From 74afaa37d5dec1a9d1b83951529ba69d8947fb07 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Sun, 20 Oct 2019 22:10:00 +0200
Subject: cve: Rewrite to read the JSON feed instead of the XML feed.

The XML feed was discontinued on Oct. 16th, 2019:

  <https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>

* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
---
 tests/cve-sample.xml | 616 ---------------------------------------------------
 1 file changed, 616 deletions(-)
 delete mode 100644 tests/cve-sample.xml

(limited to 'tests/cve-sample.xml')

diff --git a/tests/cve-sample.xml b/tests/cve-sample.xml
deleted file mode 100644
index ce158490f1..0000000000
--- a/tests/cve-sample.xml
+++ /dev/null
@@ -1,616 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<nvd xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:patch="http://scap.nist.gov/schema/patch/0.1" xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" nvd_xml_version="2.0" pub_date="2015-11-25T08:07:01" xsi:schemaLocation="http://scap.nist.gov/schema/patch/0.1 http://nvd.nist.gov/schema/patch_0.1.xsd http://scap.nist.gov/schema/feed/vulnerability/2.0 http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd http://scap.nist.gov/schema/scap-core/0.1 http://nvd.nist.gov/schema/scap-core_0.1.xsd">
-  <entry id="CVE-2003-0001">
-    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.2"/>
-        <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.3"/>
-        <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.4"/>
-        <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.5"/>
-        <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.6"/>
-        <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.7"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.1"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.10"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.11"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.12"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.13"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.14"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.15"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.16"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.17"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.18"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.19"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.2"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.20"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.3"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.4"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.5"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.6"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.7"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.8"/>
-        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.9"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000:::advanced_server"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000:::datacenter_server"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000:::professional"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000:::server"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp1:advanced_server"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp1:datacenter_server"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp1:professional"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp1:server"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp2:advanced_server"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp2:datacenter_server"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp2:professional"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp2:server"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000_terminal_services"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000_terminal_services::sp1"/>
-        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000_terminal_services::sp2"/>
-        <cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.5"/>
-        <cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.5.1"/>
-        <cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.5.2"/>
-        <cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.5.3"/>
-        <cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.6"/>
-      </cpe-lang:logical-test>
-    </vuln:vulnerable-configuration>
-    <vuln:vulnerable-software-list>
