Hi Debian Security Team, Thank you for providing the great tracker system. I have a question. When it comes to CVE-2017-10965, the following page says 1.0.2-1+deb9u2 is the fixed version on stretch. https://security-tracker.debian.org/tracker/CVE-2017-10965
Change log also says so. https://launchpad.net/debian/+source/irssi/+changelog But OVAL says 1.0.2-1+deb9u3 as follows. $ curl https://www.debian.org/security/oval/oval-definitions-stretch.xml | grep -A 50 CVE-2017-10965 <criterion comment="irssi DPKG is earlier than 1.0.2-1+deb9u3" test_ref="oval:org.debian.oval:tst:13567"/> Which is correct? Thank you, teppei
