fix(models/redhat): fix collectRedHatPacks

[masahiro331]

What did you implement:

Fixed to include both packages when they have the same package name but different ModularityLabel.
And when importing packages that have the same package name but different versions, we used to rely on the order in which they were written in OVAL, but now we use the new version.
Then, OVALv1 defines non-RHEL5 package information among RHEL5 ones. We have tried to exclude such packages that are not the target version.

Type of change

• Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

same package name, but different ModularityLabel

OVAL(OVALv2)

<definition class="patch" id="oval:com.redhat.rhsa:def:20202774" version="638">
    <metadata>
     <title>RHSA-2020:2774: virt:rhel security update (Important)</title>
     ...
    </metadata>
    <criteria operator="OR">
     <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20191992005"/>
     <criteria operator="AND">
      <criteria operator="OR">
       <criterion comment="Red Hat Enterprise Linux 8 is installed" test_ref="oval:com.redhat.rhba:tst:20191992003"/>
       <criterion comment="Red Hat CoreOS 4 is installed" test_ref="oval:com.redhat.rhba:tst:20191992004"/>
      </criteria>
      <criteria operator="OR">
       <criteria operator="AND">
        <criterion comment="Module virt:rhel is enabled" test_ref="oval:com.redhat.rhsa:tst:20191175195"/>
        <criteria operator="OR">
         <criteria operator="AND">
          <criterion comment="libvirt is earlier than 0:4.5.0-42.module+el8.2.0+6024+15a2423f" test_ref="oval:com.redhat.rhsa:tst:20202774051"/>
          <criterion comment="libvirt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20191175054"/>
         </criteria>
         ...
        </criteria>
       </criteria>
       <criteria operator="AND">
        <criterion comment="Module virt-devel:rhel is enabled" test_ref="oval:com.redhat.rhsa:tst:20193345244"/>
        <criteria operator="OR">
         <criteria operator="AND">
          <criterion comment="libvirt is earlier than 0:4.5.0-42.module+el8.2.0+6024+15a2423f" test_ref="oval:com.redhat.rhsa:tst:20202774198"/>
          <criterion comment="libvirt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20191175054"/>
         </criteria>
         ...
        </criteria>
       </criteria>
      </criteria>
     </criteria>
    </criteria>
</definition>

before

$ goval-dictionary fetch redhat 8
$ sqlite3 oval.sqlite3 'SELECT packages.name, packages.version, packages.modularity_label FROM definitions JOIN packages ON definitions.id = packages.definition_id WHERE definitions.definition_id = "oval:com.redhat.rhsa:def:20202774" AND packages.name = "libvirt"'
libvirt|0:4.5.0-42.module+el8.2.0+6024+15a2423f|virt-devel:rhel

after

$ goval-dictionary fetch redhat 8
$ sqlite3 oval.sqlite3 'SELECT packages.name, packages.version, packages.modularity_label FROM definitions JOIN packages ON definitions.id = packages.definition_id WHERE definitions.definition_id = "oval:com.redhat.rhsa:def:20202774" AND packages.name = "libvirt"'
libvirt|0:4.5.0-42.module+el8.2.0+6024+15a2423f|virt-devel:rhel
libvirt|0:4.5.0-42.module+el8.2.0+6024+15a2423f|virt:rhel

same package name, but different package version

OVAL(OVALv2)

<definition class="patch" id="oval:com.redhat.rhsa:def:20111349" version="638">
  <metadata>
   <title>RHSA-2011:1349: rpm security update (Important)</title>
   ...
  </metadata>
  <criteria operator="OR">
   <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20111656004"/>
   <criteria operator="AND">
    <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:com.redhat.rhba:tst:20111656003"/>
    <criteria operator="OR">
     <criteria operator="AND">
      <criterion comment="rpm is earlier than 0:4.8.0-12.el6_0.1" test_ref="oval:com.redhat.rhsa:tst:20111349001"/>
      <criterion comment="rpm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20111349002"/>
     </criteria>
     ...
    </criteria>
   </criteria>
   <criteria operator="AND">
    <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:com.redhat.rhba:tst:20111656003"/>
    <criteria operator="OR">
     <criteria operator="AND">
      <criterion comment="rpm is earlier than 0:4.8.0-16.el6_1.1" test_ref="oval:com.redhat.rhsa:tst:20111349016"/>
      <criterion comment="rpm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20111349002"/>
     </criteria>
     ...
    </criteria>
   </criteria>
  </criteria>
</definition>

