Fixing CVEs with unlimited version ranges #377

Open
AMDmi3 opened this issue Jun 1, 2020 · 4 comments

Comments

@AMDmi3
Member

AMDmi3 commented Jun 1, 2020

Allowing CVE version ranges not limited from above has revealed a bunch of old CVEs with ranges covering all current and future versions. These need fixing in NVD.

  • activemq
  • alsa-lib 📧
  • amarok
  • apache
  • asterisk
  • bash
  • bind
  • bitchx
  • bitlbee
  • blender
  • bugzilla
  • bzip2
  • clamav
  • concourse
  • coreutils
  • cpio
  • cups
  • drupal
  • e107
  • emacs
  • epiphany
  • exim
  • exiv2
  • ffmpeg
  • firefox
  • freeipa
  • freeradius
  • fuse
  • gdb
  • gedit
  • git
  • gitlab
  • gnome-shell
  • gnutls
  • google-chrome
  • graphicsmagick
  • groff
  • gstreamer
  • gtk
  • heimdal
  • imagemagick
  • inn
  • ipsec-tools
  • jira
  • joomla
  • js:jquery
  • konqueror
  • lcms
  • libdwarf
  • libvirt
  • libxslt
  • linux
  • lynx
  • mailman
  • mariadb
  • mediawiki
  • mutt
  • mysql
  • networkmanager
  • nss
  • ntp
  • openjdk
  • openldap
  • openssh
  • openssl
  • openswan
  • osticket
  • otrs
  • pdns
  • php
  • phpbb
  • phplist
  • pidgin
  • portage
  • procmail
  • proftpd
  • punbb
  • python
  • qemu
  • realplayer
  • rsync
  • rxvt
  • samba
  • seamonkey
  • sendmail
  • skype
  • sqlite
  • squirrelmail
  • subversion
  • sympa
  • systemtap
  • t1lib
  • thttpd
  • thunderbird
  • tomcat
  • tor 📧
  • trac
  • typo3
  • unzip
  • util-linux
  • v8
  • wordpress
  • wu-ftpd
  • xen
  • xpdf
  • xterm
  • xymon
  • ytnef
@tomato42

What if a given issue is still unfixed, or worse yet, unfixable? Then an unlimited version range is correct, and marking the package as vulnerable is also correct...

@AMDmi3
Member Author

AMDmi3 commented Oct 19, 2020

Yes. But there are too many bogus unlimited ranges, which outweigh the benefits of considering legitimate ones.

@tomato42

Are you talking about ones that have both the upper and lower bound missing, or do you also include ones that have just the upper bound missing?

@AMDmi3
Member Author

AMDmi3 commented Oct 19, 2020

I don't differentiate these.
