Hi,
A lot of definitions have a criterion saying that the version is "earlier than 0", e.g.
<criterion comment="sendmail DPKG is earlier than 0" test_ref="oval:org.debian.oval:tst:5"/>
What's the meaning of this version, that it's not addressed yet? If so, I find some discrepancies, e.g. in the Jessie feed we have sendmail CVE-1999-1580 with that version. If we check in the security tracker -
https://security-tracker.debian.org/tracker/CVE-1999-1580 - it says that the status for Jessie is "fixed" for version "8.14.4-8+deb8u2". However, some having that version are actually tracked as "vulnerable" in the security tracker.
Is this expected? What would the recommendation for handling these be?
Thanks,
Lyubo