[Openvas-plugins] CPE INVENTORY
s.aucouturier at itrust.fr
Mon Jun 20 11:55:33 CEST 2011
> I don't know neither...
> Nevertheless I can see (only) two entries like this in the CPE
> dictionary. According to the CPE specification (2.2), the vendor
> part "should be the highest organization-specific label of the
> organization's DNS name". My understanding of this leads to openbsd
> (http://www.openbsd.org) and makes me think that
> cpe:/a:openssh:openssh entries should probably be deprecated.
>  http://web.nvd.nist.gov/view/cpe/search/results?searchChoice=name&searchText=cpe%3A%2Fa%3Aopenssh%3Aopenssh
I dig to get more information and
got some useful on : http://www.openssh.com/portable.html.
that can help to distinguish some ssh portage (but not all :-( and
mismatch some cve :-( what a dilemma :-( )
The '*portable OpenSSH*' follows development of the official version,
but releases are not synchronized.
*Portable releases are marked with a 'p'* (e.g. 5.8p1).
*The official OpenBSD source will never use the 'p' suffix*, but will
instead increment the version number when they hit 'stable spots' in
my view :
OpenSSH_5.8p1-hpn13v10 => cpe:/a:openssh:openssh:5.8p1
OpenSSH_5.8 => cpe:/a:openbsd:openssh:5.8
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openvas-plugins