Description
I just ran cve-bin-tool 3.4 using databases from yesterday, July 15, and it produced the following for xz:
unknown,xz,5.4.6,/usr/bin/xz,CVE-2024-3094,CRITICAL,10,NVD,3,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H,,NewFound,,[5.0.0-r0 - 5.6.1-r1]
The affected versions should be 5.6.0 - 5.6.1.
To reproduce
Run cve-bin-tool on a Yocto (Scarthgap) created embedded package that uses the xz library.
Version/platform info
Version of CVE-bin-tool (e.g. output of cve-bin-tool --version):
3.4
Installed from pypi or github?
pypi
Operating system: Linux/Windows (other platforms are unsupported but feel free to report issues anyhow)
Yocto Scarthgap (5.0)
Python version (e.g. python3 --version):
3.10.12
Running in any particular CI environment we should know about? (e.g. Github Actions)
Anything else?
Feel free to add any other context here.
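A triage check for the row reported above, added here as an example (it is not the reporter's code or part of cve-bin-tool): it compares the detected version against both the range printed in the row and the range the report says is correct. The column positions, the reading of the `-rN` suffix as a package revision, and the function names are assumptions.

```python
import csv
import io
import re

# Row copied from the report above. Column positions used below are assumptions.
ROW = ("unknown,xz,5.4.6,/usr/bin/xz,CVE-2024-3094,CRITICAL,10,NVD,3,"
       "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H,,NewFound,,[5.0.0-r0 - 5.6.1-r1]")


def version_key(text):
    """'5.6.1-r1' -> ((5, 6, 1), 1). A missing -rN counts as revision 0 (assumption)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def parse_range(text):
    """'[5.0.0-r0 - 5.6.1-r1]' or '5.6.0 - 5.6.1' -> (low_key, high_key), inclusive."""
    low, high = text.strip().strip("[]").split(" - ")
    return version_key(low), version_key(high)


def in_range(version, bounds):
    low, high = bounds
    return low <= version_key(version) <= high


def triage(row, expected_range):
    """Classify one finding against the range the analyst expects for that CVE."""
    fields = next(csv.reader(io.StringIO(row)))
    product, version, cve, reported = fields[1], fields[2], fields[4], fields[-1]
    hit_reported = in_range(version, parse_range(reported))
    hit_expected = in_range(version, parse_range(expected_range))
    if hit_expected:
        verdict = "affected"
    elif hit_reported:
        verdict = "outside_expected_range"  # matched only the wider reported range
    else:
        verdict = "not_matched"
    return {"product": product, "version": version, "cve": cve,
            "reported_range": reported, "verdict": verdict}


if __name__ == "__main__":
    # Expected range taken from the report: 5.6.0 - 5.6.1
    print(triage(ROW, "5.6.0 - 5.6.1"))
```

For the reported row, xz 5.4.6 falls inside the printed range but outside 5.6.0 - 5.6.1, so the finding is flagged for manual review rather than treated as affected.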