[openssl-commits] [web] master update

Mark J. Cox mark at openssl.org
Mon Feb 5 15:01:34 UTC 2018


The branch master has been updated
       via  8ba74cf7cecf400ff776874e4165e5c66653095a (commit)
       via  11b53fcc49c27a3adaa5282fb2567d084fae8f09 (commit)
      from  f7d3fb4dbadf9235d05d806b974b21b5a8f96487 (commit)


- Log -----------------------------------------------------------------
commit 8ba74cf7cecf400ff776874e4165e5c66653095a
Author: Mark J. Cox <mark at awe.com>
Date:   Mon Feb 5 15:00:47 2018 +0000

    Based on discussions with Mitre over this field, which isn't yet defined but is unlikely
    to be machine parsable (looking at all the published ones to date).  They'd like "Fixed in"
    and "Affects", so let's give them both in a nice text format for the description and the
    vulnerability affects sections.

commit 11b53fcc49c27a3adaa5282fb2567d084fae8f09
Author: Mark J. Cox <mark at awe.com>
Date:   Mon Feb 5 14:57:10 2018 +0000

    CVE-2004-0081 was missing the 'fixed in 0.9.6d' line, causing it to not get included on the list of 0.9.6 issues
    and fail json validation.

-----------------------------------------------------------------------

Summary of changes:
 bin/vulnxml2json.py      | 23 ++++++++++++-----------
 news/vulnerabilities.xml |  2 ++
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/bin/vulnxml2json.py b/bin/vulnxml2json.py
index 41afbf8..b905da1 100755
--- a/bin/vulnxml2json.py
+++ b/bin/vulnxml2json.py
@@ -23,14 +23,16 @@ neverreleased = "1.0.0h,";
 # Location of CVE JSON schema (default, can use local file etc)
 default_cve_schema = "https://raw.githubusercontent.com/CVEProject/automation-working-group/master/cve_json_schema/CVE_JSON_4.0_min_public.schema"
 
-def merge_affects(issue):
+def merge_affects(issue,base):
     # let's merge the affects into a nice list which is better for Mitre text but we have to take into account our stange lettering scheme
     prev = ""
     anext = ""
     alist = list()
     vlist = list()
     for affects in issue.getElementsByTagName('affects'): # so we can sort them
-       vlist.append(affects.getAttribute("version"))
+       version = affects.getAttribute("version")
+       if (not base or base in version):
+           vlist.append(version)
     for ver in sorted(vlist):
        # print "version %s (last was %s, next was %s)" %(ver,prev,anext)
        if (ver != anext):
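Review bot: `base in version` on the new filter line is a substring test rather than a prefix test, so a base such as "1.0" would admit every "1.0.x" release and any version string merely containing the base would pass; `version.startswith(base)` states the intended match. Also note that an `<affects>` element whose `version` does not carry the base (for example one without a `base` attribute of its own) is silently dropped whenever a non-empty base is passed, so the "Affected" list for that `<fixed>` line will be incomplete rather than erroring. The comment above the loop still says "stange" for "strange".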
@@ -110,18 +112,17 @@ for issue in issues:
     if refs:
         cve['references'] = { "reference_data": refs  }
 
-    allaffects = list()
-    for affects in issue.getElementsByTagName('affects'):
-        allaffects.append({ "version_value":"openssl-"+affects.getAttribute("version")})
+    vv = list()
+    for affects in issue.getElementsByTagName('fixed'):
+        text = "Fixed in OpenSSL %s (Affected %s)" %(affects.getAttribute('version'),merge_affects(issue,affects.getAttribute("base")))
+        # Let's condense into a list form since the format of this field is 'free text' at the moment, not machine readable (as per mail with George Theall)
+        vv.append({"version_value":text})
+        # Mitre want the fixed/affected versions in the text too
+        desc += " "+text+"."
 
-    cve['affects'] = { "vendor" : { "vendor_data" : [ { "vendor_name": "OpenSSL", "product": { "product_data" : [ { "product_name": "OpenSSL", "version": { "version_data" : allaffects}}]}}]}}
-
-    # Mitre want the fixed/affected versions in the text too
-    
-    desc += " (Affects "+merge_affects(issue)+")."
+    cve['affects'] = { "vendor" : { "vendor_data" : [ { "vendor_name": "OpenSSL", "product": { "product_data" : [ { "product_name": "OpenSSL", "version": { "version_data" : vv}}]}}]}}
         
     # Mitre want newlines and excess spaces stripped
-
     desc = re.sub('[\n ]+',' ', desc)
         
     cve['description'] = { "description_data": [ { "lang":"eng", "value": desc} ] }
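Review bot: an issue with no `<fixed>` element now yields an empty `version_data` list and a description with no affected versions at all, whereas the removed code listed every `<affects>` version unconditionally; since the second commit in this push shows the `fixed` line can be missing, a fallback such as appending `merge_affects(issue, "")` when `vv` is still empty after the loop would keep those records from validating with no version information. The loop variable in `for affects in issue.getElementsByTagName('fixed'):` is now a `fixed` element, so naming it `fixed` would make `affects.getAttribute('version')` read as what it is.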
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 80786e1..6e4c717 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -4638,6 +4638,8 @@ OpenSSL library in such a way as to cause a crash.
     <affects base="0.9.6" version="0.9.6a"/>
     <affects base="0.9.6" version="0.9.6b"/>
     <affects base="0.9.6" version="0.9.6c"/>
+    <fixed base="0.9.6" version="0.9.6d" date="20020603"/> <!-- guessed date -->
+    
     <advisory url="/news/secadv/20030317.txt"/>
     <reported source="OpenSSL group"/>
     <description>
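Review bot: the `date` value is flagged as guessed only in an XML comment, which `vulnxml2json.py` does not carry into the generated record, so downstream consumers will see 20020603 as an authoritative fix date; confirm it against the 0.9.6d release announcement before this is published, or omit the attribute if the generator tolerates its absence. The whitespace-only line added after the element should also be dropped.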

