CVE's reported to be fixed twice in the secfixes comments/ secdb.alpinelinux.org (#11914) · Issues · alpine / aports

CVE's reported to be fixed twice in the secfixes comments/ secdb.alpinelinux.org

Following up from our chat on IRC, adding here all the cases we found that have the same CVE for different fixed version for a specific package

v3.3 openssl CVE-2017-3738
v3.4 openssl CVE-2017-3738
v3.4 php5 CVE-2018-5712
v3.5 openssl CVE-2017-3738
v3.5 php5 CVE-2018-5712
v3.5 php7 CVE-2018-5712
v3.6 bind CVE-2017-3145
v3.6 bind CVE-2017-3142
v3.6 bind CVE-2017-3143
v3.6 ffmpeg CVE-2017-11665
v3.6 ghostscript CVE-2019-6116
v3.6 openssl CVE-2017-3738
v3.6 php5 CVE-2018-5712
v3.6 php7 CVE-2018-5712
v3.6 wireshark CVE-2018-7335
v3.6 wireshark CVE-2018-7334
v3.6 wireshark CVE-2018-7336
v3.7 bind CVE-2017-3145
v3.7 firefox-esr CVE-2017-7843
v3.7 ghostscript CVE-2019-6116
v3.7 lame CVE-2017-9410
v3.7 lame CVE-2017-9411
v3.7 lame CVE-2017-9412
v3.7 lame CVE-2015-9099
v3.7 openssl CVE-2017-3738
v3.7 php5 CVE-2018-5712
v3.7 php7 CVE-2018-5712
v3.7 php7 CVE-2018-7584
v3.7 sdl CVE-2019-7577
v3.7 wireshark CVE-2017-15191
v3.7 wireshark CVE-2017-15192
v3.7 wireshark CVE-2017-15193
v3.7 wireshark CVE-2017-13765
v3.7 wireshark CVE-2017-13766
v3.7 wireshark CVE-2017-13767
v3.8 exim CVE-2018-6789
v3.8 firefox-esr CVE-2017-7843
v3.8 ghostscript CVE-2019-6116
v3.8 lame CVE-2017-9410
v3.8 lame CVE-2017-9411
v3.8 lame CVE-2017-9412
v3.8 lame CVE-2015-9099
v3.8 openssl CVE-2017-3738
v3.8 php5 CVE-2018-5712
v3.8 samba CVE-2018-14629
v3.8 sdl CVE-2019-7577
v3.8 sqlite CVE-2018-20346
v3.8 sqlite CVE-2019-19242
v3.8 wireshark CVE-2017-15191
v3.8 wireshark CVE-2017-15192
v3.8 wireshark CVE-2017-15193
v3.8 wireshark CVE-2017-13765
v3.8 wireshark CVE-2017-13766
v3.8 wireshark CVE-2017-13767
v3.9 exim CVE-2018-6789
v3.9 firefox-esr CVE-2017-7843
v3.9 ghostscript CVE-2019-6116
v3.9 hostapd CVE-2017-13082
v3.9 lame CVE-2015-9099
v3.9 lame CVE-2017-9410
v3.9 lame CVE-2017-9411
v3.9 lame CVE-2017-9412
v3.9 libsndfile CVE-2018-19758
v3.9 libvorbis CVE-2018-10393
v3.9 samba CVE-2018-14629
v3.9 sdl CVE-2019-7577
v3.9 sqlite CVE-2019-19242
v3.9 wireshark CVE-2017-15191
v3.9 wireshark CVE-2017-15192
v3.9 wireshark CVE-2017-15193
v3.9 wireshark CVE-2017-13765
v3.9 wireshark CVE-2017-13766
v3.9 wireshark CVE-2017-13767
v3.9 wpa_supplicant CVE-2017-13077
v3.9 wpa_supplicant CVE-2017-13078
v3.9 wpa_supplicant CVE-2017-13079
v3.9 wpa_supplicant CVE-2017-13080
v3.9 wpa_supplicant CVE-2017-13081
v3.9 wpa_supplicant CVE-2017-13082
v3.9 wpa_supplicant CVE-2017-13086
v3.9 wpa_supplicant CVE-2017-13087
v3.9 wpa_supplicant CVE-2017-13088
v3.9 xen CVE-2019-19579,XSA-306
v3.10 busybox CVE-2019-5747
v3.10 exim CVE-2018-6789
v3.10 firefox-esr CVE-2017-7843
v3.10 ghostscript CVE-2019-6116
v3.10 hostapd CVE-2017-13082
v3.10 lame CVE-2015-9099
v3.10 lame CVE-2017-9410
v3.10 lame CVE-2017-9411
