
The Vulnerability Digest is an XML document, fully compliant with the CVRF/1.1 Schemas. It is updated once a day.

The document contains a full list of relevant vulnerabilities. The <Version> has the form year.month.day.hour, and the <RevisionHistory> includes only a single <Revision>, which indicates the creation date. Ordinal numbers are not preserved between two Versions.

<DocumentDistribution> indicates that the CVRF file must not be shared with people beyond your organization, as stated in the Security Information Access Terms.

The <ProductTree> indicates all products and product versions covered by the particular CVRF document:

  • Router firmware (Conel OS) is covered since version 6.1.2 (released June 2017).
  • Core user modules are covered since January 2017.

The <Branch Type="Architecture"> can be:

  • RBv2 or RBv3, which identifies the router platform (v2, v3) per the Firmware Distribution Overview.
  • amd64, which identifies server-side software (e.g. WebAccess/VPN).

Vulnerability <Title> can contain:

Vulnerability <ReleaseDate> indicates when the vulnerability was published.

Vulnerability <Involvement> Status can be:

  • Open, indicating the team is aware of this new vulnerability, which is still in the Triage or Remediation phase. Status information is not available.
  • Completed, indicating the vulnerability has been Remediated and the Status information has been published.

Vulnerability <Status> Type indicates which products and product versions are affected by the vulnerability. This information is not available for vulnerabilities in the Triage or Remediation phase.

For Type="Known Not Affected" there is always a <Threat Type="Exploit Status"> with a <Description> that provides additional rationale. The following reasons may be used:

  • Not Compiled. A patch is available and none of the patched source files is compiled and used in the product.
  • Not Shipped. The affected file is not shipped with the product.
  • Other System. The vulnerability affects another operating system, e.g. MS Windows.
  • Other Processor. The vulnerability affects another CPU, e.g. Intel.
  • Disabled. The affected functionality (e.g. secure boot) is not used in the product.
  • Patched. The vulnerability has been patched (in a previous version).
  • Upgraded. The product is no longer vulnerable, because the package has been upgraded to a newer version.
  • Before Broken. The vulnerability has been introduced in a later version of the mainline branch.
  • After Fixed. The vulnerability has been fixed in an earlier version of the mainline branch.
  • Backported. The vulnerability has been fixed in an earlier version of the used stable branch.
  • Vendor Specific. The vulnerability applies to some distributions only; it does not apply to the mainline kernel.
  • Invalid. The vulnerability has been marked as invalid.
  • Withdrawn. The vulnerability has been withdrawn.

For Type="Known Affected" there is always either a <Remediation Type="Vendor Fix"> indicating which product version fixed this vulnerability, or a <Remediation Type="Mitigation"> referring to a specific section in Security Guidelines that addresses this vulnerability.

Vulnerabilities that are not listed do not affect any of the products indicated in the <ProductTree>.
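A consumer of the digest can read the Involvement status, the per-product Status Types and the "Known Not Affected" rationale, and check the two "there is always" rules described above. The following is an added example, not code from the digest's publisher; the sample document, its titles and its product IDs are constructed placeholders, and `triage` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Namespace of the CVRF 1.1 vulnerability schema.
V = "{http://www.icasi.org/CVRF/schema/vuln/1.1}"

# Constructed sample digest; titles and product IDs are placeholders.
SAMPLE = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
 <Title>EXAMPLE-A</Title><Involvements><Involvement Party="Vendor" Status="Completed"/></Involvements>
 <ProductStatuses>
  <Status Type="Known Affected"><ProductID>P-1</ProductID></Status>
  <Status Type="Known Not Affected"><ProductID>P-2</ProductID></Status>
 </ProductStatuses>
 <Threats><Threat Type="Exploit Status"><Description>Not Shipped</Description></Threat></Threats>
 <Remediations><Remediation Type="Vendor Fix"><Description>placeholder</Description></Remediation></Remediations>
</Vulnerability>
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
 <Title>EXAMPLE-B</Title><Involvements><Involvement Party="Vendor" Status="Open"/></Involvements>
</Vulnerability>
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
 <Title>EXAMPLE-C</Title><Involvements><Involvement Party="Vendor" Status="Completed"/></Involvements>
 <ProductStatuses><Status Type="Known Not Affected"><ProductID>P-1</ProductID></Status></ProductStatuses>
</Vulnerability>
</cvrfdoc>"""

def triage(xml_text):
    """Summarise each vulnerability and flag entries that break the digest's stated rules."""
    report = []
    for v in ET.fromstring(xml_text).iter(V + "Vulnerability"):
        inv = v.find(f"{V}Involvements/{V}Involvement")
        statuses = {s.get("Type"): [p.text for p in s.iter(V + "ProductID")]
                    for s in v.iter(V + "Status")}
        reasons = [t.findtext(V + "Description", "").strip()
                   for t in v.iter(V + "Threat") if t.get("Type") == "Exploit Status"]
        fixes = {r.get("Type") for r in v.iter(V + "Remediation")}
        problems = []
        if "Known Not Affected" in statuses and not any(reasons):
            problems.append("Known Not Affected without Exploit Status rationale")
        if "Known Affected" in statuses and not fixes & {"Vendor Fix", "Mitigation"}:
            problems.append("Known Affected without Vendor Fix or Mitigation")
        report.append({"title": v.findtext(V + "Title", ""),
                       "involvement": inv.get("Status") if inv is not None else None,
                       "statuses": statuses, "reasons": reasons, "problems": problems})
    return report

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

An entry with involvement "Open" and no statuses is still in the Triage or Remediation phase, so the absence of Status data there must not be read as "not affected".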