Covering Linux-related vulnerability data introduces additional challenges, as there are many different distributions, packages, and maintainers. We use different approaches to assign such entries depending on the maintainer and/or the affected component:
- If a Linux vulnerability is generic and affects core components, it is assigned to Linux Kernel as the product.
- If a Linux vulnerability affects a specific distribution only, we assign it to the distribution (and not to the generic Linux Kernel), for example to Red Hat Enterprise Linux or Debian Linux.
- If a Linux vulnerability affects specific architectures only (e.g. x86, x64), the entry records them in the field `software_platform`. VDB-150513 is an example.
- If a package is affected in general, we assign the entry to the specific package, for example sudo.
- If a package is maintained by a specific Linux distribution, we assign the distribution name to the field `software_vendor` and the affected package to the field `software_name`. VDB-109304 is an example.
- If a package is affected on a certain distribution but is not maintained by the distribution itself, we assign the entry to the specific package and set the field `software_platform` accordingly (e.g. ISC BIND on Red Hat). VDB-100949 is an example.
- If a package is affected on multiple distributions but not all of them, we assign the entry to the specific package and add the affected distributions to the field `software_affectedlist`. VDB-67685 is an example.
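The rules above form a small decision procedure, and the precedence between them (distribution-specific beats generic kernel; distribution-maintained packages use vendor/name rather than a product) is what an analyst or an importer has to get right. The following is an added illustration written for this page, not VulDB's own code: the field names are the ones listed above, while the `VulnInput` record layout, the rule precedence, and the assumption that `software_platform` collects both architectures and a hosting distribution are mine.

```python
"""Decision procedure mirroring the Linux assignment rules on this page.

Added illustration, not VulDB's own code. Field names come from the page;
the VulnInput layout and the rule precedence are assumptions.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class VulnInput:
    component: str                              # affected component or package, e.g. "sudo"
    core_kernel: bool = False                   # generic issue in core Linux components
    only_distribution: Optional[str] = None     # affects exactly one distribution
    maintained_by: Optional[str] = None         # distribution that maintains the package
    hosting_distribution: Optional[str] = None  # upstream package affected on this distro only
    architectures: List[str] = field(default_factory=list)
    affected_distributions: List[str] = field(default_factory=list)  # subset of distros


def assign_entry(v: VulnInput) -> Dict[str, Any]:
    """Return the product/field assignment the rules on this page would produce."""
    entry: Dict[str, Any] = {}
    if v.only_distribution:
        # Distribution-specific issues go to the distribution, never to "Linux Kernel".
        entry["product"] = v.only_distribution
    elif v.core_kernel:
        entry["product"] = "Linux Kernel"
    elif v.maintained_by:
        # Package maintained by a distribution: vendor is the distro, name is the package.
        entry["software_vendor"] = v.maintained_by
        entry["software_name"] = v.component
    else:
        # Upstream package: product is the package itself.
        entry["product"] = v.component
        if v.hosting_distribution:
            # Assumption: a single hosting distribution is recorded in software_platform.
            entry.setdefault("software_platform", []).append(v.hosting_distribution)
        if v.affected_distributions:
            entry["software_affectedlist"] = sorted(v.affected_distributions)
    if v.architectures:
        # Assumption: architectures share the software_platform field.
        entry.setdefault("software_platform", []).extend(v.architectures)
    return entry


def is_consistent(entry: Dict[str, Any]) -> bool:
    """An entry names either a product or a vendor/name pair, never both or neither."""
    has_product = "product" in entry
    has_pair = "software_vendor" in entry and "software_name" in entry
    return has_product != has_pair


if __name__ == "__main__":
    # Constructed sample records, one per rule above.
    samples = [
        VulnInput("kernel", core_kernel=True),
        VulnInput("kernel", core_kernel=True, only_distribution="Debian Linux"),
        VulnInput("kernel", core_kernel=True, architectures=["x86", "x64"]),
        VulnInput("sudo"),
        VulnInput("some-package", maintained_by="Red Hat"),
        VulnInput("ISC BIND", hosting_distribution="Red Hat"),
        VulnInput("openssl", affected_distributions=["Ubuntu", "Debian"]),
    ]
    for s in samples:
        e = assign_entry(s)
        print(s.component, "->", e, "consistent" if is_consistent(e) else "INCONSISTENT")
```

Running the script prints one assignment per constructed sample; `is_consistent` is the check an importer would run before accepting a record, since an entry that carries both a product and a vendor/name pair would match twice in downstream queries.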