v3.10 lame CVE-2017-9412
v3.10 libsndfile CVE-2018-19758
v3.10 libvorbis CVE-2018-10393
v3.10 rdesktop CVE-2018-20175
v3.10 rdesktop CVE-2018-20176
v3.10 samba CVE-2018-14629
v3.10 sdl CVE-2019-7577
v3.10 sqlite CVE-2019-19242
v3.10 unbound CVE-2020-12662
v3.10 unbound CVE-2020-12663
v3.10 wireshark CVE-2017-15191
v3.10 wireshark CVE-2017-15192
v3.10 wireshark CVE-2017-15193
v3.10 wireshark CVE-2017-13765
v3.10 wireshark CVE-2017-13766
v3.10 wireshark CVE-2017-13767
v3.10 wpa_supplicant CVE-2019-11555
v3.10 wpa_supplicant CVE-2017-13077
v3.10 wpa_supplicant CVE-2017-13078
v3.10 wpa_supplicant CVE-2017-13079
v3.10 wpa_supplicant CVE-2017-13080
v3.10 wpa_supplicant CVE-2017-13081
v3.10 wpa_supplicant CVE-2017-13082
v3.10 wpa_supplicant CVE-2017-13086
v3.10 wpa_supplicant CVE-2017-13087
v3.10 wpa_supplicant CVE-2017-13088
v3.11 busybox CVE-2019-5747
v3.11 exim CVE-2018-6789
v3.11 firefox-esr CVE-2017-7843
v3.11 ghostscript CVE-2019-6116
v3.11 hostapd CVE-2017-13082
v3.11 lame CVE-2015-9099
v3.11 lame CVE-2017-9410
v3.11 lame CVE-2017-9411
v3.11 lame CVE-2017-9412
v3.11 libsndfile CVE-2018-19758
v3.11 libvorbis CVE-2018-10393
v3.11 rdesktop CVE-2018-20175
v3.11 rdesktop CVE-2018-20176
v3.11 samba CVE-2018-14629
v3.11 sdl CVE-2019-7577
v3.11 sqlite CVE-2019-19242
v3.11 tor CVE-2019-8955
v3.11 wireshark CVE-2017-13765
v3.11 wireshark CVE-2017-13766
v3.11 wireshark CVE-2017-13767
v3.11 wireshark CVE-2017-15191
v3.11 wireshark CVE-2017-15192
v3.11 wireshark CVE-2017-15193
v3.11 wpa_supplicant CVE-2019-11555
v3.11 wpa_supplicant CVE-2017-13077
v3.11 wpa_supplicant CVE-2017-13078
v3.11 wpa_supplicant CVE-2017-13079
v3.11 wpa_supplicant CVE-2017-13080
v3.11 wpa_supplicant CVE-2017-13081
v3.11 wpa_supplicant CVE-2017-13082
v3.11 wpa_supplicant CVE-2017-13086
v3.11 wpa_supplicant CVE-2017-13087
v3.11 wpa_supplicant CVE-2017-13088
v3.12 busybox CVE-2019-5747
v3.12 clamav CVE-2020-3123
v3.12 exim CVE-2018-6789
v3.12 firefox-esr CVE-2017-7843
v3.12 ghostscript CVE-2019-6116
v3.12 hostapd CVE-2017-13082
v3.12 lame CVE-2015-9099
v3.12 lame CVE-2017-9410
v3.12 lame CVE-2017-9411
v3.12 lame CVE-2017-9412
v3.12 libsndfile CVE-2018-19758
v3.12 libvorbis CVE-2018-10393
v3.12 rdesktop CVE-2018-20175
v3.12 rdesktop CVE-2018-20176
v3.12 samba CVE-2018-14629
v3.12 sdl CVE-2019-7577
v3.12 sqlite CVE-2019-19242
v3.12 tor CVE-2019-8955
v3.12 wireshark CVE-2017-15191
v3.12 wireshark CVE-2017-15192
v3.12 wireshark CVE-2017-15193
v3.12 wireshark CVE-2017-13765
v3.12 wireshark CVE-2017-13766
v3.12 wireshark CVE-2017-13767
v3.12 wpa_supplicant CVE-2017-13077
v3.12 wpa_supplicant CVE-2017-13078
v3.12 wpa_supplicant CVE-2017-13079
v3.12 wpa_supplicant CVE-2017-13080
v3.12 wpa_supplicant CVE-2017-13081
v3.12 wpa_supplicant CVE-2017-13082
v3.12 wpa_supplicant CVE-2017-13086
v3.12 wpa_supplicant CVE-2017-13087
v3.12 wpa_supplicant CVE-2017-13088
v3.12 wpa_supplicant CVE-2019-11555

