The Vulnerability Digest is an XML document, fully compliant with the CVRF/1.1 Schemas. It is updated once a day.
The document contains a full list of relevant vulnerabilities. The <Version> is in the form year.month.day.hour and the <RevisionHistory> includes only a single <Revision>, which indicates the creation date. Ordinal numbers are not preserved between two Versions.
<DocumentDistribution> indicates that the CVRF file must not be shared with people outside your organization, as stated in the Security Information Access Terms.
The <ProductTree> indicates all products and product versions covered by the particular CVRF document:
- Router firmware (Conel OS) is covered since version 6.1.2 (released June 2017).
- Core user modules are covered since January 2017.
The <Branch Type="Architecture"> can be:
- RBv2, RBv3, which identify the router platform (v2, v3) per the Firmware Distribution Overview.
- amd64, which identifies server-side software (e.g. WebAccess/VPN).
Vulnerability <Title> can contain:
Vulnerability <ReleaseDate> indicates when the vulnerability was published.
Vulnerability <Involvement> Status can be:
- Open, indicating the team is aware of this new vulnerability, which is still in the Triage or Remediation phase; Status information is not yet available.
- Completed, indicating the vulnerability has been Remediated and the Status information has been published.
Vulnerability <Status> Type indicates which products and product versions are affected by the vulnerability. This information is not available for vulnerabilities in the Triage or Remediation phase.
For Type="Known Not Affected" there is always a <Threat Type="Exploit Status"> with a <Description> that provides additional rationale. The following reasons may be used:
- Not Compiled. A patch is available and none of the patched source files is compiled and used in the product.
- Not Shipped. The affected file is not shipped with the product.
- Other System. The vulnerability affects another operating system, e.g. MS Windows.
- Other Processor. The vulnerability affects another CPU, e.g. Intel.
- Disabled. The affected functionality (e.g. secure boot) is not used in the product.
- Patched. The vulnerability has been patched (in a previous version).
- Upgraded. The product is no longer vulnerable, because the package has been upgraded to a newer version.
- Before Broken. The vulnerability was introduced in a later version of the mainline branch.
- After Fixed. The vulnerability has been fixed in an earlier version of the mainline branch.
- Backported. The vulnerability has been fixed in an earlier version of the used stable branch.
- Vendor Specific. The vulnerability applies to some distributions only; it does not apply to the mainline kernel.
- Invalid. The vulnerability has been marked as invalid.
- Withdrawn. The vulnerability has been withdrawn.
For Type="Known Affected" there is always either a <Remediation Type="Vendor Fix"> indicating which product version fixed this vulnerability, or a <Remediation Type="Mitigation"> referring to a specific section in the Security Guidelines that addresses this vulnerability.
Vulnerabilities that are not listed do not affect any of the products indicated in the <ProductTree>.
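As an added example (not part of this digest documentation or the vendor's tooling), the following Python reads a constructed CVRF 1.1 digest using the conventions above: it reports each vulnerability's Involvement Status, its Status Type, the Exploit Status rationale for Known Not Affected products and the Remediation for Known Affected ones. The namespace URIs are the standard CVRF 1.1 ones; the product ID and CVE-style titles are constructed placeholders.

```python
import xml.etree.ElementTree as ET
# CVRF 1.1 namespaces: vulnerability elements live in vuln, the product tree in prod.
NS = {"vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
      "prod": "http://www.icasi.org/CVRF/schema/prod/1.1"}
# Constructed sample digest: one Known Affected, one Known Not Affected, one still Open.
SAMPLE = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
    xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
    xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <prod:ProductTree><prod:Branch Type="Architecture" Name="RBv3"><prod:FullProductName
      ProductID="rbv3-6.3.0">Conel OS 6.3.0</prod:FullProductName></prod:Branch></prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>CVE-EXAMPLE-0001 (constructed)</vuln:Title>
    <vuln:Involvement Party="Vendor" Status="Completed"/>
    <vuln:ProductStatuses><vuln:Status Type="Known Affected">
      <vuln:ProductID>rbv3-6.3.0</vuln:ProductID></vuln:Status></vuln:ProductStatuses>
    <vuln:Remediations><vuln:Remediation Type="Vendor Fix">
      <vuln:Description>Fixed in 6.3.1</vuln:Description></vuln:Remediation></vuln:Remediations>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>CVE-EXAMPLE-0002 (constructed)</vuln:Title>
    <vuln:Involvement Party="Vendor" Status="Completed"/>
    <vuln:ProductStatuses><vuln:Status Type="Known Not Affected">
      <vuln:ProductID>rbv3-6.3.0</vuln:ProductID></vuln:Status></vuln:ProductStatuses>
    <vuln:Threats><vuln:Threat Type="Exploit Status">
      <vuln:Description>Not Compiled</vuln:Description></vuln:Threat></vuln:Threats>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="3">
    <vuln:Title>CVE-EXAMPLE-0003 (constructed)</vuln:Title>
    <vuln:Involvement Party="Vendor" Status="Open"/>
  </vuln:Vulnerability>
</cvrfdoc>"""

def summarise(xml_text):
    # Map each vulnerability Title to (Involvement Status, Status Type, detail).
    out = {}
    for v in ET.fromstring(xml_text).findall("vuln:Vulnerability", NS):
        title = v.findtext("vuln:Title", namespaces=NS)
        involvement = v.find("vuln:Involvement", NS).get("Status")
        status = v.find("vuln:ProductStatuses/vuln:Status", NS)
        if status is None:  # Open: still in Triage/Remediation, no Status published yet
            out[title] = (involvement, None, None)
            continue
        if status.get("Type") == "Known Not Affected":  # rationale sits in the Exploit Status Threat
            detail = v.findtext("vuln:Threats/vuln:Threat[@Type='Exploit Status']/vuln:Description", namespaces=NS)
        else:  # Known Affected: Vendor Fix (fixing version) or Mitigation (Security Guidelines section)
            rem = v.find("vuln:Remediations/vuln:Remediation", NS)
            detail = (rem.get("Type"), rem.findtext("vuln:Description", namespaces=NS))
        out[title] = (involvement, status.get("Type"), detail)
    return out
```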