Hi,

I have some concerns with the OVAL files on the OpenSUSE site at:
http://ftp.suse.com/pub/projects/security/oval/

It seems like there is conflicting information in some of the information provided. The criteria that specifies packages have duplicates with different versions.

For example, the following is a snippet from the OVAL file:
http://ftp.suse.com/pub/projects/security/oval/opensuse.11.1.xml

    <definition id="oval:org.opensuse.security:def:20130160" version="1" class="vulnerability">
      ...
      <criteria operator="OR">
        ...
        <!-- 23807efa0fda2554a9635e4fffacead3 -->
        <criteria operator="AND">
          <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
          <criteria operator="OR">
            <criterion test_ref="oval:org.opensuse.security:tst:2009077426" comment="kernel-default less than 3.0.80-0.5.1"/>
            ...
          </criteria>
        </criteria>
        <!-- 2f736fd60525e237201b485f497a314b -->
        <criteria operator="OR">
          <criteria operator="AND">
            <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
            <criteria operator="OR">
              <criterion test_ref="oval:org.opensuse.security:tst:2009077162" comment="kernel-default less than 3.0.74-0.6.6.2"/>
              ...
            </criteria>
          </criteria>

If I am reading this correctly, it specifies the package kernel-default less than version 3.0.80-0.5.1 OR version 3.0.74-0.6.6.2. This effectively specifies the kernel-package version less than 3.0.80-0.5.1.

On a similar note, this CVE (CVE-2013-0160) appears to be affecting SUSE Linux Enterprise Server 11 SP2, based off the OVAL snippet above. However, SLES 11SP2 is not listed on the announcement, here:
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00018.html

Am I understanding this correctly? If this is not in error, could someone please explain the logic behind this?

Thanks,

Jason McFadyen
Security Researcher | Rapid7 | Toronto, ON
(416) 531-3180
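
A way to check an OVAL definition for the duplicate criteria described in the message, as an added example that is not part of the original post or of the openSUSE OVAL tooling. It assumes criterion comments follow the "X is installed" and "P less than V" wording seen in the snippet, and it orders versions by their numeric fields only, which is a simplification of RPM version comparison.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the criteria quoted in the message, elisions dropped, tags closed.
SAMPLE = """<definition id="oval:org.opensuse.security:def:20130160" version="1" class="vulnerability">
<criteria operator="OR">
  <criteria operator="AND">
    <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
    <criteria operator="OR">
      <criterion test_ref="oval:org.opensuse.security:tst:2009077426" comment="kernel-default less than 3.0.80-0.5.1"/>
    </criteria>
  </criteria>
  <criteria operator="OR">
    <criteria operator="AND">
      <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
      <criteria operator="OR">
        <criterion test_ref="oval:org.opensuse.security:tst:2009077162" comment="kernel-default less than 3.0.74-0.6.6.2"/>
      </criteria>
    </criteria>
  </criteria>
</criteria>
</definition>"""

def local(el):  # tolerate namespaced OVAL files
    return el.tag.rsplit("}", 1)[-1]

def vkey(evr):  # simplified ordering: numeric fields of version, then of release
    return [[int(n) for n in re.findall(r"\d+", part)] for part in evr.split("-", 1)]

def thresholds(node, platform=None, out=None):
    """Collect {(platform, package): {versions}} from a criteria tree."""
    out = {} if out is None else out
    if node.get("operator") == "AND":  # an AND group names the platform it applies to
        for k in node:
            m = re.fullmatch(r"(\S+) is installed", k.get("comment", ""))
            platform = m.group(1) if m else platform
    for k in node:
        if local(k) == "criteria":
            thresholds(k, platform, out)
            continue
        m = re.fullmatch(r"(\S+) less than (\S+)", k.get("comment", ""))
        if m:
            out.setdefault((platform, m.group(1)), set()).add(m.group(2))
    return out

def conflicts(xml_text):
    """Return pairs with more than one threshold, versions sorted ascending."""
    top = next(c for c in ET.fromstring(xml_text) if local(c) == "criteria")
    return {k: sorted(v, key=vkey) for k, v in thresholds(top).items() if len(v) > 1}
```

When the branches are joined by OR, the last version in each returned list is the threshold that actually decides the result.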