-      <vuln:product>cpe:/o:microsoft:windows_2000::sp2:professional</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.4</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000_terminal_services::sp1</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000::sp1:advanced_server</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.19</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000::sp2:advanced_server</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000_terminal_services</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000:::advanced_server</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.20</vuln:product>
-      <vuln:product>cpe:/o:netbsd:netbsd:1.5.1</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000_terminal_services::sp2</vuln:product>
-      <vuln:product>cpe:/o:netbsd:netbsd:1.5.3</vuln:product>
-      <vuln:product>cpe:/o:netbsd:netbsd:1.5.2</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.6</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.9</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000:::datacenter_server</vuln:product>
-      <vuln:product>cpe:/o:netbsd:netbsd:1.6</vuln:product>
-      <vuln:product>cpe:/o:netbsd:netbsd:1.5</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.7</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.8</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000::sp1:datacenter_server</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000::sp2:datacenter_server</vuln:product>
-      <vuln:product>cpe:/o:freebsd:freebsd:4.3</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.10</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000::sp1:server</vuln:product>
-      <vuln:product>cpe:/o:freebsd:freebsd:4.5</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.12</vuln:product>
-      <vuln:product>cpe:/o:freebsd:freebsd:4.2</vuln:product>
-      <vuln:product>cpe:/o:freebsd:freebsd:4.7</vuln:product>
-      <vuln:product>cpe:/o:freebsd:freebsd:4.4</vuln:product>
-      <vuln:product>cpe:/o:freebsd:freebsd:4.6</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000::sp2:server</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.18</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.1</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.15</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000:::server</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.17</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.14</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.2</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000:::professional</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.11</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.5</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.16</vuln:product>
-      <vuln:product>cpe:/o:microsoft:windows_2000::sp1:professional</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.13</vuln:product>
-      <vuln:product>cpe:/o:linux:linux_kernel:2.4.3</vuln:product>
-    </vuln:vulnerable-software-list>
-    <vuln:cve-id>CVE-2003-0001</vuln:cve-id>
-    <vuln:published-datetime>2003-01-17T00:00:00.000-05:00</vuln:published-datetime>
-    <vuln:last-modified-datetime>2015-11-24T13:05:47.073-05:00</vuln:last-modified-datetime>
-    <vuln:cvss>
-      <cvss:base_metrics>
-        <cvss:score>5.0</cvss:score>
-        <cvss:access-vector>NETWORK</cvss:access-vector>
-        <cvss:access-complexity>LOW</cvss:access-complexity>
-        <cvss:authentication>NONE</cvss:authentication>
-        <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact>
-        <cvss:integrity-impact>NONE</cvss:integrity-impact>
-        <cvss:availability-impact>NONE</cvss:availability-impact>
-        <cvss:source>http://nvd.nist.gov</cvss:source>
-        <cvss:generated-on-datetime>2015-11-24T12:23:33.593-05:00</cvss:generated-on-datetime>
-      </cvss:base_metrics>
-    </vuln:cvss>
-    <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:2665" name="oval:org.mitre.oval:def:2665"/>
-    <vuln:cwe id="CWE-200"/>
-    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
-      <vuln:source>CERT-VN</vuln:source>
-      <vuln:reference href="http://www.kb.cert.org/vuls/id/412115" xml:lang="en">VU#412115</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>BUGTRAQ</vuln:source>
-      <vuln:reference href="http://www.securityfocus.com/archive/1/archive/1/535181/100/0/threaded" xml:lang="en">20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>BUGTRAQ</vuln:source>
-      <vuln:reference href="http://www.securityfocus.com/archive/1/archive/1/307564/30/26270/threaded" xml:lang="en">20030117 Re: More information regarding Etherleak</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>BUGTRAQ</vuln:source>
-      <vuln:reference href="http://www.securityfocus.com/archive/1/archive/1/305335/30/26420/threaded" xml:lang="en">20030106 Etherleak: Ethernet frame padding information leakage (A010603-1)</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>REDHAT</vuln:source>
