
DPKG is earlier than 0 in OVAL feeds



Hi,

I'm working with Debian OVAL feeds (the ones in https://www.debian.org/security/oval/).
A lot of definitions have a criterion saying that the version is "earlier than 0", e.g.

<criterion comment="sendmail DPKG is earlier than 0" test_ref="oval:org.debian.oval:tst:5"/>

What's the meaning of this version, that it's not addressed yet? If so, I find some discrepancies, e.g. in the Jessie feed we have sendmail CVE-1999-1580 with that version. If we check in the security tracker - https://security-tracker.debian.org/tracker/CVE-1999-1580 - it says that the status for Jessie is "fixed" for version "8.14.4-8+deb8u2". However, some having that version are actually tracked as "vulnerable" in the security tracker.
Is this expected? What would the recommendation for handling these be?

Thanks,
Lyubo
