RE: Debian Package Version system
Thanks for the info, this solves the issue.
I probably have been looking in the wrong direction.
-----Original Message-----
From: Darac Marjal [mailto:mailinglist@darac.org.uk]
Sent: donderdag 22 november 2012 15:51
To: debian-user@lists.debian.org
Subject: Re: Debian Package Version system
On Thu, Nov 22, 2012 at 09:54:22AM +0100, Arnoud Tijssen wrote:
> Hi All,
>
> After performing some vulnerability scans on some our systems one of the outcomes was that some software packages were out of date.
> We`re using the package management system of Debian and all packages were updated (apt-get update & apt-get (dist-)upgrade) prior to the scan.
> The vulnerability scanner most likely compares the version against that of the source code, which differs.
> How can I tell which version in the debian package repository system corresponds to which version of the source code.
http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version
states that a debian package has a version number that is formatted as:
[epoch:]upstream_version[-debian_revision]
That is, a small integer (0, if unspecified) followed by a colon, then the upstream version, then (starting from the last hyphen) the debian revision (again 0 if unspecified).
So, taking some examples from my system:
bash: 4.1-3 -> Upstream: 4.1
acpid: 1:2.0.7-1squeeze4 -> Upstream: 2.0.7
etckeeper: 0.48 -> Upstream: 0.48
> That way I can whitelist these software packages in our vulnerability scans.
You might want to consider WHY the software was updated. Is there a newer upstream because there's a security vulnerability, or is it just new features (possibly untested).
Reply to: