Patch Tuesday defs & fixes


Robert Hollis

Happy morning after PT!

Woj,

I’m hoping I saved you a bunch of work here, instead of making it.  As requested, long, long ago, fixes are separated from new definitions in the zip.  However, I counted defs that aren’t yet in the repo (the def:999- series) to be existing and thus fixes.  (def:9980 and def:9981 break that rule for some reason, but please give proper credit for authorship there since they are not of my hands.)  That might screw up versioning a bit.  Please let me know how this fits your process.

One thing that may not be clear from the comments… one of the recent definitions introduced a 3rd definition to the repo to identify “Service Pack 2”.  I changed that to an existing id, and found other duplicates.  I therefore changed references from tst:3341 (3 instances) to tst:3019 (86 instances).

The rest should be clear.  Of course, things are always clear to the author.  Bounce back questions if needed.  Thanks!

            -rob

Chg (oval:org.mitre.oval:def:497)
            MS05-039, MS05-039, CVE-2005-1983
            -- Dropped reference to tst:3341 in favor of tst:3019. --

Chg (oval:org.mitre.oval:def:376)
            MS05-041, MS05-041, CVE-2005-1218
            -- Dropped reference to tst:3341 in favor of tst:3019. --

Chg (oval:org.mitre.oval:def:256)
            MS05-043, MS05-043, CVE-2005-1984
            -- Dropped reference to tst:3341 in favor of tst:3019. --

NEW class:inventory (oval:org.mitre.oval:def:1799)
            Microsoft Windows XP, SP2 (64-bit) is installed

Chg (oval:org.mitre.oval:def:1385)
            CVE-2006-5586, MS07-017
            -- Removed criteria sections and affected.family elements for S03 and Vista. MS07-017 says they are not affected.  Updated description from '**RESERVED**'. --

Chg class:inventory (oval:org.mitre.oval:def:1935)
            -- Dropped tst:4078 in favor of existing tst:3019. --

Chg (oval:org.mitre.oval:def:1927)
            CVE-2007-1215, MS07-017
            -- Altered S03 section of criteria to reference proper Gdi32.dll file versions for S03,SP1 and S03,SP2. --

Chg (oval:org.mitre.oval:def:1923)
            CVE-2007-1212, MS07-017
            -- Altered S03 section of criteria to reference proper Gdi32.dll file versions for S03,SP1 and S03,SP2.  Updated the description from '**RESERVED**'. --

Chg (oval:org.mitre.oval:def:1854)
            CVE-2007-0038, MS07-017
            -- Altered S03 section of criteria to reference proper Gdi32.dll file versions for S03,SP1 and S03,SP2.  Updated description from **RESERVED**. --

Chg (oval:org.mitre.oval:def:1797)
            CVE-2007-1213, MS07-017
            -- Removed criteria sections and affected.family elements for XP, S03, and Vista. MS07-017 says they are not affected.  Updated the description from **RESERVED**. --

Chg (oval:org.mitre.oval:def:2056)
            CVE-2006-5758, MS07-017
            -- Removed criteria sections and affected.family elements for S03 and Vista. MS07-017 says they are not affected. --

Chg (oval:org.mitre.oval:def:1571)
            MS07-017, CVE-2007-1211
            -- Removed criteria section and affected.family for Vista; MS07-017 says it's not affected.  Altered S03 section of criteria to reference proper Gdi32.dll file versions for S03,SP1 and S03,SP2.  Updated the description from '**RESERVED**'. --

NEW (oval:org.mitre.oval:def:2049)
            MS07-019, CVE-2007-1204
            UPnP Memory Corruption Vulnerability

Chg (oval:org.mitre.oval:def:9991)
            MS07-022, CVE-2007-1206
            -- Fixed criteria typos: tests for S03,SP1 and S03,SP2 referenced the state for S03-Gold. --

Chg (oval:org.mitre.oval:def:9992)
            MS07-021, CVE-2006-6696
            -- Fixed typo in Vista criteria changed XP test reference (def:521) to Vista (def:228). --

Chg (oval:org.mitre.oval:def:9993)
            MS07-021, CVE-2007-1209
            -- Removed Win2k,XP,S03 from affected.family and criteria; bulletin says they are not vulnerable.  Fixed typo in Vista criteria changed XP test reference (def:521) to Vista (def:228). --

Chg (oval:org.mitre.oval:def:9994)
            MS07-021, CVE-2006-6797
            -- Fixed typo in Vista criteria changed XP test reference (def:521) to Vista (def:228). --

NEW class:inventory (oval:org.mitre.oval:def:9980)  (please give credit to SE)

NEW class:inventory (oval:org.mitre.oval:def:9981)  (please give credit to SE)

NEW class:inventory (oval:org.mitre.oval:def:1631)
            Microsoft Content Management Server 2001 Service Pack 1 is installed

NEW class:inventory (oval:org.mitre.oval:def:1937)
            Microsoft Content Management Server 2002 Service Pack 2 is installed

NEW (oval:org.mitre.oval:def:2001)
            CVE-2007-0938, MS07-018
            CMS Memory Corruption Vulnerability

NEW (oval:org.mitre.oval:def:1575)
            CVE-2007-0939, MS07-018
            CMS Cross-Site Scripting and Spoofing Vulnerability

Number of Additions: 8
Number of Changes  : 15
Number of Updates  : 23

Definitions Test String:

oval:org.mitre.oval:def:497,oval:org.mitre.oval:def:376,oval:org.mitre.oval:def:256,oval:org.mitre.oval:def:1385,oval:org.mitre.oval:def:1927,oval:org.mitre.oval:def:1923,oval:org.mitre.oval:def:1854,oval:org.mitre.oval:def:1797,oval:org.mitre.oval:def:2056,oval:org.mitre.oval:def:1571,oval:org.mitre.oval:def:2049,oval:org.mitre.oval:def:9991,oval:org.mitre.oval:def:9992,oval:org.mitre.oval:def:9993,oval:org.mitre.oval:def:9994,oval:org.mitre.oval:def:2001,oval:org.mitre.oval:def:1575

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Attachment: windows.tg-oval-070410.zip (14K)

Re: Patch Tuesday defs & fixes

Matthew N. Wojcik
The OVAL Repository has been updated with the definition changes Rob
Hollis suggested back on April 11th.  For various reasons, I had to
process these by hand rather than simply importing the fix file Rob
sent in, which is why it took a while.

I also realised I never sent in the mapping from the temporary IDs used
by Secure Elements in their April Patch Tuesday submission to the
canonical IDs.  I'll give the mapping first, and then the details of
the changes made.

Thanks to Rob for all of the fixes.

Mapping:

Definitions: 7 new

def:9980 - def:1867
def:9981 - def:1825
def:9991 - def:1639
def:9992 - def:1816
def:9993 - def:1524
def:9994 - def:2013
def:9995 - def:2034

Tests: 12 new

tst:99911 - tst:3492
tst:99912 - tst:3351
tst:99913 - tst:3861
tst:99914 - tst:3662
tst:99915 - tst:3979

tst:99921 - tst:3935
tst:99922 - tst:3654
tst:99923 - tst:3288
tst:99925 - tst:3229
tst:99926 - tst:3701
tst:99951 - tst:4156
tst:99952 - tst:3462

Objects: No new objects

States: 12 new

ste:99911 - ste:3332
ste:99912 - ste:3229
ste:99913 - ste:2996
ste:99914 - ste:2976
ste:99915 - ste:3801
ste:99921 - ste:3501
ste:99922 - ste:3878
ste:99923 - ste:3536
ste:99925 - ste:3200
ste:99926 - ste:3852
ste:99951 - ste:3178
ste:99952 - ste:2955

Changes:

Patch Tuesday definitions:

def:1524: Removed Win2k,XP,S03 from affected platform and criteria;
bulletin says they are not vulnerable. Fixed typo in Vista criteria:
changed XP test reference (def:521) to Vista (def:228).

def:1639: Edited tst:3662: Replaced reference to ste:2996 with ste:2976
instead; ste:2976 is the correct file version for Windows Server 2003
SP1 for CVE-2007-1206.

ALSO: Edited tst:3979: Replaced reference to ste:2996 with ste:3801
instead; ste:3801 is the correct file version for Windows Server 2003
SP2 for CVE-2007-1206.

def:1816: Fixed typo in Vista criteria block: changed reference to
extended def:521 (XP SP2) to def:228 (Vista).

def:2013: Fixed typo in Vista criteria block: changed reference to
extended def:521 (XP SP2) to def:228 (Vista).

MS07-017 definitions:

def:1571: Removed Vista criteria section and affected platform
metadata; MS07-017 says it's not affected. Altered S03 section of
criteria to reference proper Gdi32.dll file versions for S03,SP1 and
S03,SP2.

def:1854: Altered S03 section of criteria to reference proper Gdi32.dll
file versions for S03,SP1 and S03,SP2.

def:1935: Dropped tst:4078 in favor of existing tst:3019.

def:1797: Removed criteria sections and affected.platform elements for
XP, S03, and Vista. MS07-017 says they are not affected.

def:2056: Removed criteria sections and affected.platform elements for
S03 and Vista. MS07-017 says they are not affected.

def:1385: Removed criteria sections and affected.platform elements for
S03 and Vista. MS07-017 says they are not affected.

def:1927: Altered S03 section of criteria to reference proper Gdi32.dll
file versions for S03,SP1 and S03,SP2.

def:1923: Altered S03 section of criteria to reference proper Gdi32.dll
file versions for S03,SP1 and S03,SP2.

Older definitions:

def:376: Dropped reference to tst:3341 in favor of tst:3019.

def:256: Dropped reference to tst:3341 in favor of tst:3019.

def:497: Dropped tst:3341 in favor of tst:3019.


I also deprecated tst:3341, tst:4078, ste:2951, and ste:3398, as these
were duplicates and are no longer used.

--Woj


> -----Original Message-----
> From: Robert Hollis [mailto:[hidden email]]
> Sent: Wednesday, April 11, 2007 10:26 AM
> To: oval-discussion-list OVAL Moderated Public Discussion List
> Subject: [OVAL-DISCUSSION-LIST] Patch Tuesday defs & fixes

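As an added illustration (not part of the original message and not the OVAL Repository's own tooling), the sketch below applies a subset of the temporary-to-canonical ID mapping and the tst:3341/tst:4078 consolidation from the message above to an OVAL fragment, and reports any temporary-looking ID the mapping does not cover. The XML fragment, the `remap` function, and the rule that a four-or-more-digit ID starting with "99" is temporary are assumptions made for the example.

```python
import re

PREFIX = "oval:org.mitre.oval:"

# Subset of the mapping listed in the message above (temporary -> canonical),
# plus the duplicate tests that were dropped in favor of tst:3019.
ID_MAP = {
    "def:9980": "def:1867", "def:9981": "def:1825", "def:9991": "def:1639",
    "def:9992": "def:1816", "def:9993": "def:1524", "def:9994": "def:2013",
    "def:9995": "def:2034",
    "tst:99914": "tst:3662", "tst:99915": "tst:3979",
    "ste:99914": "ste:2976", "ste:99915": "ste:3801",
    "tst:3341": "tst:3019", "tst:4078": "tst:3019",
}

# Match the whole numeric part so "tst:99914" is never rewritten as if it
# were a shorter ID that happens to share its leading digits.
OVAL_ID = re.compile(r"oval:org\.mitre\.oval:((?:def|tst|obj|ste):[0-9]+)")


def remap(text, id_map=ID_MAP):
    """Return (rewritten_text, replacement_counts, unmapped_temporary_ids)."""
    counts = {}
    unmapped = set()

    def substitute(match):
        short = match.group(1)
        if short in id_map:
            counts[short] = counts.get(short, 0) + 1
            return PREFIX + id_map[short]
        number = short.split(":")[1]
        # Assumption for this example: temporary IDs look like 99xx / 999xx.
        if len(number) >= 4 and number.startswith("99"):
            unmapped.add(short)
        return match.group(0)

    return OVAL_ID.sub(substitute, text), counts, sorted(unmapped)


# Constructed, simplified fragment (no namespaces, not a real submission).
SAMPLE = """<definition id="oval:org.mitre.oval:def:9991">
  <criteria>
    <extend_definition definition_ref="oval:org.mitre.oval:def:9981"/>
    <criterion test_ref="oval:org.mitre.oval:tst:3341"/>
    <criterion test_ref="oval:org.mitre.oval:tst:99914"/>
    <criterion test_ref="oval:org.mitre.oval:tst:99915"/>
    <criterion test_ref="oval:org.mitre.oval:tst:99999"/>
  </criteria>
</definition>
<file_test id="oval:org.mitre.oval:tst:99914">
  <state state_ref="oval:org.mitre.oval:ste:99914"/>
</file_test>"""

if __name__ == "__main__":
    rewritten, counts, unmapped = remap(SAMPLE)
    print(rewritten)
    print("replaced:", counts)
    print("temporary IDs with no canonical mapping:", unmapped)
```

A non-empty third return value means the content still carries a temporary ID and is not ready to import.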


Re: Patch Tuesday defs & fixes

Robert Hollis
.
. The OVAL Repository has been updated with the definition changes Rob
. Hollis suggested back on April 11th.  For various reasons, I had to
. process these by hand rather than simply importing the fix file Rob
. sent in, which is why it took a while.
.

Woj,

Is there anything I can do to make that process easier for you?

        -rob


Comment on 5.3 schema

Ken Lassesen-2
I finally got some cycles to look at the changes. There are two items that stand out...

* "fixed a schema error that had a_time, c_time, and m_time defined as strings, changed to ints"
    * Why not to XmlDate instead? This seems far more appropriate. Ints seem odd, what is '0', will we not lose the ability to check exact time stamps (fractions of days).
* Also "added a schematron rule in certain places to validate that an int value was supplied when a datatype of int was declared"
    * I'm a little confused, I thought schema validators would do that automatically? Is this a 'fudge' because of some issue with some schema validation issues...

Needless to say, per earlier email, because of different SQL standards for different Databases, I would strongly advocate that in lieu of sql_test, the tests be specific to the database engine, i.e. <oracle_test>, <foxpro_test>, <mysql_test> and that the version of database engines that the test would work on is also included explicitly or implicitly.  
 
One could argue  
"is FOCUS 4.5-5.0 and <focus_test>" would be adequate,
 
But this is decoupling the test constraints too far. The SQL is EXPLICIT to certain version and to ensure that information does not get lost or misplaced, it should be part of the <focus_test> or <db2_test> etc.
 
 
Many thanks!
 
Ken Lassesen

 


Re: Comment on 5.3 schema

Andrew Buttner
>>* "fixed a schema error that had a_time, c_time, and
>>m_time defined as strings, changed to ints "
>>
> * Why not to XmlDate instead? This seems
>far more appropriate. Ints seems odd, what is '0', will we not
>loose the ability to check exact time stamps (fractions of days).

These fields are documented as the number of 100-nanosecond intervals
since January 1, 1601 (UTC).



>>* Also "added a schematron rule in certain places to
>>validate that an int value was supplied when a datatype of int
>>was declared "
>
> *
> I'm a little confused, I thought schema
>validators would do that automatically? Is this a 'fudge'
>because of some issue with some schema validation issues...

For those entities in OVAL that only allow one value for the datatype
attribute, then schema validation works fine.  But there are certain
entities (e.g. <value> of a registry test) where the datatype attribute
can be set to 'string', 'int', 'version', etc.  In this case, schema
validation doesn't work since it is grammar based and doesn't handle
co-constraints.  The xsd schema therefore allows any type of value.
Schematron does handle co-constraints and so we can make an assertion
that if the datatype attribute is set to 'int', then the value should
be an int.




>Needless to say, per earlier email, because of different SQL
>standards for different Databases, I would strongly advocate
>that in lieu of sql_test, the tests be specific to the
>database engine, i.e. <oracle_test>, <foxpro_test>,
><mysql_test> and that the version of database engines that the
>test would work on is also included explicitly or implicitly.  
>
>One could argue  
>"is FOCUS 4.5-5.0 and <focus_test>" would be adequate,
>
>But this is decoupling the test constraints too far. The SQL
>is EXPLICIT to certain version and to insure that information
>does not get lost or misplaced, it should be part of the
><focus_test> or <db2_test> etc/

I thought we agreed on the <connection_string> approach and that you
can include a driver name in the string if you want to connect via a
certain driver?  But the connection_string also allows you to use DNS
if desired.

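The two points in the reply above can be shown in a few lines. This is an added example, not code from the OVAL project: it converts the 100-nanosecond-interval time values to UTC timestamps and performs the datatype co-constraint check that the reply attributes to Schematron. The function names and the simplified, namespace-free XML fragment are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# a_time, c_time and m_time count 100-nanosecond intervals from this instant.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
INT_LITERAL = re.compile(r"[+-]?[0-9]+")


def filetime_to_utc(ticks):
    """Convert 100-ns intervals since 1601-01-01 (UTC) to an aware datetime."""
    # datetime resolves microseconds, so the final 100-ns digit is dropped.
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def check_int_coconstraint(xml_text):
    """List (tag, value) for entities declaring datatype='int' with a non-int value.

    A grammar-based XSD cannot tie the allowed content to the value of the
    datatype attribute, so this rule has to be checked separately.
    """
    violations = []
    for element in ET.fromstring(xml_text).iter():
        if element.get("datatype") != "int":
            continue
        value = (element.text or "").strip()
        if not INT_LITERAL.fullmatch(value):
            violations.append((element.tag, value))
    return violations


# Constructed sample: two time entities and two registry values.
SAMPLE = """<states>
  <file_state id="ste:1">
    <a_time datatype="int">128207232000000000</a_time>
    <m_time datatype="int">2007-04-11T10:26:00</m_time>
  </file_state>
  <registry_state id="ste:2">
    <value datatype="string">Service Pack 2</value>
    <value datatype="int">0x10</value>
  </registry_state>
</states>"""

if __name__ == "__main__":
    print(filetime_to_utc(0))                   # the value '0'
    print(filetime_to_utc(128207232000000000))  # a_time from the sample
    for tag, value in check_int_coconstraint(SAMPLE):
        print(f"<{tag}> declares datatype='int' but holds {value!r}")
```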


Re: Comment on 5.3 schema

Ken Lassesen-2
Yes,

"we agreed on the <connection_string> approach and that you can include
a driver name in the string if you want to connect via a certain driver?
But the connection_string also allows you to use DNS if desired."

But that does not address the CONTENTS of the SQL Command -- there are
many SQL dialects with no dialect common across everything etc. So
either the grammar of the command must be restricted to a limited subset
(that would need to be published), or we would need to identify what
database engines that this command would work on.

This <mysql_test>, <oracle_test>, <db2_test>, <foxpro_test>,
<reflection_test> etc appears to be appropriate. All of them would use
connection strings, but the sql command for a specific test may be
different for each.
