Re: debsecan vs. debian-volatile

To: "Aneurin Price" <aneurin.price@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: debsecan vs. debian-volatile
From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 03 Sep 2007 19:57:54 +0200
Message-id: <[🔎] 87ejhfk4wt.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 501db8660709030617i461624e3v343d34af888a4961@mail.gmail.com> (Aneurin Price's message of "Mon, 3 Sep 2007 14:17:24 +0100")
References: <[🔎] 501db8660709030617i461624e3v343d34af888a4961@mail.gmail.com>

* Aneurin Price:

> I'm running sarge with clamav from debian-volatile, and debsecan
> reports some vulnerabilities with it. I'm fairly sure that the version
> I have installed (0.91.2-0volatile1) is in fact okay, and that the
> problem is simply that debsecan doesn't understand volatile - based on
> the vulnerability descriptions which seem to be telling me that the
> vulnerabilities are fixed in the version I'm using.

Actually, debsecan should be able to deal with this situation.

I guess that CVE-2007-4560 is an example for this kind of problem.
We've marked it as fixed in version 0.91.2-1, but volatile contains
0.91.2-0volatile1, which is less than that.  I suppose we could mark
it as fixed in 0.91.2, which would cover both cases (and wouldn't
introduce a false negative if this bug was in fact fixed upstream).

Reply to:

Follow-Ups:
- Re: debsecan vs. debian-volatile
  - From: "Aneurin Price" <aneurin.price@gmail.com>

References:
- debsecan vs. debian-volatile
  - From: "Aneurin Price" <aneurin.price@gmail.com>

Prev by Date: Re: debsecan vs. debian-volatile
Next by Date: Re: debsecan vs. debian-volatile
Previous by thread: Re: debsecan vs. debian-volatile
Next by thread: Re: debsecan vs. debian-volatile
Index(es):
- Date
- Thread