Hi Teppei,

On Fri, Jun 26, 2020 at 01:09:40PM +0000, Teppei Fukuda wrote:
> Hi Debian Security Team,
> 
> Thank you for providing the great tracker system. I have a question. When it 
> comes to CVE-2017-1000082, jessie says "fixed".
> https://security-tracker.debian.org/tracker/CVE-2017-1000082
> 
> But OVAL describes the following.
> <criterion comment="systemd DPKG is earlier than 0" 
> test_ref="oval:org.debian.oval:tst:15314"/>
> 
> In the case of buster, OVAL is like the following.
> <criterion comment="systemd DPKG is earlier than 234-1" 
> test_ref="oval:org.debian.oval:tst:11877"/>
> 
> Are they correct? If it is fixed, I think it should not be "0" and buster 
> should have a suffix like "~deb10uX", not "234-1".

These are all correct, 234 was the first systemd release to ship the fix.

It says 0 for jessie as jessie was never affected by this security issue, the
version of systemd in jessie does not contain the affected code.

Cheers,
        Moritz