-      <vuln:reference href="http://www.redhat.com/support/errata/RHSA-2003-088.html" xml:lang="en">RHSA-2003:088</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>REDHAT</vuln:source>
-      <vuln:reference href="http://www.redhat.com/support/errata/RHSA-2003-025.html" xml:lang="en">RHSA-2003:025</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>OSVDB</vuln:source>
-      <vuln:reference href="http://www.osvdb.org/9962" xml:lang="en">9962</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>CONFIRM</vuln:source>
-      <vuln:reference href="http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" xml:lang="en">http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf" xml:lang="en">http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
-      <vuln:source>ATSTAKE</vuln:source>
-      <vuln:reference href="http://www.atstake.com/research/advisories/2003/a010603-1.txt" xml:lang="en">A010603-1</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>FULLDISC</vuln:source>
-      <vuln:reference href="http://seclists.org/fulldisclosure/2015/Apr/5" xml:lang="en">20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html" xml:lang="en">http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
-      <vuln:source>BUGTRAQ</vuln:source>
-      <vuln:reference href="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=104222046632243&amp;w=2" xml:lang="en">20030110 More information regarding Etherleak</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>VULNWATCH</vuln:source>
-      <vuln:reference href="http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html" xml:lang="en">20030110 More information regarding Etherleak</vuln:reference>
-    </vuln:references>
-    <vuln:scanner>
-      <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:2665" name="oval:org.mitre.oval:def:2665"/>
-    </vuln:scanner>
-    <vuln:summary>Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.</vuln:summary>
-  </entry>
-  <entry id="CVE-2004-0230">
-    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:fact-ref name="cpe:/a:tcp:tcp"/>
-      </cpe-lang:logical-test>
-    </vuln:vulnerable-configuration>
-    <vuln:vulnerable-software-list>
-      <vuln:product>cpe:/a:tcp:tcp</vuln:product>
-    </vuln:vulnerable-software-list>
-    <vuln:cve-id>CVE-2004-0230</vuln:cve-id>
-    <vuln:published-datetime>2004-08-18T00:00:00.000-04:00</vuln:published-datetime>
-    <vuln:last-modified-datetime>2015-11-24T13:06:40.597-05:00</vuln:last-modified-datetime>
-    <vuln:cvss>
-      <cvss:base_metrics>
-        <cvss:score>5.0</cvss:score>
-        <cvss:access-vector>NETWORK</cvss:access-vector>
-        <cvss:access-complexity>LOW</cvss:access-complexity>
-        <cvss:authentication>NONE</cvss:authentication>
-        <cvss:confidentiality-impact>NONE</cvss:confidentiality-impact>
-        <cvss:integrity-impact>NONE</cvss:integrity-impact>
-        <cvss:availability-impact>PARTIAL</cvss:availability-impact>
-        <cvss:source>http://nvd.nist.gov</cvss:source>
-        <cvss:generated-on-datetime>2015-11-24T12:17:30.930-05:00</cvss:generated-on-datetime>
-      </cvss:base_metrics>
-    </vuln:cvss>
-    <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5711" name="oval:org.mitre.oval:def:5711"/>
-    <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4791" name="oval:org.mitre.oval:def:4791"/>
-    <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:3508" name="oval:org.mitre.oval:def:3508"/>
-    <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:270" name="oval:org.mitre.oval:def:270"/>
-    <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:2689" name="oval:org.mitre.oval:def:2689"/>
-    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
-      <vuln:source>CERT</vuln:source>
-      <vuln:reference href="http://www.us-cert.gov/cas/techalerts/TA04-111A.html" xml:lang="en">TA04-111A</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>CERT-VN</vuln:source>
-      <vuln:reference href="http://www.kb.cert.org/vuls/id/415294" xml:lang="en">VU#415294</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>CONFIRM</vuln:source>
-      <vuln:reference href="https://kc.mcafee.com/corporate/index?page=content&amp;id=SB10053" xml:lang="en">https://kc.mcafee.com/corporate/index?page=content&amp;id=SB10053</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
-      <vuln:source>XF</vuln:source>
-      <vuln:reference href="http://xforce.iss.net/xforce/xfdb/15886" xml:lang="en">tcp-rst-dos(15886)</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>VUPEN</vuln:source>
-      <vuln:reference href="http://www.vupen.com/english/advisories/2006/3983" xml:lang="en">ADV-2006-3983</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://www.uniras.gov.uk/vuls/2004/236929/index.htm" xml:lang="en">http://www.uniras.gov.uk/vuls/2004/236929/index.htm</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
