Re: debsecan vs. debian-volatile

* Aneurin Price:

> I'm running sarge with clamav from debian-volatile, and debsecan
> reports some vulnerabilities with it. I'm fairly sure that the version
> I have installed (0.91.2-0volatile1) is in fact okay, and that the
> problem is simply that debsecan doesn't understand volatile - based on
> the vulnerability descriptions which seem to be telling me that the
> vulnerabilities are fixed in the version I'm using.

Actually, debsecan should be able to deal with this situation.

I guess that CVE-2007-4560 is an example for this kind of problem.
We've marked it as fixed in version 0.91.2-1, but volatile contains
0.91.2-0volatile1, which is less than that.  I suppose we could mark
it as fixed in 0.91.2, which would cover both cases (and wouldn't
introduce a false negative if this bug was in fact fixed upstream).