OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details in openssl #212

Open masty1982 opened 2 years ago

masty1982 commented 2 years ago

Component URLs

Description OSS Index reports two vulnerabilities for openssl version 1.1.1f, and this seems to be missing five vulnerabilities. The total number of vulnerabilities is seven, as reported by the Dependency-Track app, which uses the NVD database and this CPE (cpe:2.3:a:openssl:openssl:1.1.1f:*:*:*:*:*:*:*):

1. NVD CVE-2020-1967 | 21 Apr 2020 | CWE-476 NULL Pointer Dereference | High
2. NVD CVE-2020-1971 | 8 Dec 2020 | CWE-476 NULL Pointer Dereference | Medium
3. NVD CVE-2021-3449 | 25 Mar 2021 | CWE-476 NULL Pointer Dereference | Medium
4. NVD CVE-2021-23841 | 16 Feb 2021 | CWE-190 Integer Overflow or Wraparound | Medium
5. NVD CVE-2021-23840 | 16 Feb 2021 | CWE-190 Integer Overflow or Wraparound | High
6. NVD CVE-2021-3712 | 24 Aug 2021 | CWE-125 Out-of-bounds Read | High
7. NVD CVE-2021-3711 | 24 Aug 2021 | CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

For further information on vulnerabilities in openssl version 1.1.1f, see https://www.openssl.org/news/openssl-1.1.1-notes.html.

ken-duck commented 2 years ago

Thanks for letting us know. I have figured out the problem. We do have the data, but the version matching routines are unhappy with some of the openssl versions.

I know how to fix it, but it will take a bit of time.
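The version-matching problem described in the reply above is the kind of failure a numeric-only comparator has with OpenSSL's letter-suffixed 1.x releases. The following Python is an added illustration, not part of this issue thread; it does not reproduce OSS Index's actual matcher, its advisory data, or the fix. It contrasts a naive dotted-integer parser (which cannot parse `1.1.1f` and so silently matches nothing) with one that orders OpenSSL's letter suffixes correctly (`1.1.1` < `1.1.1a` < ... < `1.1.1z` < `1.1.1za`). The advisory identifiers and version ranges are constructed for the example and correspond to no real CVE.

```python
import re
from typing import Callable, List, Optional, Tuple

# Matches OpenSSL 1.x/0.9.x versions such as '1.1.1f', '1.0.2u', '0.9.8zh'
# as well as plain semver like '3.0.7' (empty suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(version: str) -> Optional[Tuple]:
    """Return a sortable key for an OpenSSL-style version, or None if unparsable.

    Letter suffixes are ordered by length first, then lexicographically, so
    '' < 'a' < 'z' < 'za' < 'zh', matching OpenSSL's release sequence.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), len(suffix), suffix)


def parse_numeric_only(version: str) -> Optional[Tuple[int, ...]]:
    """Naive comparator that expects dotted integers only.

    Returns None for '1.1.1f', which is the silent failure this example shows.
    """
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError:
        return None


def affected(version: str, introduced: str, fixed: str,
             parse: Callable[[str], Optional[Tuple]], strict: bool = False) -> bool:
    """True if introduced <= version < fixed under the given parser.

    With strict=False an unparsable version is treated as 'not affected',
    which is how advisories go missing. With strict=True it raises instead,
    so a scanner cannot quietly under-report.
    """
    v, lo, hi = parse(version), parse(introduced), parse(fixed)
    if v is None or lo is None or hi is None:
        if strict:
            raise ValueError(f"unparsable version in {version!r}/{introduced!r}/{fixed!r}")
        return False
    return lo <= v < hi


# Constructed sample advisory records: (id, introduced, first fixed version).
# These ids and ranges are invented for the example and are not real CVEs.
ADVISORIES = [
    ("EXAMPLE-ADV-1", "1.1.1", "1.1.1d"),  # fixed before 1.1.1f: must not match
    ("EXAMPLE-ADV-2", "1.1.1", "1.1.1g"),  # 1.1.1f is affected
    ("EXAMPLE-ADV-3", "1.1.1", "1.1.1i"),  # 1.1.1f is affected
    ("EXAMPLE-ADV-4", "1.1.1", "1.1.1k"),  # 1.1.1f is affected
    ("EXAMPLE-ADV-5", "3.0.0", "3.0.7"),   # 3.x-only range: must not match 1.1.1f
]


def match_advisories(version: str, parse: Callable[[str], Optional[Tuple]],
                     strict: bool = False) -> List[str]:
    """Return the ids of constructed advisories whose range contains `version`."""
    return [adv_id for adv_id, lo, hi in ADVISORIES
            if affected(version, lo, hi, parse, strict)]


if __name__ == "__main__":
    # Naive parser: '1.1.1f' is unparsable, so every advisory is silently dropped.
    print("numeric-only:", match_advisories("1.1.1f", parse_numeric_only))
    # Suffix-aware parser: the three advisories whose fix is later than 1.1.1f match.
    print("suffix-aware:", match_advisories("1.1.1f", parse_openssl_version))
```

Running the block prints an empty list for the numeric-only parser and `['EXAMPLE-ADV-2', 'EXAMPLE-ADV-3', 'EXAMPLE-ADV-4']` for the suffix-aware one. The `strict` flag is the practical takeaway for anyone building or auditing a scanner: a version string the matcher cannot interpret should be surfaced as an error, not counted as "no known vulnerabilities".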