CVEs reported to be fixed twice in the secfixes comments / secdb.alpinelinux.org
Following up from our chat on IRC, adding here all the cases we found that have the same CVE for different fixed versions for a specific package:
- v3.3 openssl CVE-2017-3738 (fdbb0da2)
- v3.4 openssl CVE-2017-3738 (29180d09)
- v3.4 php5 CVE-2018-5712 (da800bdf)
- v3.5 openssl CVE-2017-3738 (9dd91880)
- v3.5 php5 CVE-2018-5712 (67c11dd3)
- v3.5 php7 CVE-2018-5712 (df489246)
- v3.6 bind CVE-2017-3145 (fa2e4d9e)
- v3.6 bind CVE-2017-3142 (fa2e4d9e)
- v3.6 bind CVE-2017-3143 (fa2e4d9e)
- v3.6 ffmpeg CVE-2017-11665 (60935a48)
- v3.6 ghostscript CVE-2019-6116 (8202374b)
- v3.6 openssl CVE-2017-3738 (24a4091d)
- v3.6 php5 CVE-2018-5712 (3f847fb3)
- v3.6 php7 CVE-2018-5712 (244815ce)
- v3.6 wireshark CVE-2018-7335 (bd8ad1d0)
- v3.6 wireshark CVE-2018-7334 (bd8ad1d0)
- v3.6 wireshark CVE-2018-7336 (bd8ad1d0)
- v3.7 bind CVE-2017-3145 (cbc49e4f)
- v3.7 firefox-esr CVE-2017-7843 (a56ee65a)
- v3.7 ghostscript CVE-2019-6116 (413d825a)
- v3.7 lame CVE-2017-9410 (5e0c4c47)
- v3.7 lame CVE-2017-9411 (5e0c4c47)
- v3.7 lame CVE-2017-9412 (5e0c4c47)
- v3.7 lame CVE-2015-9099 (5e0c4c47)
- v3.7 openssl CVE-2017-3738 (81efcef4)
- v3.7 php5 CVE-2018-5712 (89054feb)
- v3.7 php7 CVE-2018-5712 (05c7db62)
- v3.7 php7 CVE-2018-7584 (05c7db62)
- v3.7 sdl CVE-2019-7577 (0b9593eb)
- v3.7 wireshark CVE-2017-15191 (b277839a)
- v3.7 wireshark CVE-2017-15192 (b277839a)
- v3.7 wireshark CVE-2017-15193 (b277839a)
- v3.7 wireshark CVE-2017-13765 (b277839a)
- v3.7 wireshark CVE-2017-13766 (b277839a)
- v3.7 wireshark CVE-2017-13767 (b277839a)
- v3.8 exim CVE-2018-6789 (04e42b67)
- v3.8 firefox-esr CVE-2017-7843 (268f75ea)
- v3.8 ghostscript CVE-2019-6116 (5a4b02d3)
- v3.8 lame CVE-2017-9410 (cd6dbbc5)
- v3.8 lame CVE-2017-9411 (cd6dbbc5)
- v3.8 lame CVE-2017-9412 (cd6dbbc5)
- v3.8 lame CVE-2015-9099 (cd6dbbc5)
- v3.8 openssl CVE-2017-3738 (90ac76e9)
- v3.8 php5 CVE-2018-5712 (f86eadb4)
- v3.8 samba CVE-2018-14629 (1ffd0c4c)
- v3.8 sdl CVE-2019-7577 (14810256)
- v3.8 sqlite CVE-2018-20346 (9001046c)
- v3.8 sqlite CVE-2019-19242 (9001046c)
- v3.8 wireshark CVE-2017-15191 (7feb5ee1)
- v3.8 wireshark CVE-2017-15192 (7feb5ee1)
- v3.8 wireshark CVE-2017-15193 (7feb5ee1)
- v3.8 wireshark CVE-2017-13765 (7feb5ee1)
- v3.8 wireshark CVE-2017-13766 (7feb5ee1)
- v3.8 wireshark CVE-2017-13767 (7feb5ee1)
- v3.9 exim CVE-2018-6789 (0a5dfd7f)
- v3.9 firefox-esr CVE-2017-7843 (a2c80d00)
- v3.9 ghostscript CVE-2019-6116 (038246e3)
- v3.9 hostapd CVE-2017-13082 (d01d4710)
- v3.9 lame CVE-2015-9099 (86cfc54b)
- v3.9 lame CVE-2017-9410 (86cfc54b)
- v3.9 lame CVE-2017-9411 (86cfc54b)
- v3.9 lame CVE-2017-9412 (86cfc54b)
- v3.9 libsndfile CVE-2018-19758 (e831cc1b)
- v3.9 libvorbis CVE-2018-10393 (f45d0b27)
- v3.9 samba CVE-2018-14629 (3bac040e)
- v3.9 sdl CVE-2019-7577 (635f81bc)
- v3.9 sqlite CVE-2019-19242 (357837f9)
- v3.9 wireshark CVE-2017-15191 (e8d61b9a)
- v3.9 wireshark CVE-2017-15192 (e8d61b9a)
- v3.9 wireshark CVE-2017-15193 (e8d61b9a)
- v3.9 wireshark CVE-2017-13765 (e8d61b9a)
- v3.9 wireshark CVE-2017-13766 (e8d61b9a)
- v3.9 wireshark CVE-2017-13767 (e8d61b9a)
- v3.9 wpa_supplicant CVE-2017-13077 (e6b435d7)
- v3.9 wpa_supplicant CVE-2017-13078 (e6b435d7)
- v3.9 wpa_supplicant CVE-2017-13079 (e6b435d7)
- v3.9 wpa_supplicant CVE-2017-13080 (e6b435d7)
- v3.9 wpa_supplicant CVE-2017-13081 (e6b435d7)
- v3.9 wpa_supplicant CVE-2017-13082 (e6b435d7)
- v3.9 wpa_supplicant CVE-2017-13086 (e6b435d7)
- v3.9 wpa_supplicant CVE-2017-13087 (e6b435d7)
- v3.9 wpa_supplicant CVE-2017-13088 (e6b435d7)
- v3.9 xen CVE-2019-19579,XSA-306 (bd0c62f6)
- v3.10 busybox CVE-2019-5747 (cee91fd2)
- v3.10 exim CVE-2018-6789 (8395de3d)
- v3.10 firefox-esr CVE-2017-7843 (6b8eb050)
- v3.10 ghostscript CVE-2019-6116 (174d3dcd)
- v3.10 hostapd CVE-2017-13082 (74857956)
- v3.10 lame CVE-2015-9099 (a57b3d9f)
- v3.10 lame CVE-2017-9410 (a57b3d9f)
- v3.10 lame CVE-2017-9411 (a57b3d9f)
- v3.10 lame CVE-2017-9412 (a57b3d9f)
- v3.10 libsndfile CVE-2018-19758 (d9c76cb0)
- v3.10 libvorbis CVE-2018-10393 (18b62e40)
- v3.10 rdesktop CVE-2018-20175 (06cd87d9)
- v3.10 rdesktop CVE-2018-20176 (06cd87d9)
- v3.10 samba CVE-2018-14629 (d43122c1)
- v3.10 sdl CVE-2019-7577 (22f290af)
- v3.10 sqlite CVE-2019-19242 (b513c7d9)
- v3.10 unbound CVE-2020-12662 (7de63602)
- v3.10 unbound CVE-2020-12663 (7de63602)
- v3.10 wireshark CVE-2017-15191 (0ca6a6f0)
- v3.10 wireshark CVE-2017-15192 (0ca6a6f0)
- v3.10 wireshark CVE-2017-15193 (0ca6a6f0)
- v3.10 wireshark CVE-2017-13765 (0ca6a6f0)
- v3.10 wireshark CVE-2017-13766 (0ca6a6f0)
- v3.10 wireshark CVE-2017-13767 (0ca6a6f0)
- v3.10 wpa_supplicant CVE-2019-11555 (6104fab1)
- v3.10 wpa_supplicant CVE-2017-13077 (db21cf64)
- v3.10 wpa_supplicant CVE-2017-13078 (db21cf64)
- v3.10 wpa_supplicant CVE-2017-13079 (db21cf64)
- v3.10 wpa_supplicant CVE-2017-13080 (db21cf64)
- v3.10 wpa_supplicant CVE-2017-13081 (db21cf64)
- v3.10 wpa_supplicant CVE-2017-13082 (db21cf64)
- v3.10 wpa_supplicant CVE-2017-13086 (db21cf64)
- v3.10 wpa_supplicant CVE-2017-13087 (db21cf64)
- v3.10 wpa_supplicant CVE-2017-13088 (db21cf64)
- v3.11 busybox CVE-2019-5747 (5086c803)
- v3.11 exim CVE-2018-6789 (73d689f0)
- v3.11 firefox-esr CVE-2017-7843 (235d94b8)
- v3.11 ghostscript CVE-2019-6116 (a7731895)
- v3.11 hostapd CVE-2017-13082 (6d852c12)
- v3.11 lame CVE-2015-9099 (4682ce00)
- v3.11 lame CVE-2017-9410 (4682ce00)
- v3.11 lame CVE-2017-9411 (4682ce00)
- v3.11 lame CVE-2017-9412 (4682ce00)
- v3.11 libsndfile CVE-2018-19758 (aba083c6)
- v3.11 libvorbis CVE-2018-10393 (28c3640a)
- v3.11 rdesktop CVE-2018-20175 (32b2d233)
- v3.11 rdesktop CVE-2018-20176 (32b2d233)
- v3.11 samba CVE-2018-14629 (ee1c2d92)
- v3.11 sdl CVE-2019-7577 (f149d00e)
- v3.11 sqlite CVE-2019-19242 (71fcdfce)
- v3.11 tor CVE-2019-8955 (945ddd42)
- v3.11 wireshark CVE-2017-13765 (062cbfcf)
- v3.11 wireshark CVE-2017-13766 (062cbfcf)
- v3.11 wireshark CVE-2017-13767 (062cbfcf)
- v3.11 wireshark CVE-2017-15191 (062cbfcf)
- v3.11 wireshark CVE-2017-15192 (062cbfcf)
- v3.11 wireshark CVE-2017-15193 (062cbfcf)
- v3.11 wpa_supplicant CVE-2019-11555 (e84bb0f6)
- v3.11 wpa_supplicant CVE-2017-13077 (e84bb0f6)
- v3.11 wpa_supplicant CVE-2017-13078 (e84bb0f6)
- v3.11 wpa_supplicant CVE-2017-13079 (e84bb0f6)
- v3.11 wpa_supplicant CVE-2017-13080 (e84bb0f6)
- v3.11 wpa_supplicant CVE-2017-13081 (e84bb0f6)
- v3.11 wpa_supplicant CVE-2017-13082 (e84bb0f6)
- v3.11 wpa_supplicant CVE-2017-13086 (e84bb0f6)
- v3.11 wpa_supplicant CVE-2017-13087 (e84bb0f6)
- v3.11 wpa_supplicant CVE-2017-13088 (e84bb0f6)
- v3.12 busybox CVE-2019-5747 (d674ed89)
- v3.12 clamav CVE-2020-3123 (d674ed89)
- v3.12 exim CVE-2018-6789 (8069e74a)
- v3.12 firefox-esr CVE-2017-7843 (d674ed89)
- v3.12 ghostscript CVE-2019-6116 (880b8f85)
- v3.12 hostapd CVE-2017-13082 (d674ed89)
- v3.12 lame CVE-2015-9099 (d674ed89)
- v3.12 lame CVE-2017-9410 (d674ed89)
- v3.12 lame CVE-2017-9411 (d674ed89)
- v3.12 lame CVE-2017-9412 (d674ed89)
- v3.12 libsndfile CVE-2018-19758 (d674ed89)
- v3.12 libvorbis CVE-2018-10393 (d674ed89)
- v3.12 rdesktop CVE-2018-20175 (d674ed89)
- v3.12 rdesktop CVE-2018-20176 (d674ed89)
- v3.12 samba CVE-2018-14629 (eeaffa45)
- v3.12 sdl CVE-2019-7577 (d674ed89)
- v3.12 sqlite CVE-2019-19242 (d674ed89)
- v3.12 tor CVE-2019-8955 (d674ed89)
- v3.12 wireshark CVE-2017-15191 (12743c84)
- v3.12 wireshark CVE-2017-15192 (12743c84)
- v3.12 wireshark CVE-2017-15193 (12743c84)
- v3.12 wireshark CVE-2017-13765 (12743c84)
- v3.12 wireshark CVE-2017-13766 (12743c84)
- v3.12 wireshark CVE-2017-13767 (12743c84)
- v3.12 wpa_supplicant CVE-2017-13077 (48fb8266)
- v3.12 wpa_supplicant CVE-2017-13078 (48fb8266)
- v3.12 wpa_supplicant CVE-2017-13079 (48fb8266)
- v3.12 wpa_supplicant CVE-2017-13080 (48fb8266)
- v3.12 wpa_supplicant CVE-2017-13081 (48fb8266)
- v3.12 wpa_supplicant CVE-2017-13082 (48fb8266)
- v3.12 wpa_supplicant CVE-2017-13086 (48fb8266)
- v3.12 wpa_supplicant CVE-2017-13087 (48fb8266)
- v3.12 wpa_supplicant CVE-2017-13088 (48fb8266)
- v3.12 wpa_supplicant CVE-2019-11555 (48fb8266)
For the cases shown above, it isn't well defined which of the versions should be expected as the initial fixed version for the CVE. If you're able to fix those, that's great. Otherwise, if you're able to let us know which one we should treat as the initial fixed version, we can report the correct versions in Snyk.
As @ncopa suggested - #11912 (closed), it would be awesome if we could prevent these cases from happening at all - this would help us have a more accurate and correct understanding of the security fixes.
Thanks!
Edited by Natanael Copa
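
A lint check of the kind the issue asks for, as an added example (not part of the original issue and not Alpine's or Snyk's tooling): it parses the `# secfixes:` comment block of an APKBUILD and reports every id recorded under more than one fixed version. The sample APKBUILD, its package name, versions and CVE ids are constructed placeholders, and the block layout (version keys followed by `- ID` items) is assumed.

```python
import re
from collections import defaultdict

# Constructed APKBUILD fragment: package name, versions and CVE ids are placeholders.
SAMPLE_APKBUILD = """\
pkgname=examplepkg
pkgver=1.2.3

# secfixes:
#   1.2.3-r0:
#     - CVE-0000-0003
#   1.2.0-r0:
#     - CVE-0000-0001
#     - CVE-0000-0002
#   1.1.0-r2:
#     - CVE-0000-0001

build() { :; }
"""

VERSION_RE = re.compile(r"^#\s{2,}(\S+):\s*$")   # "#   1.2.0-r0:"
ID_RE = re.compile(r"^#\s+-\s+(.+?)\s*$")        # "#     - CVE-..."

def parse_secfixes(apkbuild_text):
    """Return {fixed_version: [ids]} from the '# secfixes:' comment block."""
    fixes, current, in_block = {}, None, False
    for line in apkbuild_text.splitlines():
        if not in_block:
            in_block = line.strip() == "# secfixes:"
        elif not line.startswith("#"):
            break  # the block ends at the first non-comment line
        elif (m := VERSION_RE.match(line)):
            current = m.group(1)
            fixes.setdefault(current, [])
        elif current is not None and (m := ID_RE.match(line)):
            fixes[current] += [i for i in re.split(r"[,\s]+", m.group(1)) if i]
    return fixes

def duplicated_ids(fixes):
    """Return {id: [versions]} for ids recorded under more than one version."""
    seen = defaultdict(list)
    for version, ids in fixes.items():
        for vuln_id in ids:
            if version not in seen[vuln_id]:
                seen[vuln_id].append(version)
    return {i: v for i, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for vuln_id, versions in duplicated_ids(parse_secfixes(SAMPLE_APKBUILD)).items():
        print(f"{vuln_id} listed under {', '.join(versions)}")
```

The check only flags the ambiguity; deciding which entry is the initial fixed version still needs a maintainer or the commit history.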