Some preliminary data on things that need data added


Kurt Seifried

Feb 15, 2022, 8:54:59 PM
to GSD Discussion Group
So Debian has DSA's with CVEs currently not in the CVE database. Over 100 from 2021 and 2022 alone, I assume 2-300 in total. Quickest way to see the Debian data is https://security-tracker.debian.org/tracker/CVE-2016-2124

I collected the data by basically wget'ing DSA's from 2021/2022, stripping out the CVEs and comparing it to the RESERVED list of CVEs. I assume we'll find more if we look at other sources (Red Hat, AlpineLinux, etc.). 

Kurt Seifried (He/Him)
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
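
The comparison described in the message above (pull the CVE IDs out of advisory text, then keep the ones the CVE list still marks RESERVED), as an added example that is not part of the original post and not the script used there. The advisory names, advisory texts and CVE IDs are constructed, and `extract_cves` / `reserved_but_cited` are hypothetical helper names.

```python
import re
from collections import defaultdict

# CVE IDs are "CVE-<4-digit year>-<4 or more digits>". Match case-insensitively
# because advisories and tracker URLs sometimes lowercase them.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cves(text):
    """Return the set of normalised CVE IDs mentioned in a piece of advisory text."""
    return {f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)}


def _numeric_key(item):
    """Sort key: (year, sequence number) as integers, so 10003 sorts after 9999."""
    _, year, num = item[0].split("-")
    return int(year), int(num)


def reserved_but_cited(advisories, reserved_ids):
    """Map each still-RESERVED CVE to the sorted list of advisories that cite it."""
    reserved = {r.strip().upper() for r in reserved_ids if r.strip()}
    cited = defaultdict(set)
    for name, text in advisories.items():
        for cve in extract_cves(text) & reserved:
            cited[cve].add(name)
    ordered = sorted(cited.items(), key=_numeric_key)
    return {cve: sorted(names) for cve, names in ordered}


# Constructed sample input: two advisory bodies and a RESERVED list with
# inconsistent case, trailing whitespace and an empty line.
ADVISORIES = {
    "DSA-EXAMPLE-1": "Several issues in examplepkg: CVE-2099-0001, "
                     "CVE-2099-0002 and cve-2099-10003.",
    "DSA-EXAMPLE-2": "Fixes CVE-2099-0002 (see "
                     "https://tracker.example/CVE-2099-0002) and CVE-2098-0444.",
}
RESERVED = ["CVE-2099-0002", "cve-2099-10003 ", "CVE-2099-9999", ""]

if __name__ == "__main__":
    for cve, sources in reserved_but_cited(ADVISORIES, RESERVED).items():
        print(cve, "cited by", ", ".join(sources))
```
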

Marcus Meissner

Feb 16, 2022, 3:27:16 AM
to Kurt Seifried, GSD Discussion Group
Hi,

On Tue, Feb 15, 2022 at 06:54:21PM -0700, 'Kurt Seifried' via GSD Discussion Group wrote:
> So Debian has DSA's with CVEs currently not in the CVE database. Over 100
> from 2021 and 2022 alone, I assume 2-300 in total. Quickest way to see the
> Debian data is https://security-tracker.debian.org/tracker/CVE-2016-2124
>
> I collected the data by basically wget'ing DSA's from 2021/2022, stripping
> out the CVEs and comparing it to the RESERVED list of CVEs. I assume we'll
> find more if we look at other sources (Red Hat, AlpineLinux, etc.).

FWIW the Mitre Root CNA usually is quite pushy on getting these published
though.

If a CNA is backlogged with publishing they will not get new CVEs allocated.

Ciao, Marcus

Kurt Seifried

Feb 16, 2022, 11:42:56 AM
to Marcus Meissner, GSD Discussion Group
On Wed, Feb 16, 2022 at 1:27 AM Marcus Meissner <meis...@suse.de> wrote:
> Hi,
>
> On Tue, Feb 15, 2022 at 06:54:21PM -0700, 'Kurt Seifried' via GSD Discussion Group wrote:
> > So Debian has DSA's with CVEs currently not in the CVE database. Over 100
> > from 2021 and 2022 alone, I assume 2-300 in total. Quickest way to see the
> > Debian data is https://security-tracker.debian.org/tracker/CVE-2016-2124
> >
> > I collected the data by basically wget'ing DSA's from 2021/2022, stripping
> > out the CVEs and comparing it to the RESERVED list of CVEs. I assume we'll
> > find more if we look at other sources (Red Hat, AlpineLinux, etc.).
>
> FWIW the Mitre Root CNA usually is quite pushy on getting these published
> though.

I don't think most of these are Debian CVEs. They are simply CVEs for stuff Debian happens to ship. But I can't know as the "ASSIGNER" field is not set in "RESERVED" CVEs.

> If a CNA is backlogged with publishing they will not get new CVEs allocated.
>
> Ciao, Marcus

SUSE is another great example of this: you list the following 398 CVEs on your security page (https://www.suse.com/security/cve/) that the CVE database still has marked as reserved. Some of your CVE pages don't have a ton of data (e.g. the one from 2003 =) but they do at least have a link to your bugzilla and thus there is some data from a trustworthy source that can be used to populate the CVE database. I assume most (all?) of these 398 CVEs that SUSE has, but the CVE database doesn't list, are not assigned by SUSE, but again like Debian merely CVEs for stuff you do ship:

Kurt Seifried

Feb 22, 2022, 11:26:58 AM
to Marcus Meissner, GSD Discussion Group

On Wed, Feb 16, 2022 at 9:42 AM Kurt Seifried <ksei...@cloudsecurityalliance.org> wrote:

One question: Marcus: can you tell me which (if any?) of the following were requested by SUSE and simply not published to the MITRE database yet? I suspect it's 0 (e.g. this is all third-party CVEs from your perspective) and I figure asking you is easier than asking MITRE. Thanks.
 
I tried using the cveform.mitre.org but the text entry field isn't big enough. 

Marcus Meissner

Feb 22, 2022, 12:02:30 PM
to Kurt Seifried, GSD Discussion Group
Hi,

From the SUSE CNA unpublished are the 107, the older than 2020 ones
assigned to our previous company Microfocus. I would prefer not to publish
the full list.

My tracking goes only back to 2010, for the older ones I would need to dig
deeper.

The only overlap between your list and ours is:
CVE-2010-4315
CVE-2010-4318
CVE-2012-0415
CVE-2012-0416
CVE-2013-1089
CVE-2016-1604
CVE-2018-20104

but all these are assigned for other parts of Microfocus and we have
delegated away the CNA responsibility for those.

So for the SUSE part we have no CNA delinquency. I would need to go step
by step if we allocated them manually via webform though, but this is a
bit more rare.

Ciao, Marcus