-      <vuln:source>BID</vuln:source>
-      <vuln:reference href="http://www.securityfocus.com/bid/10183" xml:lang="en">10183</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>BUGTRAQ</vuln:source>
-      <vuln:reference href="http://www.securityfocus.com/archive/1/archive/1/535181/100/0/threaded" xml:lang="en">20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>HP</vuln:source>
-      <vuln:reference href="http://www.securityfocus.com/archive/1/archive/1/449179/100/0/threaded" xml:lang="en">SSRT061264</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>OSVDB</vuln:source>
-      <vuln:reference href="http://www.osvdb.org/4030" xml:lang="en">4030</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>CONFIRM</vuln:source>
-      <vuln:reference href="http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" xml:lang="en">http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MS</vuln:source>
-      <vuln:reference href="http://www.microsoft.com/technet/security/Bulletin/MS06-064.mspx" xml:lang="en">MS06-064</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MS</vuln:source>
-      <vuln:reference href="http://www.microsoft.com/technet/security/bulletin/ms05-019.mspx" xml:lang="en">MS05-019</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>CISCO</vuln:source>
-      <vuln:reference href="http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml" xml:lang="en">20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Products</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>FULLDISC</vuln:source>
-      <vuln:reference href="http://seclists.org/fulldisclosure/2015/Apr/5" xml:lang="en">20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html" xml:lang="en">http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>HP</vuln:source>
-      <vuln:reference href="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108506952116653&amp;w=2" xml:lang="en">SSRT4696</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>BUGTRAQ</vuln:source>
-      <vuln:reference href="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108302060014745&amp;w=2" xml:lang="en">20040425 Perl code exploting TCP not checking RST ACK.</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>CONFIRM</vuln:source>
-      <vuln:reference href="http://kb.juniper.net/JSA10638" xml:lang="en">http://kb.juniper.net/JSA10638</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>SGI</vuln:source>
-      <vuln:reference href="ftp://patches.sgi.com/support/free/security/advisories/20040403-01-A.asc" xml:lang="en">20040403-01-A</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>SCO</vuln:source>
-      <vuln:reference href="ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.14/SCOSA-2005.14.txt" xml:lang="en">SCOSA-2005.14</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>SCO</vuln:source>
-      <vuln:reference href="ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.9/SCOSA-2005.9.txt" xml:lang="en">SCOSA-2005.9</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>SCO</vuln:source>
-      <vuln:reference href="ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.3/SCOSA-2005.3.txt" xml:lang="en">SCOSA-2005.3</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>NETBSD</vuln:source>
-      <vuln:reference href="ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc" xml:lang="en">NetBSD-SA2004-006</vuln:reference>
-    </vuln:references>
-    <vuln:scanner>
-      <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:3508" name="oval:org.mitre.oval:def:3508"/>
-    </vuln:scanner>
-    <vuln:scanner>
-      <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:270" name="oval:org.mitre.oval:def:270"/>
-    </vuln:scanner>
-    <vuln:scanner>
-      <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:2689" name="oval:org.mitre.oval:def:2689"/>
-    </vuln:scanner>
-    <vuln:scanner>
-      <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:5711" name="oval:org.mitre.oval:def:5711"/>
-    </vuln:scanner>
-    <vuln:scanner>
-      <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:4791" name="oval:org.mitre.oval:def:4791"/>
-    </vuln:scanner>
-    <vuln:summary>TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.</vuln:summary>
-  </entry>
-  <entry id="CVE-2008-2335">
-    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:fact-ref name="cpe:/a:vastal:phpvid:1.2"/>
-        <cpe-lang:fact-ref name="cpe:/a:vastal:phpvid:1.1"/>
-      </cpe-lang:logical-test>
-    </vuln:vulnerable-configuration>
-    <vuln:vulnerable-software-list>
-      <vuln:product>cpe:/a:vastal:phpvid:1.1</vuln:product>