For the cases shown above, it isn't well defined which of the versions should be expected as the initial fixed version for the CVE. If you're able to fix those, that's great. Otherwise, if you're able to let us know which one we should treat as the initial fixed version, we can report the correct versions in Snyk.

As @ncopa suggested - #11912, it will be awesome if we could prevent this cases from happening at all - this would help us have more accurate and correct understanding of the security fixes 🙏

Thanks!

Hey @Leo @ncopa :wave:!

Following up from our chat on IRC, adding here all the cases we found that have the same CVE for different fixed version for a specific package

```
v3.3 openssl CVE-2017-3738
v3.4 openssl CVE-2017-3738
v3.4 php5 CVE-2018-5712
v3.5 openssl CVE-2017-3738
v3.5 php5 CVE-2018-5712
v3.5 php7 CVE-2018-5712
v3.6 bind CVE-2017-3145
v3.6 bind CVE-2017-3142
v3.6 bind CVE-2017-3143
v3.6 ffmpeg CVE-2017-11665
v3.6 ghostscript CVE-2019-6116
v3.6 openssl CVE-2017-3738
v3.6 php5 CVE-2018-5712
v3.6 php7 CVE-2018-5712
v3.6 wireshark CVE-2018-7335
v3.6 wireshark CVE-2018-7334
v3.6 wireshark CVE-2018-7336
v3.7 bind CVE-2017-3145
v3.7 firefox-esr CVE-2017-7843
v3.7 ghostscript CVE-2019-6116
v3.7 lame CVE-2017-9410
v3.7 lame CVE-2017-9411
v3.7 lame CVE-2017-9412
v3.7 lame CVE-2015-9099
v3.7 openssl CVE-2017-3738
v3.7 php5 CVE-2018-5712
v3.7 php7 CVE-2018-5712
v3.7 php7 CVE-2018-7584
v3.7 sdl CVE-2019-7577
v3.7 wireshark CVE-2017-15191
v3.7 wireshark CVE-2017-15192
v3.7 wireshark CVE-2017-15193
v3.7 wireshark CVE-2017-13765
v3.7 wireshark CVE-2017-13766
v3.7 wireshark CVE-2017-13767
v3.8 exim CVE-2018-6789
v3.8 firefox-esr CVE-2017-7843
v3.8 ghostscript CVE-2019-6116
v3.8 lame CVE-2017-9410
v3.8 lame CVE-2017-9411
v3.8 lame CVE-2017-9412
v3.8 lame CVE-2015-9099
v3.8 openssl CVE-2017-3738
v3.8 php5 CVE-2018-5712
v3.8 samba CVE-2018-14629
v3.8 sdl CVE-2019-7577
v3.8 sqlite CVE-2018-20346
v3.8 sqlite CVE-2019-19242
v3.8 wireshark CVE-2017-15191
v3.8 wireshark CVE-2017-15192
v3.8 wireshark CVE-2017-15193
v3.8 wireshark CVE-2017-13765
v3.8 wireshark CVE-2017-13766
v3.8 wireshark CVE-2017-13767
v3.9 exim CVE-2018-6789
v3.9 firefox-esr CVE-2017-7843
v3.9 ghostscript CVE-2019-6116
v3.9 hostapd CVE-2017-13082
