
RE: Debian Package Version system



Thanks for the info, this solves the issue.
I probably have been looking in the wrong direction.


-----Original Message-----
From: Darac Marjal [mailto:mailinglist@darac.org.uk] 
Sent: Thursday 22 November 2012 15:51
To: debian-user@lists.debian.org
Subject: Re: Debian Package Version system

On Thu, Nov 22, 2012 at 09:54:22AM +0100, Arnoud Tijssen wrote:
> Hi All,
> 
> After performing some vulnerability scans on some of our systems, one of the outcomes was that some software packages were out of date.
> We're using the package management system of Debian and all packages were updated (apt-get update & apt-get (dist-)upgrade) prior to the scan.
> The vulnerability scanner most likely compares the version against that of the source code, which differs.
> How can I tell which version in the Debian package repository system corresponds to which version of the source code?

http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version
states that a debian package has a version number that is formatted as:
  [epoch:]upstream_version[-debian_revision]

That is, a small integer (0, if unspecified) followed by a colon, then the upstream version, then (starting from the last hyphen) the debian revision (again 0 if unspecified).

So, taking some examples from my system:
 bash:      4.1-3              -> Upstream: 4.1
 acpid:     1:2.0.7-1squeeze4  -> Upstream: 2.0.7
 etckeeper: 0.48               -> Upstream: 0.48

> That way I can whitelist these software packages in our vulnerability scans.

You might want to consider WHY the software was updated. Is there a newer upstream because there's a security vulnerability, or is it just new features (possibly untested)?
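The split described above, written out as an added example (editor's code, not posted by anyone in the thread): it parses `[epoch:]upstream_version[-debian_revision]` using the rules Darac quotes (epoch up to the first colon, revision from the last hyphen), and it also reimplements the dpkg ordering so that a stable security update such as `1:2.0.7-1squeeze4` can be compared against the full version an advisory names as fixed rather than against the bare upstream number. The advisory version used in the demo is a constructed value for illustration, not a real DSA.

```python
"""Parse and order Debian package versions (added example; not from the thread).

Debian Policy defines a version as [epoch:]upstream_version[-debian_revision].
parse_version() splits on that grammar; compare_versions() reimplements the
dpkg ordering (what `dpkg --compare-versions` does) so that a backported
security fix, which only bumps the debian_revision, is judged correctly.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class DebVersion:
    epoch: int
    upstream: str
    revision: str  # "" for a native package (no debian_revision at all)


def parse_version(v: str) -> DebVersion:
    """Split a dpkg version string into epoch, upstream and revision."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)  # the epoch ends at the FIRST colon
        if not head.isdigit():
            raise ValueError(f"epoch is not a number: {head!r}")
        epoch = int(head)
    revision = ""
    if "-" in v:
        v, revision = v.rsplit("-", 1)  # the revision starts at the LAST hyphen
        if not re.fullmatch(r"[A-Za-z0-9.+~]+", revision):
            raise ValueError(f"bad debian_revision: {revision!r}")
    if not re.fullmatch(r"[A-Za-z0-9.+~:-]+", v):
        raise ValueError(f"bad upstream_version: {v!r}")
    return DebVersion(epoch, v, revision)


def upstream_version(v: str) -> str:
    """The part of a Debian version that maps to the upstream release."""
    return parse_version(v).upstream


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """dpkg's character weight for non-digit runs: '~' < end < letters < others."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1   # '~' sorts before everything, even the end of the string
    if c:
        return ord(c) + 256
    return 0        # end of string


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: compare character by character using _order()
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # numeric run: drop leading zeros, then longer number wins, else first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive, like `dpkg --compare-versions a lt|eq|gt b`."""
    va, vb = parse_version(a), parse_version(b)
    if va.epoch != vb.epoch:
        return va.epoch - vb.epoch
    return _verrevcmp(va.upstream, vb.upstream) or _verrevcmp(va.revision, vb.revision)


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True if the installed version is at or above the version an advisory names as fixed."""
    return compare_versions(installed, fixed_in) >= 0


if __name__ == "__main__":
    # the three examples from the message above
    for v in ("4.1-3", "1:2.0.7-1squeeze4", "0.48"):
        print(f"{v:20} -> {parse_version(v)}")
    # constructed "fixed in" version for illustration only; not a real advisory
    print(is_fixed("1:2.0.7-1squeeze4", "1:2.0.7-1squeeze3"))
```

The practical consequence for the scanner question: a tool that only compares the upstream string will keep flagging `acpid` 2.0.7 as outdated even after Debian has backported the fix into `-1squeeze4`, because the fix lives in the debian_revision. Rather than whitelisting a package outright, whitelist the finding only when the installed version (from `dpkg -l` or `apt-cache policy`) is at or above the version the Debian security advisory lists as fixed, using `dpkg --compare-versions` or `is_fixed()` above.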

