
Re: About CVE-2017-10965



On Tue, Sep 01, 2020 at 04:51:43AM +0000, Teppei Fukuda wrote:
> Hi Debian Security Team,
> 
> Thank you for providing the great tracker system. I have a question. When it comes to CVE-2017-10965, the following page says 1.0.2-1+deb9u2 is the fixed version on stretch.
> https://security-tracker.debian.org/tracker/CVE-2017-10965
> 
> Change log also says so.
> https://launchpad.net/debian/+source/irssi/+changelog
> 
> But OVAL says 1.0.2-1+deb9u3 as follows.
> 
> $ curl https://www.debian.org/security/oval/oval-definitions-stretch.xml | grep -A 50 CVE-2017-10965
> 
> <criterion comment="irssi DPKG is earlier than 1.0.2-1+deb9u3" test_ref="oval:org.debian.oval:tst:13567"/>
> Which is correct?

1.0.2-1+deb9u2 should be correct, so the OVAL data seems wrong here.

Cheers,
        Moritz