<definition class="patch" id="oval:com.redhat.rhsa:def:20120451" version="638">
  <metadata>
   <title>RHSA-2012:0451: rpm security update (Important)</title>
   ...
  </metadata>
  <criteria operator="OR">
   <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20111656004"/>
   <criteria operator="AND">
    <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:com.redhat.rhba:tst:20111656003"/>
    <criteria operator="OR">
     <criteria operator="AND">
      <criterion comment="rpm is earlier than 0:4.8.0-12.el6_0.2" test_ref="oval:com.redhat.rhsa:tst:20120451001"/>
      <criterion comment="rpm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20111349002"/>
     </criteria>
     ...
    </criteria>
   </criteria>
   <criteria operator="AND">
    <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:com.redhat.rhba:tst:20111656003"/>
    <criteria operator="OR">
     <criteria operator="AND">
      <criterion comment="rpm is earlier than 0:4.8.0-19.el6_2.1" test_ref="oval:com.redhat.rhsa:tst:20120451016"/>
      <criterion comment="rpm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20111349002"/>
     </criteria>
     ...
    </criteria>
   </criteria>
  </criteria>
</definition>

$ goval-dictionary fetch redhat 6
$ sqlite3 oval.sqlite3 'SELECT packages.name, packages.version, packages.modularity_label FROM definitions JOIN packages ON definitions.id = packages.definition_id WHERE definitions.definition_id = "oval:com.redhat.rhsa:def:20111349" AND packages.name = "rpm"'
rpm|0:4.8.0-16.el6_1.1|

$ sqlite3 oval.sqlite3 'SELECT packages.name, packages.version, packages.modularity_label FROM definitions JOIN packages ON definitions.id = packages.definition_id WHERE definitions.definition_id = "oval:com.redhat.rhsa:def:20120451" AND packages.name = "rpm"'
rpm|0:4.8.0-19.el6_2.1|

not target RHEL version

OVAL(OVALv1)

<definition class="patch" id="oval:com.redhat.rhsa:def:20100889" version="636">
 <metadata>
  <title>RHSA-2010:0889: freetype security update (Important)</title>
  ...
 </metadata>
 <criteria operator="OR">
  <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20070331006"/>
  <criteria operator="AND">
   <criterion comment="Red Hat Enterprise Linux 4 is installed" test_ref="oval:com.redhat.rhsa:tst:20070066005"/>
   <criteria operator="OR">
    <criteria operator="AND">
     <criterion comment="freetype is earlier than 0:2.1.9-17.el4_8.1" test_ref="oval:com.redhat.rhsa:tst:20100889001"/>
     <criterion comment="freetype is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070150002"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="freetype-demos is earlier than 0:2.1.9-17.el4_8.1" test_ref="oval:com.redhat.rhsa:tst:20100889003"/>
     <criterion comment="freetype-demos is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070150004"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="freetype-devel is earlier than 0:2.1.9-17.el4_8.1" test_ref="oval:com.redhat.rhsa:tst:20100889005"/>
     <criterion comment="freetype-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070150006"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="freetype-utils is earlier than 0:2.1.9-17.el4_8.1" test_ref="oval:com.redhat.rhsa:tst:20100889007"/>
     <criterion comment="freetype-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070150008"/>
    </criteria>
   </criteria>
  </criteria>
  <criteria operator="AND">
   <criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhba:tst:20070331005"/>
   <criteria operator="OR">
    <criteria operator="AND">
     <criterion comment="freetype is earlier than 0:2.2.1-28.el5_5.1" test_ref="oval:com.redhat.rhsa:tst:20100889010"/>
     <criterion comment="freetype is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070150002"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="freetype-demos is earlier than 0:2.2.1-28.el5_5.1" test_ref="oval:com.redhat.rhsa:tst:20100889011"/>
     <criterion comment="freetype-demos is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070150004"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="freetype-devel is earlier than 0:2.2.1-28.el5_5.1" test_ref="oval:com.redhat.rhsa:tst:20100889012"/>
     <criterion comment="freetype-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070150006"/>
    </criteria>
   </criteria>
  </criteria>
  <criteria operator="AND">
   <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:com.redhat.rhsa:tst:20100889017"/>
   <criteria operator="OR">
    <criteria operator="AND">
     <criterion comment="freetype is earlier than 0:2.3.11-6.el6_0.2" test_ref="oval:com.redhat.rhsa:tst:20100889014"/>
     <criterion comment="freetype is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070150002"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="freetype-demos is earlier than 0:2.3.11-6.el6_0.2" test_ref="oval:com.redhat.rhsa:tst:20100889015"/>
     <criterion comment="freetype-demos is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070150004"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="freetype-devel is earlier than 0:2.3.11-6.el6_0.2" test_ref="oval:com.redhat.rhsa:tst:20100889016"/>
     <criterion comment="freetype-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070150006"/>
    </criteria>
   </criteria>
  </criteria>
 </criteria>

