Greetings; I'm writing in reference to CVE-2023-27522, which, according to this AL9 security advisory, should be fixed in the package versions listed therein.
However, if I install any of the noted package versions and run an OVAL scan, the resulting report still flags the security advisory/vulnerability as applicable: ID oval:org.almalinux.alsa:def:20236403 is reported as true, when I would expect it to be false.
I'm a new Discourse group user without file-attachment privileges, but the issue seems straightforward to reproduce and illustrate using the AL9 container image (I originally ran the OVAL scan on a virtual machine with AL9.3 installed and the latest packages as of this writing):
# Start a throwaway AlmaLinux 9 container and work inside it (removed on exit).
docker run --rm --name al9test -it almalinux:9 bash
# Bring the base image up to the latest package versions first.
dnf update -y
# Install the scanner, the SCAP content, and httpd (pulled at the repository's
# current version, i.e. presumably the advisory's fixed build — confirm with rpm -q httpd).
dnf install -y openscap scap-security-guide httpd
# Download the AL9 OVAL feed over HTTPS into the current directory (-O keeps the remote name).
curl -s -O https://security.almalinux.org/oval/org.almalinux.alsa-9.xml
# Evaluate every definition in the feed against the installed RPM database; writes
# machine-readable results and an HTML report into the current directory.
# --fetch-remote-resources lets oscap download remote components the content refers to,
# so the run is network-dependent beyond the curl above.
oscap oval eval --results oval_results.xml --report oval_report.html --fetch-remote-resources org.almalinux.alsa-9.xml
From another terminal, one can retrieve the HTML report and see that the aforementioned vulnerability ID is set to "true", i.e. flagged as applying to the reference system:
# Copy the report out of the running container into the host's current directory.
# The path assumes the scan was run from / inside the container; adjust if the shell started elsewhere.
docker cp al9test:/oval_report.html .
Additional note: the following OVAL feed XML snippet (the rpminfo tests for this definition) may be relevant to this scenario:
<!-- NOTE(review): excerpt only. The rpminfo_object and rpminfo_state elements referenced
     by object_ref/state_ref are not shown, so the actual evr/epoch values the scanner
     compares against cannot be confirmed from this snippet; the comment attributes are
     informational and are not what oscap evaluates. -->
<!-- The tests below reference three distinct states: ste:20236403001 (most httpd
     subpackages, comment shows epoch 0), ste:20236403003 (httpd-filesystem, httpd-manual)
     and ste:20236403004 (mod_proxy_html, mod_ssl, whose comments show epoch 1). Comparing
     each state's evr against the advisory's NEVRAs would confirm or rule out an epoch mismatch. -->
<red-def:rpminfo_test check="at least one" comment="httpd is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403001" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067001"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-core is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403003" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067002"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-devel is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403005" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067003"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
</red-def:rpminfo_test>
<!-- state ste:20236403003 (differs from the state used by httpd/httpd-core above) -->
<red-def:rpminfo_test check="at least one" comment="httpd-filesystem is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403007" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067004"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-manual is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403009" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067005"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-tools is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403011" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067006"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_ldap is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403013" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067007"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_lua is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403015" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067008"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
</red-def:rpminfo_test>
<!-- epoch 1 packages: the comment strings below carry "1:" and both reference state ste:20236403004 -->
<red-def:rpminfo_test check="at least one" comment="mod_proxy_html is earlier than 1:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403017" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067009"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_session is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403019" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067010"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_ssl is earlier than 1:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403021" version="637">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067011"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403004"/>
</red-def:rpminfo_test>
<!-- The test below appears to belong to a different advisory (ID series 20236409, libvirt)
     and is presumably unrelated to definition 20236403; included here only because it
     followed in the feed. -->
<red-def:rpminfo_test check="at least one" comment="libvirt is earlier than 0:9.5.0-7.el9_3" id="oval:org.almalinux.alsa:tst:20236409001" version="636">
<red-def:object object_ref="oval:org.almalinux.alsa:obj:20228003001"/>
<red-def:state state_ref="oval:org.almalinux.alsa:ste:20236409001"/>
</red-def:rpminfo_test>
I wonder whether the presence of the package epoch prefix (the `0:`/`1:` in the version strings above) has anything to do with this.