-      <vuln:product>cpe:/a:vastal:phpvid:1.2</vuln:product>
-    </vuln:vulnerable-software-list>
-    <vuln:cve-id>CVE-2008-2335</vuln:cve-id>
-    <vuln:published-datetime>2008-05-19T09:20:00.000-04:00</vuln:published-datetime>
-    <vuln:last-modified-datetime>2015-11-24T11:45:25.057-05:00</vuln:last-modified-datetime>
-    <vuln:cvss>
-      <cvss:base_metrics>
-        <cvss:score>4.3</cvss:score>
-        <cvss:access-vector>NETWORK</cvss:access-vector>
-        <cvss:access-complexity>MEDIUM</cvss:access-complexity>
-        <cvss:authentication>NONE</cvss:authentication>
-        <cvss:confidentiality-impact>NONE</cvss:confidentiality-impact>
-        <cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
-        <cvss:availability-impact>NONE</cvss:availability-impact>
-        <cvss:source>http://nvd.nist.gov</cvss:source>
-        <cvss:generated-on-datetime>2015-11-24T10:50:05.737-05:00</cvss:generated-on-datetime>
-      </cvss:base_metrics>
-    </vuln:cvss>
-    <vuln:cwe id="CWE-79"/>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>XF</vuln:source>
-      <vuln:reference href="http://xforce.iss.net/xforce/xfdb/42450" xml:lang="en">phpvid-query-xss(42450)</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>VUPEN</vuln:source>
-      <vuln:reference href="http://www.vupen.com/english/advisories/2008/2552" xml:lang="en">ADV-2008-2552</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>BID</vuln:source>
-      <vuln:reference href="http://www.securityfocus.com/bid/29238" xml:lang="en">29238</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MILW0RM</vuln:source>
-      <vuln:reference href="http://www.milw0rm.com/exploits/6422" xml:lang="en">6422</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>EXPLOIT-DB</vuln:source>
-      <vuln:reference href="http://www.exploit-db.com/exploits/27519" xml:lang="en">27519</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/" xml:lang="en">http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>FULLDISC</vuln:source>
-      <vuln:reference href="http://seclists.org/fulldisclosure/2015/Mar/59" xml:lang="en">20150310 Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security Vulnerabilities</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html" xml:lang="en">http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html" xml:lang="en">http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>OSVDB</vuln:source>
-      <vuln:reference href="http://osvdb.org/show/osvdb/45171" xml:lang="en">45171</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://holisticinfosec.org/content/view/65/45/" xml:lang="en">http://holisticinfosec.org/content/view/65/45/</vuln:reference>
-    </vuln:references>
-    <vuln:summary>Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter.  NOTE: some of these details are obtained from third party information.  NOTE: it was later reported that 1.2.3 is also affected.</vuln:summary>
-  </entry>
-  <entry id="CVE-2008-3522">
-    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:fact-ref name="cpe:/a:redhat:enterprise_virtualization:3.5"/>
-      </cpe-lang:logical-test>
-    </vuln:vulnerable-configuration>
-    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:fact-ref name="cpe:/a:jasper_project:jasper:1.900.1"/>
-      </cpe-lang:logical-test>
-    </vuln:vulnerable-configuration>
-    <vuln:vulnerable-software-list>
-      <vuln:product>cpe:/a:redhat:enterprise_virtualization:3.5</vuln:product>
-      <vuln:product>cpe:/a:jasper_project:jasper:1.900.1</vuln:product>
-    </vuln:vulnerable-software-list>
-    <vuln:cve-id>CVE-2008-3522</vuln:cve-id>
-    <vuln:published-datetime>2008-10-02T14:18:05.790-04:00</vuln:published-datetime>
-    <vuln:last-modified-datetime>2015-11-24T11:46:04.933-05:00</vuln:last-modified-datetime>
-    <vuln:cvss>
-      <cvss:base_metrics>
-        <cvss:score>10.0</cvss:score>
-        <cvss:access-vector>NETWORK</cvss:access-vector>
-        <cvss:access-complexity>LOW</cvss:access-complexity>
-        <cvss:authentication>NONE</cvss:authentication>
-        <cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact>
-        <cvss:integrity-impact>COMPLETE</cvss:integrity-impact>
-        <cvss:availability-impact>COMPLETE</cvss:availability-impact>
-        <cvss:source>http://nvd.nist.gov</cvss:source>
-        <cvss:generated-on-datetime>2015-11-24T10:05:46.467-05:00</cvss:generated-on-datetime>
-      </cvss:base_metrics>
-    </vuln:cvss>
-    <vuln:security-protection>ALLOWS_ADMIN_ACCESS</vuln:security-protection>
-    <vuln:cwe id="CWE-119"/>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>XF</vuln:source>
-      <vuln:reference href="http://xforce.iss.net/xforce/xfdb/45623" xml:lang="en">jasper-jasstreamprintf-bo(45623)</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>UBUNTU</vuln:source>
