |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description
cmwatts
2022-11-08 21:27:59 UTC
Specifically, this is about the page here: https://security.gentoo.org/glsa/202211-01

If anyone is relying on the GLSA page at security.gentoo.org as an authoritative source of truth for GLSA content, I'd say that's a bug in itself. The range of affected packages is explicit in the GLSA XML itself (https://gitweb.gentoo.org/data/glsa.git/tree/glsa-202211-01.xml#n13):

    <unaffected range="ge" slot="0/3">3.0.7</unaffected>
    <vulnerable range="lt" slot="0/3">3.0.7</vulnerable>

That slot is only held by versions of Openssl-3, so the GLSA does indeed accurately target the right versions. Going to reassign this bug as a websites issue. Thank you.

I am looking at the NASL for Tenable/Nessus plugin 166788 (gentoo_GLSA-202211-01.nasl). It appears they got it 'right' on this one, as it contains an 'unaffected' list of "ge 3.0.7", "lt 3.0.0". This behavior by Tenable was last seen with respect to this GLSA: https://security.gentoo.org/glsa/202004-10 It was a similar situation where 1.1.1g was required for openssl if you were running 1.1.1d-1.1.1f versions of openssl, but openssl 1.0.2x and 1.1.1a-c were unaffected at that time, which (unless Tenable has changed their methodology) makes me suspect that they are just reading the web page and building their Gentoo-related plugins, as opposed to consuming the XML and understanding slotting. At the time, we opened a ticket with Tenable, and they claimed that Gentoo had said 'less than 1.1.1g is vulnerable', so they were going with what the vendor web page said, which made me suspect that they did not understand the non-vulnerable versions prior to 1.1.1g at that time. I don't disagree that Tenable should read the XML and understand the slotting to evaluate vulnerabilities. And maybe they are now based on this current GLSA and its corresponding plugin source - or maybe the publicity around this bug stimulated them to do the 'right thing' just in this particular instance. It's hard to say as I lack visibility into their internal processes for building Gentoo-specific plugins. I also think it would be better if the web page were accurate in terms of humans consuming this information as a general point and would still mitigate potential future issues with scan vendors. I.e.: My opinion, for what it's worth, is that having the web page versions of GLSA clearly specify vulnerable package versions would be a net positive.

In the case of GLSA-202004-10, Tenable is right, we do mark <1.1.1g as vulnerable. As I recall, that GLSA was pushed through by Whissi (now retired) without any review, which shouldn't happen anymore. In any case, openssl versions <1.1.1 are masked now, so there's no reason to touch the GLSA at this point. (Of course, that's orthogonal to the UI issue of the website; that is indeed a valid issue.)

Thank you for that clarification. Will look forward to feedback as far as whether we can get the website to match the slotting so as to increase accuracy from a UI perspective, as we are hoping for.
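The thread's point is that the GLSA XML scopes its `unaffected`/`vulnerable` ranges to a slot, so a consumer that honours the slot will not flag an OpenSSL 1.1.1 install against a slot `0/3` advisory. The following is an added example (not Gentoo's or Tenable's code) of a minimal slot-aware evaluator over a constructed fragment built around the two range elements quoted above; the package atom `dev-libs/openssl`, the `0/1.1` slot for the 1.1.1 series, and the simplified version parser are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed GLSA fragment: the two range elements are those quoted from
# glsa-202211-01.xml; the surrounding structure and the package atom are
# assumed here so the fragment parses stand-alone.
GLSA_XML = """<glsa id="202211-01">
  <affected>
    <package name="dev-libs/openssl" auto="yes" arch="*">
      <unaffected range="ge" slot="0/3">3.0.7</unaffected>
      <vulnerable range="lt" slot="0/3">3.0.7</vulnerable>
    </package>
  </affected>
</glsa>"""

_OPS = {
    "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b,
    "le": lambda a, b: a <= b, "lt": lambda a, b: a < b,
    "eq": lambda a, b: a == b,
}

def parse_version(v: str) -> tuple:
    # Simplified sort key (assumption: enough for x.y.z and x.y.zg style
    # versions; not the full Gentoo PMS version grammar).
    parts = []
    for piece in v.replace("_", ".").replace("-", ".").split("."):
        num = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(num) if num else 0, piece[len(num):]))
    return tuple(parts)

def classify(glsa_xml: str, package: str, version: str, slot: str) -> str:
    """Return 'unaffected', 'vulnerable' or 'not covered' for one installed
    package instance. A range element applies only to its own slot (or to
    every slot when it carries no slot attribute); unaffected ranges are
    checked first so they take precedence, as in GLSA semantics."""
    installed = parse_version(version)
    for pkg in ET.fromstring(glsa_xml).iter("package"):
        if pkg.get("name") != package:
            continue
        for tag in ("unaffected", "vulnerable"):
            for rng in pkg.findall(tag):
                if rng.get("slot") not in (None, slot):
                    continue  # advisory range is for a different slot
                if _OPS[rng.get("range")](installed, parse_version(rng.text.strip())):
                    return tag
    return "not covered"

if __name__ == "__main__":
    for ver, slot in [("3.0.6", "0/3"), ("3.0.7", "0/3"), ("1.1.1q", "0/1.1")]:
        print(f"openssl-{ver} slot {slot}: {classify(GLSA_XML, 'dev-libs/openssl', ver, slot)}")
```

The 1.1.1 instance comes back as "not covered" rather than "vulnerable", which is the distinction the website rendering loses when it prints only "< 3.0.7".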