v3.9 lame CVE-2015-9099
v3.9 lame CVE-2017-9410
v3.9 lame CVE-2017-9411
v3.9 lame CVE-2017-9412
v3.9 libsndfile CVE-2018-19758
v3.9 libvorbis CVE-2018-10393
v3.9 samba CVE-2018-14629
v3.9 sdl CVE-2019-7577
v3.9 sqlite CVE-2019-19242
v3.9 wireshark CVE-2017-15191
v3.9 wireshark CVE-2017-15192
v3.9 wireshark CVE-2017-15193
v3.9 wireshark CVE-2017-13765
v3.9 wireshark CVE-2017-13766
v3.9 wireshark CVE-2017-13767
v3.9 wpa_supplicant CVE-2017-13077
v3.9 wpa_supplicant CVE-2017-13078
v3.9 wpa_supplicant CVE-2017-13079
v3.9 wpa_supplicant CVE-2017-13080
v3.9 wpa_supplicant CVE-2017-13081
v3.9 wpa_supplicant CVE-2017-13082
v3.9 wpa_supplicant CVE-2017-13086
v3.9 wpa_supplicant CVE-2017-13087
v3.9 wpa_supplicant CVE-2017-13088
v3.9 xen CVE-2019-19579,XSA-306
v3.10 busybox CVE-2019-5747
v3.10 exim CVE-2018-6789
v3.10 firefox-esr CVE-2017-7843
v3.10 ghostscript CVE-2019-6116
v3.10 hostapd CVE-2017-13082
v3.10 lame CVE-2015-9099
v3.10 lame CVE-2017-9410
v3.10 lame CVE-2017-9411
v3.10 lame CVE-2017-9412
v3.10 libsndfile CVE-2018-19758
v3.10 libvorbis CVE-2018-10393
v3.10 rdesktop CVE-2018-20175
v3.10 rdesktop CVE-2018-20176
v3.10 samba CVE-2018-14629
v3.10 sdl CVE-2019-7577
v3.10 sqlite CVE-2019-19242
v3.10 unbound CVE-2020-12662
v3.10 unbound CVE-2020-12663
v3.10 wireshark CVE-2017-15191
v3.10 wireshark CVE-2017-15192
v3.10 wireshark CVE-2017-15193
v3.10 wireshark CVE-2017-13765
v3.10 wireshark CVE-2017-13766
v3.10 wireshark CVE-2017-13767
v3.10 wpa_supplicant CVE-2019-11555
v3.10 wpa_supplicant CVE-2017-13077
v3.10 wpa_supplicant CVE-2017-13078
v3.10 wpa_supplicant CVE-2017-13079
v3.10 wpa_supplicant CVE-2017-13080
v3.10 wpa_supplicant CVE-2017-13081
v3.10 wpa_supplicant CVE-2017-13082
v3.10 wpa_supplicant CVE-2017-13086
v3.10 wpa_supplicant CVE-2017-13087
v3.10 wpa_supplicant CVE-2017-13088
v3.11 busybox CVE-2019-5747
v3.11 exim CVE-2018-6789
v3.11 firefox-esr CVE-2017-7843
v3.11 ghostscript CVE-2019-6116
v3.11 hostapd CVE-2017-13082
v3.11 lame CVE-2015-9099
v3.11 lame CVE-2017-9410
v3.11 lame CVE-2017-9411
v3.11 lame CVE-2017-9412
v3.11 libsndfile CVE-2018-19758
v3.11 libvorbis CVE-2018-10393
v3.11 rdesktop CVE-2018-20175
v3.11 rdesktop CVE-2018-20176
v3.11 samba CVE-2018-14629
v3.11 sdl CVE-2019-7577
v3.11 sqlite CVE-2019-19242
