Re: About CVE-2017-1000082
Hi Teppei,
On Fri, Jun 26, 2020 at 01:09:40PM +0000, Teppei Fukuda wrote:
> Hi Debian Security Team,
>
> Thank you for providing the great tracker system. I have a question. When it comes to CVE-2017-1000082, jessie says "fixed".
> https://security-tracker.debian.org/tracker/CVE-2017-1000082
>
> But OVAL describes the following.
> <criterion comment="systemd DPKG is earlier than 0" test_ref="oval:org.debian.oval:tst:15314"/>
>
> In the case of buster, OVAL is like the following.
> <criterion comment="systemd DPKG is earlier than 234-1" test_ref="oval:org.debian.oval:tst:11877"/>
> Are they correct? If it is fixed, I think it should not be "0" and buster should have a suffix like "~deb10uX", not "234-1".
These are all correct; 234 was the first systemd release to ship the fix.
It says 0 for jessie as jessie was never affected by this security issue; the version of
systemd in jessie does not contain the affected code.
Cheers,
Moritz
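
The following is an added illustration, not part of the original messages and not Debian's or any scanner's own code. It shows how a scanner could evaluate the two quoted criteria with dpkg version ordering, so that a bound of "0" never matches an installed package. It reads the bound from the `comment` attribute as a shortcut instead of resolving `test_ref`, and the installed versions used with it are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from itertools import zip_longest

# The two criterion lines quoted in the thread.
CRITERIA = {
    "jessie": '<criterion comment="systemd DPKG is earlier than 0" test_ref="oval:org.debian.oval:tst:15314"/>',
    "buster": '<criterion comment="systemd DPKG is earlier than 234-1" test_ref="oval:org.debian.oval:tst:11877"/>',
}

def _order(c):
    """dpkg sort weight: '~' < end of string < letters < other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare an upstream or revision string as alternating text/number runs."""
    runs_a = re.findall(r"([^0-9]*)([0-9]*)", a)
    runs_b = re.findall(r"([^0-9]*)([0-9]*)", b)
    for (ta, na), (tb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(ta, tb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision]."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def dpkg_lt(a, b):
    """True if version a sorts strictly before version b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return ea < eb
    return (_cmp_part(ua, ub) or _cmp_part(ra, rb)) < 0

def is_vulnerable(criterion_xml, installed):
    """Shortcut: take the bound from the comment instead of resolving test_ref."""
    comment = ET.fromstring(criterion_xml).get("comment")
    fixed = re.fullmatch(r"\S+ DPKG is earlier than (\S+)", comment).group(1)
    return dpkg_lt(installed, fixed)
```

With a constructed jessie-style version such as `215-17+deb8u7`, `is_vulnerable(CRITERIA["jessie"], ...)` is false because 215 is not earlier than 0, while a constructed `233-9` checked against the buster criterion is true.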