before

$ goval-dictionary fetch redhat 5
$ sqlite3 oval.sqlite3 'SELECT COUNT(*) FROM packages WHERE packages.version LIKE "%.el6%" OR packages.version LIKE "%.el7%" OR packages.version LIKE "%.el8%" OR packages.version LIKE "%.el9%"'
1278

after

$ goval-dictionary fetch redhat 5
$ sqlite3 oval.sqlite3 'SELECT COUNT(*) FROM packages WHERE packages.version LIKE "%.el6%" OR packages.version LIKE "%.el7%" OR packages.version LIKE "%.el8%" OR packages.version LIKE "%.el9%"'
0

Checklist:

You don't have to satisfy all of the following.

• Write tests
• Write documentation
• Check that there aren't other open pull requests for the same issue/feature
• Format your source code by make fmt
• Pass the test by make test
• Provide verification config / commands
• Enable "Allow edits from maintainers" for this PR
• Update the messages below

Is this ready for review?: YES

Reference

• fix(fetcher/redhat): use redhat oval v2 #308

[masahiro331]

I will write a test. Please wait.

[masahiro331]

Criteria in RedHat's OVAL definition include advisories for multiple OS versions.
With the current implement, a RedHat 7 advisory is likely to be included for a RedHat 5 database.

For example.

<definition class="patch" id="oval:com.redhat.rhsa:def:20161944" version="636">
 <metadata>
  <title>RHSA-2016:1944: bind security update (Important)</title>
  <affected family="unix">
   <platform>Red Hat Enterprise Linux 5</platform>
   <platform>Red Hat Enterprise Linux 6</platform>
   <platform>Red Hat Enterprise Linux 7</platform>
  </affected>
  <reference ref_id="RHSA-2016:1944" ref_url="https://access.redhat.com/errata/RHSA-2016:1944" source="RHSA"/>
  <reference ref_id="CVE-2016-2776" ref_url="https://access.redhat.com/security/cve/CVE-2016-2776" source="CVE"/>
  <description>The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet. (CVE-2016-2776)

