Hi Teppei,

On Fri, Jun 26, 2020 at 01:09:40PM +0000, Teppei Fukuda wrote:
> Hi Debian Security Team,
>
> Thank you for providing the great tracker system. I have a question. When it
> comes to CVE-2017-1000082, jessie says "fixed".
> https://security-tracker.debian.org/tracker/CVE-2017-1000082
>
> But OVAL describes the following.
> <criterion comment="systemd DPKG is earlier than 0"
> test_ref="oval:org.debian.oval:tst:15314"/>
>
> In the case of buster, OVAL is like the following.
> <criterion comment="systemd DPKG is earlier than 234-1"
> test_ref="oval:org.debian.oval:tst:11877"/>
> Are they correct? If it is fixed, I think it should not be "0" and buster
> should have suffix like "~deb10uX", not "234-1".

These are all correct, 234 was the first systemd release to ship the fix.
It says 0 for jessie as jessie was never affected by this security issue,
the version of systemd in jessie does not contain the affected code.

Cheers,
Moritz