-      <vuln:reference href="http://www.ubuntu.com/usn/USN-742-1" xml:lang="en">USN-742-1</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>BID</vuln:source>
-      <vuln:reference href="http://www.securityfocus.com/bid/31470" xml:lang="en">31470</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MANDRIVA</vuln:source>
-      <vuln:reference href="http://www.mandriva.com/security/advisories?name=MDVSA-2009:164" xml:lang="en">MDVSA-2009:164</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MANDRIVA</vuln:source>
-      <vuln:reference href="http://www.mandriva.com/security/advisories?name=MDVSA-2009:144" xml:lang="en">MDVSA-2009:144</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MANDRIVA</vuln:source>
-      <vuln:reference href="http://www.mandriva.com/security/advisories?name=MDVSA-2009:142" xml:lang="en">MDVSA-2009:142</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>GENTOO</vuln:source>
-      <vuln:reference href="http://security.gentoo.org/glsa/glsa-200812-18.xml" xml:lang="en">GLSA-200812-18</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>REDHAT</vuln:source>
-      <vuln:reference href="http://rhn.redhat.com/errata/RHSA-2015-0698.html" xml:lang="en">RHSA-2015:0698</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://bugs.gentoo.org/show_bug.cgi?id=222819" xml:lang="en">http://bugs.gentoo.org/show_bug.cgi?id=222819</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://bugs.gentoo.org/attachment.cgi?id=163282&amp;action=view" xml:lang="en">http://bugs.gentoo.org/attachment.cgi?id=163282&amp;action=view</vuln:reference>
-    </vuln:references>
-    <vuln:summary>Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf.</vuln:summary>
-  </entry>
-  <entry id="CVE-2009-3301">
-    <vuln:vulnerable-configuration id="http://www.nist.gov/">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:3.1.1"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:3.1.0"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:3.0.1"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:3.0.0"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.4.1"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.4.0"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.1.0"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:1.1.0"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.4.2"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.4.3"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.3.0"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.3.1"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.2.0"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.2.1"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.0.0"/>
-        <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.0.3"/>
-      </cpe-lang:logical-test>
-    </vuln:vulnerable-configuration>
-    <vuln:vulnerable-configuration id="http://www.nist.gov/">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:fact-ref name="cpe:/o:canonical:ubuntu_linux:10.04::~~lts~~~"/>
-        <cpe-lang:fact-ref name="cpe:/o:canonical:ubuntu_linux:10.10"/>
-        <cpe-lang:fact-ref name="cpe:/o:canonical:ubuntu_linux:9.10"/>
-        <cpe-lang:fact-ref name="cpe:/o:canonical:ubuntu_linux:8.04:-:lts"/>
-      </cpe-lang:logical-test>
-    </vuln:vulnerable-configuration>
-    <vuln:vulnerable-software-list>
-      <vuln:product>cpe:/o:canonical:ubuntu_linux:10.04::~~lts~~~</vuln:product>
-      <vuln:product>cpe:/o:canonical:ubuntu_linux:8.04:-:lts</vuln:product>
-      <vuln:product>cpe:/o:canonical:ubuntu_linux:10.10</vuln:product>
-      <vuln:product>cpe:/a:sun:openoffice.org:2.1.0</vuln:product>
-      <vuln:product>cpe:/a:sun:openoffice.org:2.3.0</vuln:product>
-      <vuln:product>cpe:/a:sun:openoffice.org:2.2.1</vuln:product>
-      <!-- snipped -->
-    </vuln:vulnerable-software-list>
-    <vuln:cve-id>CVE-2009-3301</vuln:cve-id>
-    <vuln:published-datetime>2010-02-16T14:30:00.533-05:00</vuln:published-datetime>
-    <vuln:last-modified-datetime>2015-11-17T10:59:44.723-05:00</vuln:last-modified-datetime>
-    <vuln:cvss>
-      <cvss:base_metrics>
-        <cvss:score>9.3</cvss:score>
-        <cvss:access-vector>NETWORK</cvss:access-vector>
-        <cvss:access-complexity>MEDIUM</cvss:access-complexity>
-        <cvss:authentication>NONE</cvss:authentication>
-        <cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact>
-        <cvss:integrity-impact>COMPLETE</cvss:integrity-impact>
-        <cvss:availability-impact>COMPLETE</cvss:availability-impact>
-        <cvss:source>http://nvd.nist.gov</cvss:source>
-        <cvss:generated-on-datetime>2015-11-17T10:02:50.097-05:00</cvss:generated-on-datetime>