Red Hat would like to thank ISC for reporting this issue.</description>
  <advisory from="secalert@redhat.com">
   <severity>Important</severity>
   <rights>Copyright 2016 Red Hat, Inc.</rights>
   <issued date="2016-09-28"/>
   <updated date="2016-09-28"/>
   <cve cvss2="5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P" cvss3="7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" cwe="CWE-617" href="https://access.redhat.com/security/cve/CVE-2016-2776" impact="important" public="20160927">CVE-2016-2776</cve>
   <bugzilla href="https://bugzilla.redhat.com/1378380" id="1378380">CVE-2016-2776 bind: assertion failure in buffer.c while building responses to a specifically constructed request</bugzilla>
   <affected_cpe_list>
    <cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:5::client</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:5::client_workstation</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:5::server</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:6::client</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:6::computenode</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:6::server</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:6::workstation</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:7::client</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:7::computenode</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:7::server</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:7::workstation</cpe>
   </affected_cpe_list>
  </advisory>
 </metadata>
 <criteria operator="OR">
  <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20070331006"/>
  <criteria operator="AND">
   <criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhba:tst:20070331005"/>
   <criteria operator="OR">
    <criteria operator="AND">
     <criterion comment="bind is earlier than 30:9.3.6-25.P1.el5_11.9" test_ref="oval:com.redhat.rhsa:tst:20161944001"/>
     <criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057002"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-chroot is earlier than 30:9.3.6-25.P1.el5_11.9" test_ref="oval:com.redhat.rhsa:tst:20161944003"/>
     <criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057004"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-devel is earlier than 30:9.3.6-25.P1.el5_11.9" test_ref="oval:com.redhat.rhsa:tst:20161944005"/>
     <criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057006"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-libbind-devel is earlier than 30:9.3.6-25.P1.el5_11.9" test_ref="oval:com.redhat.rhsa:tst:20161944007"/>
     <criterion comment="bind-libbind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057008"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-libs is earlier than 30:9.3.6-25.P1.el5_11.9" test_ref="oval:com.redhat.rhsa:tst:20161944009"/>
     <criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057010"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-sdb is earlier than 30:9.3.6-25.P1.el5_11.9" test_ref="oval:com.redhat.rhsa:tst:20161944011"/>
     <criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057012"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-utils is earlier than 30:9.3.6-25.P1.el5_11.9" test_ref="oval:com.redhat.rhsa:tst:20161944013"/>
     <criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057014"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="caching-nameserver is earlier than 30:9.3.6-25.P1.el5_11.9" test_ref="oval:com.redhat.rhsa:tst:20161944015"/>
     <criterion comment="caching-nameserver is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057016"/>
    </criteria>
   </criteria>
  </criteria>
  <criteria operator="AND">
   <criterion comment="Red Hat Enterprise Linux 7 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741011"/>
   <criteria operator="OR">
    <criteria operator="AND">
     <criterion comment="bind is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944018"/>
     <criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057002"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-chroot is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944019"/>
     <criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057004"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-devel is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944020"/>
     <criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057006"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-libs is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944021"/>
     <criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057010"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-libs-lite is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944022"/>
     <criterion comment="bind-libs-lite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-license is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944024"/>
     <criterion comment="bind-license is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-lite-devel is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944026"/>
     <criterion comment="bind-lite-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-pkcs11 is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944028"/>
     <criterion comment="bind-pkcs11 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160073036"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-pkcs11-devel is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944030"/>
     <criterion comment="bind-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160073038"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-pkcs11-libs is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944032"/>
     <criterion comment="bind-pkcs11-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160073040"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-pkcs11-utils is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944034"/>
     <criterion comment="bind-pkcs11-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160073042"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-sdb is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944036"/>
     <criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057012"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-sdb-chroot is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944037"/>
     <criterion comment="bind-sdb-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984030"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-utils is earlier than 32:9.9.4-29.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20161944039"/>
     <criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057014"/>
    </criteria>
   </criteria>
  </criteria>
  <criteria operator="AND">
   <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:com.redhat.rhsa:tst:20100889017"/>
   <criteria operator="OR">
    <criteria operator="AND">
     <criterion comment="bind is earlier than 32:9.8.2-0.47.rc1.el6_8.1" test_ref="oval:com.redhat.rhsa:tst:20161944041"/>
     <criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057002"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-chroot is earlier than 32:9.8.2-0.47.rc1.el6_8.1" test_ref="oval:com.redhat.rhsa:tst:20161944042"/>
     <criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057004"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-devel is earlier than 32:9.8.2-0.47.rc1.el6_8.1" test_ref="oval:com.redhat.rhsa:tst:20161944043"/>
     <criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057006"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-libs is earlier than 32:9.8.2-0.47.rc1.el6_8.1" test_ref="oval:com.redhat.rhsa:tst:20161944044"/>
     <criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057010"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-sdb is earlier than 32:9.8.2-0.47.rc1.el6_8.1" test_ref="oval:com.redhat.rhsa:tst:20161944045"/>
     <criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057012"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="bind-utils is earlier than 32:9.8.2-0.47.rc1.el6_8.1" test_ref="oval:com.redhat.rhsa:tst:20161944046"/>
     <criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20070057014"/>
    </criteria>
   </criteria>
  </criteria>
 </criteria>
</definition>

[masahiro331]

So this fix reverts back to the previous state, but I have a feeling it's not the right fix...

[MaineK00n]

thanks @masahiro331 !