About CVE-2017-10965

[Teppei Fukuda <teppei.fukuda@aquasec.com>]

Hi Debian Security Team,

Thank you for providing the great tracker system. I have a question. When it comes to CVE-2017-10965, the following page says 1.0.2-1+deb9u2 is the fixed version on stretch.

https://security-tracker.debian.org/tracker/CVE-2017-10965

Change log also says so.

https://launchpad.net/debian/+source/irssi/+changelog

But OVAL says 1.0.2-1+deb9u3 as follows.

$ curl https://www.debian.org/security/oval/oval-definitions-stretch.xml | grep -A 50 CVE-2017-10965

<criterion comment="irssi DPKG is earlier than 1.0.2-1+deb9u3" test_ref="oval:org.debian.oval:tst:13567"/>

Which is correct?

Thank you,

teppei