v3.11 tor CVE-2019-8955
v3.11 wireshark CVE-2017-13765
v3.11 wireshark CVE-2017-13766
v3.11 wireshark CVE-2017-13767
v3.11 wireshark CVE-2017-15191
v3.11 wireshark CVE-2017-15192
v3.11 wireshark CVE-2017-15193
v3.11 wpa_supplicant CVE-2019-11555
v3.11 wpa_supplicant CVE-2017-13077
v3.11 wpa_supplicant CVE-2017-13078
v3.11 wpa_supplicant CVE-2017-13079
v3.11 wpa_supplicant CVE-2017-13080
v3.11 wpa_supplicant CVE-2017-13081
v3.11 wpa_supplicant CVE-2017-13082
v3.11 wpa_supplicant CVE-2017-13086
v3.11 wpa_supplicant CVE-2017-13087
v3.11 wpa_supplicant CVE-2017-13088
v3.12 busybox CVE-2019-5747
v3.12 clamav CVE-2020-3123
v3.12 exim CVE-2018-6789
v3.12 firefox-esr CVE-2017-7843
v3.12 ghostscript CVE-2019-6116
v3.12 hostapd CVE-2017-13082
v3.12 lame CVE-2015-9099
v3.12 lame CVE-2017-9410
v3.12 lame CVE-2017-9411
v3.12 lame CVE-2017-9412
v3.12 libsndfile CVE-2018-19758
v3.12 libvorbis CVE-2018-10393
v3.12 rdesktop CVE-2018-20175
v3.12 rdesktop CVE-2018-20176
v3.12 samba CVE-2018-14629
v3.12 sdl CVE-2019-7577
v3.12 sqlite CVE-2019-19242
v3.12 tor CVE-2019-8955
v3.12 wireshark CVE-2017-15191
v3.12 wireshark CVE-2017-15192
v3.12 wireshark CVE-2017-15193
v3.12 wireshark CVE-2017-13765
v3.12 wireshark CVE-2017-13766
v3.12 wireshark CVE-2017-13767
v3.12 wpa_supplicant CVE-2017-13077
v3.12 wpa_supplicant CVE-2017-13078
v3.12 wpa_supplicant CVE-2017-13079
v3.12 wpa_supplicant CVE-2017-13080
v3.12 wpa_supplicant CVE-2017-13081
v3.12 wpa_supplicant CVE-2017-13082
v3.12 wpa_supplicant CVE-2017-13086
v3.12 wpa_supplicant CVE-2017-13087
v3.12 wpa_supplicant CVE-2017-13088
v3.12 wpa_supplicant CVE-2019-11555
```

For the cases shown above, it isn't well defined which of the versions should be expected as the initial fixed version for the CVE. 
If you're able to fix those, that's great. Otherwise, if you're able to let us know which one we should treat as the initial fixed version, we can report the correct versions in Snyk.

As @ncopa suggested - https://gitlab.alpinelinux.org/alpine/aports/-/issues/11912, it will be awesome if we could prevent this cases from happening at all - this would help us have more accurate and correct understanding of the security fixes :pray:

Thanks!

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.