The Vulnerability Digest is a XML document, fully compliant with the CVRF/1.1 Schemas. It is updated once a day.

The document contains a full list of relevant vulnerabilities. The <Version> is in a form of year.month.day.hour and the <RevisionHistory> includes only a single <Revision>, which indicates the creation date. Ordinal numbers are not preserved between two Versions.

<DocumentDistribution> indicates the CVRF file must not be shared with people beyond your organization as stated in the Security Information Access Terms.

The <ProductTree> indicates all products and product versions covered by the particular CVRF document:

• Router firmware (Conel OS) is covered since version 6.1.2 (released June, 2017)
• Core user modules are covered since Jan, 2017.

The <Branch Type="Architecture"> can be:

• RBv2, RBv3 that identifies the router platform (v2, v3) per Firmware Distribution Overview.
• amd64 that identifies a server-side software (e.g. WebAccess/VPN).

Vulnerability <Title> can contain:

• CVE number (e.g. CVE-2018-7740), referring to the NVD database (vulnerability details are e.g. at https://nvd.nist.gov/vuln/detail/CVE-2018-7740);
• Nessus Plugin ID (e.g. Nessus-42873), referring to the Tenable Nessus (details e.g. at https://www.tenable.com/plugins/nessus/42873);
• Hash (e.g. “f83875d9-0fe3-492a-a1c1-e0ed39e74001”), referring to the Sonatype OSS Index (details e.g. at https://ossindex.sonatype.org/vuln/f83875d9-0fe3-492a-a1c1-e0ed39e74001).

Vulnerability <ReleaseDate> indicates when the vulnerability has been published.

Vulnerability <Involvement> Status can be:

• Open, indicating the team is aware of this new vulnerability, which is still in the Triage or Remediation phase. Status information is not available.
• Completed, indicating the vulnerability has been Remediated and the Status information has been published.

Vulnerability <Status> Type indicates what products and products versions are affected by the vulnerability. This information is not available for vulnerabilities in the Triage or Remediation phase.

For Type="Known Not Affected" there is always a <Threat Type=”Exploit Status”> with a <Description> that provides additional rationale. The following reasons may be used:

• Not Compiled. A patch is available and none of the patched source files is compiled and used in the product.
• Not Shipped. The affected file is not shipped with the product.
• Other System. The vulnerability affects another operating system, e.g. MS Windows.
• Other Processor. The vulnerability affects another CPU, e.g. Intel.
• Disabled. The affected functionality (e.g. secure boot) is not used in the product.
• Patched. The vulnerability has been patched (in a previous version).
• Upgraded. The product is no longer vulnerable, because the package has been upgraded to a newer version.
• Before Broken. The vulnerability has been introduced in a later version of mainline branch.
• After Fixed. The vulnerability has been fixed in an earlier version of the mainline branch.
• Backported. The vulnerability has been fixed in an earlier version of the used stable branch.
• Vendor Specific. The vulnerability applies to some distributions only; it does not apply to mainline kernel.
• Invalid. The vulnerability has been marked as invalid.
• Withdrawn. The vulnerability has been withdrawn.

For Type="Known Affected" there is always either a <Remediation Type="Vendor Fix"> indicating which product version fixed this vulnerability, or <Remediation Type="Mitigation"> referring to a specific section in Security Guidelines that addresses this vulnerability.

Vulnerabilities that are not listed do not affect any of the products indicated in the <ProductTree>.