-      </cvss:base_metrics>
-    </vuln:cvss>
-    <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10423" name="oval:org.mitre.oval:def:10423"/>
-    <vuln:cwe id="CWE-189"/>
-    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
-      <vuln:source>CERT</vuln:source>
-      <vuln:reference href="http://www.us-cert.gov/cas/techalerts/TA10-287A.html" xml:lang="en">TA10-287A</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>CONFIRM</vuln:source>
-      <vuln:reference href="https://bugzilla.redhat.com/show_bug.cgi?id=533038" xml:lang="en">https://bugzilla.redhat.com/show_bug.cgi?id=533038</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>XF</vuln:source>
-      <vuln:reference href="http://xforce.iss.net/xforce/xfdb/56240" xml:lang="en">openoffice-word-sprmtdeftable-bo(56240)</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>VUPEN</vuln:source>
-      <vuln:reference href="http://www.vupen.com/english/advisories/2010/2905" xml:lang="en">ADV-2010-2905</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>VUPEN</vuln:source>
-      <vuln:reference href="http://www.vupen.com/english/advisories/2010/0635" xml:lang="en">ADV-2010-0635</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
-      <vuln:source>VUPEN</vuln:source>
-      <vuln:reference href="http://www.vupen.com/english/advisories/2010/0366" xml:lang="en">ADV-2010-0366</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>UBUNTU</vuln:source>
-      <vuln:reference href="http://www.ubuntu.com/usn/USN-903-1" xml:lang="en">USN-903-1</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>BID</vuln:source>
-      <vuln:reference href="http://www.securityfocus.com/bid/38218" xml:lang="en">38218</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>REDHAT</vuln:source>
-      <vuln:reference href="http://www.redhat.com/support/errata/RHSA-2010-0101.html" xml:lang="en">RHSA-2010:0101</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>CONFIRM</vuln:source>
-      <vuln:reference href="http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html" xml:lang="en">http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
-      <vuln:source>CONFIRM</vuln:source>
-      <vuln:reference href="http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html" xml:lang="en">http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY">
-      <vuln:source>CONFIRM</vuln:source>
-      <vuln:reference href="http://www.openoffice.org/security/bulletin.html" xml:lang="en">http://www.openoffice.org/security/bulletin.html</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MANDRIVA</vuln:source>
-      <vuln:reference href="http://www.mandriva.com/security/advisories?name=MDVSA-2010:221" xml:lang="en">MDVSA-2010:221</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>GENTOO</vuln:source>
-      <vuln:reference href="http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml" xml:lang="en">GLSA-201408-19</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>DEBIAN</vuln:source>
-      <vuln:reference href="http://www.debian.org/security/2010/dsa-1995" xml:lang="en">DSA-1995</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>SECTRACK</vuln:source>
-      <vuln:reference href="http://securitytracker.com/id?1023591" xml:lang="en">1023591</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>SUSE</vuln:source>
-      <vuln:reference href="http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html" xml:lang="en">SUSE-SA:2010:017</vuln:reference>
-    </vuln:references>
-    <vuln:scanner>
-      <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10423" name="oval:org.mitre.oval:def:10423"/>
-    </vuln:scanner>
-    <vuln:summary>Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document.</vuln:summary>
-  </entry>
-  <entry id="CVE-2015-8330">
-    <vuln:cve-id>CVE-2015-8330</vuln:cve-id>
-    <vuln:published-datetime>2015-11-24T15:59:25.897-05:00</vuln:published-datetime>
-    <vuln:last-modified-datetime>2015-11-24T15:59:26.930-05:00</vuln:last-modified-datetime>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="https://www.onapsis.com/blog/analyzing-sap-security-notes-november-2015" xml:lang="en">https://www.onapsis.com/blog/analyzing-sap-security-notes-november-2015</vuln:reference>
-    </vuln:references>
-    <vuln:references xml:lang="en" reference_type="UNKNOWN">
-      <vuln:source>MISC</vuln:source>
-      <vuln:reference href="http://erpscan.com/advisories/erpscan-15-032-sap-pco-agent-dos-vulnerability/" xml:lang="en">http://erpscan.com/advisories/erpscan-15-032-sap-pco-agent-dos-vulnerability/</vuln:reference>
-    </vuln:references>
-    <vuln:summary>The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619.</vuln:summary>
-  </entry>
-</nvd>
-- 
cgit v1.2.3