Public date and copyright year missing for CVE-2020-1945 in OVAL

Bug #1878917 reported by Steen Schutt
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu CVE Tracker | Fix Released | Undecided | Unassigned | |

Bug Description

I have previously filed a similar bug:
https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/1856009

When reading the OVAL file, the public_date tag contains "unknown", and the rights tag says "Copyright (C) unknown Canonical Ltd.". Maybe another test for you to add :)

Here's the definition from the OVAL file.

```
<definition class="vulnerability" id="oval:com.ubuntu.bionic:def:202019450000000" version="1">
    <metadata>
        <title>CVE-2020-1945 on Ubuntu 18.04 LTS (bionic) - medium.</title>
        <description>It was discovered that Apache Ant created temporary files with insecure permissions. An attacker could use this vulnerability to
read sensitive information leaked into /tmp, or potentially inject malicious code into a project that is built with Apache Ant.</description>
        <affected family="unix">
            <platform>Ubuntu 18.04 LTS</platform>
        </affected>
        <reference source="CVE" ref_id="CVE-2020-1945" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1945" />
        <advisory>
            <severity>Medium</severity>
            <rights>Copyright (C) unknown Canonical Ltd.</rights>
            <public_date>unknown</public_date>
            <assigned_to>msalvatore</assigned_to>
            <discovered_by>Mike Salvatore</discovered_by>
            <crd>unknown</crd>
            <ref>http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1945.html</ref>
        </advisory>
    </metadata>
    <criteria>
        <extend_definition definition_ref="oval:com.ubuntu.bionic:def:100" comment="Ubuntu 18.04 LTS (bionic) is installed." applicability_check="true" />
        <criterion test_ref="oval:com.ubuntu.bionic:tst:202019450000000" comment="ant package in bionic is affected and needs fixing." />
    </criteria>
</definition>
```

From https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml.bz2. Present as of May 15 2020 13:23:00 UTC, first seen May 15 2020 05:00:58 UTC.

Kind regards.

Alex Murray (alexmurray) wrote :

Thanks for reporting this - I have updated this in the Ubuntu CVE Tracker via https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=91f4418c84674ff86b8aeb96af5fbdf6fa27629f and so the OVAL should be regenerated soon with this new date. FYI - I took the date from the public announcement in https://lists.apache.org/thread.html/r8e592bbfc016a5dbe2a8c0e81ff99682b9c78c453621b82c14e7b75e%40%3Cdev.ant.apache.org%3E

Changed in ubuntu-cve-tracker:
status: New → Fix Committed
Steen Schutt (steenschutt) wrote :

I'm just going to bump in here, I have yet more interesting publish dates.

CVE-2020-12662 and CVE-2020-12663 both have the date set to 2020-05-19, which should most likely be 2020-05-19 :)
Stumbled upon them while ordering my data by date, but they are not by any means causing me issues (apart from the data being incorrect).

Steen Schutt (steenschutt) wrote :

Typo - the OVAL says 2021-05-19, NVD says 2020-05-19.

Steve Beattie (sbeattie) wrote :

Steen, I've fixed those two date issues in our tracker, and they should be in the public OVAL data shortly, if not already. Thanks for reporting it; you can always file a new bug against the ubuntu-cve-tracker via https://bugs.launchpad.net/ubuntu-cve-tracker/+filebug if you find additional issues like that.

Changed in ubuntu-cve-tracker:
status: Fix Committed → Fix Released
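
A consumer-side check for the two problems raised in this thread (placeholder "unknown" metadata and a public date that lies in the future), as an added example that is not part of the thread or of the Ubuntu CVE Tracker's own code. The function names, the `as_of` cut-off and the sample XML are assumptions made for illustration; the sample is constructed from the definition and dates quoted above.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Constructed sample: first definition trimmed from the one quoted in the report;
# the second (including its rights line) is built around the 2021-05-19 date.
SAMPLE = """<definitions>
 <definition class="vulnerability">
  <metadata><reference source="CVE" ref_id="CVE-2020-1945" /><advisory>
   <rights>Copyright (C) unknown Canonical Ltd.</rights>
   <public_date>unknown</public_date>
  </advisory></metadata>
 </definition>
 <definition class="vulnerability">
  <metadata><reference source="CVE" ref_id="CVE-2020-12662" /><advisory>
   <rights>Copyright (C) 2021 Canonical Ltd.</rights>
   <public_date>2021-05-19</public_date>
  </advisory></metadata>
 </definition>
</definitions>"""

def local(tag):
    """Drop the XML namespace so the check also works on a namespaced file."""
    return tag.rsplit("}", 1)[-1]

def text_of(fields, name):
    elem = fields.get(name)
    return (elem.text or "").strip() if elem is not None else ""

def audit(xml_text, as_of):
    """Return sorted (cve, problem) pairs for suspicious advisory metadata."""
    findings = []
    root = ET.fromstring(xml_text)
    for d in (e for e in root.iter() if local(e.tag) == "definition"):
        fields = {local(e.tag): e for e in d.iter()}
        ref = fields.get("reference")
        cve = ref.get("ref_id") if ref is not None else d.get("id", "?")
        pub, rights = text_of(fields, "public_date"), text_of(fields, "rights")
        try:
            if datetime.strptime(pub[:10], "%Y-%m-%d").date() > as_of:
                findings.append((cve, "public_date in the future"))
        except ValueError:
            findings.append((cve, "public_date not a date"))
        if not re.search(r"\(C\) \d{4} ", rights):
            findings.append((cve, "rights lacks a copyright year"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE, as_of=date(2020, 5, 20)), sep="\n")
```

Pass the date the feed was downloaded as `as_of`; a later date would no longer flag the 2021-05-19 entry, so the future-date check is only meaningful at ingest time.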