-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 07 January 2009 14:04:50 Florian Weimer wrote:
> Something is wrong because the -3 version is known to the tracker,
> but not listed in your output.

How would I verify that -3 is known to the tracker? It's not in
http://secure-testing.debian.net/debian-secure-testing/project/debsecan/release/1/etch

> > If the installed version is the same or greater than any of
> > the other_versions that have the same upstream version, then it is
> > not vulnerable.
>
> This doesn't work because there might be a -4 version in unstable
> which hasn't got the fix. (This is more apparent with the usual
> -1+etch1 versioning scheme.)

Well, perhaps. But the debsecan source knows the unstable_version that
fixes the vulnerability. So I don't see how that matters.

Maybe you thought I was suggesting that we rip out the entire existing
is_vulnerable decision and replace it with what you quoted above? I just
meant to change the evaluation of versions _other_ than unstable_version.

Ciao,
Sheldon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJZMAQpGJX8XSgas0RAuPZAKCD2MTklNfklgrux89ZKGA9AAXvDQCcCo9k
SQIS3wLlYr/pM2ou0+qVIXw=
=4g5t
-----END PGP SIGNATURE-----
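The disagreement above turns on how Debian versions order and on what the quoted "same upstream, installed >= fix" rule concludes for a revision like -4 sitting between an etch fix (-1+etch1) and the unstable fix. The block below is an added illustration for this thread, not debsecan's code and not its is_vulnerable() function: it implements the dpkg version ordering (epoch, upstream, revision, with "~" sorting before everything), writes the quoted rule as fixed_by_same_upstream(), and runs it on a constructed scenario (package versions 1.0-1+etch1, 1.0-4, 1.0-5 are assumptions chosen to match the scheme Florian mentions).

```python
"""Debian version ordering and the 'same upstream, installed >= fix' rule.

Added example for this thread; NOT debsecan's code. The comparison
follows the dpkg verrevcmp() algorithm. The rule in
fixed_by_same_upstream() is a rendering of the rule quoted in the mail,
and the versions in unfixed_unstable_scenario() are constructed.
"""


def _order(c):
    """dpkg's ordering weight for one character ('' means end of string)."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1           # '~' sorts before everything, even the end
    if c.isalpha():
        return ord(c)
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) like dpkg."""
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg weights.
        while (ch(a, i) and not ch(a, i).isdigit()) or \
              (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:                 # no '-' present: native package
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, ordering a against b as dpkg would."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def fixed_by_same_upstream(installed, fixed_versions):
    """The rule quoted in the mail: installed counts as fixed when it is
    >= some fixed version sharing its upstream part. Returns that fixed
    version, or None when no fixed version matches."""
    up_inst = parse_version(installed)[1]
    for fv in fixed_versions:
        if parse_version(fv)[1] == up_inst and compare_versions(installed, fv) >= 0:
            return fv
    return None


def unfixed_unstable_scenario():
    """Constructed case: etch fix 1.0-1+etch1, unstable fix 1.0-5, and an
    unfixed 1.0-4 from unstable installed. Returns both verdicts."""
    etch_fix, unstable_fix, installed = "1.0-1+etch1", "1.0-5", "1.0-4"
    return {
        "below_unstable_fix": compare_versions(installed, unstable_fix) < 0,
        "matched_by_same_upstream_rule": fixed_by_same_upstream(installed, [etch_fix]),
    }
```

Run as a module, the scenario reports that 1.0-4 is below the unstable fix yet still matches the etch fix under the quoted rule, because 1.0-4 > 1.0-1+etch1 in dpkg ordering; that is the case the two mails are arguing about, and the comparator also shows why "~" pre-releases (1.0-1~bpo1) sort below their final revision while "+etch1" sorts above it.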

