New user here, so it’s certainly possible I’m missing something fundamental, but… we’re seeing what looks like a large number of false positives on CentOS 6 kernel version checks on any system with the kernel-debuginfo-common-x86_64 RPM installed.
Here’s an example from “CentOS Update for kernel CESA-2018:2846 centos6 (OID: 1.3.6.1.4.1.25623.1.0.882957)”
Vulnerability Detection Result
Package kernel-firmware version kernel-debuginfo-common-x86_64-2.6.32-754.9.1.el6 is installed which is known to be vulnerable.
Note that
a) “kernel-debuginfo-common-x86_64” is not actually “kernel-firmware”
b) the fixed version of kernel-firmware for this VT is 2.6.32-754.6.3.el6
We see this issue on every kernel check that isn’t actually vulnerable (the ones that are report correctly) against this kernel-firmware/kernel-debuginfo mismatch. After looking over the plugins I think something funny is going on in pkg-lib-rpm.inc, probably to do with an underscore in a kernel-* package name.
Actual packages on this server:
[root@abergynolwyn ~]#rpm -qa | grep ^kernel
kernel-debuginfo-common-x86_64-2.6.32-754.9.1.el6.x86_64
kernel-2.6.32-754.9.1.el6.x86_64
kernel-debuginfo-2.6.32-754.9.1.el6.x86_64
kernel-firmware-2.6.32-754.9.1.el6.noarch
Any advice? I’m happy to run further testing, splice logging statements into the NVT etc. etc. if helpful.
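As an added illustration (not code from the NVT feed or from pkg-lib-rpm.inc), here is how an `rpm -qa` line can be split into name/version/release/arch and compared against a fixed version-release so that `kernel-debuginfo-common-x86_64` can never satisfy a `kernel-firmware` check. `rpmvercmp` is a simplified reimplementation of rpm's label comparison, and the sample input is the package listing from the post.

```python
import re
from typing import Optional

# Constructed sample: the `rpm -qa | grep ^kernel` output quoted in the post.
RPM_QA = """\
kernel-debuginfo-common-x86_64-2.6.32-754.9.1.el6.x86_64
kernel-2.6.32-754.9.1.el6.x86_64
kernel-debuginfo-2.6.32-754.9.1.el6.x86_64
kernel-firmware-2.6.32-754.9.1.el6.noarch
"""

def parse_nvra(line: str) -> dict:
    """Split an rpm -qa line into name/version/release/arch.
    Version and release never contain '-', so splitting on the LAST two
    hyphens is safe even when the name itself has hyphens or underscores."""
    name, version, rel_arch = line.strip().rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return {"name": name, "version": version, "release": release, "arch": arch}

def _segments(s: str):
    # rpm-style tokens: runs of digits or runs of letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1, 0 or 1; numeric segments compare numerically."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alpha segment
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def installed(pkgs, name: str):
    # Exact name match only: a prefix match would let "kernel-debuginfo-common-x86_64"
    # or any other kernel-* package stand in for "kernel-firmware".
    return [p for p in pkgs if p["name"] == name]

def is_vulnerable(rpm_qa: str, name: str, fixed_vr: str) -> Optional[str]:
    """Return the installed NVR if `name` is present below `fixed_vr`, else None."""
    pkgs = [parse_nvra(line) for line in rpm_qa.splitlines() if line.strip()]
    fixed_v, fixed_r = fixed_vr.split("-", 1)
    for p in installed(pkgs, name):
        # compare version first; only if equal does the release decide
        if (rpmvercmp(p["version"], fixed_v) or rpmvercmp(p["release"], fixed_r)) < 0:
            return f"{p['name']}-{p['version']}-{p['release']}"
    return None
```

With the fixed version from the post (2.6.32-754.6.3.el6), `is_vulnerable(RPM_QA, "kernel-firmware", ...)` returns `None`, because the only package named `kernel-firmware` is at 754.9.1.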